315 files changed, 16521 insertions, 4441 deletions
diff --git a/Documentation/devicetree/bindings/bus/bcma.txt b/Documentation/devicetree/bindings/bus/bcma.txt
index 62a48348ac15..edd44d802139 100644
--- a/Documentation/devicetree/bindings/bus/bcma.txt
+++ b/Documentation/devicetree/bindings/bus/bcma.txt
@@ -8,6 +8,11 @@ Required properties:
 The cores on the AXI bus are automatically detected by bcma with the
 memory ranges they are using and they get registered afterwards.
+Automatic detection of the IRQ number is not working on
+BCM47xx/BCM53xx ARM SoCs. To assign IRQ numbers to the cores, provide
+them manually through device tree. Use an interrupt-map to specify the
+IRQ used by the devices on the bus. The first address is just an index,
+because we do not have any special register.
 The top-level axi bus may contain children representing attached cores
 (devices). This is needed since some hardware details can't be auto
@@ -22,6 +27,22 @@ Example:
                ranges = <0x00000000 0x18000000 0x00100000>;
                #address-cells = <1>;
                #size-cells = <1>;
+                #interrupt-cells = <1>;
+                interrupt-map-mask = <0x000fffff 0xffff>;
+                interrupt-map =
+                        /* Ethernet Controller 0 */
+                        <0x00024000 0 &gic GIC_SPI 147 IRQ_TYPE_LEVEL_HIGH>,
+                        /* Ethernet Controller 1 */
+                        <0x00025000 0 &gic GIC_SPI 148 IRQ_TYPE_LEVEL_HIGH>;
+                        /* PCIe Controller 0 */
+                        <0x00012000 0 &gic GIC_SPI 126 IRQ_TYPE_LEVEL_HIGH>,
+                        <0x00012000 1 &gic GIC_SPI 127 IRQ_TYPE_LEVEL_HIGH>,
+                        <0x00012000 2 &gic GIC_SPI 128 IRQ_TYPE_LEVEL_HIGH>,
+                        <0x00012000 3 &gic GIC_SPI 129 IRQ_TYPE_LEVEL_HIGH>,
+                        <0x00012000 4 &gic GIC_SPI 130 IRQ_TYPE_LEVEL_HIGH>,
+                        <0x00012000 5 &gic GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>;
                chipcommon {
                        reg = <0x00000000 0x1000>;
diff --git a/MAINTAINERS b/MAINTAINERS
index 7ec37a396ffe..e3f40df47513 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7845,11 +7845,10 @@ S:	Maintained
 F:      drivers/media/dvb-frontends/rtl2832_sdr*
 RTL8180 WIRELESS DRIVER
-M:      "John W. Linville" <linville@tuxdriver.com>
 L:      linux-wireless@vger.kernel.org
 W:      http://wireless.kernel.org/
 T:      git git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-testing.git
-S:      Maintained
+S:      Orphan
 F:      drivers/net/wireless/rtl818x/rtl8180/
 RTL8187 WIRELESS DRIVER
diff --git a/drivers/bcma/driver_chipcommon.c b/drivers/bcma/driver_chipcommon.c
index b068f98920a8..19f679667ca4 100644
--- a/drivers/bcma/driver_chipcommon.c
+++ b/drivers/bcma/driver_chipcommon.c
@@ -339,7 +339,7 @@ void bcma_chipco_serial_init(struct bcma_drv_cc *cc)
                return;
        }
-        irq = bcma_core_irq(cc->core);
+        irq = bcma_core_irq(cc->core, 0);
        /* Determine the registers of the UARTs */
        cc->nr_serial_ports = (cc->capabilities & BCMA_CC_CAP_NRUART);
diff --git a/drivers/bcma/driver_gpio.c b/drivers/bcma/driver_gpio.c
index 706b9ae0dcfb..598a6cd9028a 100644
--- a/drivers/bcma/driver_gpio.c
+++ b/drivers/bcma/driver_gpio.c
@@ -152,7 +152,7 @@ static int bcma_gpio_irq_domain_init(struct bcma_drv_cc *cc)
                                         handle_simple_irq);
        }
-        hwirq = bcma_core_irq(cc->core);
+        hwirq = bcma_core_irq(cc->core, 0);
        err = request_irq(hwirq, bcma_gpio_irq_handler, IRQF_SHARED, "gpio",
                          cc);
        if (err)
@@ -183,7 +183,7 @@ static void bcma_gpio_irq_domain_exit(struct bcma_drv_cc *cc)
                return;
        bcma_cc_mask32(cc, BCMA_CC_IRQMASK, ~BCMA_CC_IRQ_GPIO);
-        free_irq(bcma_core_irq(cc->core), cc);
+        free_irq(bcma_core_irq(cc->core, 0), cc);
        for (gpio = 0; gpio < chip->ngpio; gpio++) {
                int irq = irq_find_mapping(cc->irq_domain, gpio);
diff --git a/drivers/bcma/driver_mips.c b/drivers/bcma/driver_mips.c
index 004d6aa671ce..5ec69c3d409d 100644
--- a/drivers/bcma/driver_mips.c
+++ b/drivers/bcma/driver_mips.c
@@ -115,7 +115,7 @@ static u32 bcma_core_mips_irqflag(struct bcma_device *dev)
 * If disabled, 5 is returned.
 * If not supported, 6 is returned.
 */
-static unsigned int bcma_core_mips_irq(struct bcma_device *dev)
+unsigned int bcma_core_mips_irq(struct bcma_device *dev)
 {
        struct bcma_device *mdev = dev->bus->drv_mips.core;
        u32 irqflag;
@@ -133,13 +133,6 @@ static unsigned int bcma_core_mips_irq(struct bcma_device *dev)
        return 5;
 }
-unsigned int bcma_core_irq(struct bcma_device *dev)
-{
-        unsigned int mips_irq = bcma_core_mips_irq(dev);
-        return mips_irq <= 4 ? mips_irq + 2 : 0;
-}
-EXPORT_SYMBOL(bcma_core_irq);
 static void bcma_core_mips_set_irq(struct bcma_device *dev, unsigned int irq)
 {
        unsigned int oldirq = bcma_core_mips_irq(dev);
@@ -423,7 +416,7 @@ void bcma_core_mips_init(struct bcma_drv_mips *mcore)
                break;
        default:
                list_for_each_entry(core, &bus->cores, list) {
-                        core->irq = bcma_core_irq(core);
+                        core->irq = bcma_core_irq(core, 0);
                }
                bcma_err(bus,
                         "Unknown device (0x%x) found, can not configure IRQs\n",
diff --git a/drivers/bcma/driver_pci_host.c b/drivers/bcma/driver_pci_host.c
index c3d7b03c2fdc..c8a6b741967b 100644
--- a/drivers/bcma/driver_pci_host.c
+++ b/drivers/bcma/driver_pci_host.c
@@ -593,7 +593,7 @@ int bcma_core_pci_plat_dev_init(struct pci_dev *dev)
        pr_info("PCI: Fixing up device %s\n", pci_name(dev));
        /* Fix up interrupt lines */
-        dev->irq = bcma_core_irq(pc_host->pdev->core);
+        dev->irq = bcma_core_irq(pc_host->pdev->core, 0);
        pci_write_config_byte(dev, PCI_INTERRUPT_LINE, dev->irq);
        readrq = pcie_get_readrq(dev);
@@ -617,6 +617,6 @@ int bcma_core_pci_pcibios_map_irq(const struct pci_dev *dev)
        pc_host = container_of(dev->bus->ops, struct bcma_drv_pci_host,
                               pci_ops);
-        return bcma_core_irq(pc_host->pdev->core);
+        return bcma_core_irq(pc_host->pdev->core, 0);
 }
 EXPORT_SYMBOL(bcma_core_pci_pcibios_map_irq);
diff --git a/drivers/bcma/host_pci.c b/drivers/bcma/host_pci.c
index 1e5ac0a79696..cd9161a8b3a1 100644
--- a/drivers/bcma/host_pci.c
+++ b/drivers/bcma/host_pci.c
@@ -275,7 +275,7 @@ static SIMPLE_DEV_PM_OPS(bcma_pm_ops, bcma_host_pci_suspend,
 static const struct pci_device_id bcma_pci_bridge_tbl[] = {
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x0576) },
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4313) },
-        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 43224) },
+        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 43224) },  /* 0xa8d8 */
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4331) },
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4353) },
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4357) },
@@ -285,7 +285,8 @@ static const struct pci_device_id bcma_pci_bridge_tbl[] = {
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43a9) },
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x43aa) },
        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 0x4727) },
-        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 43227) },  /* 0xA8DB */
+        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 43227) },  /* 0xa8db, BCM43217 (sic!) */
+        { PCI_DEVICE(PCI_VENDOR_ID_BROADCOM, 43228) },  /* 0xa8dc */
        { 0, },
 };
 MODULE_DEVICE_TABLE(pci, bcma_pci_bridge_tbl);
diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c
index 9b229c9c35e5..534e1337766d 100644
--- a/drivers/bcma/main.c
+++ b/drivers/bcma/main.c
@@ -11,6 +11,7 @@
 #include <linux/bcma/bcma.h>
 #include <linux/slab.h>
 #include <linux/of_address.h>
+#include <linux/of_irq.h>
 MODULE_DESCRIPTION("Broadcom's specific AMBA driver");
 MODULE_LICENSE("GPL");
@@ -132,7 +133,7 @@ static bool bcma_is_core_needed_early(u16 core_id)
        return false;
 }
-#ifdef CONFIG_OF
+#if defined(CONFIG_OF) && defined(CONFIG_OF_ADDRESS)
 static struct device_node *bcma_of_find_child_device(struct platform_device *parent,
                                                     struct bcma_device *core)
 {
@@ -153,6 +154,46 @@ static struct device_node *bcma_of_find_child_device(struct platform_device *par
        return NULL;
 }
+static int bcma_of_irq_parse(struct platform_device *parent,
+                             struct bcma_device *core,
+                             struct of_phandle_args *out_irq, int num)
+{
+        __be32 laddr[1];
+        int rc;
+        if (core->dev.of_node) {
+                rc = of_irq_parse_one(core->dev.of_node, num, out_irq);
+                if (!rc)
+                        return rc;
+        }
+        out_irq->np = parent->dev.of_node;
+        out_irq->args_count = 1;
+        out_irq->args[0] = num;
+        laddr[0] = cpu_to_be32(core->addr);
+        return of_irq_parse_raw(laddr, out_irq);
+}
+static unsigned int bcma_of_get_irq(struct platform_device *parent,
+                                    struct bcma_device *core, int num)
+{
+        struct of_phandle_args out_irq;
+        int ret;
+        if (!parent || !parent->dev.of_node)
+                return 0;
+        ret = bcma_of_irq_parse(parent, core, &out_irq, num);
+        if (ret) {
+                bcma_debug(core->bus, "bcma_of_get_irq() failed with rc=%d\n",
+                           ret);
+                return 0;
+        }
+        return irq_create_of_mapping(&out_irq);
+}
 static void bcma_of_fill_device(struct platform_device *parent,
                                struct bcma_device *core)
 {
@@ -161,14 +202,45 @@ static void bcma_of_fill_device(struct platform_device *parent,
        node = bcma_of_find_child_device(parent, core);
        if (node)
                core->dev.of_node = node;
+        core->irq = bcma_of_get_irq(parent, core, 0);
 }
 #else
 static void bcma_of_fill_device(struct platform_device *parent,
                                struct bcma_device *core)
 {
 }
+static inline unsigned int bcma_of_get_irq(struct platform_device *parent,
+                                           struct bcma_device *core, int num)
+{
+        return 0;
+}
 #endif /* CONFIG_OF */
+unsigned int bcma_core_irq(struct bcma_device *core, int num)
+{
+        struct bcma_bus *bus = core->bus;
+        unsigned int mips_irq;
+        switch (bus->hosttype) {
+        case BCMA_HOSTTYPE_PCI:
+                return bus->host_pci->irq;
+        case BCMA_HOSTTYPE_SOC:
+                if (bus->drv_mips.core && num == 0) {
+                        mips_irq = bcma_core_mips_irq(core);
+                        return mips_irq <= 4 ? mips_irq + 2 : 0;
+                }
+                if (bus->host_pdev)
+                        return bcma_of_get_irq(bus->host_pdev, core, num);
+                return 0;
+        case BCMA_HOSTTYPE_SDIO:
+                return 0;
+        }
+        return 0;
+}
+EXPORT_SYMBOL(bcma_core_irq);
 void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core)
 {
        core->dev.release = bcma_release_core_dev;
diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
index 416620fa8fac..ffeaf476a120 100644
--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -2104,6 +2104,7 @@ static int b44_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
                bp->flags &= ~B44_FLAG_WOL_ENABLE;
        spin_unlock_irq(&bp->lock);
+        device_set_wakeup_enable(bp->sdev->dev, wol->wolopts & WAKE_MAGIC);
        return 0;
 }
@@ -2452,6 +2453,7 @@ static int b44_init_one(struct ssb_device *sdev,
                }
        }
+        device_set_wakeup_capable(sdev->dev, true);
        netdev_info(dev, "%s %pM\n", DRV_DESCRIPTION, dev->dev_addr);
        return 0;
diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h
index 9c56ecbae37f..ccba4fea7269 100644
--- a/drivers/net/wireless/ath/ath.h
+++ b/drivers/net/wireless/ath/ath.h
@@ -80,6 +80,7 @@ struct reg_dmn_pair_mapping {
 struct ath_regulatory {
        char alpha2[2];
+        enum nl80211_dfs_regions region;
        u16 country_code;
        u16 max_power_level;
        u16 current_rd;
@@ -134,6 +135,11 @@ struct ath_ops {
 struct ath_common;
 struct ath_bus_ops;
+struct ath_ps_ops {
+        void (*wakeup)(struct ath_common *common);
+        void (*restore)(struct ath_common *common);
+};
 struct ath_common {
        void *ah;
        void *priv;
@@ -168,6 +174,7 @@ struct ath_common {
        struct ath_regulatory reg_world_copy;
        const struct ath_ops *ops;
        const struct ath_bus_ops *bus_ops;
+        const struct ath_ps_ops *ps_ops;
        bool btcoex_enabled;
        bool disable_ani;
@@ -177,6 +184,11 @@ struct ath_common {
        struct ieee80211_supported_band sbands[IEEE80211_NUM_BANDS];
 };
+static inline const struct ath_ps_ops *ath_ps_ops(struct ath_common *common)
+{
+        return common->ps_ops;
+}
 struct sk_buff *ath_rxbuf_alloc(struct ath_common *common,
                                u32 len,
                                gfp_t gfp_mask);
diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
index 9b89ac133946..a156e6e48708 100644
--- a/drivers/net/wireless/ath/ath10k/ce.c
+++ b/drivers/net/wireless/ath/ath10k/ce.c
@@ -558,6 +558,7 @@ int ath10k_ce_revoke_recv_next(struct ath10k_ce_pipe *ce_state,
                /* sanity */
                dest_ring->per_transfer_context[sw_index] = NULL;
+                desc->nbytes = 0;
                /* Update sw_index */
                sw_index = CE_RING_IDX_INCR(nentries_mask, sw_index);
@@ -835,8 +836,8 @@ static int ath10k_ce_init_src_ring(struct ath10k *ar,
        nentries = roundup_pow_of_two(attr->src_nentries);
-        memset(src_ring->per_transfer_context, 0,
+        memset(src_ring->base_addr_owner_space, 0,
-               nentries * sizeof(*src_ring->per_transfer_context));
+               nentries * sizeof(struct ce_desc));
        src_ring->sw_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr);
        src_ring->sw_index &= src_ring->nentries_mask;
@@ -872,8 +873,8 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar,
        nentries = roundup_pow_of_two(attr->dest_nentries);
-        memset(dest_ring->per_transfer_context, 0,
+        memset(dest_ring->base_addr_owner_space, 0,
-               nentries * sizeof(*dest_ring->per_transfer_context));
+               nentries * sizeof(struct ce_desc));
        dest_ring->sw_index = ath10k_ce_dest_ring_read_index_get(ar, ctrl_addr);
        dest_ring->sw_index &= dest_ring->nentries_mask;
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index 5c23d00f7d60..7762061a1944 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -31,12 +31,17 @@
 unsigned int ath10k_debug_mask;
 static bool uart_print;
 static unsigned int ath10k_p2p;
+static bool skip_otp;
 module_param_named(debug_mask, ath10k_debug_mask, uint, 0644);
 module_param(uart_print, bool, 0644);
 module_param_named(p2p, ath10k_p2p, uint, 0644);
+module_param(skip_otp, bool, 0644);
 MODULE_PARM_DESC(debug_mask, "Debugging mask");
 MODULE_PARM_DESC(uart_print, "Uart target debugging");
 MODULE_PARM_DESC(p2p, "Enable ath10k P2P support");
+MODULE_PARM_DESC(skip_otp, "Skip otp failure for calibration in testmode");
 static const struct ath10k_hw_params ath10k_hw_params_list[] = {
        {
@@ -280,7 +285,7 @@ static int ath10k_download_and_run_otp(struct ath10k *ar)
        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot otp execute result %d\n", result);
-        if (result != 0) {
+        if (!skip_otp && result != 0) {
                ath10k_err(ar, "otp calibration failed: %d", result);
                return -EINVAL;
        }
@@ -744,6 +749,25 @@ static void ath10k_core_restart(struct work_struct *work)
 {
        struct ath10k *ar = container_of(work, struct ath10k, restart_work);
+        set_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags);
+        /* Place a barrier to make sure the compiler doesn't reorder
+         * CRASH_FLUSH and calling other functions.
+         */
+        barrier();
+        ieee80211_stop_queues(ar->hw);
+        ath10k_drain_tx(ar);
+        complete_all(&ar->scan.started);
+        complete_all(&ar->scan.completed);
+        complete_all(&ar->scan.on_channel);
+        complete_all(&ar->offchan_tx_completed);
+        complete_all(&ar->install_key_done);
+        complete_all(&ar->vdev_setup_done);
+        wake_up(&ar->htt.empty_tx_wq);
+        wake_up(&ar->wmi.tx_credits_wq);
+        wake_up(&ar->peer_mapping_wq);
        mutex_lock(&ar->conf_mutex);
        switch (ar->state) {
@@ -775,12 +799,25 @@ static void ath10k_core_restart(struct work_struct *work)
        mutex_unlock(&ar->conf_mutex);
 }
+static void ath10k_core_init_max_sta_count(struct ath10k *ar)
+{
+        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features)) {
+                ar->max_num_peers = TARGET_10X_NUM_PEERS;
+                ar->max_num_stations = TARGET_10X_NUM_STATIONS;
+        } else {
+                ar->max_num_peers = TARGET_NUM_PEERS;
+                ar->max_num_stations = TARGET_NUM_STATIONS;
+        }
+}
 int ath10k_core_start(struct ath10k *ar, enum ath10k_firmware_mode mode)
 {
        int status;
        lockdep_assert_held(&ar->conf_mutex);
+        clear_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags);
        ath10k_bmi_start(ar);
        if (ath10k_init_configure_target(ar)) {
@@ -1009,6 +1046,8 @@ static int ath10k_core_probe_fw(struct ath10k *ar)
                return ret;
        }
+        ath10k_core_init_max_sta_count(ar);
        mutex_lock(&ar->conf_mutex);
        ret = ath10k_core_start(ar, ATH10K_FIRMWARE_MODE_NORMAL);
@@ -1185,6 +1224,8 @@ struct ath10k *ath10k_core_create(size_t priv_size, struct device *dev,
        INIT_LIST_HEAD(&ar->peers);
        init_waitqueue_head(&ar->peer_mapping_wq);
+        init_waitqueue_head(&ar->htt.empty_tx_wq);
+        init_waitqueue_head(&ar->wmi.tx_credits_wq);
        init_completion(&ar->offchan_tx_completed);
        INIT_WORK(&ar->offchan_tx_work, ath10k_offchan_tx_work);
diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h
index 1e3fd1013b70..514c219263a5 100644
--- a/drivers/net/wireless/ath/ath10k/core.h
+++ b/drivers/net/wireless/ath/ath10k/core.h
@@ -79,10 +79,12 @@ static inline const char *ath10k_bus_str(enum ath10k_bus bus)
 struct ath10k_skb_cb {
        dma_addr_t paddr;
+        u8 eid;
        u8 vdev_id;
        struct {
                u8 tid;
+                u16 freq;
                bool is_offchan;
                struct ath10k_htt_txbuf *txbuf;
                u32 txbuf_paddr;
@@ -122,6 +124,7 @@ struct ath10k_wmi {
        struct completion service_ready;
        struct completion unified_ready;
        wait_queue_head_t tx_credits_wq;
+        DECLARE_BITMAP(svc_map, WMI_SERVICE_MAX);
        struct wmi_cmd_map *cmd;
        struct wmi_vdev_param_map *vdev_param;
        struct wmi_pdev_param_map *pdev_param;
@@ -218,6 +221,8 @@ struct ath10k_peer {
        int vdev_id;
        u8 addr[ETH_ALEN];
        DECLARE_BITMAP(peer_ids, ATH10K_MAX_NUM_PEER_IDS);
+        /* protected by ar->data_lock */
        struct ieee80211_key_conf *keys[WMI_MAX_KEY_INDEX + 1];
 };
@@ -310,7 +315,6 @@ struct ath10k_debug {
        struct ath10k_fw_stats fw_stats;
        struct completion fw_stats_complete;
        bool fw_stats_done;
-        DECLARE_BITMAP(wmi_service_bitmap, WMI_SERVICE_MAX);
        unsigned long htt_stats_mask;
        struct delayed_work htt_stats_dwork;
@@ -320,6 +324,7 @@ struct ath10k_debug {
        /* protected by conf_mutex */
        u32 fw_dbglog_mask;
        u32 pktlog_filter;
+        u32 reg_addr;
        u8 htt_max_amsdu;
        u8 htt_max_ampdu;
@@ -338,7 +343,7 @@ enum ath10k_state {
         * stopped in ath10k_core_restart() work holding conf_mutex. The state
         * RESTARTED means that the device is up and mac80211 has started hw
         * reconfiguration. Once mac80211 is done with the reconfiguration we
-         * set the state to STATE_ON in restart_complete(). */
+         * set the state to STATE_ON in reconfig_complete(). */
        ATH10K_STATE_RESTARTING,
        ATH10K_STATE_RESTARTED,
@@ -386,6 +391,11 @@ enum ath10k_dev_flags {
        /* Indicates that ath10k device is during CAC phase of DFS */
        ATH10K_CAC_RUNNING,
        ATH10K_FLAG_CORE_REGISTERED,
+        /* Device has crashed and needs to restart. This indicates any pending
+         * waiters should immediately cancel instead of waiting for a time out.
+         */
+        ATH10K_FLAG_CRASH_FLUSH,
 };
 enum ath10k_cal_mode {
@@ -555,8 +565,12 @@ struct ath10k {
        struct list_head peers;
        wait_queue_head_t peer_mapping_wq;
-        /* number of created peers; protected by data_lock */
+        /* protected by conf_mutex */
        int num_peers;
+        int num_stations;
+        int max_num_peers;
+        int max_num_stations;
        struct work_struct offchan_tx_work;
        struct sk_buff_head offchan_tx_queue;
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 9147dd36dcdd..a716758f14b0 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -17,9 +17,8 @@
 #include <linux/module.h>
 #include <linux/debugfs.h>
-#include <linux/version.h>
-#include <linux/vermagic.h>
 #include <linux/vmalloc.h>
+#include <linux/utsname.h>
 #include "core.h"
 #include "debug.h"
@@ -124,7 +123,7 @@ EXPORT_SYMBOL(ath10k_info);
 void ath10k_print_driver_info(struct ath10k *ar)
 {
-        ath10k_info(ar, "%s (0x%08x, 0x%08x) fw %s api %d htt %d.%d wmi %d.%d.%d.%d cal %s\n",
+        ath10k_info(ar, "%s (0x%08x, 0x%08x) fw %s api %d htt %d.%d wmi %d.%d.%d.%d cal %s max_sta %d\n",
                    ar->hw_params.name,
                    ar->target_version,
                    ar->chip_id,
@@ -136,7 +135,8 @@ void ath10k_print_driver_info(struct ath10k *ar)
                    ar->fw_version_minor,
                    ar->fw_version_release,
                    ar->fw_version_build,
-                    ath10k_cal_mode_str(ar->cal_mode));
+                    ath10k_cal_mode_str(ar->cal_mode),
+                    ar->max_num_stations);
        ath10k_info(ar, "debug %d debugfs %d tracing %d dfs %d testmode %d\n",
                    config_enabled(CONFIG_ATH10K_DEBUG),
                    config_enabled(CONFIG_ATH10K_DEBUGFS),
@@ -179,13 +179,6 @@ EXPORT_SYMBOL(ath10k_warn);
 #ifdef CONFIG_ATH10K_DEBUGFS
-void ath10k_debug_read_service_map(struct ath10k *ar,
-                                   const void *service_map,
-                                   size_t map_size)
-{
-        memcpy(ar->debug.wmi_service_bitmap, service_map, map_size);
-}
 static ssize_t ath10k_read_wmi_services(struct file *file,
                                        char __user *user_buf,
                                        size_t count, loff_t *ppos)
@@ -207,8 +200,9 @@ static ssize_t ath10k_read_wmi_services(struct file *file,
        if (len > buf_len)
                len = buf_len;
+        spin_lock_bh(&ar->data_lock);
        for (i = 0; i < WMI_SERVICE_MAX; i++) {
-                enabled = test_bit(i, ar->debug.wmi_service_bitmap);
+                enabled = test_bit(i, ar->wmi.svc_map);
                name = wmi_service_name(i);
                if (!name) {
@@ -224,6 +218,7 @@ static ssize_t ath10k_read_wmi_services(struct file *file,
                                 "%-40s %s\n",
                                 name, enabled ? "enabled" : "-");
        }
+        spin_unlock_bh(&ar->data_lock);
        ret_cnt = simple_read_from_buffer(user_buf, count, ppos, buf, len);
@@ -695,7 +690,8 @@ static ssize_t ath10k_read_simulate_fw_crash(struct file *file,
                "To simulate firmware crash write one of the keywords to this file:\n"
                "`soft` - this will send WMI_FORCE_FW_HANG_ASSERT to firmware if FW supports that command.\n"
                "`hard` - this will send to firmware command with illegal parameters causing firmware crash.\n"
-                "`assert` - this will send special illegal parameter to firmware to cause assert failure and crash.\n";
+                "`assert` - this will send special illegal parameter to firmware to cause assert failure and crash.\n"
+                "`hw-restart` - this will simply queue hw restart without fw/hw actually crashing.\n";
        return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
 }
@@ -748,6 +744,10 @@ static ssize_t ath10k_write_simulate_fw_crash(struct file *file,
        } else if (!strcmp(buf, "assert")) {
                ath10k_info(ar, "simulating firmware assert crash\n");
                ret = ath10k_debug_fw_assert(ar);
+        } else if (!strcmp(buf, "hw-restart")) {
+                ath10k_info(ar, "user requested hw restart\n");
+                queue_work(ar->workqueue, &ar->restart_work);
+                ret = 0;
        } else {
                ret = -EINVAL;
                goto exit;
@@ -861,8 +861,8 @@ static struct ath10k_dump_file_data *ath10k_build_dump_file(struct ath10k *ar)
        strlcpy(dump_data->fw_ver, ar->hw->wiphy->fw_version,
                sizeof(dump_data->fw_ver));
-        dump_data->kernel_ver_code = cpu_to_le32(LINUX_VERSION_CODE);
+        dump_data->kernel_ver_code = 0;
-        strlcpy(dump_data->kernel_ver, VERMAGIC_STRING,
+        strlcpy(dump_data->kernel_ver, init_utsname()->release,
                sizeof(dump_data->kernel_ver));
        dump_data->tv_sec = cpu_to_le64(crash_data->timestamp.tv_sec);
@@ -924,6 +924,236 @@ static const struct file_operations fops_fw_crash_dump = {
        .llseek = default_llseek,
 };
+static ssize_t ath10k_reg_addr_read(struct file *file,
+                                    char __user *user_buf,
+                                    size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u8 buf[32];
+        unsigned int len = 0;
+        u32 reg_addr;
+        mutex_lock(&ar->conf_mutex);
+        reg_addr = ar->debug.reg_addr;
+        mutex_unlock(&ar->conf_mutex);
+        len += scnprintf(buf + len, sizeof(buf) - len, "0x%x\n", reg_addr);
+        return simple_read_from_buffer(user_buf, count, ppos, buf, len);
+}
+static ssize_t ath10k_reg_addr_write(struct file *file,
+                                     const char __user *user_buf,
+                                     size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u32 reg_addr;
+        int ret;
+        ret = kstrtou32_from_user(user_buf, count, 0, &reg_addr);
+        if (ret)
+                return ret;
+        if (!IS_ALIGNED(reg_addr, 4))
+                return -EFAULT;
+        mutex_lock(&ar->conf_mutex);
+        ar->debug.reg_addr = reg_addr;
+        mutex_unlock(&ar->conf_mutex);
+        return count;
+}
+static const struct file_operations fops_reg_addr = {
+        .read = ath10k_reg_addr_read,
+        .write = ath10k_reg_addr_write,
+        .open = simple_open,
+        .owner = THIS_MODULE,
+        .llseek = default_llseek,
+};
+static ssize_t ath10k_reg_value_read(struct file *file,
+                                     char __user *user_buf,
+                                     size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u8 buf[48];
+        unsigned int len;
+        u32 reg_addr, reg_val;
+        int ret;
+        mutex_lock(&ar->conf_mutex);
+        if (ar->state != ATH10K_STATE_ON &&
+            ar->state != ATH10K_STATE_UTF) {
+                ret = -ENETDOWN;
+                goto exit;
+        }
+        reg_addr = ar->debug.reg_addr;
+        reg_val = ath10k_hif_read32(ar, reg_addr);
+        len = scnprintf(buf, sizeof(buf), "0x%08x:0x%08x\n", reg_addr, reg_val);
+        ret = simple_read_from_buffer(user_buf, count, ppos, buf, len);
+exit:
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
+static ssize_t ath10k_reg_value_write(struct file *file,
+                                      const char __user *user_buf,
+                                      size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u32 reg_addr, reg_val;
+        int ret;
+        mutex_lock(&ar->conf_mutex);
+        if (ar->state != ATH10K_STATE_ON &&
+            ar->state != ATH10K_STATE_UTF) {
+                ret = -ENETDOWN;
+                goto exit;
+        }
+        reg_addr = ar->debug.reg_addr;
+        ret = kstrtou32_from_user(user_buf, count, 0, &reg_val);
+        if (ret)
+                goto exit;
+        ath10k_hif_write32(ar, reg_addr, reg_val);
+        ret = count;
+exit:
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
+static const struct file_operations fops_reg_value = {
+        .read = ath10k_reg_value_read,
+        .write = ath10k_reg_value_write,
+        .open = simple_open,
+        .owner = THIS_MODULE,
+        .llseek = default_llseek,
+};
+static ssize_t ath10k_mem_value_read(struct file *file,
+                                     char __user *user_buf,
+                                     size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u8 *buf;
+        int ret;
+        if (*ppos < 0)
+                return -EINVAL;
+        if (!count)
+                return 0;
+        mutex_lock(&ar->conf_mutex);
+        buf = vmalloc(count);
+        if (!buf) {
+                ret = -ENOMEM;
+                goto exit;
+        }
+        if (ar->state != ATH10K_STATE_ON &&
+            ar->state != ATH10K_STATE_UTF) {
+                ret = -ENETDOWN;
+                goto exit;
+        }
+        ret = ath10k_hif_diag_read(ar, *ppos, buf, count);
+        if (ret) {
+                ath10k_warn(ar, "failed to read address 0x%08x via diagnose window fnrom debugfs: %d\n",
+                            (u32)(*ppos), ret);
+                goto exit;
+        }
+        ret = copy_to_user(user_buf, buf, count);
+        if (ret) {
+                ret = -EFAULT;
+                goto exit;
+        }
+        count -= ret;
+        *ppos += count;
+        ret = count;
+exit:
+        vfree(buf);
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
+static ssize_t ath10k_mem_value_write(struct file *file,
+                                      const char __user *user_buf,
+                                      size_t count, loff_t *ppos)
+{
+        struct ath10k *ar = file->private_data;
+        u8 *buf;
+        int ret;
+        if (*ppos < 0)
+                return -EINVAL;
+        if (!count)
+                return 0;
+        mutex_lock(&ar->conf_mutex);
+        buf = vmalloc(count);
+        if (!buf) {
+                ret = -ENOMEM;
+                goto exit;
+        }
+        if (ar->state != ATH10K_STATE_ON &&
+            ar->state != ATH10K_STATE_UTF) {
+                ret = -ENETDOWN;
+                goto exit;
+        }
+        ret = copy_from_user(buf, user_buf, count);
+        if (ret) {
+                ret = -EFAULT;
+                goto exit;
+        }
+        ret = ath10k_hif_diag_write(ar, *ppos, buf, count);
+        if (ret) {
+                ath10k_warn(ar, "failed to write address 0x%08x via diagnose window from debugfs: %d\n",
+                            (u32)(*ppos), ret);
+                goto exit;
+        }
+        *ppos += count;
+        ret = count;
+exit:
+        vfree(buf);
+        mutex_unlock(&ar->conf_mutex);
+        return ret;
+}
+static const struct file_operations fops_mem_value = {
+        .read = ath10k_mem_value_read,
+        .write = ath10k_mem_value_write,
+        .open = simple_open,
+        .owner = THIS_MODULE,
+        .llseek = default_llseek,
+};
 static int ath10k_debug_htt_stats_req(struct ath10k *ar)
 {
        u64 cookie;
@@ -1625,6 +1855,15 @@ int ath10k_debug_register(struct ath10k *ar)
        debugfs_create_file("fw_crash_dump", S_IRUSR, ar->debug.debugfs_phy,
                            ar, &fops_fw_crash_dump);
+        debugfs_create_file("reg_addr", S_IRUSR | S_IWUSR,
+                            ar->debug.debugfs_phy, ar, &fops_reg_addr);
+        debugfs_create_file("reg_value", S_IRUSR | S_IWUSR,
+                            ar->debug.debugfs_phy, ar, &fops_reg_value);
+        debugfs_create_file("mem_value", S_IRUSR | S_IWUSR,
+                            ar->debug.debugfs_phy, ar, &fops_mem_value);
        debugfs_create_file("chip_id", S_IRUSR, ar->debug.debugfs_phy,
                            ar, &fops_chip_id);
diff --git a/drivers/net/wireless/ath/ath10k/debug.h b/drivers/net/wireless/ath/ath10k/debug.h
index 0c934a8378db..1b87a5dbec53 100644
--- a/drivers/net/wireless/ath/ath10k/debug.h
+++ b/drivers/net/wireless/ath/ath10k/debug.h
@@ -35,6 +35,7 @@ enum ath10k_debug_mask {
        ATH10K_DBG_BMI          = 0x00000400,
        ATH10K_DBG_REGULATORY   = 0x00000800,
        ATH10K_DBG_TESTMODE     = 0x00001000,
+        ATH10K_DBG_WMI_PRINT    = 0x00002000,
        ATH10K_DBG_ANY          = 0xffffffff,
 };
@@ -61,9 +62,6 @@ int ath10k_debug_create(struct ath10k *ar);
 void ath10k_debug_destroy(struct ath10k *ar);
 int ath10k_debug_register(struct ath10k *ar);
 void ath10k_debug_unregister(struct ath10k *ar);
-void ath10k_debug_read_service_map(struct ath10k *ar,
-                                   const void *service_map,
-                                   size_t map_size);
 void ath10k_debug_fw_stats_process(struct ath10k *ar, struct sk_buff *skb);
 struct ath10k_fw_crash_data *
 ath10k_debug_get_new_fw_crash_data(struct ath10k *ar);
@@ -108,12 +106,6 @@ static inline void ath10k_debug_unregister(struct ath10k *ar)
 {
 }
-static inline void ath10k_debug_read_service_map(struct ath10k *ar,
-                                                 const void *service_map,
-                                                 size_t map_size)
-{
-}
 static inline void ath10k_debug_fw_stats_process(struct ath10k *ar,
                                                 struct sk_buff *skb)
 {
diff --git a/drivers/net/wireless/ath/ath10k/hif.h b/drivers/net/wireless/ath/ath10k/hif.h
index 30301f5b6051..0c92e0251e84 100644
--- a/drivers/net/wireless/ath/ath10k/hif.h
+++ b/drivers/net/wireless/ath/ath10k/hif.h
@@ -20,6 +20,7 @@
 #include <linux/kernel.h>
 #include "core.h"
+#include "debug.h"
 struct ath10k_hif_sg_item {
        u16 transfer_id;
@@ -31,11 +32,9 @@ struct ath10k_hif_sg_item {
 struct ath10k_hif_cb {
        int (*tx_completion)(struct ath10k *ar,
-                             struct sk_buff *wbuf,
+                             struct sk_buff *wbuf);
-                             unsigned transfer_id);
        int (*rx_completion)(struct ath10k *ar,
-                             struct sk_buff *wbuf,
+                             struct sk_buff *wbuf);
-                             u8 pipe_id);
 };
 struct ath10k_hif_ops {
@@ -47,6 +46,8 @@ struct ath10k_hif_ops {
        int (*diag_read)(struct ath10k *ar, u32 address, void *buf,
                         size_t buf_len);
+        int (*diag_write)(struct ath10k *ar, u32 address, const void *data,
+                          int nbytes);
        /*
         * API to handle HIF-specific BMI message exchanges, this API is
         * synchronous and only allowed to be called from a context that
@@ -84,6 +85,10 @@ struct ath10k_hif_ops {
        u16 (*get_free_queue_number)(struct ath10k *ar, u8 pipe_id);
+        u32 (*read32)(struct ath10k *ar, u32 address);
+        void (*write32)(struct ath10k *ar, u32 address, u32 value);
        /* Power up the device and enter BMI transfer mode for FW download */
        int (*power_up)(struct ath10k *ar);
@@ -108,6 +113,15 @@ static inline int ath10k_hif_diag_read(struct ath10k *ar, u32 address, void *buf
        return ar->hif.ops->diag_read(ar, address, buf, buf_len);
 }
+static inline int ath10k_hif_diag_write(struct ath10k *ar, u32 address,
+                                        const void *data, int nbytes)
+{
+        if (!ar->hif.ops->diag_write)
+                return -EOPNOTSUPP;
+        return ar->hif.ops->diag_write(ar, address, data, nbytes);
+}
 static inline int ath10k_hif_exchange_bmi_msg(struct ath10k *ar,
                                              void *request, u32 request_len,
                                              void *response, u32 *response_len)
@@ -187,4 +201,25 @@ static inline int ath10k_hif_resume(struct ath10k *ar)
        return ar->hif.ops->resume(ar);
 }
+static inline u32 ath10k_hif_read32(struct ath10k *ar, u32 address)
+{
+        if (!ar->hif.ops->read32) {
+                ath10k_warn(ar, "hif read32 not supported\n");
+                return 0xdeaddead;
+        }
+        return ar->hif.ops->read32(ar, address);
+}
+static inline void ath10k_hif_write32(struct ath10k *ar,
+                                      u32 address, u32 data)
+{
+        if (!ar->hif.ops->write32) {
+                ath10k_warn(ar, "hif write32 not supported\n");
+                return;
+        }
+        ar->hif.ops->write32(ar, address, data);
+}
 #endif /* _HIF_H_ */
diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
index 676bd4ed969b..f1946a6be442 100644
--- a/drivers/net/wireless/ath/ath10k/htc.c
+++ b/drivers/net/wireless/ath/ath10k/htc.c
@@ -160,6 +160,7 @@ int ath10k_htc_send(struct ath10k_htc *htc,
        ath10k_htc_prepare_tx_skb(ep, skb);
+        skb_cb->eid = eid;
        skb_cb->paddr = dma_map_single(dev, skb->data, skb->len, DMA_TO_DEVICE);
        ret = dma_mapping_error(dev, skb_cb->paddr);
        if (ret)
@@ -197,15 +198,18 @@ err_pull:
 }
 static int ath10k_htc_tx_completion_handler(struct ath10k *ar,
-                                            struct sk_buff *skb,
+                                            struct sk_buff *skb)
-                                            unsigned int eid)
 {
        struct ath10k_htc *htc = &ar->htc;
-        struct ath10k_htc_ep *ep = &htc->endpoint[eid];
+        struct ath10k_skb_cb *skb_cb;
+        struct ath10k_htc_ep *ep;
        if (WARN_ON_ONCE(!skb))
                return 0;
+        skb_cb = ATH10K_SKB_CB(skb);
+        ep = &htc->endpoint[skb_cb->eid];
        ath10k_htc_notify_tx_completion(ep, skb);
        /* the skb now belongs to the completion handler */
@@ -317,8 +321,7 @@ static int ath10k_htc_process_trailer(struct ath10k_htc *htc,
 }
 static int ath10k_htc_rx_completion_handler(struct ath10k *ar,
-                                            struct sk_buff *skb,
+                                            struct sk_buff *skb)
-                                            u8 pipe_id)
 {
        int status = 0;
        struct ath10k_htc *htc = &ar->htc;
diff --git a/drivers/net/wireless/ath/ath10k/htt.h b/drivers/net/wireless/ath/ath10k/htt.h
index 15c58e884b6a..1bd5545af903 100644
--- a/drivers/net/wireless/ath/ath10k/htt.h
+++ b/drivers/net/wireless/ath/ath10k/htt.h
@@ -126,6 +126,7 @@ enum htt_data_tx_ext_tid {
 *                  (HL hosts manage queues on the host )
 *       more_in_batch: only for HL hosts. indicates if more packets are
 *                      pending. this allows target to wait and aggregate
+ *       freq: 0 means home channel of given vdev. intended for offchannel
 */
 struct htt_data_tx_desc {
        u8 flags0; /* %HTT_DATA_TX_DESC_FLAGS0_ */
@@ -133,7 +134,8 @@ struct htt_data_tx_desc {
        __le16 len;
        __le16 id;
        __le32 frags_paddr;
-        __le32 peerid;
+        __le16 peerid;
+        __le16 freq;
        u8 prefetch[0]; /* start of frame, for FW classification engine */
 } __packed;
@@ -156,6 +158,9 @@ enum htt_rx_ring_flags {
        HTT_RX_RING_FLAGS_PHY_DATA_RX  = 1 << 15
 };
+#define HTT_RX_RING_SIZE_MIN 128
+#define HTT_RX_RING_SIZE_MAX 2048
 struct htt_rx_ring_setup_ring {
        __le32 fw_idx_shadow_reg_paddr;
        __le32 rx_ring_base_paddr;
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index fbb3175d4d6e..9c782a42665e 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -25,19 +25,8 @@
 #include <linux/log2.h>
-/* slightly larger than one large A-MPDU */
+#define HTT_RX_RING_SIZE 1024
-#define HTT_RX_RING_SIZE_MIN 128
+#define HTT_RX_RING_FILL_LEVEL 1000
-/* roughly 20 ms @ 1 Gbps of 1500B MSDUs */
-#define HTT_RX_RING_SIZE_MAX 2048
-#define HTT_RX_AVG_FRM_BYTES 1000
-/* ms, very conservative */
-#define HTT_RX_HOST_LATENCY_MAX_MS 20
-/* ms, conservative */
-#define HTT_RX_HOST_LATENCY_WORST_LIKELY_MS 10
 /* when under memory pressure rx ring refill may fail and needs a retry */
 #define HTT_RX_RING_REFILL_RETRY_MS 50
@@ -45,68 +34,6 @@
 static int ath10k_htt_rx_get_csum_state(struct sk_buff *skb);
 static void ath10k_htt_txrx_compl_task(unsigned long ptr);
-static int ath10k_htt_rx_ring_size(struct ath10k_htt *htt)
-{
-        int size;
-        /*
-         * It is expected that the host CPU will typically be able to
-         * service the rx indication from one A-MPDU before the rx
-         * indication from the subsequent A-MPDU happens, roughly 1-2 ms
-         * later. However, the rx ring should be sized very conservatively,
-         * to accomodate the worst reasonable delay before the host CPU
-         * services a rx indication interrupt.
-         *
-         * The rx ring need not be kept full of empty buffers. In theory,
-         * the htt host SW can dynamically track the low-water mark in the
-         * rx ring, and dynamically adjust the level to which the rx ring
-         * is filled with empty buffers, to dynamically meet the desired
-         * low-water mark.
-         *
-         * In contrast, it's difficult to resize the rx ring itself, once
-         * it's in use. Thus, the ring itself should be sized very
-         * conservatively, while the degree to which the ring is filled
-         * with empty buffers should be sized moderately conservatively.
-         */
-        /* 1e6 bps/mbps / 1e3 ms per sec = 1000 */
-        size =
-            htt->max_throughput_mbps +
-            1000  /
-            (8 * HTT_RX_AVG_FRM_BYTES) * HTT_RX_HOST_LATENCY_MAX_MS;
-        if (size < HTT_RX_RING_SIZE_MIN)
-                size = HTT_RX_RING_SIZE_MIN;
-        if (size > HTT_RX_RING_SIZE_MAX)
-                size = HTT_RX_RING_SIZE_MAX;
-        size = roundup_pow_of_two(size);
-        return size;
-}
-static int ath10k_htt_rx_ring_fill_level(struct ath10k_htt *htt)
-{
-        int size;
-        /* 1e6 bps/mbps / 1e3 ms per sec = 1000 */
-        size =
-            htt->max_throughput_mbps *
-            1000  /
-            (8 * HTT_RX_AVG_FRM_BYTES) * HTT_RX_HOST_LATENCY_WORST_LIKELY_MS;
-        /*
-         * Make sure the fill level is at least 1 less than the ring size.
-         * Leaving 1 element empty allows the SW to easily distinguish
-         * between a full ring vs. an empty ring.
-         */
-        if (size >= htt->rx_ring.size)
-                size = htt->rx_ring.size - 1;
-        return size;
-}
 static void ath10k_htt_rx_ring_free(struct ath10k_htt *htt)
 {
        struct sk_buff *skb;
@@ -291,54 +218,38 @@ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
        htt->rx_ring.sw_rd_idx.msdu_payld = idx;
        htt->rx_ring.fill_cnt--;
-        trace_ath10k_htt_rx_pop_msdu(ar, msdu->data, msdu->len +
+        dma_unmap_single(htt->ar->dev,
-                                     skb_tailroom(msdu));
+                         ATH10K_SKB_CB(msdu)->paddr,
+                         msdu->len + skb_tailroom(msdu),
+                         DMA_FROM_DEVICE);
+        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "htt rx netbuf pop: ",
+                        msdu->data, msdu->len + skb_tailroom(msdu));
        return msdu;
 }
-static void ath10k_htt_rx_free_msdu_chain(struct sk_buff *skb)
-{
-        struct sk_buff *next;
-        while (skb) {
-                next = skb->next;
-                dev_kfree_skb_any(skb);
-                skb = next;
-        }
-}
 /* return: < 0 fatal error, 0 - non chained msdu, 1 chained msdu */
 static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                                   u8 **fw_desc, int *fw_desc_len,
-                                   struct sk_buff **head_msdu,
+                                   struct sk_buff_head *amsdu)
-                                   struct sk_buff **tail_msdu,
-                                   u32 *attention)
 {
        struct ath10k *ar = htt->ar;
        int msdu_len, msdu_chaining = 0;
-        struct sk_buff *msdu, *next;
+        struct sk_buff *msdu;
        struct htt_rx_desc *rx_desc;
-        u32 tsf;
        lockdep_assert_held(&htt->rx_ring.lock);
-        if (htt->rx_confused) {
+        for (;;) {
-                ath10k_warn(ar, "htt is confused. refusing rx\n");
-                return -1;
-        }
-        msdu = *head_msdu = ath10k_htt_rx_netbuf_pop(htt);
-        while (msdu) {
                int last_msdu, msdu_len_invalid, msdu_chained;
-                dma_unmap_single(htt->ar->dev,
+                msdu = ath10k_htt_rx_netbuf_pop(htt);
-                                 ATH10K_SKB_CB(msdu)->paddr,
+                if (!msdu) {
-                                 msdu->len + skb_tailroom(msdu),
+                        __skb_queue_purge(amsdu);
-                                 DMA_FROM_DEVICE);
+                        return -ENOENT;
+                }
-                ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "htt rx pop: ",
+                __skb_queue_tail(amsdu, msdu);
-                                msdu->data, msdu->len + skb_tailroom(msdu));
                rx_desc = (struct htt_rx_desc *)msdu->data;
@@ -357,19 +268,10 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                 */
                if (!(__le32_to_cpu(rx_desc->attention.flags)
                                & RX_ATTENTION_FLAGS_MSDU_DONE)) {
-                        ath10k_htt_rx_free_msdu_chain(*head_msdu);
+                        __skb_queue_purge(amsdu);
-                        *head_msdu = NULL;
+                        return -EIO;
-                        msdu = NULL;
-                        ath10k_err(ar, "htt rx stopped. cannot recover\n");
-                        htt->rx_confused = true;
-                        break;
                }
-                *attention |= __le32_to_cpu(rx_desc->attention.flags) &
-                                            (RX_ATTENTION_FLAGS_TKIP_MIC_ERR |
-                                             RX_ATTENTION_FLAGS_DECRYPT_ERR |
-                                             RX_ATTENTION_FLAGS_FCS_ERR |
-                                             RX_ATTENTION_FLAGS_MGMT_TYPE);
                /*
                 * Copy the FW rx descriptor for this MSDU from the rx
                 * indication message into the MSDU's netbuf. HL uses the
@@ -426,46 +328,32 @@ static int ath10k_htt_rx_amsdu_pop(struct ath10k_htt *htt,
                skb_put(msdu, min(msdu_len, HTT_RX_MSDU_SIZE));
                msdu_len -= msdu->len;
-                /* FIXME: Do chained buffers include htt_rx_desc or not? */
+                /* Note: Chained buffers do not contain rx descriptor */
                while (msdu_chained--) {
-                        struct sk_buff *next = ath10k_htt_rx_netbuf_pop(htt);
+                        msdu = ath10k_htt_rx_netbuf_pop(htt);
+                        if (!msdu) {
-                        dma_unmap_single(htt->ar->dev,
+                                __skb_queue_purge(amsdu);
-                                         ATH10K_SKB_CB(next)->paddr,
+                                return -ENOENT;
-                                         next->len + skb_tailroom(next),
+                        }
-                                         DMA_FROM_DEVICE);
-                        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL,
-                                        "htt rx chained: ", next->data,
-                                        next->len + skb_tailroom(next));
-                        skb_trim(next, 0);
-                        skb_put(next, min(msdu_len, HTT_RX_BUF_SIZE));
-                        msdu_len -= next->len;
-                        msdu->next = next;
+                        __skb_queue_tail(amsdu, msdu);
-                        msdu = next;
+                        skb_trim(msdu, 0);
+                        skb_put(msdu, min(msdu_len, HTT_RX_BUF_SIZE));
+                        msdu_len -= msdu->len;
                        msdu_chaining = 1;
                }
                last_msdu = __le32_to_cpu(rx_desc->msdu_end.info0) &
                                RX_MSDU_END_INFO0_LAST_MSDU;
-                tsf = __le32_to_cpu(rx_desc->ppdu_end.tsf_timestamp);
+                trace_ath10k_htt_rx_desc(ar, &rx_desc->attention,
-                trace_ath10k_htt_rx_desc(ar, tsf, &rx_desc->attention,
                                         sizeof(*rx_desc) - sizeof(u32));
-                if (last_msdu) {
-                        msdu->next = NULL;
-                        break;
-                }
-                next = ath10k_htt_rx_netbuf_pop(htt);
+                if (last_msdu)
-                msdu->next = next;
+                        break;
-                msdu = next;
        }
-        *tail_msdu = msdu;
-        if (*head_msdu == NULL)
+        if (skb_queue_empty(amsdu))
                msdu_chaining = -1;
        /*
@@ -499,25 +387,20 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
        size_t size;
        struct timer_list *timer = &htt->rx_ring.refill_retry_timer;
-        htt->rx_ring.size = ath10k_htt_rx_ring_size(htt);
+        htt->rx_confused = false;
+        /* XXX: The fill level could be changed during runtime in response to
+         * the host processing latency. Is this really worth it?
+         */
+        htt->rx_ring.size = HTT_RX_RING_SIZE;
+        htt->rx_ring.size_mask = htt->rx_ring.size - 1;
+        htt->rx_ring.fill_level = HTT_RX_RING_FILL_LEVEL;
        if (!is_power_of_2(htt->rx_ring.size)) {
                ath10k_warn(ar, "htt rx ring size is not power of 2\n");
                return -EINVAL;
        }
-        htt->rx_ring.size_mask = htt->rx_ring.size - 1;
-        /*
-         * Set the initial value for the level to which the rx ring
-         * should be filled, based on the max throughput and the
-         * worst likely latency for the host to fill the rx ring
-         * with new buffers. In theory, this fill level can be
-         * dynamically adjusted from the initial value set here, to
-         * reflect the actual host latency rather than a
-         * conservative assumption about the host latency.
-         */
-        htt->rx_ring.fill_level = ath10k_htt_rx_ring_fill_level(htt);
        htt->rx_ring.netbufs_ring =
                kzalloc(htt->rx_ring.size * sizeof(struct sk_buff *),
                        GFP_KERNEL);
@@ -588,73 +471,50 @@ static int ath10k_htt_rx_crypto_param_len(struct ath10k *ar,
                                          enum htt_rx_mpdu_encrypt_type type)
 {
        switch (type) {
+        case HTT_RX_MPDU_ENCRYPT_NONE:
+                return 0;
        case HTT_RX_MPDU_ENCRYPT_WEP40:
        case HTT_RX_MPDU_ENCRYPT_WEP104:
-                return 4;
+                return IEEE80211_WEP_IV_LEN;
        case HTT_RX_MPDU_ENCRYPT_TKIP_WITHOUT_MIC:
-        case HTT_RX_MPDU_ENCRYPT_WEP128: /* not tested */
        case HTT_RX_MPDU_ENCRYPT_TKIP_WPA:
-        case HTT_RX_MPDU_ENCRYPT_WAPI: /* not tested */
+                return IEEE80211_TKIP_IV_LEN;
        case HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2:
-                return 8;
+                return IEEE80211_CCMP_HDR_LEN;
-        case HTT_RX_MPDU_ENCRYPT_NONE:
+        case HTT_RX_MPDU_ENCRYPT_WEP128:
-                return 0;
+        case HTT_RX_MPDU_ENCRYPT_WAPI:
+                break;
        }
-        ath10k_warn(ar, "unknown encryption type %d\n", type);
+        ath10k_warn(ar, "unsupported encryption type %d\n", type);
        return 0;
 }
+#define MICHAEL_MIC_LEN 8
 static int ath10k_htt_rx_crypto_tail_len(struct ath10k *ar,
                                         enum htt_rx_mpdu_encrypt_type type)
 {
        switch (type) {
        case HTT_RX_MPDU_ENCRYPT_NONE:
+                return 0;
        case HTT_RX_MPDU_ENCRYPT_WEP40:
        case HTT_RX_MPDU_ENCRYPT_WEP104:
-        case HTT_RX_MPDU_ENCRYPT_WEP128:
+                return IEEE80211_WEP_ICV_LEN;
-        case HTT_RX_MPDU_ENCRYPT_WAPI:
-                return 0;
        case HTT_RX_MPDU_ENCRYPT_TKIP_WITHOUT_MIC:
        case HTT_RX_MPDU_ENCRYPT_TKIP_WPA:
-                return 4;
+                return IEEE80211_TKIP_ICV_LEN;
        case HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2:
-                return 8;
+                return IEEE80211_CCMP_MIC_LEN;
+        case HTT_RX_MPDU_ENCRYPT_WEP128:
+        case HTT_RX_MPDU_ENCRYPT_WAPI:
+                break;
        }
-        ath10k_warn(ar, "unknown encryption type %d\n", type);
+        ath10k_warn(ar, "unsupported encryption type %d\n", type);
        return 0;
 }
-/* Applies for first msdu in chain, before altering it. */
-static struct ieee80211_hdr *ath10k_htt_rx_skb_get_hdr(struct sk_buff *skb)
-{
-        struct htt_rx_desc *rxd;
-        enum rx_msdu_decap_format fmt;
-        rxd = (void *)skb->data - sizeof(*rxd);
-        fmt = MS(__le32_to_cpu(rxd->msdu_start.info1),
-                 RX_MSDU_START_INFO1_DECAP_FORMAT);
-        if (fmt == RX_MSDU_DECAP_RAW)
-                return (void *)skb->data;
-        return (void *)skb->data - RX_HTT_HDR_STATUS_LEN;
-}
-/* This function only applies for first msdu in an msdu chain */
-static bool ath10k_htt_rx_hdr_is_amsdu(struct ieee80211_hdr *hdr)
-{
-        u8 *qc;
-        if (ieee80211_is_data_qos(hdr->frame_control)) {
-                qc = ieee80211_get_qos_ctl(hdr);
-                if (qc[0] & 0x80)
-                        return true;
-        }
-        return false;
-}
 struct rfc1042_hdr {
        u8 llc_dsap;
        u8 llc_ssap;
@@ -689,23 +549,34 @@ static const u8 rx_legacy_rate_idx[] = {
 };
 static void ath10k_htt_rx_h_rates(struct ath10k *ar,
-                                  enum ieee80211_band band,
+                                  struct ieee80211_rx_status *status,
-                                  u8 info0, u32 info1, u32 info2,
+                                  struct htt_rx_desc *rxd)
-                                  struct ieee80211_rx_status *status)
 {
+        enum ieee80211_band band;
        u8 cck, rate, rate_idx, bw, sgi, mcs, nss;
        u8 preamble = 0;
+        u32 info1, info2, info3;
-        /* Check if valid fields */
+        /* Band value can't be set as undefined but freq can be 0 - use that to
-        if (!(info0 & HTT_RX_INDICATION_INFO0_START_VALID))
+         * determine whether band is provided.
+         *
+         * FIXME: Perhaps this can go away if CCK rate reporting is a little
+         * reworked?
+         */
+        if (!status->freq)
                return;
-        preamble = MS(info1, HTT_RX_INDICATION_INFO1_PREAMBLE_TYPE);
+        band = status->band;
+        info1 = __le32_to_cpu(rxd->ppdu_start.info1);
+        info2 = __le32_to_cpu(rxd->ppdu_start.info2);
+        info3 = __le32_to_cpu(rxd->ppdu_start.info3);
+        preamble = MS(info1, RX_PPDU_START_INFO1_PREAMBLE_TYPE);
        switch (preamble) {
        case HTT_RX_LEGACY:
-                cck = info0 & HTT_RX_INDICATION_INFO0_LEGACY_RATE_CCK;
+                cck = info1 & RX_PPDU_START_INFO1_L_SIG_RATE_SELECT;
-                rate = MS(info0, HTT_RX_INDICATION_INFO0_LEGACY_RATE);
+                rate = MS(info1, RX_PPDU_START_INFO1_L_SIG_RATE);
                rate_idx = 0;
                if (rate < 0x08 || rate > 0x0F)
@@ -732,11 +603,11 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
                break;
        case HTT_RX_HT:
        case HTT_RX_HT_WITH_TXBF:
-                /* HT-SIG - Table 20-11 in info1 and info2 */
+                /* HT-SIG - Table 20-11 in info2 and info3 */
-                mcs = info1 & 0x1F;
+                mcs = info2 & 0x1F;
                nss = mcs >> 3;
-                bw = (info1 >> 7) & 1;
+                bw = (info2 >> 7) & 1;
-                sgi = (info2 >> 7) & 1;
+                sgi = (info3 >> 7) & 1;
                status->rate_idx = mcs;
                status->flag |= RX_FLAG_HT;
@@ -747,12 +618,12 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
                break;
        case HTT_RX_VHT:
        case HTT_RX_VHT_WITH_TXBF:
-                /* VHT-SIG-A1 in info 1, VHT-SIG-A2 in info2
+                /* VHT-SIG-A1 in info2, VHT-SIG-A2 in info3
                   TODO check this */
-                mcs = (info2 >> 4) & 0x0F;
+                mcs = (info3 >> 4) & 0x0F;
-                nss = ((info1 >> 10) & 0x07) + 1;
+                nss = ((info2 >> 10) & 0x07) + 1;
-                bw = info1 & 3;
+                bw = info2 & 3;
-                sgi = info2 & 1;
+                sgi = info3 & 1;
                status->rate_idx = mcs;
                status->vht_nss = nss;
@@ -780,41 +651,6 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar,
        }
 }
-static void ath10k_htt_rx_h_protected(struct ath10k_htt *htt,
-                                      struct ieee80211_rx_status *rx_status,
-                                      struct sk_buff *skb,
-                                      enum htt_rx_mpdu_encrypt_type enctype,
-                                      enum rx_msdu_decap_format fmt,
-                                      bool dot11frag)
-{
-        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
-        rx_status->flag &= ~(RX_FLAG_DECRYPTED |
-                             RX_FLAG_IV_STRIPPED |
-                             RX_FLAG_MMIC_STRIPPED);
-        if (enctype == HTT_RX_MPDU_ENCRYPT_NONE)
-                return;
-        /*
-         * There's no explicit rx descriptor flag to indicate whether a given
-         * frame has been decrypted or not. We're forced to use the decap
-         * format as an implicit indication. However fragmentation rx is always
-         * raw and it probably never reports undecrypted raws.
-         *
-         * This makes sure sniffed frames are reported as-is without stripping
-         * the protected flag.
-         */
-        if (fmt == RX_MSDU_DECAP_RAW && !dot11frag)
-                return;
-        rx_status->flag |= RX_FLAG_DECRYPTED |
-                           RX_FLAG_IV_STRIPPED |
-                           RX_FLAG_MMIC_STRIPPED;
-        hdr->frame_control = __cpu_to_le16(__le16_to_cpu(hdr->frame_control) &
-                                           ~IEEE80211_FCTL_PROTECTED);
-}
 static bool ath10k_htt_rx_h_channel(struct ath10k *ar,
                                    struct ieee80211_rx_status *status)
 {
@@ -835,6 +671,72 @@ static bool ath10k_htt_rx_h_channel(struct ath10k *ar,
        return true;
 }
+static void ath10k_htt_rx_h_signal(struct ath10k *ar,
+                                   struct ieee80211_rx_status *status,
+                                   struct htt_rx_desc *rxd)
+{
+        /* FIXME: Get real NF */
+        status->signal = ATH10K_DEFAULT_NOISE_FLOOR +
+                         rxd->ppdu_start.rssi_comb;
+        status->flag &= ~RX_FLAG_NO_SIGNAL_VAL;
+}
+static void ath10k_htt_rx_h_mactime(struct ath10k *ar,
+                                    struct ieee80211_rx_status *status,
+                                    struct htt_rx_desc *rxd)
+{
+        /* FIXME: TSF is known only at the end of PPDU, in the last MPDU. This
+         * means all prior MSDUs in a PPDU are reported to mac80211 without the
+         * TSF. Is it worth holding frames until end of PPDU is known?
+         *
+         * FIXME: Can we get/compute 64bit TSF?
+         */
+        status->mactime = __le32_to_cpu(rxd->ppdu_end.tsf_timestamp);
+        status->flag |= RX_FLAG_MACTIME_END;
+}
+static void ath10k_htt_rx_h_ppdu(struct ath10k *ar,
+                                 struct sk_buff_head *amsdu,
+                                 struct ieee80211_rx_status *status)
+{
+        struct sk_buff *first;
+        struct htt_rx_desc *rxd;
+        bool is_first_ppdu;
+        bool is_last_ppdu;
+        if (skb_queue_empty(amsdu))
+                return;
+        first = skb_peek(amsdu);
+        rxd = (void *)first->data - sizeof(*rxd);
+        is_first_ppdu = !!(rxd->attention.flags &
+                           __cpu_to_le32(RX_ATTENTION_FLAGS_FIRST_MPDU));
+        is_last_ppdu = !!(rxd->attention.flags &
+                          __cpu_to_le32(RX_ATTENTION_FLAGS_LAST_MPDU));
+        if (is_first_ppdu) {
+                /* New PPDU starts so clear out the old per-PPDU status. */
+                status->freq = 0;
+                status->rate_idx = 0;
+                status->vht_nss = 0;
+                status->vht_flag &= ~RX_VHT_FLAG_80MHZ;
+                status->flag &= ~(RX_FLAG_HT |
+                                  RX_FLAG_VHT |
+                                  RX_FLAG_SHORT_GI |
+                                  RX_FLAG_40MHZ |
+                                  RX_FLAG_MACTIME_END);
+                status->flag |= RX_FLAG_NO_SIGNAL_VAL;
+                ath10k_htt_rx_h_signal(ar, status, rxd);
+                ath10k_htt_rx_h_channel(ar, status);
+                ath10k_htt_rx_h_rates(ar, status, rxd);
+        }
+        if (is_last_ppdu)
+                ath10k_htt_rx_h_mactime(ar, status, rxd);
+}
 static const char * const tid_to_ac[] = {
        "BE",
        "BK",
@@ -899,6 +801,8 @@ static void ath10k_process_rx(struct ath10k *ar,
                   !!(status->flag & RX_FLAG_AMSDU_MORE));
        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "rx skb: ",
                        skb->data, skb->len);
+        trace_ath10k_rx_hdr(ar, skb->data, skb->len);
+        trace_ath10k_rx_payload(ar, skb->data, skb->len);
        ieee80211_rx(ar->hw, skb);
 }
@@ -909,187 +813,263 @@ static int ath10k_htt_rx_nwifi_hdrlen(struct ieee80211_hdr *hdr)
        return round_up(ieee80211_hdrlen(hdr->frame_control), 4);
 }
-static void ath10k_htt_rx_amsdu(struct ath10k_htt *htt,
+static void ath10k_htt_rx_h_undecap_raw(struct ath10k *ar,
-                                struct ieee80211_rx_status *rx_status,
+                                        struct sk_buff *msdu,
-                                struct sk_buff *skb_in)
+                                        struct ieee80211_rx_status *status,
+                                        enum htt_rx_mpdu_encrypt_type enctype,
+                                        bool is_decrypted)
 {
-        struct ath10k *ar = htt->ar;
+        struct ieee80211_hdr *hdr;
        struct htt_rx_desc *rxd;
-        struct sk_buff *skb = skb_in;
+        size_t hdr_len;
-        struct sk_buff *first;
+        size_t crypto_len;
-        enum rx_msdu_decap_format fmt;
+        bool is_first;
-        enum htt_rx_mpdu_encrypt_type enctype;
+        bool is_last;
+        rxd = (void *)msdu->data - sizeof(*rxd);
+        is_first = !!(rxd->msdu_end.info0 &
+                      __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
+        is_last = !!(rxd->msdu_end.info0 &
+                     __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
+        /* Delivered decapped frame:
+         * [802.11 header]
+         * [crypto param] <-- can be trimmed if !fcs_err &&
+         *                    !decrypt_err && !peer_idx_invalid
+         * [amsdu header] <-- only if A-MSDU
+         * [rfc1042/llc]
+         * [payload]
+         * [FCS] <-- at end, needs to be trimmed
+         */
+        /* This probably shouldn't happen but warn just in case */
+        if (unlikely(WARN_ON_ONCE(!is_first)))
+                return;
+        /* This probably shouldn't happen but warn just in case */
+        if (unlikely(WARN_ON_ONCE(!(is_first && is_last))))
+                return;
+        skb_trim(msdu, msdu->len - FCS_LEN);
+        /* In most cases this will be true for sniffed frames. It makes sense
+         * to deliver them as-is without stripping the crypto param. This would
+         * also make sense for software based decryption (which is not
+         * implemented in ath10k).
+         *
+         * If there's no error then the frame is decrypted. At least that is
+         * the case for frames that come in via fragmented rx indication.
+         */
+        if (!is_decrypted)
+                return;
+        /* The payload is decrypted so strip crypto params. Start from tail
+         * since hdr is used to compute some stuff.
+         */
+        hdr = (void *)msdu->data;
+        /* Tail */
+        skb_trim(msdu, msdu->len - ath10k_htt_rx_crypto_tail_len(ar, enctype));
+        /* MMIC */
+        if (!ieee80211_has_morefrags(hdr->frame_control) &&
+            enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
+                skb_trim(msdu, msdu->len - 8);
+        /* Head */
+        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
+        memmove((void *)msdu->data + crypto_len,
+                (void *)msdu->data, hdr_len);
+        skb_pull(msdu, crypto_len);
+}
+static void ath10k_htt_rx_h_undecap_nwifi(struct ath10k *ar,
+                                          struct sk_buff *msdu,
+                                          struct ieee80211_rx_status *status,
+                                          const u8 first_hdr[64])
+{
        struct ieee80211_hdr *hdr;
-        u8 hdr_buf[64], da[ETH_ALEN], sa[ETH_ALEN], *qos;
+        size_t hdr_len;
-        unsigned int hdr_len;
+        u8 da[ETH_ALEN];
+        u8 sa[ETH_ALEN];
-        rxd = (void *)skb->data - sizeof(*rxd);
+        /* Delivered decapped frame:
-        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
+         * [nwifi 802.11 header] <-- replaced with 802.11 hdr
-                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
+         * [rfc1042/llc]
+         *
+         * Note: The nwifi header doesn't have QoS Control and is
+         * (always?) a 3addr frame.
+         *
+         * Note2: There's no A-MSDU subframe header. Even if it's part
+         * of an A-MSDU.
+         */
+        /* pull decapped header and copy SA & DA */
+        hdr = (struct ieee80211_hdr *)msdu->data;
+        hdr_len = ath10k_htt_rx_nwifi_hdrlen(hdr);
+        ether_addr_copy(da, ieee80211_get_DA(hdr));
+        ether_addr_copy(sa, ieee80211_get_SA(hdr));
+        skb_pull(msdu, hdr_len);
-        hdr = (struct ieee80211_hdr *)rxd->rx_hdr_status;
+        /* push original 802.11 header */
+        hdr = (struct ieee80211_hdr *)first_hdr;
        hdr_len = ieee80211_hdrlen(hdr->frame_control);
-        memcpy(hdr_buf, hdr, hdr_len);
+        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
-        hdr = (struct ieee80211_hdr *)hdr_buf;
-        first = skb;
-        while (skb) {
-                void *decap_hdr;
-                int len;
-                rxd = (void *)skb->data - sizeof(*rxd);
-                fmt = MS(__le32_to_cpu(rxd->msdu_start.info1),
-                         RX_MSDU_START_INFO1_DECAP_FORMAT);
-                decap_hdr = (void *)rxd->rx_hdr_status;
-                skb->ip_summed = ath10k_htt_rx_get_csum_state(skb);
-                /* First frame in an A-MSDU chain has more decapped data. */
-                if (skb == first) {
-                        len = round_up(ieee80211_hdrlen(hdr->frame_control), 4);
-                        len += round_up(ath10k_htt_rx_crypto_param_len(ar,
-                                                enctype), 4);
-                        decap_hdr += len;
-                }
-                switch (fmt) {
+        /* original 802.11 header has a different DA and in
-                case RX_MSDU_DECAP_RAW:
+         * case of 4addr it may also have different SA
-                        /* remove trailing FCS */
+         */
-                        skb_trim(skb, skb->len - FCS_LEN);
+        hdr = (struct ieee80211_hdr *)msdu->data;
-                        break;
+        ether_addr_copy(ieee80211_get_DA(hdr), da);
-                case RX_MSDU_DECAP_NATIVE_WIFI:
+        ether_addr_copy(ieee80211_get_SA(hdr), sa);
-                        /* pull decapped header and copy SA & DA */
+}
-                        hdr = (struct ieee80211_hdr *)skb->data;
-                        hdr_len = ath10k_htt_rx_nwifi_hdrlen(hdr);
+static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar,
-                        ether_addr_copy(da, ieee80211_get_DA(hdr));
+                                          struct sk_buff *msdu,
-                        ether_addr_copy(sa, ieee80211_get_SA(hdr));
+                                          enum htt_rx_mpdu_encrypt_type enctype)
-                        skb_pull(skb, hdr_len);
+{
+        struct ieee80211_hdr *hdr;
-                        /* push original 802.11 header */
+        struct htt_rx_desc *rxd;
-                        hdr = (struct ieee80211_hdr *)hdr_buf;
+        size_t hdr_len, crypto_len;
-                        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        void *rfc1042;
-                        memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
+        bool is_first, is_last, is_amsdu;
-                        /* original A-MSDU header has the bit set but we're
-                         * not including A-MSDU subframe header */
-                        hdr = (struct ieee80211_hdr *)skb->data;
-                        qos = ieee80211_get_qos_ctl(hdr);
-                        qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT;
-                        /* original 802.11 header has a different DA and in
-                         * case of 4addr it may also have different SA
-                         */
-                        ether_addr_copy(ieee80211_get_DA(hdr), da);
-                        ether_addr_copy(ieee80211_get_SA(hdr), sa);
-                        break;
-                case RX_MSDU_DECAP_ETHERNET2_DIX:
-                        /* strip ethernet header and insert decapped 802.11
-                         * header, amsdu subframe header and rfc1042 header */
-                        len = 0;
+        rxd = (void *)msdu->data - sizeof(*rxd);
-                        len += sizeof(struct rfc1042_hdr);
+        hdr = (void *)rxd->rx_hdr_status;
-                        len += sizeof(struct amsdu_subframe_hdr);
-                        skb_pull(skb, sizeof(struct ethhdr));
+        is_first = !!(rxd->msdu_end.info0 &
-                        memcpy(skb_push(skb, len), decap_hdr, len);
+                      __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
-                        memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
+        is_last = !!(rxd->msdu_end.info0 &
-                        break;
+                     __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
-                case RX_MSDU_DECAP_8023_SNAP_LLC:
+        is_amsdu = !(is_first && is_last);
-                        /* insert decapped 802.11 header making a singly
-                         * A-MSDU */
-                        memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
-                        break;
-                }
-                skb_in = skb;
+        rfc1042 = hdr;
-                ath10k_htt_rx_h_protected(htt, rx_status, skb_in, enctype, fmt,
-                                          false);
-                skb = skb->next;
-                skb_in->next = NULL;
-                if (skb)
+        if (is_first) {
-                        rx_status->flag |= RX_FLAG_AMSDU_MORE;
+                hdr_len = ieee80211_hdrlen(hdr->frame_control);
-                else
+                crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
-                        rx_status->flag &= ~RX_FLAG_AMSDU_MORE;
-                ath10k_process_rx(htt->ar, rx_status, skb_in);
+                rfc1042 += round_up(hdr_len, 4) +
+                           round_up(crypto_len, 4);
        }
-        /* FIXME: It might be nice to re-assemble the A-MSDU when there's a
+        if (is_amsdu)
-         * monitor interface active for sniffing purposes. */
+                rfc1042 += sizeof(struct amsdu_subframe_hdr);
+        return rfc1042;
 }
-static void ath10k_htt_rx_msdu(struct ath10k_htt *htt,
+static void ath10k_htt_rx_h_undecap_eth(struct ath10k *ar,
-                               struct ieee80211_rx_status *rx_status,
+                                        struct sk_buff *msdu,
-                               struct sk_buff *skb)
+                                        struct ieee80211_rx_status *status,
+                                        const u8 first_hdr[64],
+                                        enum htt_rx_mpdu_encrypt_type enctype)
 {
-        struct ath10k *ar = htt->ar;
-        struct htt_rx_desc *rxd;
        struct ieee80211_hdr *hdr;
-        enum rx_msdu_decap_format fmt;
+        struct ethhdr *eth;
-        enum htt_rx_mpdu_encrypt_type enctype;
+        size_t hdr_len;
-        int hdr_len;
        void *rfc1042;
+        u8 da[ETH_ALEN];
+        u8 sa[ETH_ALEN];
-        /* This shouldn't happen. If it does than it may be a FW bug. */
+        /* Delivered decapped frame:
-        if (skb->next) {
+         * [eth header] <-- replaced with 802.11 hdr & rfc1042/llc
-                ath10k_warn(ar, "htt rx received chained non A-MSDU frame\n");
+         * [payload]
-                ath10k_htt_rx_free_msdu_chain(skb->next);
+         */
-                skb->next = NULL;
-        }
-        rxd = (void *)skb->data - sizeof(*rxd);
+        rfc1042 = ath10k_htt_rx_h_find_rfc1042(ar, msdu, enctype);
-        fmt = MS(__le32_to_cpu(rxd->msdu_start.info1),
+        if (WARN_ON_ONCE(!rfc1042))
-                 RX_MSDU_START_INFO1_DECAP_FORMAT);
+                return;
-        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
-                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
+        /* pull decapped header and copy SA & DA */
-        hdr = (struct ieee80211_hdr *)rxd->rx_hdr_status;
+        eth = (struct ethhdr *)msdu->data;
+        ether_addr_copy(da, eth->h_dest);
+        ether_addr_copy(sa, eth->h_source);
+        skb_pull(msdu, sizeof(struct ethhdr));
+        /* push rfc1042/llc/snap */
+        memcpy(skb_push(msdu, sizeof(struct rfc1042_hdr)), rfc1042,
+               sizeof(struct rfc1042_hdr));
+        /* push original 802.11 header */
+        hdr = (struct ieee80211_hdr *)first_hdr;
+        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
+        /* original 802.11 header has a different DA and in
+         * case of 4addr it may also have different SA
+         */
+        hdr = (struct ieee80211_hdr *)msdu->data;
+        ether_addr_copy(ieee80211_get_DA(hdr), da);
+        ether_addr_copy(ieee80211_get_SA(hdr), sa);
+}
+static void ath10k_htt_rx_h_undecap_snap(struct ath10k *ar,
+                                         struct sk_buff *msdu,
+                                         struct ieee80211_rx_status *status,
+                                         const u8 first_hdr[64])
+{
+        struct ieee80211_hdr *hdr;
+        size_t hdr_len;
+        /* Delivered decapped frame:
+         * [amsdu header] <-- replaced with 802.11 hdr
+         * [rfc1042/llc]
+         * [payload]
+         */
+        skb_pull(msdu, sizeof(struct amsdu_subframe_hdr));
+        hdr = (struct ieee80211_hdr *)first_hdr;
        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        memcpy(skb_push(msdu, hdr_len), hdr, hdr_len);
+}
-        skb->ip_summed = ath10k_htt_rx_get_csum_state(skb);
+static void ath10k_htt_rx_h_undecap(struct ath10k *ar,
+                                    struct sk_buff *msdu,
+                                    struct ieee80211_rx_status *status,
+                                    u8 first_hdr[64],
+                                    enum htt_rx_mpdu_encrypt_type enctype,
+                                    bool is_decrypted)
+{
+        struct htt_rx_desc *rxd;
+        enum rx_msdu_decap_format decap;
+        struct ieee80211_hdr *hdr;
+        /* First msdu's decapped header:
+         * [802.11 header] <-- padded to 4 bytes long
+         * [crypto param] <-- padded to 4 bytes long
+         * [amsdu header] <-- only if A-MSDU
+         * [rfc1042/llc]
+         *
+         * Other (2nd, 3rd, ..) msdu's decapped header:
+         * [amsdu header] <-- only if A-MSDU
+         * [rfc1042/llc]
+         */
-        switch (fmt) {
+        rxd = (void *)msdu->data - sizeof(*rxd);
+        hdr = (void *)rxd->rx_hdr_status;
+        decap = MS(__le32_to_cpu(rxd->msdu_start.info1),
+                   RX_MSDU_START_INFO1_DECAP_FORMAT);
+        switch (decap) {
        case RX_MSDU_DECAP_RAW:
-                /* remove trailing FCS */
+                ath10k_htt_rx_h_undecap_raw(ar, msdu, status, enctype,
-                skb_trim(skb, skb->len - FCS_LEN);
+                                            is_decrypted);
                break;
        case RX_MSDU_DECAP_NATIVE_WIFI:
-                /* Pull decapped header */
+                ath10k_htt_rx_h_undecap_nwifi(ar, msdu, status, first_hdr);
-                hdr = (struct ieee80211_hdr *)skb->data;
-                hdr_len = ath10k_htt_rx_nwifi_hdrlen(hdr);
-                skb_pull(skb, hdr_len);
-                /* Push original header */
-                hdr = (struct ieee80211_hdr *)rxd->rx_hdr_status;
-                hdr_len = ieee80211_hdrlen(hdr->frame_control);
-                memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
                break;
        case RX_MSDU_DECAP_ETHERNET2_DIX:
-                /* strip ethernet header and insert decapped 802.11 header and
+                ath10k_htt_rx_h_undecap_eth(ar, msdu, status, first_hdr, enctype);
-                 * rfc1042 header */
-                rfc1042 = hdr;
-                rfc1042 += roundup(hdr_len, 4);
-                rfc1042 += roundup(ath10k_htt_rx_crypto_param_len(ar,
-                                        enctype), 4);
-                skb_pull(skb, sizeof(struct ethhdr));
-                memcpy(skb_push(skb, sizeof(struct rfc1042_hdr)),
-                       rfc1042, sizeof(struct rfc1042_hdr));
-                memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
                break;
        case RX_MSDU_DECAP_8023_SNAP_LLC:
-                /* remove A-MSDU subframe header and insert
+                ath10k_htt_rx_h_undecap_snap(ar, msdu, status, first_hdr);
-                 * decapped 802.11 header. rfc1042 header is already there */
-                skb_pull(skb, sizeof(struct amsdu_subframe_hdr));
-                memcpy(skb_push(skb, hdr_len), hdr, hdr_len);
                break;
        }
-        ath10k_htt_rx_h_protected(htt, rx_status, skb, enctype, fmt, false);
-        ath10k_process_rx(htt->ar, rx_status, skb);
 }
 static int ath10k_htt_rx_get_csum_state(struct sk_buff *skb)
@@ -1123,10 +1103,128 @@ static int ath10k_htt_rx_get_csum_state(struct sk_buff *skb)
        return CHECKSUM_UNNECESSARY;
 }
-static int ath10k_unchain_msdu(struct sk_buff *msdu_head)
+static void ath10k_htt_rx_h_csum_offload(struct sk_buff *msdu)
+{
+        msdu->ip_summed = ath10k_htt_rx_get_csum_state(msdu);
+}
+static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
+                                 struct sk_buff_head *amsdu,
+                                 struct ieee80211_rx_status *status)
+{
+        struct sk_buff *first;
+        struct sk_buff *last;
+        struct sk_buff *msdu;
+        struct htt_rx_desc *rxd;
+        struct ieee80211_hdr *hdr;
+        enum htt_rx_mpdu_encrypt_type enctype;
+        u8 first_hdr[64];
+        u8 *qos;
+        size_t hdr_len;
+        bool has_fcs_err;
+        bool has_crypto_err;
+        bool has_tkip_err;
+        bool has_peer_idx_invalid;
+        bool is_decrypted;
+        u32 attention;
+        if (skb_queue_empty(amsdu))
+                return;
+        first = skb_peek(amsdu);
+        rxd = (void *)first->data - sizeof(*rxd);
+        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
+                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
+        /* First MSDU's Rx descriptor in an A-MSDU contains full 802.11
+         * decapped header. It'll be used for undecapping of each MSDU.
+         */
+        hdr = (void *)rxd->rx_hdr_status;
+        hdr_len = ieee80211_hdrlen(hdr->frame_control);
+        memcpy(first_hdr, hdr, hdr_len);
+        /* Each A-MSDU subframe will use the original header as the base and be
+         * reported as a separate MSDU so strip the A-MSDU bit from QoS Ctl.
+         */
+        hdr = (void *)first_hdr;
+        qos = ieee80211_get_qos_ctl(hdr);
+        qos[0] &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT;
+        /* Some attention flags are valid only in the last MSDU. */
+        last = skb_peek_tail(amsdu);
+        rxd = (void *)last->data - sizeof(*rxd);
+        attention = __le32_to_cpu(rxd->attention.flags);
+        has_fcs_err = !!(attention & RX_ATTENTION_FLAGS_FCS_ERR);
+        has_crypto_err = !!(attention & RX_ATTENTION_FLAGS_DECRYPT_ERR);
+        has_tkip_err = !!(attention & RX_ATTENTION_FLAGS_TKIP_MIC_ERR);
+        has_peer_idx_invalid = !!(attention & RX_ATTENTION_FLAGS_PEER_IDX_INVALID);
+        /* Note: If hardware captures an encrypted frame that it can't decrypt,
+         * e.g. due to fcs error, missing peer or invalid key data it will
+         * report the frame as raw.
+         */
+        is_decrypted = (enctype != HTT_RX_MPDU_ENCRYPT_NONE &&
+                        !has_fcs_err &&
+                        !has_crypto_err &&
+                        !has_peer_idx_invalid);
+        /* Clear per-MPDU flags while leaving per-PPDU flags intact. */
+        status->flag &= ~(RX_FLAG_FAILED_FCS_CRC |
+                          RX_FLAG_MMIC_ERROR |
+                          RX_FLAG_DECRYPTED |
+                          RX_FLAG_IV_STRIPPED |
+                          RX_FLAG_MMIC_STRIPPED);
+        if (has_fcs_err)
+                status->flag |= RX_FLAG_FAILED_FCS_CRC;
+        if (has_tkip_err)
+                status->flag |= RX_FLAG_MMIC_ERROR;
+        if (is_decrypted)
+                status->flag |= RX_FLAG_DECRYPTED |
+                                RX_FLAG_IV_STRIPPED |
+                                RX_FLAG_MMIC_STRIPPED;
+        skb_queue_walk(amsdu, msdu) {
+                ath10k_htt_rx_h_csum_offload(msdu);
+                ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
+                                        is_decrypted);
+                /* Undecapping involves copying the original 802.11 header back
+                 * to sk_buff. If frame is protected and hardware has decrypted
+                 * it then remove the protected bit.
+                 */
+                if (!is_decrypted)
+                        continue;
+                hdr = (void *)msdu->data;
+                hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
+        }
+}
+static void ath10k_htt_rx_h_deliver(struct ath10k *ar,
+                                    struct sk_buff_head *amsdu,
+                                    struct ieee80211_rx_status *status)
 {
-        struct sk_buff *next = msdu_head->next;
+        struct sk_buff *msdu;
-        struct sk_buff *to_free = next;
+        while ((msdu = __skb_dequeue(amsdu))) {
+                /* Setup per-MSDU flags */
+                if (skb_queue_empty(amsdu))
+                        status->flag &= ~RX_FLAG_AMSDU_MORE;
+                else
+                        status->flag |= RX_FLAG_AMSDU_MORE;
+                ath10k_process_rx(ar, status, msdu);
+        }
+}
+static int ath10k_unchain_msdu(struct sk_buff_head *amsdu)
+{
+        struct sk_buff *skb, *first;
        int space;
        int total_len = 0;
@@ -1137,113 +1235,142 @@ static int ath10k_unchain_msdu(struct sk_buff *msdu_head)
         * skb?
         */
-        msdu_head->next = NULL;
+        first = __skb_dequeue(amsdu);
        /* Allocate total length all at once. */
-        while (next) {
+        skb_queue_walk(amsdu, skb)
-                total_len += next->len;
+                total_len += skb->len;
-                next = next->next;
-        }
-        space = total_len - skb_tailroom(msdu_head);
+        space = total_len - skb_tailroom(first);
        if ((space > 0) &&
-            (pskb_expand_head(msdu_head, 0, space, GFP_ATOMIC) < 0)) {
+            (pskb_expand_head(first, 0, space, GFP_ATOMIC) < 0)) {
                /* TODO:  bump some rx-oom error stat */
                /* put it back together so we can free the
                 * whole list at once.
                 */
-                msdu_head->next = to_free;
+                __skb_queue_head(amsdu, first);
                return -1;
        }
        /* Walk list again, copying contents into
         * msdu_head
         */
-        next = to_free;
+        while ((skb = __skb_dequeue(amsdu))) {
-        while (next) {
+                skb_copy_from_linear_data(skb, skb_put(first, skb->len),
-                skb_copy_from_linear_data(next, skb_put(msdu_head, next->len),
+                                          skb->len);
-                                          next->len);
+                dev_kfree_skb_any(skb);
-                next = next->next;
        }
-        /* If here, we have consolidated skb.  Free the
+        __skb_queue_head(amsdu, first);
-         * fragments and pass the main skb on up the
-         * stack.
-         */
-        ath10k_htt_rx_free_msdu_chain(to_free);
        return 0;
 }
-static bool ath10k_htt_rx_amsdu_allowed(struct ath10k_htt *htt,
+static void ath10k_htt_rx_h_unchain(struct ath10k *ar,
-                                        struct sk_buff *head,
+                                    struct sk_buff_head *amsdu,
-                                        enum htt_rx_mpdu_status status,
+                                    bool chained)
-                                        bool channel_set,
-                                        u32 attention)
 {
-        struct ath10k *ar = htt->ar;
+        struct sk_buff *first;
+        struct htt_rx_desc *rxd;
+        enum rx_msdu_decap_format decap;
-        if (head->len == 0) {
+        first = skb_peek(amsdu);
-                ath10k_dbg(ar, ATH10K_DBG_HTT,
+        rxd = (void *)first->data - sizeof(*rxd);
-                           "htt rx dropping due to zero-len\n");
+        decap = MS(__le32_to_cpu(rxd->msdu_start.info1),
-                return false;
+                   RX_MSDU_START_INFO1_DECAP_FORMAT);
-        }
-        if (attention & RX_ATTENTION_FLAGS_DECRYPT_ERR) {
+        if (!chained)
-                ath10k_dbg(ar, ATH10K_DBG_HTT,
+                return;
-                           "htt rx dropping due to decrypt-err\n");
-                return false;
-        }
-        if (!channel_set) {
+        /* FIXME: Current unchaining logic can only handle simple case of raw
-                ath10k_warn(ar, "no channel configured; ignoring frame!\n");
+         * msdu chaining. If decapping is other than raw the chaining may be
-                return false;
+         * more complex and this isn't handled by the current code. Don't even
+         * try re-constructing such frames - it'll be pretty much garbage.
+         */
+        if (decap != RX_MSDU_DECAP_RAW ||
+            skb_queue_len(amsdu) != 1 + rxd->frag_info.ring2_more_count) {
+                __skb_queue_purge(amsdu);
+                return;
        }
-        /* Skip mgmt frames while we handle this in WMI */
+        ath10k_unchain_msdu(amsdu);
-        if (status == HTT_RX_IND_MPDU_STATUS_MGMT_CTRL ||
+}
-            attention & RX_ATTENTION_FLAGS_MGMT_TYPE) {
-                ath10k_dbg(ar, ATH10K_DBG_HTT, "htt rx mgmt ctrl\n");
+static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar,
+                                        struct sk_buff_head *amsdu,
+                                        struct ieee80211_rx_status *rx_status)
+{
+        struct sk_buff *msdu;
+        struct htt_rx_desc *rxd;
+        bool is_mgmt;
+        bool has_fcs_err;
+        msdu = skb_peek(amsdu);
+        rxd = (void *)msdu->data - sizeof(*rxd);
+        /* FIXME: It might be a good idea to do some fuzzy-testing to drop
+         * invalid/dangerous frames.
+         */
+        if (!rx_status->freq) {
+                ath10k_warn(ar, "no channel configured; ignoring frame(s)!\n");
                return false;
        }
-        if (status != HTT_RX_IND_MPDU_STATUS_OK &&
+        is_mgmt = !!(rxd->attention.flags &
-            status != HTT_RX_IND_MPDU_STATUS_TKIP_MIC_ERR &&
+                     __cpu_to_le32(RX_ATTENTION_FLAGS_MGMT_TYPE));
-            status != HTT_RX_IND_MPDU_STATUS_ERR_INV_PEER &&
+        has_fcs_err = !!(rxd->attention.flags &
-            !htt->ar->monitor_started) {
+                         __cpu_to_le32(RX_ATTENTION_FLAGS_FCS_ERR));
-                ath10k_dbg(ar, ATH10K_DBG_HTT,
-                           "htt rx ignoring frame w/ status %d\n",
+        /* Management frames are handled via WMI events. The pros of such
-                           status);
+         * approach is that channel is explicitly provided in WMI events
+         * whereas HTT doesn't provide channel information for Rxed frames.
+         *
+         * However some firmware revisions don't report corrupted frames via
+         * WMI so don't drop them.
+         */
+        if (is_mgmt && !has_fcs_err) {
+                ath10k_dbg(ar, ATH10K_DBG_HTT, "htt rx mgmt ctrl\n");
                return false;
        }
-        if (test_bit(ATH10K_CAC_RUNNING, &htt->ar->dev_flags)) {
+        if (test_bit(ATH10K_CAC_RUNNING, &ar->dev_flags)) {
-                ath10k_dbg(ar, ATH10K_DBG_HTT,
+                ath10k_dbg(ar, ATH10K_DBG_HTT, "htt rx cac running\n");
-                           "htt rx CAC running\n");
                return false;
        }
        return true;
 }
+static void ath10k_htt_rx_h_filter(struct ath10k *ar,
+                                   struct sk_buff_head *amsdu,
+                                   struct ieee80211_rx_status *rx_status)
+{
+        if (skb_queue_empty(amsdu))
+                return;
+        if (ath10k_htt_rx_amsdu_allowed(ar, amsdu, rx_status))
+                return;
+        __skb_queue_purge(amsdu);
+}
 static void ath10k_htt_rx_handler(struct ath10k_htt *htt,
                                  struct htt_rx_indication *rx)
 {
        struct ath10k *ar = htt->ar;
        struct ieee80211_rx_status *rx_status = &htt->rx_status;
        struct htt_rx_indication_mpdu_range *mpdu_ranges;
-        struct htt_rx_desc *rxd;
+        struct sk_buff_head amsdu;
-        enum htt_rx_mpdu_status status;
-        struct ieee80211_hdr *hdr;
        int num_mpdu_ranges;
-        u32 attention;
        int fw_desc_len;
        u8 *fw_desc;
-        bool channel_set;
+        int i, ret, mpdu_count = 0;
-        int i, j;
-        int ret;
        lockdep_assert_held(&htt->rx_ring.lock);
+        if (htt->rx_confused)
+                return;
        fw_desc_len = __le16_to_cpu(rx->prefix.fw_rx_desc_bytes);
        fw_desc = (u8 *)&rx->fw_desc;
@@ -1251,92 +1378,33 @@ static void ath10k_htt_rx_handler(struct ath10k_htt *htt,
                             HTT_RX_INDICATION_INFO1_NUM_MPDU_RANGES);
        mpdu_ranges = htt_rx_ind_get_mpdu_ranges(rx);
-        /* Fill this once, while this is per-ppdu */
-        if (rx->ppdu.info0 & HTT_RX_INDICATION_INFO0_START_VALID) {
-                memset(rx_status, 0, sizeof(*rx_status));
-                rx_status->signal  = ATH10K_DEFAULT_NOISE_FLOOR +
-                                     rx->ppdu.combined_rssi;
-        }
-        if (rx->ppdu.info0 & HTT_RX_INDICATION_INFO0_END_VALID) {
-                /* TSF available only in 32-bit */
-                rx_status->mactime = __le32_to_cpu(rx->ppdu.tsf) & 0xffffffff;
-                rx_status->flag |= RX_FLAG_MACTIME_END;
-        }
-        channel_set = ath10k_htt_rx_h_channel(htt->ar, rx_status);
-        if (channel_set) {
-                ath10k_htt_rx_h_rates(htt->ar, rx_status->band,
-                                      rx->ppdu.info0,
-                                      __le32_to_cpu(rx->ppdu.info1),
-                                      __le32_to_cpu(rx->ppdu.info2),
-                                      rx_status);
-        }
        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "htt rx ind: ",
                        rx, sizeof(*rx) +
                        (sizeof(struct htt_rx_indication_mpdu_range) *
                                num_mpdu_ranges));
-        for (i = 0; i < num_mpdu_ranges; i++) {
+        for (i = 0; i < num_mpdu_ranges; i++)
-                status = mpdu_ranges[i].mpdu_range_status;
+                mpdu_count += mpdu_ranges[i].mpdu_count;
-                for (j = 0; j < mpdu_ranges[i].mpdu_count; j++) {
+        while (mpdu_count--) {
-                        struct sk_buff *msdu_head, *msdu_tail;
+                __skb_queue_head_init(&amsdu);
+                ret = ath10k_htt_rx_amsdu_pop(htt, &fw_desc,
-                        attention = 0;
+                                              &fw_desc_len, &amsdu);
-                        msdu_head = NULL;
+                if (ret < 0) {
-                        msdu_tail = NULL;
+                        ath10k_warn(ar, "rx ring became corrupted: %d\n", ret);
-                        ret = ath10k_htt_rx_amsdu_pop(htt,
+                        __skb_queue_purge(&amsdu);
-                                                      &fw_desc,
+                        /* FIXME: It's probably a good idea to reboot the
-                                                      &fw_desc_len,
+                         * device instead of leaving it inoperable.
-                                                      &msdu_head,
+                         */
-                                                      &msdu_tail,
+                        htt->rx_confused = true;
-                                                      &attention);
+                        break;
-                        if (ret < 0) {
-                                ath10k_warn(ar, "failed to pop amsdu from htt rx ring %d\n",
-                                            ret);
-                                ath10k_htt_rx_free_msdu_chain(msdu_head);
-                                continue;
-                        }
-                        rxd = container_of((void *)msdu_head->data,
-                                           struct htt_rx_desc,
-                                           msdu_payload);
-                        if (!ath10k_htt_rx_amsdu_allowed(htt, msdu_head,
-                                                         status,
-                                                         channel_set,
-                                                         attention)) {
-                                ath10k_htt_rx_free_msdu_chain(msdu_head);
-                                continue;
-                        }
-                        if (ret > 0 &&
-                            ath10k_unchain_msdu(msdu_head) < 0) {
-                                ath10k_htt_rx_free_msdu_chain(msdu_head);
-                                continue;
-                        }
-                        if (attention & RX_ATTENTION_FLAGS_FCS_ERR)
-                                rx_status->flag |= RX_FLAG_FAILED_FCS_CRC;
-                        else
-                                rx_status->flag &= ~RX_FLAG_FAILED_FCS_CRC;
-                        if (attention & RX_ATTENTION_FLAGS_TKIP_MIC_ERR)
-                                rx_status->flag |= RX_FLAG_MMIC_ERROR;
-                        else
-                                rx_status->flag &= ~RX_FLAG_MMIC_ERROR;
-                        hdr = ath10k_htt_rx_skb_get_hdr(msdu_head);
-                        if (ath10k_htt_rx_hdr_is_amsdu(hdr))
-                                ath10k_htt_rx_amsdu(htt, rx_status, msdu_head);
-                        else
-                                ath10k_htt_rx_msdu(htt, rx_status, msdu_head);
                }
+                ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status);
+                ath10k_htt_rx_h_unchain(ar, &amsdu, ret > 0);
+                ath10k_htt_rx_h_filter(ar, &amsdu, rx_status);
+                ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status);
+                ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status);
        }
        tasklet_schedule(&htt->rx_replenish_task);
@@ -1346,108 +1414,44 @@ static void ath10k_htt_rx_frag_handler(struct ath10k_htt *htt,
                                       struct htt_rx_fragment_indication *frag)
 {
        struct ath10k *ar = htt->ar;
-        struct sk_buff *msdu_head, *msdu_tail;
-        enum htt_rx_mpdu_encrypt_type enctype;
-        struct htt_rx_desc *rxd;
-        enum rx_msdu_decap_format fmt;
        struct ieee80211_rx_status *rx_status = &htt->rx_status;
-        struct ieee80211_hdr *hdr;
+        struct sk_buff_head amsdu;
        int ret;
-        bool tkip_mic_err;
-        bool decrypt_err;
        u8 *fw_desc;
-        int fw_desc_len, hdrlen, paramlen;
+        int fw_desc_len;
-        int trim;
-        u32 attention = 0;
        fw_desc_len = __le16_to_cpu(frag->fw_rx_desc_bytes);
        fw_desc = (u8 *)frag->fw_msdu_rx_desc;
-        msdu_head = NULL;
+        __skb_queue_head_init(&amsdu);
-        msdu_tail = NULL;
        spin_lock_bh(&htt->rx_ring.lock);
        ret = ath10k_htt_rx_amsdu_pop(htt, &fw_desc, &fw_desc_len,
-                                      &msdu_head, &msdu_tail,
+                                      &amsdu);
-                                      &attention);
        spin_unlock_bh(&htt->rx_ring.lock);
+        tasklet_schedule(&htt->rx_replenish_task);
        ath10k_dbg(ar, ATH10K_DBG_HTT_DUMP, "htt rx frag ahead\n");
        if (ret) {
                ath10k_warn(ar, "failed to pop amsdu from httr rx ring for fragmented rx %d\n",
                            ret);
-                ath10k_htt_rx_free_msdu_chain(msdu_head);
+                __skb_queue_purge(&amsdu);
                return;
        }
-        /* FIXME: implement signal strength */
+        if (skb_queue_len(&amsdu) != 1) {
-        rx_status->flag |= RX_FLAG_NO_SIGNAL_VAL;
+                ath10k_warn(ar, "failed to pop frag amsdu: too many msdus\n");
+                __skb_queue_purge(&amsdu);
-        hdr = (struct ieee80211_hdr *)msdu_head->data;
+                return;
-        rxd = (void *)msdu_head->data - sizeof(*rxd);
-        tkip_mic_err = !!(attention & RX_ATTENTION_FLAGS_TKIP_MIC_ERR);
-        decrypt_err = !!(attention & RX_ATTENTION_FLAGS_DECRYPT_ERR);
-        fmt = MS(__le32_to_cpu(rxd->msdu_start.info1),
-                 RX_MSDU_START_INFO1_DECAP_FORMAT);
-        if (fmt != RX_MSDU_DECAP_RAW) {
-                ath10k_warn(ar, "we dont support non-raw fragmented rx yet\n");
-                dev_kfree_skb_any(msdu_head);
-                goto end;
-        }
-        enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
-                     RX_MPDU_START_INFO0_ENCRYPT_TYPE);
-        ath10k_htt_rx_h_protected(htt, rx_status, msdu_head, enctype, fmt,
-                                  true);
-        msdu_head->ip_summed = ath10k_htt_rx_get_csum_state(msdu_head);
-        if (tkip_mic_err)
-                ath10k_warn(ar, "tkip mic error\n");
-        if (decrypt_err) {
-                ath10k_warn(ar, "decryption err in fragmented rx\n");
-                dev_kfree_skb_any(msdu_head);
-                goto end;
-        }
-        if (enctype != HTT_RX_MPDU_ENCRYPT_NONE) {
-                hdrlen = ieee80211_hdrlen(hdr->frame_control);
-                paramlen = ath10k_htt_rx_crypto_param_len(ar, enctype);
-                /* It is more efficient to move the header than the payload */
-                memmove((void *)msdu_head->data + paramlen,
-                        (void *)msdu_head->data,
-                        hdrlen);
-                skb_pull(msdu_head, paramlen);
-                hdr = (struct ieee80211_hdr *)msdu_head->data;
-        }
-        /* remove trailing FCS */
-        trim  = 4;
-        /* remove crypto trailer */
-        trim += ath10k_htt_rx_crypto_tail_len(ar, enctype);
-        /* last fragment of TKIP frags has MIC */
-        if (!ieee80211_has_morefrags(hdr->frame_control) &&
-            enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
-                trim += 8;
-        if (trim > msdu_head->len) {
-                ath10k_warn(ar, "htt rx fragment: trailer longer than the frame itself? drop\n");
-                dev_kfree_skb_any(msdu_head);
-                goto end;
        }
-        skb_trim(msdu_head, msdu_head->len - trim);
+        ath10k_htt_rx_h_ppdu(ar, &amsdu, rx_status);
+        ath10k_htt_rx_h_filter(ar, &amsdu, rx_status);
-        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "htt rx frag mpdu: ",
+        ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status);
-                        msdu_head->data, msdu_head->len);
+        ath10k_htt_rx_h_deliver(ar, &amsdu, rx_status);
-        ath10k_process_rx(htt->ar, rx_status, msdu_head);
-end:
        if (fw_desc_len > 0) {
                ath10k_dbg(ar, ATH10K_DBG_HTT,
                           "expecting more fragmented rx in one indication %d\n",
diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
index b0df470250a2..4bc51d8a14a3 100644
--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
@@ -92,7 +92,6 @@ int ath10k_htt_tx_alloc(struct ath10k_htt *htt)
        struct ath10k *ar = htt->ar;
        spin_lock_init(&htt->tx_lock);
-        init_waitqueue_head(&htt->empty_tx_wq);
        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, htt->ar->fw_features))
                htt->max_num_pending_tx = TARGET_10X_NUM_MSDU_DESC;
@@ -555,16 +554,18 @@ int ath10k_htt_tx(struct ath10k_htt *htt, struct sk_buff *msdu)
        skb_cb->htt.txbuf->cmd_tx.len = __cpu_to_le16(msdu->len);
        skb_cb->htt.txbuf->cmd_tx.id = __cpu_to_le16(msdu_id);
        skb_cb->htt.txbuf->cmd_tx.frags_paddr = __cpu_to_le32(frags_paddr);
-        skb_cb->htt.txbuf->cmd_tx.peerid = __cpu_to_le32(HTT_INVALID_PEERID);
+        skb_cb->htt.txbuf->cmd_tx.peerid = __cpu_to_le16(HTT_INVALID_PEERID);
+        skb_cb->htt.txbuf->cmd_tx.freq = __cpu_to_le16(skb_cb->htt.freq);
        trace_ath10k_htt_tx(ar, msdu_id, msdu->len, vdev_id, tid);
        ath10k_dbg(ar, ATH10K_DBG_HTT,
-                   "htt tx flags0 %hhu flags1 %hu len %d id %hu frags_paddr %08x, msdu_paddr %08x vdev %hhu tid %hhu\n",
+                   "htt tx flags0 %hhu flags1 %hu len %d id %hu frags_paddr %08x, msdu_paddr %08x vdev %hhu tid %hhu freq %hu\n",
                   flags0, flags1, msdu->len, msdu_id, frags_paddr,
-                   (u32)skb_cb->paddr, vdev_id, tid);
+                   (u32)skb_cb->paddr, vdev_id, tid, skb_cb->htt.freq);
        ath10k_dbg_dump(ar, ATH10K_DBG_HTT_DUMP, NULL, "htt tx msdu: ",
                        msdu->data, msdu->len);
-        trace_ath10k_htt_tx_msdu(ar, msdu->data, msdu->len);
+        trace_ath10k_tx_hdr(ar, msdu->data, msdu->len);
+        trace_ath10k_tx_payload(ar, msdu->data, msdu->len);
        sg_items[0].transfer_id = 0;
        sg_items[0].transfer_context = NULL;
diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h
index 392c2501d0a1..dfedfd0e0f34 100644
--- a/drivers/net/wireless/ath/ath10k/hw.h
+++ b/drivers/net/wireless/ath/ath10k/hw.h
@@ -97,11 +97,13 @@ struct ath10k_pktlog_hdr {
 #define TARGET_DMA_BURST_SIZE                   0
 #define TARGET_MAC_AGGR_DELIM                   0
 #define TARGET_AST_SKID_LIMIT                   16
-#define TARGET_NUM_PEERS                        16
+#define TARGET_NUM_STATIONS                     16
+#define TARGET_NUM_PEERS                        ((TARGET_NUM_STATIONS) + \
+                                                 (TARGET_NUM_VDEVS))
 #define TARGET_NUM_OFFLOAD_PEERS                0
 #define TARGET_NUM_OFFLOAD_REORDER_BUFS         0
 #define TARGET_NUM_PEER_KEYS                    2
-#define TARGET_NUM_TIDS         (2 * ((TARGET_NUM_PEERS) + (TARGET_NUM_VDEVS)))
+#define TARGET_NUM_TIDS                         ((TARGET_NUM_PEERS) * 2)
 #define TARGET_TX_CHAIN_MASK                    (BIT(0) | BIT(1) | BIT(2))
 #define TARGET_RX_CHAIN_MASK                    (BIT(0) | BIT(1) | BIT(2))
 #define TARGET_RX_TIMEOUT_LO_PRI                100
@@ -132,12 +134,15 @@ struct ath10k_pktlog_hdr {
 #define TARGET_10X_DMA_BURST_SIZE               0
 #define TARGET_10X_MAC_AGGR_DELIM               0
 #define TARGET_10X_AST_SKID_LIMIT               16
-#define TARGET_10X_NUM_PEERS                    (128 + (TARGET_10X_NUM_VDEVS))
+#define TARGET_10X_NUM_STATIONS                 128
-#define TARGET_10X_NUM_PEERS_MAX                128
+#define TARGET_10X_NUM_PEERS                    ((TARGET_10X_NUM_STATIONS) + \
+                                                 (TARGET_10X_NUM_VDEVS))
 #define TARGET_10X_NUM_OFFLOAD_PEERS            0
 #define TARGET_10X_NUM_OFFLOAD_REORDER_BUFS     0
 #define TARGET_10X_NUM_PEER_KEYS                2
-#define TARGET_10X_NUM_TIDS                     256
+#define TARGET_10X_NUM_TIDS_MAX                 256
+#define TARGET_10X_NUM_TIDS                     min((TARGET_10X_NUM_TIDS_MAX), \
+                                                    (TARGET_10X_NUM_PEERS) * 2)
 #define TARGET_10X_TX_CHAIN_MASK                (BIT(0) | BIT(1) | BIT(2))
 #define TARGET_10X_RX_CHAIN_MASK                (BIT(0) | BIT(1) | BIT(2))
 #define TARGET_10X_RX_TIMEOUT_LO_PRI            100
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index f6d2fd0887d3..c4005670cba2 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -136,7 +136,9 @@ static int ath10k_install_peer_wep_keys(struct ath10k_vif *arvif,
                if (ret)
                        return ret;
+                spin_lock_bh(&ar->data_lock);
                peer->keys[i] = arvif->wep_keys[i];
+                spin_unlock_bh(&ar->data_lock);
        }
        return 0;
@@ -173,12 +175,39 @@ static int ath10k_clear_peer_keys(struct ath10k_vif *arvif,
                        ath10k_warn(ar, "failed to remove peer wep key %d: %d\n",
                                    i, ret);
+                spin_lock_bh(&ar->data_lock);
                peer->keys[i] = NULL;
+                spin_unlock_bh(&ar->data_lock);
        }
        return first_errno;
 }
+bool ath10k_mac_is_peer_wep_key_set(struct ath10k *ar, const u8 *addr,
+                                    u8 keyidx)
+{
+        struct ath10k_peer *peer;
+        int i;
+        lockdep_assert_held(&ar->data_lock);
+        /* We don't know which vdev this peer belongs to,
+         * since WMI doesn't give us that information.
+         *
+         * FIXME: multi-bss needs to be handled.
+         */
+        peer = ath10k_peer_find(ar, 0, addr);
+        if (!peer)
+                return false;
+        for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
+                if (peer->keys[i] && peer->keys[i]->keyidx == keyidx)
+                        return true;
+        }
+        return false;
+}
 static int ath10k_clear_vdev_key(struct ath10k_vif *arvif,
                                 struct ieee80211_key_conf *key)
 {
@@ -326,6 +355,9 @@ static int ath10k_peer_create(struct ath10k *ar, u32 vdev_id, const u8 *addr)
        lockdep_assert_held(&ar->conf_mutex);
+        if (ar->num_peers >= ar->max_num_peers)
+                return -ENOBUFS;
        ret = ath10k_wmi_peer_create(ar, vdev_id, addr);
        if (ret) {
                ath10k_warn(ar, "failed to create wmi peer %pM on vdev %i: %i\n",
@@ -339,9 +371,8 @@ static int ath10k_peer_create(struct ath10k *ar, u32 vdev_id, const u8 *addr)
                            addr, vdev_id, ret);
                return ret;
        }
-        spin_lock_bh(&ar->data_lock);
        ar->num_peers++;
-        spin_unlock_bh(&ar->data_lock);
        return 0;
 }
@@ -391,15 +422,11 @@ static int ath10k_mac_set_kickout(struct ath10k_vif *arvif)
        return 0;
 }
-static int  ath10k_mac_set_rts(struct ath10k_vif *arvif, u32 value)
+static int ath10k_mac_set_rts(struct ath10k_vif *arvif, u32 value)
 {
        struct ath10k *ar = arvif->ar;
        u32 vdev_param;
-        if (value != 0xFFFFFFFF)
-                value = min_t(u32, arvif->ar->hw->wiphy->rts_threshold,
-                              ATH10K_RTS_MAX);
        vdev_param = ar->wmi.vdev_param->rts_threshold;
        return ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param, value);
 }
@@ -432,9 +459,7 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr)
        if (ret)
                return ret;
-        spin_lock_bh(&ar->data_lock);
        ar->num_peers--;
-        spin_unlock_bh(&ar->data_lock);
        return 0;
 }
@@ -471,8 +496,10 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar)
                list_del(&peer->list);
                kfree(peer);
        }
-        ar->num_peers = 0;
        spin_unlock_bh(&ar->data_lock);
+        ar->num_peers = 0;
+        ar->num_stations = 0;
 }
 /************************/
@@ -519,6 +546,9 @@ static inline int ath10k_vdev_setup_sync(struct ath10k *ar)
        lockdep_assert_held(&ar->conf_mutex);
+        if (test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags))
+                return -ESHUTDOWN;
        ret = wait_for_completion_timeout(&ar->vdev_setup_done,
                                          ATH10K_VDEV_SETUP_TIMEOUT_HZ);
        if (ret == 0)
@@ -551,6 +581,8 @@ static int ath10k_monitor_vdev_start(struct ath10k *ar, int vdev_id)
        arg.channel.max_reg_power = channel->max_reg_power * 2;
        arg.channel.max_antenna_gain = channel->max_antenna_gain * 2;
+        reinit_completion(&ar->vdev_setup_done);
        ret = ath10k_wmi_vdev_start(ar, &arg);
        if (ret) {
                ath10k_warn(ar, "failed to request monitor vdev %i start: %d\n",
@@ -598,6 +630,8 @@ static int ath10k_monitor_vdev_stop(struct ath10k *ar)
                ath10k_warn(ar, "failed to put down monitor vdev %i: %d\n",
                            ar->monitor_vdev_id, ret);
+        reinit_completion(&ar->vdev_setup_done);
        ret = ath10k_wmi_vdev_stop(ar, ar->monitor_vdev_id);
        if (ret)
                ath10k_warn(ar, "failed to to request monitor vdev %i stop: %d\n",
@@ -1990,6 +2024,18 @@ static void ath10k_tx_h_add_p2p_noa_ie(struct ath10k *ar,
        }
 }
+static bool ath10k_mac_need_offchan_tx_work(struct ath10k *ar)
+{
+        /* FIXME: Not really sure since when the behaviour changed. At some
+         * point new firmware stopped requiring creation of peer entries for
+         * offchannel tx (and actually creating them causes issues with wmi-htc
+         * tx credit replenishment and reliability). Assuming it's at least 3.4
+         * because that's when the `freq` was introduced to TX_FRM HTT command.
+         */
+        return !(ar->htt.target_version_major >= 3 &&
+                 ar->htt.target_version_minor >= 4);
+}
 static void ath10k_tx_htt(struct ath10k *ar, struct sk_buff *skb)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
@@ -2165,10 +2211,10 @@ void __ath10k_scan_finish(struct ath10k *ar)
        case ATH10K_SCAN_IDLE:
                break;
        case ATH10K_SCAN_RUNNING:
-        case ATH10K_SCAN_ABORTING:
                if (ar->scan.is_roc)
                        ieee80211_remain_on_channel_expired(ar->hw);
-                else
+        case ATH10K_SCAN_ABORTING:
+                if (!ar->scan.is_roc)
                        ieee80211_scan_completed(ar->hw,
                                                 (ar->scan.state ==
                                                  ATH10K_SCAN_ABORTING));
@@ -2334,23 +2380,28 @@ static void ath10k_tx(struct ieee80211_hw *hw,
        if (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) {
                spin_lock_bh(&ar->data_lock);
-                ATH10K_SKB_CB(skb)->htt.is_offchan = true;
+                ATH10K_SKB_CB(skb)->htt.freq = ar->scan.roc_freq;
                ATH10K_SKB_CB(skb)->vdev_id = ar->scan.vdev_id;
                spin_unlock_bh(&ar->data_lock);
-                ath10k_dbg(ar, ATH10K_DBG_MAC, "queued offchannel skb %p\n",
+                if (ath10k_mac_need_offchan_tx_work(ar)) {
-                           skb);
+                        ATH10K_SKB_CB(skb)->htt.freq = 0;
+                        ATH10K_SKB_CB(skb)->htt.is_offchan = true;
-                skb_queue_tail(&ar->offchan_tx_queue, skb);
+                        ath10k_dbg(ar, ATH10K_DBG_MAC, "queued offchannel skb %p\n",
-                ieee80211_queue_work(hw, &ar->offchan_tx_work);
+                                   skb);
-                return;
+                        skb_queue_tail(&ar->offchan_tx_queue, skb);
+                        ieee80211_queue_work(hw, &ar->offchan_tx_work);
+                        return;
+                }
        }
        ath10k_tx_htt(ar, skb);
 }
 /* Must not be called with conf_mutex held as workers can use that also. */
-static void ath10k_drain_tx(struct ath10k *ar)
+void ath10k_drain_tx(struct ath10k *ar)
 {
        /* make sure rcu-protected mac80211 tx path itself is drained */
        synchronize_net();
@@ -2407,12 +2458,28 @@ static int ath10k_get_antenna(struct ieee80211_hw *hw, u32 *tx_ant, u32 *rx_ant)
        return 0;
 }
+static void ath10k_check_chain_mask(struct ath10k *ar, u32 cm, const char *dbg)
+{
+        /* It is not clear that allowing gaps in chainmask
+         * is helpful.  Probably it will not do what user
+         * is hoping for, so warn in that case.
+         */
+        if (cm == 15 || cm == 7 || cm == 3 || cm == 1 || cm == 0)
+                return;
+        ath10k_warn(ar, "mac %s antenna chainmask may be invalid: 0x%x.  Suggested values: 15, 7, 3, 1 or 0.\n",
+                    dbg, cm);
+}
 static int __ath10k_set_antenna(struct ath10k *ar, u32 tx_ant, u32 rx_ant)
 {
        int ret;
        lockdep_assert_held(&ar->conf_mutex);
+        ath10k_check_chain_mask(ar, tx_ant, "tx");
+        ath10k_check_chain_mask(ar, rx_ant, "rx");
        ar->cfg_tx_chainmask = tx_ant;
        ar->cfg_rx_chainmask = rx_ant;
@@ -2775,6 +2842,17 @@ static int ath10k_config(struct ieee80211_hw *hw, u32 changed)
        return ret;
 }
+static u32 get_nss_from_chainmask(u16 chain_mask)
+{
+        if ((chain_mask & 0x15) == 0x15)
+                return 4;
+        else if ((chain_mask & 0x7) == 0x7)
+                return 3;
+        else if ((chain_mask & 0x3) == 0x3)
+                return 2;
+        return 1;
+}
 /*
 * TODO:
 * Figure out how to handle WMI_VDEV_SUBTYPE_P2P_DEVICE,
@@ -2907,6 +2985,20 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
                goto err_vdev_delete;
        }
+        if (ar->cfg_tx_chainmask) {
+                u16 nss = get_nss_from_chainmask(ar->cfg_tx_chainmask);
+                vdev_param = ar->wmi.vdev_param->nss;
+                ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param,
+                                                nss);
+                if (ret) {
+                        ath10k_warn(ar, "failed to set vdev %i chainmask 0x%x, nss %i: %d\n",
+                                    arvif->vdev_id, ar->cfg_tx_chainmask, nss,
+                                    ret);
+                        goto err_vdev_delete;
+                }
+        }
        if (arvif->vdev_type == WMI_VDEV_TYPE_AP) {
                ret = ath10k_peer_create(ar, arvif->vdev_id, vif->addr);
                if (ret) {
@@ -3007,10 +3099,10 @@ static void ath10k_remove_interface(struct ieee80211_hw *hw,
        struct ath10k_vif *arvif = ath10k_vif_to_arvif(vif);
        int ret;
-        mutex_lock(&ar->conf_mutex);
        cancel_work_sync(&arvif->wep_key_work);
+        mutex_lock(&ar->conf_mutex);
        spin_lock_bh(&ar->data_lock);
        ath10k_mac_vif_beacon_cleanup(arvif);
        spin_unlock_bh(&ar->data_lock);
@@ -3307,9 +3399,10 @@ static void ath10k_cancel_hw_scan(struct ieee80211_hw *hw,
        struct ath10k *ar = hw->priv;
        mutex_lock(&ar->conf_mutex);
-        cancel_delayed_work_sync(&ar->scan.timeout);
        ath10k_scan_abort(ar);
        mutex_unlock(&ar->conf_mutex);
+        cancel_delayed_work_sync(&ar->scan.timeout);
 }
 static void ath10k_set_key_h_def_keyidx(struct ath10k *ar,
@@ -3503,6 +3596,37 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
        mutex_unlock(&ar->conf_mutex);
 }
+static int ath10k_mac_inc_num_stations(struct ath10k_vif *arvif)
+{
+        struct ath10k *ar = arvif->ar;
+        lockdep_assert_held(&ar->conf_mutex);
+        if (arvif->vdev_type != WMI_VDEV_TYPE_AP &&
+            arvif->vdev_type != WMI_VDEV_TYPE_IBSS)
+                return 0;
+        if (ar->num_stations >= ar->max_num_stations)
+                return -ENOBUFS;
+        ar->num_stations++;
+        return 0;
+}
+static void ath10k_mac_dec_num_stations(struct ath10k_vif *arvif)
+{
+        struct ath10k *ar = arvif->ar;
+        lockdep_assert_held(&ar->conf_mutex);
+        if (arvif->vdev_type != WMI_VDEV_TYPE_AP &&
+            arvif->vdev_type != WMI_VDEV_TYPE_IBSS)
+                return;
+        ar->num_stations--;
+}
 static int ath10k_sta_state(struct ieee80211_hw *hw,
                            struct ieee80211_vif *vif,
                            struct ieee80211_sta *sta,
@@ -3512,7 +3636,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
        struct ath10k *ar = hw->priv;
        struct ath10k_vif *arvif = ath10k_vif_to_arvif(vif);
        struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv;
-        int max_num_peers;
        int ret = 0;
        if (old_state == IEEE80211_STA_NOTEXIST &&
@@ -3534,26 +3657,26 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                /*
                 * New station addition.
                 */
-                if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features))
+                ath10k_dbg(ar, ATH10K_DBG_MAC,
-                        max_num_peers = TARGET_10X_NUM_PEERS_MAX - 1;
+                           "mac vdev %d peer create %pM (new sta) sta %d / %d peer %d / %d\n",
-                else
+                           arvif->vdev_id, sta->addr,
-                        max_num_peers = TARGET_NUM_PEERS;
+                           ar->num_stations + 1, ar->max_num_stations,
+                           ar->num_peers + 1, ar->max_num_peers);
-                if (ar->num_peers >= max_num_peers) {
+                ret = ath10k_mac_inc_num_stations(arvif);
-                        ath10k_warn(ar, "number of peers exceeded: peers number %d (max peers %d)\n",
+                if (ret) {
-                                    ar->num_peers, max_num_peers);
+                        ath10k_warn(ar, "refusing to associate station: too many connected already (%d)\n",
-                        ret = -ENOBUFS;
+                                    ar->max_num_stations);
                        goto exit;
                }
-                ath10k_dbg(ar, ATH10K_DBG_MAC,
-                           "mac vdev %d peer create %pM (new sta) num_peers %d\n",
-                           arvif->vdev_id, sta->addr, ar->num_peers);
                ret = ath10k_peer_create(ar, arvif->vdev_id, sta->addr);
-                if (ret)
+                if (ret) {
                        ath10k_warn(ar, "failed to add peer %pM for vdev %d when adding a new sta: %i\n",
                                    sta->addr, arvif->vdev_id, ret);
+                        ath10k_mac_dec_num_stations(arvif);
+                        goto exit;
+                }
                if (vif->type == NL80211_IFTYPE_STATION) {
                        WARN_ON(arvif->is_started);
@@ -3564,6 +3687,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                                            arvif->vdev_id, ret);
                                WARN_ON(ath10k_peer_delete(ar, arvif->vdev_id,
                                                           sta->addr));
+                                ath10k_mac_dec_num_stations(arvif);
                                goto exit;
                        }
@@ -3594,6 +3718,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                        ath10k_warn(ar, "failed to delete peer %pM for vdev %d: %i\n",
                                    sta->addr, arvif->vdev_id, ret);
+                ath10k_mac_dec_num_stations(arvif);
        } else if (old_state == IEEE80211_STA_AUTH &&
                   new_state == IEEE80211_STA_ASSOC &&
                   (vif->type == NL80211_IFTYPE_AP ||
@@ -3782,6 +3907,8 @@ static int ath10k_remain_on_channel(struct ieee80211_hw *hw,
        if (ret)
                goto exit;
+        duration = max(duration, WMI_SCAN_CHAN_MIN_TIME_MSEC);
        memset(&arg, 0, sizeof(arg));
        ath10k_wmi_start_scan_init(ar, &arg);
        arg.vdev_id = arvif->vdev_id;
@@ -3826,10 +3953,11 @@ static int ath10k_cancel_remain_on_channel(struct ieee80211_hw *hw)
        struct ath10k *ar = hw->priv;
        mutex_lock(&ar->conf_mutex);
-        cancel_delayed_work_sync(&ar->scan.timeout);
        ath10k_scan_abort(ar);
        mutex_unlock(&ar->conf_mutex);
+        cancel_delayed_work_sync(&ar->scan.timeout);
        return 0;
 }
@@ -3872,7 +4000,7 @@ static int ath10k_set_frag_threshold(struct ieee80211_hw *hw, u32 value)
                ath10k_dbg(ar, ATH10K_DBG_MAC, "mac vdev %d fragmentation threshold %d\n",
                           arvif->vdev_id, value);
-                ret = ath10k_mac_set_rts(arvif, value);
+                ret = ath10k_mac_set_frag(arvif, value);
                if (ret) {
                        ath10k_warn(ar, "failed to set fragmentation threshold for vdev %d: %d\n",
                                    arvif->vdev_id, ret);
@@ -3908,7 +4036,9 @@ static void ath10k_flush(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                        empty = (ar->htt.num_pending_tx == 0);
                        spin_unlock_bh(&ar->htt.tx_lock);
-                        skip = (ar->state == ATH10K_STATE_WEDGED);
+                        skip = (ar->state == ATH10K_STATE_WEDGED) ||
+                               test_bit(ATH10K_FLAG_CRASH_FLUSH,
+                                        &ar->dev_flags);
                        (empty || skip);
                }), ATH10K_FLUSH_TIMEOUT_HZ);
@@ -3994,10 +4124,14 @@ exit:
 }
 #endif
-static void ath10k_restart_complete(struct ieee80211_hw *hw)
+static void ath10k_reconfig_complete(struct ieee80211_hw *hw,
+                                     enum ieee80211_reconfig_type reconfig_type)
 {
        struct ath10k *ar = hw->priv;
+        if (reconfig_type != IEEE80211_RECONFIG_TYPE_RESTART)
+                return;
        mutex_lock(&ar->conf_mutex);
        /* If device failed to restart it will be in a different state, e.g.
@@ -4005,6 +4139,7 @@ static void ath10k_restart_complete(struct ieee80211_hw *hw)
        if (ar->state == ATH10K_STATE_RESTARTED) {
                ath10k_info(ar, "device successfully recovered\n");
                ar->state = ATH10K_STATE_ON;
+                ieee80211_wake_queues(ar->hw);
        }
        mutex_unlock(&ar->conf_mutex);
@@ -4040,6 +4175,9 @@ static int ath10k_get_survey(struct ieee80211_hw *hw, int idx,
        survey->channel = &sband->channels[idx];
+        if (ar->rx_channel == survey->channel)
+                survey->filled |= SURVEY_INFO_IN_USE;
 exit:
        mutex_unlock(&ar->conf_mutex);
        return ret;
@@ -4087,6 +4225,10 @@ ath10k_default_bitrate_mask(struct ath10k *ar,
        u32 legacy = 0x00ff;
        u8 ht = 0xff, i;
        u16 vht = 0x3ff;
+        u16 nrf = ar->num_rf_chains;
+        if (ar->cfg_tx_chainmask)
+                nrf = get_nss_from_chainmask(ar->cfg_tx_chainmask);
        switch (band) {
        case IEEE80211_BAND_2GHZ:
@@ -4102,11 +4244,11 @@ ath10k_default_bitrate_mask(struct ath10k *ar,
        if (mask->control[band].legacy != legacy)
                return false;
-        for (i = 0; i < ar->num_rf_chains; i++)
+        for (i = 0; i < nrf; i++)
                if (mask->control[band].ht_mcs[i] != ht)
                        return false;
-        for (i = 0; i < ar->num_rf_chains; i++)
+        for (i = 0; i < nrf; i++)
                if (mask->control[band].vht_mcs[i] != vht)
                        return false;
@@ -4357,6 +4499,9 @@ static int ath10k_set_bitrate_mask(struct ieee80211_hw *hw,
        u8 fixed_nss = ar->num_rf_chains;
        u8 force_sgi;
+        if (ar->cfg_tx_chainmask)
+                fixed_nss = get_nss_from_chainmask(ar->cfg_tx_chainmask);
        force_sgi = mask->control[band].gi;
        if (force_sgi == NL80211_TXRATE_FORCE_LGI)
                return -EINVAL;
@@ -4515,7 +4660,7 @@ static const struct ieee80211_ops ath10k_ops = {
        .tx_last_beacon                 = ath10k_tx_last_beacon,
        .set_antenna                    = ath10k_set_antenna,
        .get_antenna                    = ath10k_get_antenna,
-        .restart_complete               = ath10k_restart_complete,
+        .reconfig_complete              = ath10k_reconfig_complete,
        .get_survey                     = ath10k_get_survey,
        .set_bitrate_mask               = ath10k_set_bitrate_mask,
        .sta_rc_update                  = ath10k_sta_rc_update,
@@ -4886,10 +5031,6 @@ int ath10k_mac_register(struct ath10k *ar)
                        IEEE80211_HW_AP_LINK_PS |
                        IEEE80211_HW_SPECTRUM_MGMT;
-        /* MSDU can have HTT TX fragment pushed in front. The additional 4
-         * bytes is used for padding/alignment if necessary. */
-        ar->hw->extra_tx_headroom += sizeof(struct htt_data_tx_desc_frag)*2 + 4;
        ar->hw->wiphy->features |= NL80211_FEATURE_STATIC_SMPS;
        if (ar->ht_cap_info & WMI_HT_CAP_DYNAMIC_SMPS)
@@ -4913,6 +5054,8 @@ int ath10k_mac_register(struct ath10k *ar)
        ar->hw->wiphy->max_remain_on_channel_duration = 5000;
        ar->hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;
+        ar->hw->wiphy->features |= NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE;
        /*
         * on LL hardware queues are managed entirely by the FW
         * so we only advertise to mac we can do the queues thing
diff --git a/drivers/net/wireless/ath/ath10k/mac.h b/drivers/net/wireless/ath/ath10k/mac.h
index 965c51117499..68296117d203 100644
--- a/drivers/net/wireless/ath/ath10k/mac.h
+++ b/drivers/net/wireless/ath/ath10k/mac.h
@@ -21,6 +21,8 @@
 #include <net/mac80211.h>
 #include "core.h"
+#define WEP_KEYID_SHIFT 6
 struct ath10k_generic_iter {
        struct ath10k *ar;
        int ret;
@@ -40,6 +42,9 @@ void ath10k_mgmt_over_wmi_tx_purge(struct ath10k *ar);
 void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work);
 void ath10k_halt(struct ath10k *ar);
 void ath10k_mac_vif_beacon_free(struct ath10k_vif *arvif);
+void ath10k_drain_tx(struct ath10k *ar);
+bool ath10k_mac_is_peer_wep_key_set(struct ath10k *ar, const u8 *addr,
+                                    u8 keyidx);
 static inline struct ath10k_vif *ath10k_vif_to_arvif(struct ieee80211_vif *vif)
 {
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 4a4740b4bdc0..7abb8367119a 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -823,20 +823,24 @@ static void ath10k_pci_ce_send_done(struct ath10k_ce_pipe *ce_state)
        struct ath10k *ar = ce_state->ar;
        struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
        struct ath10k_hif_cb *cb = &ar_pci->msg_callbacks_current;
-        void *transfer_context;
+        struct sk_buff_head list;
+        struct sk_buff *skb;
        u32 ce_data;
        unsigned int nbytes;
        unsigned int transfer_id;
-        while (ath10k_ce_completed_send_next(ce_state, &transfer_context,
+        __skb_queue_head_init(&list);
-                                             &ce_data, &nbytes,
+        while (ath10k_ce_completed_send_next(ce_state, (void **)&skb, &ce_data,
-                                             &transfer_id) == 0) {
+                                             &nbytes, &transfer_id) == 0) {
                /* no need to call tx completion for NULL pointers */
-                if (transfer_context == NULL)
+                if (skb == NULL)
                        continue;
-                cb->tx_completion(ar, transfer_context, transfer_id);
+                __skb_queue_tail(&list, skb);
        }
+        while ((skb = __skb_dequeue(&list)))
+                cb->tx_completion(ar, skb);
 }
 /* Called by lower (CE) layer when data is received from the Target. */
@@ -847,12 +851,14 @@ static void ath10k_pci_ce_recv_data(struct ath10k_ce_pipe *ce_state)
        struct ath10k_pci_pipe *pipe_info =  &ar_pci->pipe_info[ce_state->id];
        struct ath10k_hif_cb *cb = &ar_pci->msg_callbacks_current;
        struct sk_buff *skb;
+        struct sk_buff_head list;
        void *transfer_context;
        u32 ce_data;
        unsigned int nbytes, max_nbytes;
        unsigned int transfer_id;
        unsigned int flags;
+        __skb_queue_head_init(&list);
        while (ath10k_ce_completed_recv_next(ce_state, &transfer_context,
                                             &ce_data, &nbytes, &transfer_id,
                                             &flags) == 0) {
@@ -869,13 +875,16 @@ static void ath10k_pci_ce_recv_data(struct ath10k_ce_pipe *ce_state)
                }
                skb_put(skb, nbytes);
+                __skb_queue_tail(&list, skb);
+        }
+        while ((skb = __skb_dequeue(&list))) {
                ath10k_dbg(ar, ATH10K_DBG_PCI, "pci rx ce pipe %d len %d\n",
                           ce_state->id, skb->len);
                ath10k_dbg_dump(ar, ATH10K_DBG_PCI_DUMP, NULL, "pci rx: ",
                                skb->data, skb->len);
-                cb->rx_completion(ar, skb, pipe_info->pipe_num);
+                cb->rx_completion(ar, skb);
        }
        ath10k_pci_rx_post_pipe(pipe_info);
@@ -1196,64 +1205,74 @@ static int ath10k_pci_hif_start(struct ath10k *ar)
        return 0;
 }
-static void ath10k_pci_rx_pipe_cleanup(struct ath10k_pci_pipe *pipe_info)
+static void ath10k_pci_rx_pipe_cleanup(struct ath10k_pci_pipe *pci_pipe)
 {
        struct ath10k *ar;
-        struct ath10k_pci *ar_pci;
+        struct ath10k_ce_pipe *ce_pipe;
-        struct ath10k_ce_pipe *ce_hdl;
+        struct ath10k_ce_ring *ce_ring;
-        u32 buf_sz;
+        struct sk_buff *skb;
-        struct sk_buff *netbuf;
+        int i;
-        u32 ce_data;
-        buf_sz = pipe_info->buf_sz;
+        ar = pci_pipe->hif_ce_state;
+        ce_pipe = pci_pipe->ce_hdl;
+        ce_ring = ce_pipe->dest_ring;
-        /* Unused Copy Engine */
+        if (!ce_ring)
-        if (buf_sz == 0)
                return;
-        ar = pipe_info->hif_ce_state;
+        if (!pci_pipe->buf_sz)
-        ar_pci = ath10k_pci_priv(ar);
+                return;
-        ce_hdl = pipe_info->ce_hdl;
+        for (i = 0; i < ce_ring->nentries; i++) {
+                skb = ce_ring->per_transfer_context[i];
+                if (!skb)
+                        continue;
+                ce_ring->per_transfer_context[i] = NULL;
-        while (ath10k_ce_revoke_recv_next(ce_hdl, (void **)&netbuf,
+                dma_unmap_single(ar->dev, ATH10K_SKB_CB(skb)->paddr,
-                                          &ce_data) == 0) {
+                                 skb->len + skb_tailroom(skb),
-                dma_unmap_single(ar->dev, ATH10K_SKB_CB(netbuf)->paddr,
-                                 netbuf->len + skb_tailroom(netbuf),
                                 DMA_FROM_DEVICE);
-                dev_kfree_skb_any(netbuf);
+                dev_kfree_skb_any(skb);
        }
 }
-static void ath10k_pci_tx_pipe_cleanup(struct ath10k_pci_pipe *pipe_info)
+static void ath10k_pci_tx_pipe_cleanup(struct ath10k_pci_pipe *pci_pipe)
 {
        struct ath10k *ar;
        struct ath10k_pci *ar_pci;
-        struct ath10k_ce_pipe *ce_hdl;
+        struct ath10k_ce_pipe *ce_pipe;
-        struct sk_buff *netbuf;
+        struct ath10k_ce_ring *ce_ring;
-        u32 ce_data;
+        struct ce_desc *ce_desc;
-        unsigned int nbytes;
+        struct sk_buff *skb;
        unsigned int id;
-        u32 buf_sz;
+        int i;
-        buf_sz = pipe_info->buf_sz;
+        ar = pci_pipe->hif_ce_state;
+        ar_pci = ath10k_pci_priv(ar);
+        ce_pipe = pci_pipe->ce_hdl;
+        ce_ring = ce_pipe->src_ring;
-        /* Unused Copy Engine */
+        if (!ce_ring)
-        if (buf_sz == 0)
                return;
-        ar = pipe_info->hif_ce_state;
+        if (!pci_pipe->buf_sz)
-        ar_pci = ath10k_pci_priv(ar);
+                return;
-        ce_hdl = pipe_info->ce_hdl;
-        while (ath10k_ce_cancel_send_next(ce_hdl, (void **)&netbuf,
+        ce_desc = ce_ring->shadow_base;
-                                          &ce_data, &nbytes, &id) == 0) {
+        if (WARN_ON(!ce_desc))
-                /* no need to call tx completion for NULL pointers */
+                return;
-                if (!netbuf)
+        for (i = 0; i < ce_ring->nentries; i++) {
+                skb = ce_ring->per_transfer_context[i];
+                if (!skb)
                        continue;
-                ar_pci->msg_callbacks_current.tx_completion(ar,
+                ce_ring->per_transfer_context[i] = NULL;
-                                                            netbuf,
+                id = MS(__le16_to_cpu(ce_desc[i].flags),
-                                                            id);
+                        CE_DESC_FLAGS_META_DATA);
+                ar_pci->msg_callbacks_current.tx_completion(ar, skb);
        }
 }
@@ -1432,6 +1451,9 @@ static void ath10k_pci_bmi_recv_data(struct ath10k_ce_pipe *ce_state)
                                          &nbytes, &transfer_id, &flags))
                return;
+        if (WARN_ON_ONCE(!xfer))
+                return;
        if (!xfer->wait_for_resp) {
                ath10k_warn(ar, "unexpected: BMI data received; ignoring\n");
                return;
@@ -1707,99 +1729,167 @@ static void ath10k_pci_warm_reset_si0(struct ath10k *ar)
        msleep(10);
 }
-static int ath10k_pci_warm_reset(struct ath10k *ar)
+static void ath10k_pci_warm_reset_cpu(struct ath10k *ar)
 {
        u32 val;
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot warm reset\n");
+        ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS, 0);
-        spin_lock_bh(&ar->data_lock);
-        ar->stats.fw_warm_reset_counter++;
-        spin_unlock_bh(&ar->data_lock);
-        /* debug */
-        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
-                                PCIE_INTR_CAUSE_ADDRESS);
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot host cpu intr cause: 0x%08x\n",
-                   val);
-        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
+        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
-                                CPU_INTR_ADDRESS);
+                                SOC_RESET_CONTROL_ADDRESS);
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot target cpu intr cause: 0x%08x\n",
+        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
-                   val);
+                           val | SOC_RESET_CONTROL_CPU_WARM_RST_MASK);
+}
-        /* disable pending irqs */
+static void ath10k_pci_warm_reset_ce(struct ath10k *ar)
-        ath10k_pci_write32(ar, SOC_CORE_BASE_ADDRESS +
+{
-                           PCIE_INTR_ENABLE_ADDRESS, 0);
+        u32 val;
-        ath10k_pci_write32(ar, SOC_CORE_BASE_ADDRESS +
+        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
-                           PCIE_INTR_CLR_ADDRESS, ~0);
+                                SOC_RESET_CONTROL_ADDRESS);
-        msleep(100);
+        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
+                           val | SOC_RESET_CONTROL_CE_RST_MASK);
+        msleep(10);
+        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
+                           val & ~SOC_RESET_CONTROL_CE_RST_MASK);
+}
-        /* clear fw indicator */
+static void ath10k_pci_warm_reset_clear_lf(struct ath10k *ar)
-        ath10k_pci_write32(ar, FW_INDICATOR_ADDRESS, 0);
+{
+        u32 val;
-        /* clear target LF timer interrupts */
        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
                                SOC_LF_TIMER_CONTROL0_ADDRESS);
        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS +
                           SOC_LF_TIMER_CONTROL0_ADDRESS,
                           val & ~SOC_LF_TIMER_CONTROL0_ENABLE_MASK);
+}
-        /* reset CE */
+static int ath10k_pci_warm_reset(struct ath10k *ar)
-        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
+{
-                                SOC_RESET_CONTROL_ADDRESS);
+        int ret;
-        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
-                           val | SOC_RESET_CONTROL_CE_RST_MASK);
-        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
-                                SOC_RESET_CONTROL_ADDRESS);
-        msleep(10);
-        /* unreset CE */
+        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot warm reset\n");
-        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
-                           val & ~SOC_RESET_CONTROL_CE_RST_MASK);
+        spin_lock_bh(&ar->data_lock);
-        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
+        ar->stats.fw_warm_reset_counter++;
-                                SOC_RESET_CONTROL_ADDRESS);
+        spin_unlock_bh(&ar->data_lock);
-        msleep(10);
+        ath10k_pci_irq_disable(ar);
+        /* Make sure the target CPU is not doing anything dangerous, e.g. if it
+         * were to access copy engine while host performs copy engine reset
+         * then it is possible for the device to confuse pci-e controller to
+         * the point of bringing host system to a complete stop (i.e. hang).
+         */
        ath10k_pci_warm_reset_si0(ar);
+        ath10k_pci_warm_reset_cpu(ar);
+        ath10k_pci_init_pipes(ar);
+        ath10k_pci_wait_for_target_init(ar);
-        /* debug */
+        ath10k_pci_warm_reset_clear_lf(ar);
-        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
+        ath10k_pci_warm_reset_ce(ar);
-                                PCIE_INTR_CAUSE_ADDRESS);
+        ath10k_pci_warm_reset_cpu(ar);
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot host cpu intr cause: 0x%08x\n",
+        ath10k_pci_init_pipes(ar);
-                   val);
-        val = ath10k_pci_read32(ar, SOC_CORE_BASE_ADDRESS +
+        ret = ath10k_pci_wait_for_target_init(ar);
-                                CPU_INTR_ADDRESS);
+        if (ret) {
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot target cpu intr cause: 0x%08x\n",
+                ath10k_warn(ar, "failed to wait for target init: %d\n", ret);
-                   val);
+                return ret;
+        }
-        /* CPU warm reset */
+        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot warm reset complete\n");
-        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
-                                SOC_RESET_CONTROL_ADDRESS);
-        ath10k_pci_write32(ar, RTC_SOC_BASE_ADDRESS + SOC_RESET_CONTROL_ADDRESS,
-                           val | SOC_RESET_CONTROL_CPU_WARM_RST_MASK);
-        val = ath10k_pci_read32(ar, RTC_SOC_BASE_ADDRESS +
+        return 0;
-                                SOC_RESET_CONTROL_ADDRESS);
+}
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot target reset state: 0x%08x\n",
-                   val);
-        msleep(100);
+static int ath10k_pci_chip_reset(struct ath10k *ar)
+{
+        int i, ret;
+        u32 val;
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot warm reset complete\n");
+        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot chip reset\n");
+        /* Some hardware revisions (e.g. CUS223v2) has issues with cold reset.
+         * It is thus preferred to use warm reset which is safer but may not be
+         * able to recover the device from all possible fail scenarios.
+         *
+         * Warm reset doesn't always work on first try so attempt it a few
+         * times before giving up.
+         */
+        for (i = 0; i < ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS; i++) {
+                ret = ath10k_pci_warm_reset(ar);
+                if (ret) {
+                        ath10k_warn(ar, "failed to warm reset attempt %d of %d: %d\n",
+                                    i + 1, ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS,
+                                    ret);
+                        continue;
+                }
+                /* FIXME: Sometimes copy engine doesn't recover after warm
+                 * reset. In most cases this needs cold reset. In some of these
+                 * cases the device is in such a state that a cold reset may
+                 * lock up the host.
+                 *
+                 * Reading any host interest register via copy engine is
+                 * sufficient to verify if device is capable of booting
+                 * firmware blob.
+                 */
+                ret = ath10k_pci_init_pipes(ar);
+                if (ret) {
+                        ath10k_warn(ar, "failed to init copy engine: %d\n",
+                                    ret);
+                        continue;
+                }
+                ret = ath10k_pci_diag_read32(ar, QCA988X_HOST_INTEREST_ADDRESS,
+                                             &val);
+                if (ret) {
+                        ath10k_warn(ar, "failed to poke copy engine: %d\n",
+                                    ret);
+                        continue;
+                }
+                ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot chip reset complete (warm)\n");
+                return 0;
+        }
+        if (ath10k_pci_reset_mode == ATH10K_PCI_RESET_WARM_ONLY) {
+                ath10k_warn(ar, "refusing cold reset as requested\n");
+                return -EPERM;
+        }
+        ret = ath10k_pci_cold_reset(ar);
+        if (ret) {
+                ath10k_warn(ar, "failed to cold reset: %d\n", ret);
+                return ret;
+        }
+        ret = ath10k_pci_wait_for_target_init(ar);
+        if (ret) {
+                ath10k_warn(ar, "failed to wait for target after cold reset: %d\n",
+                            ret);
+                return ret;
+        }
+        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot chip reset complete (cold)\n");
        return 0;
 }
-static int __ath10k_pci_hif_power_up(struct ath10k *ar, bool cold_reset)
+static int ath10k_pci_hif_power_up(struct ath10k *ar)
 {
        int ret;
+        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif power up\n");
+        ret = ath10k_pci_wake(ar);
+        if (ret) {
+                ath10k_err(ar, "failed to wake up target: %d\n", ret);
+                return ret;
+        }
        /*
         * Bring the target up cleanly.
         *
@@ -1810,26 +1900,16 @@ static int __ath10k_pci_hif_power_up(struct ath10k *ar, bool cold_reset)
         * is in an unexpected state. We try to catch that here in order to
         * reset the Target and retry the probe.
         */
-        if (cold_reset)
+        ret = ath10k_pci_chip_reset(ar);
-                ret = ath10k_pci_cold_reset(ar);
-        else
-                ret = ath10k_pci_warm_reset(ar);
        if (ret) {
-                ath10k_err(ar, "failed to reset target: %d\n", ret);
+                ath10k_err(ar, "failed to reset chip: %d\n", ret);
-                goto err;
+                goto err_sleep;
        }
        ret = ath10k_pci_init_pipes(ar);
        if (ret) {
                ath10k_err(ar, "failed to initialize CE: %d\n", ret);
-                goto err;
+                goto err_sleep;
-        }
-        ret = ath10k_pci_wait_for_target_init(ar);
-        if (ret) {
-                ath10k_err(ar, "failed to wait for target to init: %d\n", ret);
-                goto err_ce;
        }
        ret = ath10k_pci_init_config(ar);
@@ -1848,73 +1928,21 @@ static int __ath10k_pci_hif_power_up(struct ath10k *ar, bool cold_reset)
 err_ce:
        ath10k_pci_ce_deinit(ar);
-        ath10k_pci_warm_reset(ar);
-err:
-        return ret;
-}
-static int ath10k_pci_hif_power_up_warm(struct ath10k *ar)
-{
-        int i, ret;
-        /*
-         * Sometime warm reset succeeds after retries.
-         *
-         * FIXME: It might be possible to tune ath10k_pci_warm_reset() to work
-         * at first try.
-         */
-        for (i = 0; i < ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS; i++) {
-                ret = __ath10k_pci_hif_power_up(ar, false);
-                if (ret == 0)
-                        break;
-                ath10k_warn(ar, "failed to warm reset (attempt %d out of %d): %d\n",
-                            i + 1, ATH10K_PCI_NUM_WARM_RESET_ATTEMPTS, ret);
-        }
+err_sleep:
+        ath10k_pci_sleep(ar);
        return ret;
 }
-static int ath10k_pci_hif_power_up(struct ath10k *ar)
-{
-        int ret;
-        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif power up\n");
-        /*
-         * Hardware CUS232 version 2 has some issues with cold reset and the
-         * preferred (and safer) way to perform a device reset is through a
-         * warm reset.
-         *
-         * Warm reset doesn't always work though so fall back to cold reset may
-         * be necessary.
-         */
-        ret = ath10k_pci_hif_power_up_warm(ar);
-        if (ret) {
-                ath10k_warn(ar, "failed to power up target using warm reset: %d\n",
-                            ret);
-                if (ath10k_pci_reset_mode == ATH10K_PCI_RESET_WARM_ONLY)
-                        return ret;
-                ath10k_warn(ar, "trying cold reset\n");
-                ret = __ath10k_pci_hif_power_up(ar, true);
-                if (ret) {
-                        ath10k_err(ar, "failed to power up target using cold reset too (%d)\n",
-                                   ret);
-                        return ret;
-                }
-        }
-        return 0;
-}
 static void ath10k_pci_hif_power_down(struct ath10k *ar)
 {
        ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif power down\n");
-        ath10k_pci_warm_reset(ar);
+        /* Currently hif_power_up performs effectively a reset and hif_stop
+         * resets the chip as well so there's no point in resetting here.
+         */
+        ath10k_pci_sleep(ar);
 }
 #ifdef CONFIG_PM
@@ -1969,6 +1997,7 @@ static int ath10k_pci_hif_resume(struct ath10k *ar)
 static const struct ath10k_hif_ops ath10k_pci_hif_ops = {
        .tx_sg                  = ath10k_pci_hif_tx_sg,
        .diag_read              = ath10k_pci_hif_diag_read,
+        .diag_write             = ath10k_pci_diag_write_mem,
        .exchange_bmi_msg       = ath10k_pci_hif_exchange_bmi_msg,
        .start                  = ath10k_pci_hif_start,
        .stop                   = ath10k_pci_hif_stop,
@@ -1979,6 +2008,8 @@ static const struct ath10k_hif_ops ath10k_pci_hif_ops = {
        .get_free_queue_number  = ath10k_pci_hif_get_free_queue_number,
        .power_up               = ath10k_pci_hif_power_up,
        .power_down             = ath10k_pci_hif_power_down,
+        .read32                 = ath10k_pci_read32,
+        .write32                = ath10k_pci_write32,
 #ifdef CONFIG_PM
        .suspend                = ath10k_pci_hif_suspend,
        .resume                 = ath10k_pci_hif_resume,
@@ -2516,6 +2547,8 @@ static int ath10k_pci_probe(struct pci_dev *pdev,
                goto err_deinit_irq;
        }
+        ath10k_pci_sleep(ar);
        ret = ath10k_core_register(ar, chip_id);
        if (ret) {
                ath10k_err(ar, "failed to register driver core: %d\n", ret);
@@ -2567,7 +2600,6 @@ static void ath10k_pci_remove(struct pci_dev *pdev)
        ath10k_pci_deinit_irq(ar);
        ath10k_pci_ce_deinit(ar);
        ath10k_pci_free_pipes(ar);
-        ath10k_pci_sleep(ar);
        ath10k_pci_release(ar);
        ath10k_core_destroy(ar);
 }
diff --git a/drivers/net/wireless/ath/ath10k/trace.h b/drivers/net/wireless/ath/ath10k/trace.h
index 9d34e7f6c455..b289378b6e3e 100644
--- a/drivers/net/wireless/ath/ath10k/trace.h
+++ b/drivers/net/wireless/ath/ath10k/trace.h
@@ -20,6 +20,15 @@
 #include <linux/tracepoint.h>
 #include "core.h"
+#if !defined(_TRACE_H_)
+static inline u32 ath10k_frm_hdr_len(const void *buf)
+{
+        const struct ieee80211_hdr *hdr = buf;
+        return ieee80211_hdrlen(hdr->frame_control);
+}
+#endif
 #define _TRACE_H_
 /* create empty functions when tracing is disabled */
@@ -138,7 +147,8 @@ TRACE_EVENT(ath10k_log_dbg_dump,
 );
 TRACE_EVENT(ath10k_wmi_cmd,
-        TP_PROTO(struct ath10k *ar, int id, void *buf, size_t buf_len, int ret),
+        TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len,
+                 int ret),
        TP_ARGS(ar, id, buf, buf_len, ret),
@@ -171,7 +181,7 @@ TRACE_EVENT(ath10k_wmi_cmd,
 );
 TRACE_EVENT(ath10k_wmi_event,
-        TP_PROTO(struct ath10k *ar, int id, void *buf, size_t buf_len),
+        TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len),
        TP_ARGS(ar, id, buf, buf_len),
@@ -201,7 +211,7 @@ TRACE_EVENT(ath10k_wmi_event,
 );
 TRACE_EVENT(ath10k_htt_stats,
-        TP_PROTO(struct ath10k *ar, void *buf, size_t buf_len),
+        TP_PROTO(struct ath10k *ar, const void *buf, size_t buf_len),
        TP_ARGS(ar, buf, buf_len),
@@ -228,7 +238,7 @@ TRACE_EVENT(ath10k_htt_stats,
 );
 TRACE_EVENT(ath10k_wmi_dbglog,
-        TP_PROTO(struct ath10k *ar, void *buf, size_t buf_len),
+        TP_PROTO(struct ath10k *ar, const void *buf, size_t buf_len),
        TP_ARGS(ar, buf, buf_len),
@@ -255,7 +265,7 @@ TRACE_EVENT(ath10k_wmi_dbglog,
 );
 TRACE_EVENT(ath10k_htt_pktlog,
-            TP_PROTO(struct ath10k *ar, void *buf, u16 buf_len),
+            TP_PROTO(struct ath10k *ar, const void *buf, u16 buf_len),
        TP_ARGS(ar, buf, buf_len),
@@ -281,36 +291,6 @@ TRACE_EVENT(ath10k_htt_pktlog,
         )
 );
-TRACE_EVENT(ath10k_htt_rx_desc,
-            TP_PROTO(struct ath10k *ar, u32 tsf, void *rxdesc, u16 len),
-        TP_ARGS(ar, tsf, rxdesc, len),
-        TP_STRUCT__entry(
-                __string(device, dev_name(ar->dev))
-                __string(driver, dev_driver_string(ar->dev))
-                __field(u32, tsf)
-                __field(u16, len)
-                __dynamic_array(u8, rxdesc, len)
-        ),
-        TP_fast_assign(
-                __assign_str(device, dev_name(ar->dev));
-                __assign_str(driver, dev_driver_string(ar->dev));
-                __entry->tsf = tsf;
-                __entry->len = len;
-                memcpy(__get_dynamic_array(rxdesc), rxdesc, len);
-        ),
-        TP_printk(
-                "%s %s %u len %hu",
-                __get_str(driver),
-                __get_str(device),
-                __entry->tsf,
-                __entry->len
-         )
-);
 TRACE_EVENT(ath10k_htt_tx,
            TP_PROTO(struct ath10k *ar, u16 msdu_id, u16 msdu_len,
                     u8 vdev_id, u8 tid),
@@ -371,8 +351,8 @@ TRACE_EVENT(ath10k_txrx_tx_unref,
         )
 );
-DECLARE_EVENT_CLASS(ath10k_data_event,
+DECLARE_EVENT_CLASS(ath10k_hdr_event,
-                    TP_PROTO(struct ath10k *ar, void *data, size_t len),
+                    TP_PROTO(struct ath10k *ar, const void *data, size_t len),
        TP_ARGS(ar, data, len),
@@ -380,14 +360,14 @@ DECLARE_EVENT_CLASS(ath10k_data_event,
                __string(device, dev_name(ar->dev))
                __string(driver, dev_driver_string(ar->dev))
                __field(size_t, len)
-                __dynamic_array(u8, data, len)
+                __dynamic_array(u8, data, ath10k_frm_hdr_len(data))
        ),
        TP_fast_assign(
                __assign_str(device, dev_name(ar->dev));
                __assign_str(driver, dev_driver_string(ar->dev));
-                __entry->len = len;
+                __entry->len = ath10k_frm_hdr_len(data);
-                memcpy(__get_dynamic_array(data), data, len);
+                memcpy(__get_dynamic_array(data), data, __entry->len);
        ),
        TP_printk(
@@ -398,25 +378,81 @@ DECLARE_EVENT_CLASS(ath10k_data_event,
        )
 );
-DEFINE_EVENT(ath10k_data_event, ath10k_htt_tx_msdu,
+DECLARE_EVENT_CLASS(ath10k_payload_event,
-             TP_PROTO(struct ath10k *ar, void *data, size_t len),
+                    TP_PROTO(struct ath10k *ar, const void *data, size_t len),
+        TP_ARGS(ar, data, len),
+        TP_STRUCT__entry(
+                __string(device, dev_name(ar->dev))
+                __string(driver, dev_driver_string(ar->dev))
+                __field(size_t, len)
+                __dynamic_array(u8, payload, (len - ath10k_frm_hdr_len(data)))
+        ),
+        TP_fast_assign(
+                __assign_str(device, dev_name(ar->dev));
+                __assign_str(driver, dev_driver_string(ar->dev));
+                __entry->len = len - ath10k_frm_hdr_len(data);
+                memcpy(__get_dynamic_array(payload),
+                       data + ath10k_frm_hdr_len(data), __entry->len);
+        ),
+        TP_printk(
+                "%s %s len %zu\n",
+                __get_str(driver),
+                __get_str(device),
+                __entry->len
+        )
+);
+DEFINE_EVENT(ath10k_hdr_event, ath10k_tx_hdr,
+             TP_PROTO(struct ath10k *ar, const void *data, size_t len),
             TP_ARGS(ar, data, len)
 );
-DEFINE_EVENT(ath10k_data_event, ath10k_htt_rx_pop_msdu,
+DEFINE_EVENT(ath10k_payload_event, ath10k_tx_payload,
-             TP_PROTO(struct ath10k *ar, void *data, size_t len),
+             TP_PROTO(struct ath10k *ar, const void *data, size_t len),
             TP_ARGS(ar, data, len)
 );
-DEFINE_EVENT(ath10k_data_event, ath10k_wmi_mgmt_tx,
+DEFINE_EVENT(ath10k_hdr_event, ath10k_rx_hdr,
-             TP_PROTO(struct ath10k *ar, void *data, size_t len),
+             TP_PROTO(struct ath10k *ar, const void *data, size_t len),
             TP_ARGS(ar, data, len)
 );
-DEFINE_EVENT(ath10k_data_event, ath10k_wmi_bcn_tx,
+DEFINE_EVENT(ath10k_payload_event, ath10k_rx_payload,
-             TP_PROTO(struct ath10k *ar, void *data, size_t len),
+             TP_PROTO(struct ath10k *ar, const void *data, size_t len),
             TP_ARGS(ar, data, len)
 );
+TRACE_EVENT(ath10k_htt_rx_desc,
+            TP_PROTO(struct ath10k *ar, const void *data, size_t len),
+        TP_ARGS(ar, data, len),
+        TP_STRUCT__entry(
+                __string(device, dev_name(ar->dev))
+                __string(driver, dev_driver_string(ar->dev))
+                __field(u16, len)
+                __dynamic_array(u8, rxdesc, len)
+        ),
+        TP_fast_assign(
+                __assign_str(device, dev_name(ar->dev));
+                __assign_str(driver, dev_driver_string(ar->dev));
+                __entry->len = len;
+                memcpy(__get_dynamic_array(rxdesc), data, len);
+        ),
+        TP_printk(
+                "%s %s rxdesc len %d",
+                __get_str(driver),
+                __get_str(device),
+                __entry->len
+         )
+);
 #endif /* _TRACE_H_ || TRACE_HEADER_MULTI_READ*/
 /* we don't want to use include/trace/events */
diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
index f9c90e37bc7c..7579de8e7a8c 100644
--- a/drivers/net/wireless/ath/ath10k/txrx.c
+++ b/drivers/net/wireless/ath/ath10k/txrx.c
@@ -146,7 +146,8 @@ static int ath10k_wait_for_peer_common(struct ath10k *ar, int vdev_id,
                        mapped = !!ath10k_peer_find(ar, vdev_id, addr);
                        spin_unlock_bh(&ar->data_lock);
-                        mapped == expect_mapped;
+                        (mapped == expect_mapped ||
+                         test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags));
                }), 3*HZ);
        if (ret <= 0)
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index ae746cece211..c0f3e4d09263 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -779,6 +779,10 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
                ath10k_wmi_tx_beacons_nowait(ar);
                ret = ath10k_wmi_cmd_send_nowait(ar, skb, cmd_id);
+                if (ret && test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags))
+                        ret = -ESHUTDOWN;
                (ret != -EAGAIN);
        }), 3*HZ);
@@ -834,7 +838,8 @@ int ath10k_wmi_mgmt_tx(struct ath10k *ar, struct sk_buff *skb)
        ath10k_dbg(ar, ATH10K_DBG_WMI, "wmi mgmt tx skb %p len %d ftype %02x stype %02x\n",
                   wmi_skb, wmi_skb->len, fc & IEEE80211_FCTL_FTYPE,
                   fc & IEEE80211_FCTL_STYPE);
-        trace_ath10k_wmi_mgmt_tx(ar, skb->data, skb->len);
+        trace_ath10k_tx_hdr(ar, skb->data, skb->len);
+        trace_ath10k_tx_payload(ar, skb->data, skb->len);
        /* Send the management frame buffer to the target */
        ret = ath10k_wmi_cmd_send(ar, wmi_skb, ar->wmi.cmd->mgmt_tx_cmdid);
@@ -1108,6 +1113,40 @@ static inline u8 get_rate_idx(u32 rate, enum ieee80211_band band)
        return rate_idx;
 }
+/* If keys are configured, HW decrypts all frames
+ * with protected bit set. Mark such frames as decrypted.
+ */
+static void ath10k_wmi_handle_wep_reauth(struct ath10k *ar,
+                                         struct sk_buff *skb,
+                                         struct ieee80211_rx_status *status)
+{
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+        unsigned int hdrlen;
+        bool peer_key;
+        u8 *addr, keyidx;
+        if (!ieee80211_is_auth(hdr->frame_control) ||
+            !ieee80211_has_protected(hdr->frame_control))
+                return;
+        hdrlen = ieee80211_hdrlen(hdr->frame_control);
+        if (skb->len < (hdrlen + IEEE80211_WEP_IV_LEN))
+                return;
+        keyidx = skb->data[hdrlen + (IEEE80211_WEP_IV_LEN - 1)] >> WEP_KEYID_SHIFT;
+        addr = ieee80211_get_SA(hdr);
+        spin_lock_bh(&ar->data_lock);
+        peer_key = ath10k_mac_is_peer_wep_key_set(ar, addr, keyidx);
+        spin_unlock_bh(&ar->data_lock);
+        if (peer_key) {
+                ath10k_dbg(ar, ATH10K_DBG_MAC,
+                           "mac wep key present for peer %pM\n", addr);
+                status->flag |= RX_FLAG_DECRYPTED;
+        }
+}
 static int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
 {
        struct wmi_mgmt_rx_event_v1 *ev_v1;
@@ -1161,8 +1200,11 @@ static int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
                return 0;
        }
-        if (rx_status & WMI_RX_STATUS_ERR_CRC)
+        if (rx_status & WMI_RX_STATUS_ERR_CRC) {
-                status->flag |= RX_FLAG_FAILED_FCS_CRC;
+                dev_kfree_skb(skb);
+                return 0;
+        }
        if (rx_status & WMI_RX_STATUS_ERR_MIC)
                status->flag |= RX_FLAG_MMIC_ERROR;
@@ -1195,6 +1237,8 @@ static int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
        hdr = (struct ieee80211_hdr *)skb->data;
        fc = le16_to_cpu(hdr->frame_control);
+        ath10k_wmi_handle_wep_reauth(ar, skb, status);
        /* FW delivers WEP Shared Auth frame with Protected Bit set and
         * encrypted payload. However in case of PMF it delivers decrypted
         * frames with Protected Bit set. */
@@ -1893,7 +1937,9 @@ static void ath10k_wmi_event_host_swba(struct ath10k *ar, struct sk_buff *skb)
                arvif->beacon = bcn;
                arvif->beacon_sent = false;
-                trace_ath10k_wmi_bcn_tx(ar, bcn->data, bcn->len);
+                trace_ath10k_tx_hdr(ar, bcn->data, bcn->len);
+                trace_ath10k_tx_payload(ar, bcn->data, bcn->len);
                ath10k_wmi_tx_beacon_nowait(arvif);
 skip:
                spin_unlock_bh(&ar->data_lock);
@@ -2254,7 +2300,7 @@ static void ath10k_wmi_event_debug_print(struct ath10k *ar,
        /* the last byte is always reserved for the null character */
        buf[i] = '\0';
-        ath10k_dbg(ar, ATH10K_DBG_WMI, "wmi event debug print '%s'\n", buf);
+        ath10k_dbg(ar, ATH10K_DBG_WMI_PRINT, "wmi print '%s'\n", buf);
 }
 static void ath10k_wmi_event_pdev_qvit(struct ath10k *ar, struct sk_buff *skb)
@@ -2411,6 +2457,7 @@ static int ath10k_wmi_main_pull_svc_rdy_ev(struct sk_buff *skb,
        arg->eeprom_rd = ev->hal_reg_capabilities.eeprom_rd;
        arg->num_mem_reqs = ev->num_mem_reqs;
        arg->service_map = ev->wmi_service_bitmap;
+        arg->service_map_len = sizeof(ev->wmi_service_bitmap);
        n = min_t(size_t, __le32_to_cpu(arg->num_mem_reqs),
                  ARRAY_SIZE(arg->mem_reqs));
@@ -2445,6 +2492,7 @@ static int ath10k_wmi_10x_pull_svc_rdy_ev(struct sk_buff *skb,
        arg->eeprom_rd = ev->hal_reg_capabilities.eeprom_rd;
        arg->num_mem_reqs = ev->num_mem_reqs;
        arg->service_map = ev->wmi_service_bitmap;
+        arg->service_map_len = sizeof(ev->wmi_service_bitmap);
        n = min_t(size_t, __le32_to_cpu(arg->num_mem_reqs),
                  ARRAY_SIZE(arg->mem_reqs));
@@ -2463,15 +2511,18 @@ static void ath10k_wmi_event_service_ready(struct ath10k *ar,
 {
        struct wmi_svc_rdy_ev_arg arg = {};
        u32 num_units, req_id, unit_size, num_mem_reqs, num_unit_info, i;
-        DECLARE_BITMAP(svc_bmap, WMI_SERVICE_MAX) = {};
        int ret;
+        memset(&ar->wmi.svc_map, 0, sizeof(ar->wmi.svc_map));
        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features)) {
                ret = ath10k_wmi_10x_pull_svc_rdy_ev(skb, &arg);
-                wmi_10x_svc_map(arg.service_map, svc_bmap);
+                wmi_10x_svc_map(arg.service_map, ar->wmi.svc_map,
+                                arg.service_map_len);
        } else {
                ret = ath10k_wmi_main_pull_svc_rdy_ev(skb, &arg);
-                wmi_main_svc_map(arg.service_map, svc_bmap);
+                wmi_main_svc_map(arg.service_map, ar->wmi.svc_map,
+                                 arg.service_map_len);
        }
        if (ret) {
@@ -2493,9 +2544,8 @@ static void ath10k_wmi_event_service_ready(struct ath10k *ar,
        ar->num_rf_chains = __le32_to_cpu(arg.num_rf_chains);
        ar->ath_common.regulatory.current_rd = __le32_to_cpu(arg.eeprom_rd);
-        ath10k_debug_read_service_map(ar, svc_bmap, sizeof(svc_bmap));
        ath10k_dbg_dump(ar, ATH10K_DBG_WMI, NULL, "wmi svc: ",
-                        arg.service_map, sizeof(arg.service_map));
+                        arg.service_map, arg.service_map_len);
        /* only manually set fw features when not using FW IE format */
        if (ar->fw_api == 1 && ar->fw_version_build > 636)
@@ -3135,7 +3185,7 @@ static int ath10k_wmi_main_cmd_init(struct ath10k *ar)
        u32 len, val;
        config.num_vdevs = __cpu_to_le32(TARGET_NUM_VDEVS);
-        config.num_peers = __cpu_to_le32(TARGET_NUM_PEERS + TARGET_NUM_VDEVS);
+        config.num_peers = __cpu_to_le32(TARGET_NUM_PEERS);
        config.num_offload_peers = __cpu_to_le32(TARGET_NUM_OFFLOAD_PEERS);
        config.num_offload_reorder_bufs =
@@ -4187,9 +4237,9 @@ int ath10k_wmi_peer_assoc(struct ath10k *ar,
        if (test_bit(ATH10K_FW_FEATURE_WMI_10X, ar->fw_features)) {
                if (test_bit(ATH10K_FW_FEATURE_WMI_10_2, ar->fw_features))
-                        ath10k_wmi_peer_assoc_fill_10_1(ar, skb->data, arg);
-                else
                        ath10k_wmi_peer_assoc_fill_10_2(ar, skb->data, arg);
+                else
+                        ath10k_wmi_peer_assoc_fill_10_1(ar, skb->data, arg);
        } else {
                ath10k_wmi_peer_assoc_fill_main(ar, skb->data, arg);
        }
@@ -4398,7 +4448,6 @@ int ath10k_wmi_attach(struct ath10k *ar)
        init_completion(&ar->wmi.service_ready);
        init_completion(&ar->wmi.unified_ready);
-        init_waitqueue_head(&ar->wmi.tx_credits_wq);
        return 0;
 }
diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
index a38d788a6101..21391929d318 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.h
+++ b/drivers/net/wireless/ath/ath10k/wmi.h
@@ -222,128 +222,131 @@ static inline char *wmi_service_name(int service_id)
 #undef SVCSTR
 }
-#define WMI_SERVICE_IS_ENABLED(wmi_svc_bmap, svc_id) \
+#define WMI_SERVICE_IS_ENABLED(wmi_svc_bmap, svc_id, len) \
-        (__le32_to_cpu((wmi_svc_bmap)[(svc_id)/(sizeof(u32))]) & \
+        ((svc_id) < (len) && \
+         __le32_to_cpu((wmi_svc_bmap)[(svc_id)/(sizeof(u32))]) & \
         BIT((svc_id)%(sizeof(u32))))
-#define SVCMAP(x, y) \
+#define SVCMAP(x, y, len) \
        do { \
-                if (WMI_SERVICE_IS_ENABLED((in), (x))) \
+                if (WMI_SERVICE_IS_ENABLED((in), (x), (len))) \
                        __set_bit(y, out); \
        } while (0)
-static inline void wmi_10x_svc_map(const __le32 *in, unsigned long *out)
+static inline void wmi_10x_svc_map(const __le32 *in, unsigned long *out,
+                                   size_t len)
 {
        SVCMAP(WMI_10X_SERVICE_BEACON_OFFLOAD,
-               WMI_SERVICE_BEACON_OFFLOAD);
+               WMI_SERVICE_BEACON_OFFLOAD, len);
        SVCMAP(WMI_10X_SERVICE_SCAN_OFFLOAD,
-               WMI_SERVICE_SCAN_OFFLOAD);
+               WMI_SERVICE_SCAN_OFFLOAD, len);
        SVCMAP(WMI_10X_SERVICE_ROAM_OFFLOAD,
-               WMI_SERVICE_ROAM_OFFLOAD);
+               WMI_SERVICE_ROAM_OFFLOAD, len);
        SVCMAP(WMI_10X_SERVICE_BCN_MISS_OFFLOAD,
-               WMI_SERVICE_BCN_MISS_OFFLOAD);
+               WMI_SERVICE_BCN_MISS_OFFLOAD, len);
        SVCMAP(WMI_10X_SERVICE_STA_PWRSAVE,
-               WMI_SERVICE_STA_PWRSAVE);
+               WMI_SERVICE_STA_PWRSAVE, len);
        SVCMAP(WMI_10X_SERVICE_STA_ADVANCED_PWRSAVE,
-               WMI_SERVICE_STA_ADVANCED_PWRSAVE);
+               WMI_SERVICE_STA_ADVANCED_PWRSAVE, len);
        SVCMAP(WMI_10X_SERVICE_AP_UAPSD,
-               WMI_SERVICE_AP_UAPSD);
+               WMI_SERVICE_AP_UAPSD, len);
        SVCMAP(WMI_10X_SERVICE_AP_DFS,
-               WMI_SERVICE_AP_DFS);
+               WMI_SERVICE_AP_DFS, len);
        SVCMAP(WMI_10X_SERVICE_11AC,
-               WMI_SERVICE_11AC);
+               WMI_SERVICE_11AC, len);
        SVCMAP(WMI_10X_SERVICE_BLOCKACK,
-               WMI_SERVICE_BLOCKACK);
+               WMI_SERVICE_BLOCKACK, len);
        SVCMAP(WMI_10X_SERVICE_PHYERR,
-               WMI_SERVICE_PHYERR);
+               WMI_SERVICE_PHYERR, len);
        SVCMAP(WMI_10X_SERVICE_BCN_FILTER,
-               WMI_SERVICE_BCN_FILTER);
+               WMI_SERVICE_BCN_FILTER, len);
        SVCMAP(WMI_10X_SERVICE_RTT,
-               WMI_SERVICE_RTT);
+               WMI_SERVICE_RTT, len);
        SVCMAP(WMI_10X_SERVICE_RATECTRL,
-               WMI_SERVICE_RATECTRL);
+               WMI_SERVICE_RATECTRL, len);
        SVCMAP(WMI_10X_SERVICE_WOW,
-               WMI_SERVICE_WOW);
+               WMI_SERVICE_WOW, len);
        SVCMAP(WMI_10X_SERVICE_RATECTRL_CACHE,
-               WMI_SERVICE_RATECTRL_CACHE);
+               WMI_SERVICE_RATECTRL_CACHE, len);
        SVCMAP(WMI_10X_SERVICE_IRAM_TIDS,
-               WMI_SERVICE_IRAM_TIDS);
+               WMI_SERVICE_IRAM_TIDS, len);
        SVCMAP(WMI_10X_SERVICE_BURST,
-               WMI_SERVICE_BURST);
+               WMI_SERVICE_BURST, len);
        SVCMAP(WMI_10X_SERVICE_SMART_ANTENNA_SW_SUPPORT,
-               WMI_SERVICE_SMART_ANTENNA_SW_SUPPORT);
+               WMI_SERVICE_SMART_ANTENNA_SW_SUPPORT, len);
        SVCMAP(WMI_10X_SERVICE_FORCE_FW_HANG,
-               WMI_SERVICE_FORCE_FW_HANG);
+               WMI_SERVICE_FORCE_FW_HANG, len);
        SVCMAP(WMI_10X_SERVICE_SMART_ANTENNA_HW_SUPPORT,
-               WMI_SERVICE_SMART_ANTENNA_HW_SUPPORT);
+               WMI_SERVICE_SMART_ANTENNA_HW_SUPPORT, len);
 }
-static inline void wmi_main_svc_map(const __le32 *in, unsigned long *out)
+static inline void wmi_main_svc_map(const __le32 *in, unsigned long *out,
+                                    size_t len)
 {
        SVCMAP(WMI_MAIN_SERVICE_BEACON_OFFLOAD,
-               WMI_SERVICE_BEACON_OFFLOAD);
+               WMI_SERVICE_BEACON_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_SCAN_OFFLOAD,
-               WMI_SERVICE_SCAN_OFFLOAD);
+               WMI_SERVICE_SCAN_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_ROAM_OFFLOAD,
-               WMI_SERVICE_ROAM_OFFLOAD);
+               WMI_SERVICE_ROAM_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_BCN_MISS_OFFLOAD,
-               WMI_SERVICE_BCN_MISS_OFFLOAD);
+               WMI_SERVICE_BCN_MISS_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_PWRSAVE,
-               WMI_SERVICE_STA_PWRSAVE);
+               WMI_SERVICE_STA_PWRSAVE, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_ADVANCED_PWRSAVE,
-               WMI_SERVICE_STA_ADVANCED_PWRSAVE);
+               WMI_SERVICE_STA_ADVANCED_PWRSAVE, len);
        SVCMAP(WMI_MAIN_SERVICE_AP_UAPSD,
-               WMI_SERVICE_AP_UAPSD);
+               WMI_SERVICE_AP_UAPSD, len);
        SVCMAP(WMI_MAIN_SERVICE_AP_DFS,
-               WMI_SERVICE_AP_DFS);
+               WMI_SERVICE_AP_DFS, len);
        SVCMAP(WMI_MAIN_SERVICE_11AC,
-               WMI_SERVICE_11AC);
+               WMI_SERVICE_11AC, len);
        SVCMAP(WMI_MAIN_SERVICE_BLOCKACK,
-               WMI_SERVICE_BLOCKACK);
+               WMI_SERVICE_BLOCKACK, len);
        SVCMAP(WMI_MAIN_SERVICE_PHYERR,
-               WMI_SERVICE_PHYERR);
+               WMI_SERVICE_PHYERR, len);
        SVCMAP(WMI_MAIN_SERVICE_BCN_FILTER,
-               WMI_SERVICE_BCN_FILTER);
+               WMI_SERVICE_BCN_FILTER, len);
        SVCMAP(WMI_MAIN_SERVICE_RTT,
-               WMI_SERVICE_RTT);
+               WMI_SERVICE_RTT, len);
        SVCMAP(WMI_MAIN_SERVICE_RATECTRL,
-               WMI_SERVICE_RATECTRL);
+               WMI_SERVICE_RATECTRL, len);
        SVCMAP(WMI_MAIN_SERVICE_WOW,
-               WMI_SERVICE_WOW);
+               WMI_SERVICE_WOW, len);
        SVCMAP(WMI_MAIN_SERVICE_RATECTRL_CACHE,
-               WMI_SERVICE_RATECTRL_CACHE);
+               WMI_SERVICE_RATECTRL_CACHE, len);
        SVCMAP(WMI_MAIN_SERVICE_IRAM_TIDS,
-               WMI_SERVICE_IRAM_TIDS);
+               WMI_SERVICE_IRAM_TIDS, len);
        SVCMAP(WMI_MAIN_SERVICE_ARPNS_OFFLOAD,
-               WMI_SERVICE_ARPNS_OFFLOAD);
+               WMI_SERVICE_ARPNS_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_NLO,
-               WMI_SERVICE_NLO);
+               WMI_SERVICE_NLO, len);
        SVCMAP(WMI_MAIN_SERVICE_GTK_OFFLOAD,
-               WMI_SERVICE_GTK_OFFLOAD);
+               WMI_SERVICE_GTK_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_SCAN_SCH,
-               WMI_SERVICE_SCAN_SCH);
+               WMI_SERVICE_SCAN_SCH, len);
        SVCMAP(WMI_MAIN_SERVICE_CSA_OFFLOAD,
-               WMI_SERVICE_CSA_OFFLOAD);
+               WMI_SERVICE_CSA_OFFLOAD, len);
        SVCMAP(WMI_MAIN_SERVICE_CHATTER,
-               WMI_SERVICE_CHATTER);
+               WMI_SERVICE_CHATTER, len);
        SVCMAP(WMI_MAIN_SERVICE_COEX_FREQAVOID,
-               WMI_SERVICE_COEX_FREQAVOID);
+               WMI_SERVICE_COEX_FREQAVOID, len);
        SVCMAP(WMI_MAIN_SERVICE_PACKET_POWER_SAVE,
-               WMI_SERVICE_PACKET_POWER_SAVE);
+               WMI_SERVICE_PACKET_POWER_SAVE, len);
        SVCMAP(WMI_MAIN_SERVICE_FORCE_FW_HANG,
-               WMI_SERVICE_FORCE_FW_HANG);
+               WMI_SERVICE_FORCE_FW_HANG, len);
        SVCMAP(WMI_MAIN_SERVICE_GPIO,
-               WMI_SERVICE_GPIO);
+               WMI_SERVICE_GPIO, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_DTIM_PS_MODULATED_DTIM,
-               WMI_SERVICE_STA_DTIM_PS_MODULATED_DTIM);
+               WMI_SERVICE_STA_DTIM_PS_MODULATED_DTIM, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_UAPSD_BASIC_AUTO_TRIG,
-               WMI_SERVICE_STA_UAPSD_BASIC_AUTO_TRIG);
+               WMI_SERVICE_STA_UAPSD_BASIC_AUTO_TRIG, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_UAPSD_VAR_AUTO_TRIG,
-               WMI_SERVICE_STA_UAPSD_VAR_AUTO_TRIG);
+               WMI_SERVICE_STA_UAPSD_VAR_AUTO_TRIG, len);
        SVCMAP(WMI_MAIN_SERVICE_STA_KEEP_ALIVE,
-               WMI_SERVICE_STA_KEEP_ALIVE);
+               WMI_SERVICE_STA_KEEP_ALIVE, len);
        SVCMAP(WMI_MAIN_SERVICE_TX_ENCAP,
-               WMI_SERVICE_TX_ENCAP);
+               WMI_SERVICE_TX_ENCAP, len);
 }
 #undef SVCMAP
@@ -1952,6 +1955,11 @@ struct wmi_ssid_list {
 #define WLAN_SCAN_PARAMS_MAX_BSSID   4
 #define WLAN_SCAN_PARAMS_MAX_IE_LEN  256
+/* Values lower than this may be refused by some firmware revisions with a scan
+ * completion with a timedout reason.
+ */
+#define WMI_SCAN_CHAN_MIN_TIME_MSEC 40
 /* Scan priority numbers must be sequential, starting with 0 */
 enum wmi_scan_priority {
        WMI_SCAN_PRIORITY_VERY_LOW = 0,
@@ -4547,7 +4555,6 @@ struct wmi_dbglog_cfg_cmd {
        __le32 config_valid;
 } __packed;
-#define ATH10K_RTS_MAX          2347
 #define ATH10K_FRAGMT_THRESHOLD_MIN     540
 #define ATH10K_FRAGMT_THRESHOLD_MAX     2346
@@ -4572,6 +4579,7 @@ struct wmi_svc_rdy_ev_arg {
        __le32 eeprom_rd;
        __le32 num_mem_reqs;
        const __le32 *service_map;
+        size_t service_map_len;
        const struct wlan_host_mem_req *mem_reqs[WMI_MAX_MEM_REQS];
 };
diff --git a/drivers/net/wireless/ath/ath5k/mac80211-ops.c b/drivers/net/wireless/ath/ath5k/mac80211-ops.c
index ab2709a43768..19eab2a69ad5 100644
--- a/drivers/net/wireless/ath/ath5k/mac80211-ops.c
+++ b/drivers/net/wireless/ath/ath5k/mac80211-ops.c
@@ -547,7 +547,9 @@ ath5k_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 static void
-ath5k_sw_scan_start(struct ieee80211_hw *hw)
+ath5k_sw_scan_start(struct ieee80211_hw *hw,
+                    struct ieee80211_vif *vif,
+                    const u8 *mac_addr)
 {
        struct ath5k_hw *ah = hw->priv;
        if (!ah->assoc)
@@ -556,7 +558,7 @@ ath5k_sw_scan_start(struct ieee80211_hw *hw)
 static void
-ath5k_sw_scan_complete(struct ieee80211_hw *hw)
+ath5k_sw_scan_complete(struct ieee80211_hw *hw, struct ieee80211_vif *vif)
 {
        struct ath5k_hw *ah = hw->priv;
        ath5k_hw_set_ledstate(ah, ah->assoc ?
diff --git a/drivers/net/wireless/ath/ath5k/qcu.c b/drivers/net/wireless/ath/ath5k/qcu.c
index 0583c69d26db..ddaad712c59a 100644
--- a/drivers/net/wireless/ath/ath5k/qcu.c
+++ b/drivers/net/wireless/ath/ath5k/qcu.c
@@ -225,13 +225,7 @@ ath5k_hw_setup_tx_queue(struct ath5k_hw *ah, enum ath5k_tx_queue queue_type,
        } else {
                switch (queue_type) {
                case AR5K_TX_QUEUE_DATA:
-                        for (queue = AR5K_TX_QUEUE_ID_DATA_MIN;
+                        queue = queue_info->tqi_subtype;
-                                ah->ah_txq[queue].tqi_type !=
-                                AR5K_TX_QUEUE_INACTIVE; queue++) {
-                                if (queue > AR5K_TX_QUEUE_ID_DATA_MAX)
-                                        return -EINVAL;
-                        }
                        break;
                case AR5K_TX_QUEUE_UAPSD:
                        queue = AR5K_TX_QUEUE_ID_UAPSD;
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index ba60e37213eb..7a5337877a0c 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -2976,11 +2976,11 @@ static int ath6kl_stop_ap(struct wiphy *wiphy, struct net_device *dev)
 static const u8 bcast_addr[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 static int ath6kl_del_station(struct wiphy *wiphy, struct net_device *dev,
-                              const u8 *mac)
+                              struct station_del_parameters *params)
 {
        struct ath6kl *ar = ath6kl_priv(dev);
        struct ath6kl_vif *vif = netdev_priv(dev);
-        const u8 *addr = mac ? mac : bcast_addr;
+        const u8 *addr = params->mac ? params->mac : bcast_addr;
        return ath6kl_wmi_ap_set_mlme(ar->wmi, vif->fw_vif_idx, WMI_AP_DEAUTH,
                                      addr, WLAN_REASON_PREV_AUTH_NOT_VALID);
diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
index a6a5e40b3e98..9da3594fd010 100644
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
@@ -1193,18 +1193,10 @@ static int ath6kl_usb_pm_resume(struct usb_interface *interface)
        return 0;
 }
-static int ath6kl_usb_pm_reset_resume(struct usb_interface *intf)
-{
-        if (usb_get_intfdata(intf))
-                ath6kl_usb_remove(intf);
-        return 0;
-}
 #else
 #define ath6kl_usb_pm_suspend NULL
 #define ath6kl_usb_pm_resume NULL
-#define ath6kl_usb_pm_reset_resume NULL
 #endif
@@ -1222,7 +1214,6 @@ static struct usb_driver ath6kl_usb_driver = {
        .probe = ath6kl_usb_probe,
        .suspend = ath6kl_usb_pm_suspend,
        .resume = ath6kl_usb_pm_resume,
-        .reset_resume = ath6kl_usb_pm_reset_resume,
        .disconnect = ath6kl_usb_remove,
        .id_table = ath6kl_usb_ids,
        .supports_autosuspend = true,
diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig
index ca101d7cb99f..fee0cadb0f5e 100644
--- a/drivers/net/wireless/ath/ath9k/Kconfig
+++ b/drivers/net/wireless/ath/ath9k/Kconfig
@@ -3,6 +3,8 @@ config ATH9K_HW
 config ATH9K_COMMON
        tristate
        select ATH_COMMON
+        select DEBUG_FS
+        select RELAY
 config ATH9K_DFS_DEBUGFS
        def_bool y
        depends on ATH9K_DEBUGFS && ATH9K_DFS_CERTIFIED
diff --git a/drivers/net/wireless/ath/ath9k/Makefile b/drivers/net/wireless/ath/ath9k/Makefile
index 22b934b07bd4..473972288a84 100644
--- a/drivers/net/wireless/ath/ath9k/Makefile
+++ b/drivers/net/wireless/ath/ath9k/Makefile
@@ -16,8 +16,7 @@ ath9k-$(CONFIG_ATH9K_DFS_CERTIFIED) += dfs.o
 ath9k-$(CONFIG_ATH9K_TX99) += tx99.o
 ath9k-$(CONFIG_ATH9K_WOW) += wow.o
-ath9k-$(CONFIG_ATH9K_DEBUGFS) += debug.o \
+ath9k-$(CONFIG_ATH9K_DEBUGFS) += debug.o
-                                 spectral.o
 ath9k-$(CONFIG_ATH9K_STATION_STATISTICS) += debug_sta.o
@@ -59,7 +58,8 @@ obj-$(CONFIG_ATH9K_COMMON) += ath9k_common.o
 ath9k_common-y:=        common.o \
                        common-init.o \
                        common-beacon.o \
-                        common-debug.o
+                        common-debug.o \
+                        common-spectral.o
 ath9k_htc-y +=  htc_hst.o \
                hif_usb.o \
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
index 2a93519f4bdf..f816909d9474 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
+++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
@@ -281,7 +281,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
        ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
                | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
-                | SM(i->txpower, AR_XmitPower0)
+                | SM(i->txpower[0], AR_XmitPower0)
                | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
                | (i->flags & ATH9K_TXDESC_INTREQ ? AR_TxIntrReq : 0)
                | (i->keyix != ATH9K_TXKEYIX_INVALID ? AR_DestIdxValid : 0)
@@ -307,9 +307,9 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
                | set11nRateFlags(i->rates, 3)
                | SM(i->rtscts_rate, AR_RTSCTSRate);
-        ACCESS_ONCE(ads->ds_ctl9) = SM(i->txpower, AR_XmitPower1);
+        ACCESS_ONCE(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
-        ACCESS_ONCE(ads->ds_ctl10) = SM(i->txpower, AR_XmitPower2);
+        ACCESS_ONCE(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
-        ACCESS_ONCE(ads->ds_ctl11) = SM(i->txpower, AR_XmitPower3);
+        ACCESS_ONCE(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
 }
 static int ar9002_hw_proc_txdesc(struct ath_hw *ah, void *ds,
diff --git a/drivers/net/wireless/ath/ath9k/ar9002_phy.c b/drivers/net/wireless/ath/ath9k/ar9002_phy.c
index 9a2afa2c690b..fc08162b5820 100644
--- a/drivers/net/wireless/ath/ath9k/ar9002_phy.c
+++ b/drivers/net/wireless/ath/ath9k/ar9002_phy.c
@@ -643,9 +643,12 @@ static void ar9002_hw_spectral_scan_config(struct ath_hw *ah,
         * and fix otherwise.
         */
        count = param->count;
-        if (param->endless)
+        if (param->endless) {
-                count = 0x80;
+                if (AR_SREV_9271(ah))
-        else if (count & 0x80)
+                        count = 0;
+                else
+                        count = 0x80;
+        } else if (count & 0x80)
                count = 0x7f;
        REG_RMW_FIELD(ah, AR_PHY_SPECTRAL_SCAN,
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index 80c6eacbda53..08225a0067c2 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -4079,27 +4079,28 @@ static int ar9003_hw_get_thermometer(struct ath_hw *ah)
 static void ar9003_hw_thermometer_apply(struct ath_hw *ah)
 {
+        struct ath9k_hw_capabilities *pCap = &ah->caps;
        int thermometer = ar9003_hw_get_thermometer(ah);
        u8 therm_on = (thermometer < 0) ? 0 : 1;
        REG_RMW_FIELD(ah, AR_PHY_65NM_CH0_RXTX4,
                      AR_PHY_65NM_CH0_RXTX4_THERM_ON_OVR, therm_on);
-        if (ah->caps.tx_chainmask & BIT(1))
+        if (pCap->chip_chainmask & BIT(1))
                REG_RMW_FIELD(ah, AR_PHY_65NM_CH1_RXTX4,
                              AR_PHY_65NM_CH0_RXTX4_THERM_ON_OVR, therm_on);
-        if (ah->caps.tx_chainmask & BIT(2))
+        if (pCap->chip_chainmask & BIT(2))
                REG_RMW_FIELD(ah, AR_PHY_65NM_CH2_RXTX4,
                              AR_PHY_65NM_CH0_RXTX4_THERM_ON_OVR, therm_on);
        therm_on = (thermometer < 0) ? 0 : (thermometer == 0);
        REG_RMW_FIELD(ah, AR_PHY_65NM_CH0_RXTX4,
                      AR_PHY_65NM_CH0_RXTX4_THERM_ON, therm_on);
-        if (ah->caps.tx_chainmask & BIT(1)) {
+        if (pCap->chip_chainmask & BIT(1)) {
                therm_on = (thermometer < 0) ? 0 : (thermometer == 1);
                REG_RMW_FIELD(ah, AR_PHY_65NM_CH1_RXTX4,
                              AR_PHY_65NM_CH0_RXTX4_THERM_ON, therm_on);
        }
-        if (ah->caps.tx_chainmask & BIT(2)) {
+        if (pCap->chip_chainmask & BIT(2)) {
                therm_on = (thermometer < 0) ? 0 : (thermometer == 2);
                REG_RMW_FIELD(ah, AR_PHY_65NM_CH2_RXTX4,
                              AR_PHY_65NM_CH0_RXTX4_THERM_ON, therm_on);
@@ -4376,6 +4377,25 @@ static u8 ar9003_hw_eeprom_get_cck_tgt_pwr(struct ath_hw *ah,
                                                 targetPowerArray, numPiers);
 }
+static void ar9003_hw_selfgen_tpc_txpower(struct ath_hw *ah,
+                                          struct ath9k_channel *chan,
+                                          u8 *pwr_array)
+{
+        u32 val;
+        /* target power values for self generated frames (ACK,RTS/CTS) */
+        if (IS_CHAN_2GHZ(chan)) {
+                val = SM(pwr_array[ALL_TARGET_LEGACY_1L_5L], AR_TPC_ACK) |
+                      SM(pwr_array[ALL_TARGET_LEGACY_1L_5L], AR_TPC_CTS) |
+                      SM(0x3f, AR_TPC_CHIRP) | SM(0x3f, AR_TPC_RPT);
+        } else {
+                val = SM(pwr_array[ALL_TARGET_LEGACY_6_24], AR_TPC_ACK) |
+                      SM(pwr_array[ALL_TARGET_LEGACY_6_24], AR_TPC_CTS) |
+                      SM(0x3f, AR_TPC_CHIRP) | SM(0x3f, AR_TPC_RPT);
+        }
+        REG_WRITE(ah, AR_TPC, val);
+}
 /* Set tx power registers to array of values passed in */
 static int ar9003_hw_tx_power_regwrite(struct ath_hw *ah, u8 * pPwrArray)
 {
@@ -5311,6 +5331,7 @@ static void ath9k_hw_ar9300_set_txpower(struct ath_hw *ah,
        struct ar9300_modal_eep_header *modal_hdr;
        u8 targetPowerValT2[ar9300RateSize];
        u8 target_power_val_t2_eep[ar9300RateSize];
+        u8 targetPowerValT2_tpc[ar9300RateSize];
        unsigned int i = 0, paprd_scale_factor = 0;
        u8 pwr_idx, min_pwridx = 0;
@@ -5362,6 +5383,9 @@ static void ath9k_hw_ar9300_set_txpower(struct ath_hw *ah,
                                           twiceAntennaReduction,
                                           powerLimit);
+        memcpy(targetPowerValT2_tpc, targetPowerValT2,
+               sizeof(targetPowerValT2));
        if (ar9003_is_paprd_enabled(ah)) {
                for (i = 0; i < ar9300RateSize; i++) {
                        if ((ah->paprd_ratemask & (1 << i)) &&
@@ -5395,6 +5419,30 @@ static void ath9k_hw_ar9300_set_txpower(struct ath_hw *ah,
        ar9003_hw_tx_power_regwrite(ah, targetPowerValT2);
        ar9003_hw_calibration_apply(ah, chan->channel);
        ar9003_paprd_set_txpower(ah, chan, targetPowerValT2);
+        ar9003_hw_selfgen_tpc_txpower(ah, chan, targetPowerValT2);
+        /* TPC initializations */
+        if (ah->tpc_enabled) {
+                u32 val;
+                ar9003_hw_init_rate_txpower(ah, targetPowerValT2_tpc, chan);
+                /* Enable TPC */
+                REG_WRITE(ah, AR_PHY_PWRTX_MAX,
+                          AR_PHY_POWER_TX_RATE_MAX_TPC_ENABLE);
+                /* Disable per chain power reduction */
+                val = REG_READ(ah, AR_PHY_POWER_TX_SUB);
+                if (AR_SREV_9340(ah))
+                        REG_WRITE(ah, AR_PHY_POWER_TX_SUB,
+                                  val & 0xFFFFFFC0);
+                else
+                        REG_WRITE(ah, AR_PHY_POWER_TX_SUB,
+                                  val & 0xFFFFF000);
+        } else {
+                /* Disable TPC */
+                REG_WRITE(ah, AR_PHY_PWRTX_MAX, 0);
+        }
 }
 static u16 ath9k_hw_ar9300_get_spur_channel(struct ath_hw *ah,
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
index cb09102245b2..06ad2172030e 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
@@ -333,12 +333,29 @@ static void ar9003_hw_init_mode_regs(struct ath_hw *ah)
                               qca953x_1p0_soc_preamble);
                INIT_INI_ARRAY(&ah->iniSOC[ATH_INI_POST],
                               qca953x_1p0_soc_postamble);
-                INIT_INI_ARRAY(&ah->iniModesRxGain,
-                               qca953x_1p0_common_wo_xlna_rx_gain_table);
+                if (AR_SREV_9531_20(ah)) {
-                INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
+                        INIT_INI_ARRAY(&ah->iniModesRxGain,
-                               qca953x_1p0_common_wo_xlna_rx_gain_bounds);
+                                       qca953x_2p0_common_wo_xlna_rx_gain_table);
-                INIT_INI_ARRAY(&ah->iniModesTxGain,
+                        INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
-                               qca953x_1p0_modes_no_xpa_tx_gain_table);
+                                       qca953x_2p0_common_wo_xlna_rx_gain_bounds);
+                } else {
+                        INIT_INI_ARRAY(&ah->iniModesRxGain,
+                                       qca953x_1p0_common_wo_xlna_rx_gain_table);
+                        INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
+                                       qca953x_1p0_common_wo_xlna_rx_gain_bounds);
+                }
+                if (AR_SREV_9531_20(ah))
+                        INIT_INI_ARRAY(&ah->iniModesTxGain,
+                                       qca953x_2p0_modes_no_xpa_tx_gain_table);
+                else if (AR_SREV_9531_11(ah))
+                        INIT_INI_ARRAY(&ah->iniModesTxGain,
+                                       qca953x_1p1_modes_no_xpa_tx_gain_table);
+                else
+                        INIT_INI_ARRAY(&ah->iniModesTxGain,
+                                       qca953x_1p0_modes_no_xpa_tx_gain_table);
                INIT_INI_ARRAY(&ah->iniModesFastClock,
                               qca953x_1p0_modes_fast_clock);
        } else if (AR_SREV_9580(ah)) {
@@ -518,9 +535,15 @@ static void ar9003_tx_gain_table_mode0(struct ath_hw *ah)
        else if (AR_SREV_9550(ah))
                INIT_INI_ARRAY(&ah->iniModesTxGain,
                        ar955x_1p0_modes_xpa_tx_gain_table);
-        else if (AR_SREV_9531(ah))
+        else if (AR_SREV_9531_10(ah))
+                INIT_INI_ARRAY(&ah->iniModesTxGain,
+                               qca953x_1p0_modes_xpa_tx_gain_table);
+        else if (AR_SREV_9531_11(ah))
                INIT_INI_ARRAY(&ah->iniModesTxGain,
-                        qca953x_1p0_modes_xpa_tx_gain_table);
+                               qca953x_1p1_modes_xpa_tx_gain_table);
+        else if (AR_SREV_9531_20(ah))
+                INIT_INI_ARRAY(&ah->iniModesTxGain,
+                               qca953x_2p0_modes_xpa_tx_gain_table);
        else if (AR_SREV_9580(ah))
                INIT_INI_ARRAY(&ah->iniModesTxGain,
                        ar9580_1p0_lowest_ob_db_tx_gain_table);
@@ -562,7 +585,10 @@ static void ar9003_tx_gain_table_mode1(struct ath_hw *ah)
                INIT_INI_ARRAY(&ah->iniModesTxGain,
                        ar955x_1p0_modes_no_xpa_tx_gain_table);
        else if (AR_SREV_9531(ah)) {
-                if (AR_SREV_9531_11(ah))
+                if (AR_SREV_9531_20(ah))
+                        INIT_INI_ARRAY(&ah->iniModesTxGain,
+                                       qca953x_2p0_modes_no_xpa_tx_gain_table);
+                else if (AR_SREV_9531_11(ah))
                        INIT_INI_ARRAY(&ah->iniModesTxGain,
                                       qca953x_1p1_modes_no_xpa_tx_gain_table);
                else
@@ -789,11 +815,16 @@ static void ar9003_rx_gain_table_mode1(struct ath_hw *ah)
                        ar955x_1p0_common_wo_xlna_rx_gain_table);
                INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
                        ar955x_1p0_common_wo_xlna_rx_gain_bounds);
-        } else if (AR_SREV_9531(ah)) {
+        } else if (AR_SREV_9531_10(ah) || AR_SREV_9531_11(ah)) {
                INIT_INI_ARRAY(&ah->iniModesRxGain,
                               qca953x_1p0_common_wo_xlna_rx_gain_table);
                INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
                               qca953x_1p0_common_wo_xlna_rx_gain_bounds);
+        } else if (AR_SREV_9531_20(ah)) {
+                INIT_INI_ARRAY(&ah->iniModesRxGain,
+                               qca953x_2p0_common_wo_xlna_rx_gain_table);
+                INIT_INI_ARRAY(&ah->ini_modes_rx_gain_bounds,
+                               qca953x_2p0_common_wo_xlna_rx_gain_bounds);
        } else if (AR_SREV_9580(ah))
                INIT_INI_ARRAY(&ah->iniModesRxGain,
                        ar9580_1p0_wo_xlna_rx_gain_table);
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
index 057b1657c428..da84b705cbcd 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
@@ -101,7 +101,7 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
        ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen)
                | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
-                | SM(i->txpower, AR_XmitPower0)
+                | SM(i->txpower[0], AR_XmitPower0)
                | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
                | (i->keyix != ATH9K_TXKEYIX_INVALID ? AR_DestIdxValid : 0)
                | (i->flags & ATH9K_TXDESC_LOWRXCHAIN ? AR_LowRxChain : 0)
@@ -152,9 +152,9 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
        ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding;
-        ACCESS_ONCE(ads->ctl20) = SM(i->txpower, AR_XmitPower1);
+        ACCESS_ONCE(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
-        ACCESS_ONCE(ads->ctl21) = SM(i->txpower, AR_XmitPower2);
+        ACCESS_ONCE(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
-        ACCESS_ONCE(ads->ctl22) = SM(i->txpower, AR_XmitPower3);
+        ACCESS_ONCE(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
 }
 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
index 9bdaa0afc37f..ae6cde273414 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
@@ -18,6 +18,21 @@
 #include "hw.h"
 #include "ar9003_phy.h"
+#define AR9300_OFDM_RATES       8
+#define AR9300_HT_SS_RATES      8
+#define AR9300_HT_DS_RATES      8
+#define AR9300_HT_TS_RATES      8
+#define AR9300_11NA_OFDM_SHIFT          0
+#define AR9300_11NA_HT_SS_SHIFT         8
+#define AR9300_11NA_HT_DS_SHIFT         16
+#define AR9300_11NA_HT_TS_SHIFT         24
+#define AR9300_11NG_OFDM_SHIFT          4
+#define AR9300_11NG_HT_SS_SHIFT         12
+#define AR9300_11NG_HT_DS_SHIFT         20
+#define AR9300_11NG_HT_TS_SHIFT         28
 static const int firstep_table[] =
 /* level:  0   1   2   3   4   5   6   7   8  */
        { -4, -2,  0,  2,  4,  6,  8, 10, 12 }; /* lvl 0-8, default 2 */
@@ -40,6 +55,71 @@ static const int m2ThreshLowExt_off = 127;
 static const int m1ThreshExt_off = 127;
 static const int m2ThreshExt_off = 127;
+static const u8 ofdm2pwr[] = {
+        ALL_TARGET_LEGACY_6_24,
+        ALL_TARGET_LEGACY_6_24,
+        ALL_TARGET_LEGACY_6_24,
+        ALL_TARGET_LEGACY_6_24,
+        ALL_TARGET_LEGACY_6_24,
+        ALL_TARGET_LEGACY_36,
+        ALL_TARGET_LEGACY_48,
+        ALL_TARGET_LEGACY_54
+};
+static const u8 mcs2pwr_ht20[] = {
+        ALL_TARGET_HT20_0_8_16,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_4,
+        ALL_TARGET_HT20_5,
+        ALL_TARGET_HT20_6,
+        ALL_TARGET_HT20_7,
+        ALL_TARGET_HT20_0_8_16,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_12,
+        ALL_TARGET_HT20_13,
+        ALL_TARGET_HT20_14,
+        ALL_TARGET_HT20_15,
+        ALL_TARGET_HT20_0_8_16,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_1_3_9_11_17_19,
+        ALL_TARGET_HT20_20,
+        ALL_TARGET_HT20_21,
+        ALL_TARGET_HT20_22,
+        ALL_TARGET_HT20_23
+};
+static const u8 mcs2pwr_ht40[] = {
+        ALL_TARGET_HT40_0_8_16,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_4,
+        ALL_TARGET_HT40_5,
+        ALL_TARGET_HT40_6,
+        ALL_TARGET_HT40_7,
+        ALL_TARGET_HT40_0_8_16,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_12,
+        ALL_TARGET_HT40_13,
+        ALL_TARGET_HT40_14,
+        ALL_TARGET_HT40_15,
+        ALL_TARGET_HT40_0_8_16,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_1_3_9_11_17_19,
+        ALL_TARGET_HT40_20,
+        ALL_TARGET_HT40_21,
+        ALL_TARGET_HT40_22,
+        ALL_TARGET_HT40_23,
+};
 /**
 * ar9003_hw_set_channel - set channel on single-chip device
 * @ah: atheros hardware structure
@@ -664,6 +744,19 @@ static void ar9003_hw_override_ini(struct ath_hw *ah)
                ah->enabled_cals |= TX_CL_CAL;
        else
                ah->enabled_cals &= ~TX_CL_CAL;
+        if (AR_SREV_9340(ah) || AR_SREV_9531(ah) || AR_SREV_9550(ah)) {
+                if (ah->is_clk_25mhz) {
+                        REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
+                        REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
+                        REG_WRITE(ah, AR_SLP32_INC, 0x0001e7ae);
+                } else {
+                        REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
+                        REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
+                        REG_WRITE(ah, AR_SLP32_INC, 0x0001e800);
+                }
+                udelay(100);
+        }
 }
 static void ar9003_hw_prog_ini(struct ath_hw *ah,
@@ -1786,6 +1879,100 @@ static void ar9003_hw_tx99_set_txpower(struct ath_hw *ah, u8 txpower)
                  ATH9K_POW_SM(p_pwr_array[ALL_TARGET_HT40_14],  0));
 }
+static void ar9003_hw_init_txpower_cck(struct ath_hw *ah, u8 *rate_array)
+{
+        ah->tx_power[0] = rate_array[ALL_TARGET_LEGACY_1L_5L];
+        ah->tx_power[1] = rate_array[ALL_TARGET_LEGACY_1L_5L];
+        ah->tx_power[2] = min(rate_array[ALL_TARGET_LEGACY_1L_5L],
+                              rate_array[ALL_TARGET_LEGACY_5S]);
+        ah->tx_power[3] = min(rate_array[ALL_TARGET_LEGACY_11L],
+                              rate_array[ALL_TARGET_LEGACY_11S]);
+}
+static void ar9003_hw_init_txpower_ofdm(struct ath_hw *ah, u8 *rate_array,
+                                        int offset)
+{
+        int i, j;
+        for (i = offset; i < offset + AR9300_OFDM_RATES; i++) {
+                /* OFDM rate to power table idx */
+                j = ofdm2pwr[i - offset];
+                ah->tx_power[i] = rate_array[j];
+        }
+}
+static void ar9003_hw_init_txpower_ht(struct ath_hw *ah, u8 *rate_array,
+                                      int ss_offset, int ds_offset,
+                                      int ts_offset, bool is_40)
+{
+        int i, j, mcs_idx = 0;
+        const u8 *mcs2pwr = (is_40) ? mcs2pwr_ht40 : mcs2pwr_ht20;
+        for (i = ss_offset; i < ss_offset + AR9300_HT_SS_RATES; i++) {
+                j = mcs2pwr[mcs_idx];
+                ah->tx_power[i] = rate_array[j];
+                mcs_idx++;
+        }
+        for (i = ds_offset; i < ds_offset + AR9300_HT_DS_RATES; i++) {
+                j = mcs2pwr[mcs_idx];
+                ah->tx_power[i] = rate_array[j];
+                mcs_idx++;
+        }
+        for (i = ts_offset; i < ts_offset + AR9300_HT_TS_RATES; i++) {
+                j = mcs2pwr[mcs_idx];
+                ah->tx_power[i] = rate_array[j];
+                mcs_idx++;
+        }
+}
+static void ar9003_hw_init_txpower_stbc(struct ath_hw *ah, int ss_offset,
+                                        int ds_offset, int ts_offset)
+{
+        memcpy(&ah->tx_power_stbc[ss_offset], &ah->tx_power[ss_offset],
+               AR9300_HT_SS_RATES);
+        memcpy(&ah->tx_power_stbc[ds_offset], &ah->tx_power[ds_offset],
+               AR9300_HT_DS_RATES);
+        memcpy(&ah->tx_power_stbc[ts_offset], &ah->tx_power[ts_offset],
+               AR9300_HT_TS_RATES);
+}
+void ar9003_hw_init_rate_txpower(struct ath_hw *ah, u8 *rate_array,
+                                 struct ath9k_channel *chan)
+{
+        if (IS_CHAN_5GHZ(chan)) {
+                ar9003_hw_init_txpower_ofdm(ah, rate_array,
+                                            AR9300_11NA_OFDM_SHIFT);
+                if (IS_CHAN_HT20(chan) || IS_CHAN_HT40(chan)) {
+                        ar9003_hw_init_txpower_ht(ah, rate_array,
+                                                  AR9300_11NA_HT_SS_SHIFT,
+                                                  AR9300_11NA_HT_DS_SHIFT,
+                                                  AR9300_11NA_HT_TS_SHIFT,
+                                                  IS_CHAN_HT40(chan));
+                        ar9003_hw_init_txpower_stbc(ah,
+                                                    AR9300_11NA_HT_SS_SHIFT,
+                                                    AR9300_11NA_HT_DS_SHIFT,
+                                                    AR9300_11NA_HT_TS_SHIFT);
+                }
+        } else {
+                ar9003_hw_init_txpower_cck(ah, rate_array);
+                ar9003_hw_init_txpower_ofdm(ah, rate_array,
+                                            AR9300_11NG_OFDM_SHIFT);
+                if (IS_CHAN_HT20(chan) || IS_CHAN_HT40(chan)) {
+                        ar9003_hw_init_txpower_ht(ah, rate_array,
+                                                  AR9300_11NG_HT_SS_SHIFT,
+                                                  AR9300_11NG_HT_DS_SHIFT,
+                                                  AR9300_11NG_HT_TS_SHIFT,
+                                                  IS_CHAN_HT40(chan));
+                        ar9003_hw_init_txpower_stbc(ah,
+                                                    AR9300_11NG_HT_SS_SHIFT,
+                                                    AR9300_11NG_HT_DS_SHIFT,
+                                                    AR9300_11NG_HT_TS_SHIFT);
+                }
+        }
+}
 void ar9003_hw_attach_phy_ops(struct ath_hw *ah)
 {
        struct ath_hw_private_ops *priv_ops = ath9k_hw_private_ops(ah);
diff --git a/drivers/net/wireless/ath/ath9k/ar953x_initvals.h b/drivers/net/wireless/ath/ath9k/ar953x_initvals.h
index 812a9d787bf3..159cc6fd2362 100644
--- a/drivers/net/wireless/ath/ath9k/ar953x_initvals.h
+++ b/drivers/net/wireless/ath/ath9k/ar953x_initvals.h
@@ -20,6 +20,8 @@
 #define qca953x_1p0_mac_postamble ar9300_2p2_mac_postamble
+#define qca953x_1p0_soc_preamble ar955x_1p0_soc_preamble
 #define qca953x_1p0_soc_postamble ar9300_2p2_soc_postamble
 #define qca953x_1p0_common_rx_gain_table ar9300Common_rx_gain_table_2p2
@@ -28,6 +30,10 @@
 #define qca953x_1p0_modes_fast_clock ar9300Modes_fast_clock_2p2
+#define qca953x_1p0_common_wo_xlna_rx_gain_bounds ar955x_1p0_common_wo_xlna_rx_gain_bounds
+#define qca953x_1p0_common_rx_gain_bounds ar955x_1p0_common_rx_gain_bounds
 static const u32 qca953x_1p0_mac_core[][2] = {
        /* Addr      allmodes  */
        {0x00000008, 0x00000000},
@@ -490,35 +496,6 @@ static const u32 qca953x_1p0_radio_postamble[][5] = {
        {0x00016540, 0x10804008, 0x10804008, 0x50804000, 0x50804000},
 };
-static const u32 qca953x_1p0_soc_preamble[][2] = {
-        /* Addr      allmodes  */
-        {0x00007000, 0x00000000},
-        {0x00007004, 0x00000000},
-        {0x00007008, 0x00000000},
-        {0x0000700c, 0x00000000},
-        {0x0000701c, 0x00000000},
-        {0x00007020, 0x00000000},
-        {0x00007024, 0x00000000},
-        {0x00007028, 0x00000000},
-        {0x0000702c, 0x00000000},
-        {0x00007030, 0x00000000},
-        {0x00007034, 0x00000002},
-        {0x00007038, 0x000004c2},
-        {0x00007048, 0x00000000},
-};
-static const u32 qca953x_1p0_common_rx_gain_bounds[][5] = {
-        /* Addr      5G_HT20     5G_HT40     2G_HT40     2G_HT20   */
-        {0x00009e44, 0xfe321e27, 0xfe321e27, 0xfe291e27, 0xfe291e27},
-        {0x00009e48, 0x5030201a, 0x5030201a, 0x50302018, 0x50302018},
-};
-static const u32 qca953x_1p0_common_wo_xlna_rx_gain_bounds[][5] = {
-        /* Addr      5G_HT20     5G_HT40     2G_HT40     2G_HT20   */
-        {0x00009e44, 0xfe321e27, 0xfe321e27, 0xfe291e27, 0xfe291e27},
-        {0x00009e48, 0x5030201a, 0x5030201a, 0x50302012, 0x50302012},
-};
 static const u32 qca953x_1p0_modes_xpa_tx_gain_table[][2] = {
        /* Addr      allmodes  */
        {0x0000a2dc, 0xfffd5aaa},
@@ -715,8 +692,73 @@ static const u32 qca953x_1p1_modes_no_xpa_tx_gain_table[][2] = {
        {0x00016448, 0x6c927a70},
 };
+static const u32 qca953x_1p1_modes_xpa_tx_gain_table[][2] = {
+        /* Addr      allmodes  */
+        {0x0000a2dc, 0xfffb52aa},
+        {0x0000a2e0, 0xfffd64cc},
+        {0x0000a2e4, 0xfffe80f0},
+        {0x0000a2e8, 0xffffff00},
+        {0x0000a410, 0x000050d5},
+        {0x0000a500, 0x00000000},
+        {0x0000a504, 0x04000002},
+        {0x0000a508, 0x08000004},
+        {0x0000a50c, 0x0c000006},
+        {0x0000a510, 0x1000000a},
+        {0x0000a514, 0x1400000c},
+        {0x0000a518, 0x1800000e},
+        {0x0000a51c, 0x1c000048},
+        {0x0000a520, 0x2000004a},
+        {0x0000a524, 0x2400004c},
+        {0x0000a528, 0x2800004e},
+        {0x0000a52c, 0x2b00024a},
+        {0x0000a530, 0x2f00024c},
+        {0x0000a534, 0x3300024e},
+        {0x0000a538, 0x36000668},
+        {0x0000a53c, 0x38000669},
+        {0x0000a540, 0x3a000868},
+        {0x0000a544, 0x3d00086a},
+        {0x0000a548, 0x4000086c},
+        {0x0000a54c, 0x4200086e},
+        {0x0000a550, 0x43000a6e},
+        {0x0000a554, 0x43000a6e},
+        {0x0000a558, 0x43000a6e},
+        {0x0000a55c, 0x43000a6e},
+        {0x0000a560, 0x43000a6e},
+        {0x0000a564, 0x43000a6e},
+        {0x0000a568, 0x43000a6e},
+        {0x0000a56c, 0x43000a6e},
+        {0x0000a570, 0x43000a6e},
+        {0x0000a574, 0x43000a6e},
+        {0x0000a578, 0x43000a6e},
+        {0x0000a57c, 0x43000a6e},
+        {0x0000a600, 0x00000000},
+        {0x0000a604, 0x00000000},
+        {0x0000a608, 0x00000000},
+        {0x0000a60c, 0x03804000},
+        {0x0000a610, 0x03804e01},
+        {0x0000a614, 0x03804e01},
+        {0x0000a618, 0x03804e01},
+        {0x0000a61c, 0x04009002},
+        {0x0000a620, 0x04009002},
+        {0x0000a624, 0x04009002},
+        {0x0000a628, 0x04009002},
+        {0x0000a62c, 0x04009002},
+        {0x0000a630, 0x04009002},
+        {0x0000a634, 0x04009002},
+        {0x0000a638, 0x04009002},
+        {0x0000a63c, 0x04009002},
+        {0x0000b2dc, 0xfffb52aa},
+        {0x0000b2e0, 0xfffd64cc},
+        {0x0000b2e4, 0xfffe80f0},
+        {0x0000b2e8, 0xffffff00},
+        {0x00016044, 0x024922db},
+        {0x00016048, 0x6c927a70},
+        {0x00016444, 0x024922db},
+        {0x00016448, 0x6c927a70},
+};
 static const u32 qca953x_2p0_baseband_core[][2] = {
-        /* Addr      allmodes */
+        /* Addr      allmodes  */
        {0x00009800, 0xafe68e30},
        {0x00009804, 0xfd14e000},
        {0x00009808, 0x9c0a9f6b},
@@ -914,4 +956,400 @@ static const u32 qca953x_2p0_baseband_postamble[][5] = {
        {0x0000b284, 0x00000000, 0x00000000, 0x00000010, 0x00000010},
 };
+static const u32 qca953x_2p0_common_wo_xlna_rx_gain_table[][2] = {
+        /* Addr      allmodes  */
+        {0x0000a000, 0x00010000},
+        {0x0000a004, 0x00030002},
+        {0x0000a008, 0x00050004},
+        {0x0000a00c, 0x00810080},
+        {0x0000a010, 0x00830082},
+        {0x0000a014, 0x01810180},
+        {0x0000a018, 0x01830182},
+        {0x0000a01c, 0x01850184},
+        {0x0000a020, 0x01890188},
+        {0x0000a024, 0x018b018a},
+        {0x0000a028, 0x018d018c},
+        {0x0000a02c, 0x03820190},
+        {0x0000a030, 0x03840383},
+        {0x0000a034, 0x03880385},
+        {0x0000a038, 0x038a0389},
+        {0x0000a03c, 0x038c038b},
+        {0x0000a040, 0x0390038d},
+        {0x0000a044, 0x03920391},
+        {0x0000a048, 0x03940393},
+        {0x0000a04c, 0x03960395},
+        {0x0000a050, 0x00000000},
+        {0x0000a054, 0x00000000},
+        {0x0000a058, 0x00000000},
+        {0x0000a05c, 0x00000000},
+        {0x0000a060, 0x00000000},
+        {0x0000a064, 0x00000000},
+        {0x0000a068, 0x00000000},
+        {0x0000a06c, 0x00000000},
+        {0x0000a070, 0x00000000},
+        {0x0000a074, 0x00000000},
+        {0x0000a078, 0x00000000},
+        {0x0000a07c, 0x00000000},
+        {0x0000a080, 0x29292929},
+        {0x0000a084, 0x29292929},
+        {0x0000a088, 0x29292929},
+        {0x0000a08c, 0x29292929},
+        {0x0000a090, 0x22292929},
+        {0x0000a094, 0x1d1d2222},
+        {0x0000a098, 0x0c111117},
+        {0x0000a09c, 0x00030303},
+        {0x0000a0a0, 0x00000000},
+        {0x0000a0a4, 0x00000000},
+        {0x0000a0a8, 0x00000000},
+        {0x0000a0ac, 0x00000000},
+        {0x0000a0b0, 0x00000000},
+        {0x0000a0b4, 0x00000000},
+        {0x0000a0b8, 0x00000000},
+        {0x0000a0bc, 0x00000000},
+        {0x0000a0c0, 0x001f0000},
+        {0x0000a0c4, 0x01000101},
+        {0x0000a0c8, 0x011e011f},
+        {0x0000a0cc, 0x011c011d},
+        {0x0000a0d0, 0x02030204},
+        {0x0000a0d4, 0x02010202},
+        {0x0000a0d8, 0x021f0200},
+        {0x0000a0dc, 0x0302021e},
+        {0x0000a0e0, 0x03000301},
+        {0x0000a0e4, 0x031e031f},
+        {0x0000a0e8, 0x0402031d},
+        {0x0000a0ec, 0x04000401},
+        {0x0000a0f0, 0x041e041f},
+        {0x0000a0f4, 0x0502041d},
+        {0x0000a0f8, 0x05000501},
+        {0x0000a0fc, 0x051e051f},
+        {0x0000a100, 0x06010602},
+        {0x0000a104, 0x061f0600},
+        {0x0000a108, 0x061d061e},
+        {0x0000a10c, 0x07020703},
+        {0x0000a110, 0x07000701},
+        {0x0000a114, 0x00000000},
+        {0x0000a118, 0x00000000},
+        {0x0000a11c, 0x00000000},
+        {0x0000a120, 0x00000000},
+        {0x0000a124, 0x00000000},
+        {0x0000a128, 0x00000000},
+        {0x0000a12c, 0x00000000},
+        {0x0000a130, 0x00000000},
+        {0x0000a134, 0x00000000},
+        {0x0000a138, 0x00000000},
+        {0x0000a13c, 0x00000000},
+        {0x0000a140, 0x001f0000},
+        {0x0000a144, 0x01000101},
+        {0x0000a148, 0x011e011f},
+        {0x0000a14c, 0x011c011d},
+        {0x0000a150, 0x02030204},
+        {0x0000a154, 0x02010202},
+        {0x0000a158, 0x021f0200},
+        {0x0000a15c, 0x0302021e},
+        {0x0000a160, 0x03000301},
+        {0x0000a164, 0x031e031f},
+        {0x0000a168, 0x0402031d},
+        {0x0000a16c, 0x04000401},
+        {0x0000a170, 0x041e041f},
+        {0x0000a174, 0x0502041d},
+        {0x0000a178, 0x05000501},
+        {0x0000a17c, 0x051e051f},
+        {0x0000a180, 0x06010602},
+        {0x0000a184, 0x061f0600},
+        {0x0000a188, 0x061d061e},
+        {0x0000a18c, 0x07020703},
+        {0x0000a190, 0x07000701},
+        {0x0000a194, 0x00000000},
+        {0x0000a198, 0x00000000},
+        {0x0000a19c, 0x00000000},
+        {0x0000a1a0, 0x00000000},
+        {0x0000a1a4, 0x00000000},
+        {0x0000a1a8, 0x00000000},
+        {0x0000a1ac, 0x00000000},
+        {0x0000a1b0, 0x00000000},
+        {0x0000a1b4, 0x00000000},
+        {0x0000a1b8, 0x00000000},
+        {0x0000a1bc, 0x00000000},
+        {0x0000a1c0, 0x00000000},
+        {0x0000a1c4, 0x00000000},
+        {0x0000a1c8, 0x00000000},
+        {0x0000a1cc, 0x00000000},
+        {0x0000a1d0, 0x00000000},
+        {0x0000a1d4, 0x00000000},
+        {0x0000a1d8, 0x00000000},
+        {0x0000a1dc, 0x00000000},
+        {0x0000a1e0, 0x00000000},
+        {0x0000a1e4, 0x00000000},
+        {0x0000a1e8, 0x00000000},
+        {0x0000a1ec, 0x00000000},
+        {0x0000a1f0, 0x00000396},
+        {0x0000a1f4, 0x00000396},
+        {0x0000a1f8, 0x00000396},
+        {0x0000a1fc, 0x00000196},
+        {0x0000b000, 0x00010000},
+        {0x0000b004, 0x00030002},
+        {0x0000b008, 0x00050004},
+        {0x0000b00c, 0x00810080},
+        {0x0000b010, 0x00830082},
+        {0x0000b014, 0x01810180},
+        {0x0000b018, 0x01830182},
+        {0x0000b01c, 0x01850184},
+        {0x0000b020, 0x02810280},
+        {0x0000b024, 0x02830282},
+        {0x0000b028, 0x02850284},
+        {0x0000b02c, 0x02890288},
+        {0x0000b030, 0x028b028a},
+        {0x0000b034, 0x0388028c},
+        {0x0000b038, 0x038a0389},
+        {0x0000b03c, 0x038c038b},
+        {0x0000b040, 0x0390038d},
+        {0x0000b044, 0x03920391},
+        {0x0000b048, 0x03940393},
+        {0x0000b04c, 0x03960395},
+        {0x0000b050, 0x00000000},
+        {0x0000b054, 0x00000000},
+        {0x0000b058, 0x00000000},
+        {0x0000b05c, 0x00000000},
+        {0x0000b060, 0x00000000},
+        {0x0000b064, 0x00000000},
+        {0x0000b068, 0x00000000},
+        {0x0000b06c, 0x00000000},
+        {0x0000b070, 0x00000000},
+        {0x0000b074, 0x00000000},
+        {0x0000b078, 0x00000000},
+        {0x0000b07c, 0x00000000},
+        {0x0000b080, 0x32323232},
+        {0x0000b084, 0x2f2f3232},
+        {0x0000b088, 0x23282a2d},
+        {0x0000b08c, 0x1c1e2123},
+        {0x0000b090, 0x14171919},
+        {0x0000b094, 0x0e0e1214},
+        {0x0000b098, 0x03050707},
+        {0x0000b09c, 0x00030303},
+        {0x0000b0a0, 0x00000000},
+        {0x0000b0a4, 0x00000000},
+        {0x0000b0a8, 0x00000000},
+        {0x0000b0ac, 0x00000000},
+        {0x0000b0b0, 0x00000000},
+        {0x0000b0b4, 0x00000000},
+        {0x0000b0b8, 0x00000000},
+        {0x0000b0bc, 0x00000000},
+        {0x0000b0c0, 0x003f0020},
+        {0x0000b0c4, 0x00400041},
+        {0x0000b0c8, 0x0140005f},
+        {0x0000b0cc, 0x0160015f},
+        {0x0000b0d0, 0x017e017f},
+        {0x0000b0d4, 0x02410242},
+        {0x0000b0d8, 0x025f0240},
+        {0x0000b0dc, 0x027f0260},
+        {0x0000b0e0, 0x0341027e},
+        {0x0000b0e4, 0x035f0340},
+        {0x0000b0e8, 0x037f0360},
+        {0x0000b0ec, 0x04400441},
+        {0x0000b0f0, 0x0460045f},
+        {0x0000b0f4, 0x0541047f},
+        {0x0000b0f8, 0x055f0540},
+        {0x0000b0fc, 0x057f0560},
+        {0x0000b100, 0x06400641},
+        {0x0000b104, 0x0660065f},
+        {0x0000b108, 0x067e067f},
+        {0x0000b10c, 0x07410742},
+        {0x0000b110, 0x075f0740},
+        {0x0000b114, 0x077f0760},
+        {0x0000b118, 0x07800781},
+        {0x0000b11c, 0x07a0079f},
+        {0x0000b120, 0x07c107bf},
+        {0x0000b124, 0x000007c0},
+        {0x0000b128, 0x00000000},
+        {0x0000b12c, 0x00000000},
+        {0x0000b130, 0x00000000},
+        {0x0000b134, 0x00000000},
+        {0x0000b138, 0x00000000},
+        {0x0000b13c, 0x00000000},
+        {0x0000b140, 0x003f0020},
+        {0x0000b144, 0x00400041},
+        {0x0000b148, 0x0140005f},
+        {0x0000b14c, 0x0160015f},
+        {0x0000b150, 0x017e017f},
+        {0x0000b154, 0x02410242},
+        {0x0000b158, 0x025f0240},
+        {0x0000b15c, 0x027f0260},
+        {0x0000b160, 0x0341027e},
+        {0x0000b164, 0x035f0340},
+        {0x0000b168, 0x037f0360},
+        {0x0000b16c, 0x04400441},
+        {0x0000b170, 0x0460045f},
+        {0x0000b174, 0x0541047f},
+        {0x0000b178, 0x055f0540},
+        {0x0000b17c, 0x057f0560},
+        {0x0000b180, 0x06400641},
+        {0x0000b184, 0x0660065f},
+        {0x0000b188, 0x067e067f},
+        {0x0000b18c, 0x07410742},
+        {0x0000b190, 0x075f0740},
+        {0x0000b194, 0x077f0760},
+        {0x0000b198, 0x07800781},
+        {0x0000b19c, 0x07a0079f},
+        {0x0000b1a0, 0x07c107bf},
+        {0x0000b1a4, 0x000007c0},
+        {0x0000b1a8, 0x00000000},
+        {0x0000b1ac, 0x00000000},
+        {0x0000b1b0, 0x00000000},
+        {0x0000b1b4, 0x00000000},
+        {0x0000b1b8, 0x00000000},
+        {0x0000b1bc, 0x00000000},
+        {0x0000b1c0, 0x00000000},
+        {0x0000b1c4, 0x00000000},
+        {0x0000b1c8, 0x00000000},
+        {0x0000b1cc, 0x00000000},
+        {0x0000b1d0, 0x00000000},
+        {0x0000b1d4, 0x00000000},
+        {0x0000b1d8, 0x00000000},
+        {0x0000b1dc, 0x00000000},
+        {0x0000b1e0, 0x00000000},
+        {0x0000b1e4, 0x00000000},
+        {0x0000b1e8, 0x00000000},
+        {0x0000b1ec, 0x00000000},
+        {0x0000b1f0, 0x00000396},
+        {0x0000b1f4, 0x00000396},
+        {0x0000b1f8, 0x00000396},
+        {0x0000b1fc, 0x00000196},
+};
+static const u32 qca953x_2p0_common_wo_xlna_rx_gain_bounds[][5] = {
+        /* Addr      5G_HT20     5G_HT40     2G_HT40     2G_HT20   */
+        {0x00009e44, 0xfe321e27, 0xfe321e27, 0xfe291e27, 0xfe291e27},
+        {0x00009e48, 0x5030201a, 0x5030201a, 0x50302012, 0x50302012},
+};
+static const u32 qca953x_2p0_modes_xpa_tx_gain_table[][2] = {
+        /* Addr      allmodes  */
+        {0x0000a2dc, 0xfffb52aa},
+        {0x0000a2e0, 0xfffd64cc},
+        {0x0000a2e4, 0xfffe80f0},
+        {0x0000a2e8, 0xffffff00},
+        {0x0000a410, 0x000050d5},
+        {0x0000a500, 0x00000000},
+        {0x0000a504, 0x04000002},
+        {0x0000a508, 0x08000004},
+        {0x0000a50c, 0x0c000006},
+        {0x0000a510, 0x1000000a},
+        {0x0000a514, 0x1400000c},
+        {0x0000a518, 0x1800000e},
+        {0x0000a51c, 0x1c000048},
+        {0x0000a520, 0x2000004a},
+        {0x0000a524, 0x2400004c},
+        {0x0000a528, 0x2800004e},
+        {0x0000a52c, 0x2b00024a},
+        {0x0000a530, 0x2f00024c},
+        {0x0000a534, 0x3300024e},
+        {0x0000a538, 0x36000668},
+        {0x0000a53c, 0x38000669},
+        {0x0000a540, 0x3a000868},
+        {0x0000a544, 0x3d00086a},
+        {0x0000a548, 0x4000086c},
+        {0x0000a54c, 0x4200086e},
+        {0x0000a550, 0x43000a6e},
+        {0x0000a554, 0x43000a6e},
+        {0x0000a558, 0x43000a6e},
+        {0x0000a55c, 0x43000a6e},
+        {0x0000a560, 0x43000a6e},
+        {0x0000a564, 0x43000a6e},
+        {0x0000a568, 0x43000a6e},
+        {0x0000a56c, 0x43000a6e},
+        {0x0000a570, 0x43000a6e},
+        {0x0000a574, 0x43000a6e},
+        {0x0000a578, 0x43000a6e},
+        {0x0000a57c, 0x43000a6e},
+        {0x0000a600, 0x00000000},
+        {0x0000a604, 0x00000000},
+        {0x0000a608, 0x00000000},
+        {0x0000a60c, 0x03804000},
+        {0x0000a610, 0x03804e01},
+        {0x0000a614, 0x03804e01},
+        {0x0000a618, 0x03804e01},
+        {0x0000a61c, 0x04009002},
+        {0x0000a620, 0x04009002},
+        {0x0000a624, 0x04009002},
+        {0x0000a628, 0x04009002},
+        {0x0000a62c, 0x04009002},
+        {0x0000a630, 0x04009002},
+        {0x0000a634, 0x04009002},
+        {0x0000a638, 0x04009002},
+        {0x0000a63c, 0x04009002},
+        {0x0000b2dc, 0xfffb52aa},
+        {0x0000b2e0, 0xfffd64cc},
+        {0x0000b2e4, 0xfffe80f0},
+        {0x0000b2e8, 0xffffff00},
+        {0x00016044, 0x024922db},
+        {0x00016048, 0x6c927a70},
+        {0x00016444, 0x024922db},
+        {0x00016448, 0x6c927a70},
+};
+static const u32 qca953x_2p0_modes_no_xpa_tx_gain_table[][2] = {
+        /* Addr      allmodes  */
+        {0x0000a2dc, 0xffd5f552},
+        {0x0000a2e0, 0xffe60664},
+        {0x0000a2e4, 0xfff80780},
+        {0x0000a2e8, 0xfffff800},
+        {0x0000a410, 0x000050de},
+        {0x0000a500, 0x00000061},
+        {0x0000a504, 0x04000063},
+        {0x0000a508, 0x08000065},
+        {0x0000a50c, 0x0c000261},
+        {0x0000a510, 0x10000263},
+        {0x0000a514, 0x14000265},
+        {0x0000a518, 0x18000482},
+        {0x0000a51c, 0x1b000484},
+        {0x0000a520, 0x1f000486},
+        {0x0000a524, 0x240008c2},
+        {0x0000a528, 0x28000cc1},
+        {0x0000a52c, 0x2d000ce3},
+        {0x0000a530, 0x31000ce5},
+        {0x0000a534, 0x350010e5},
+        {0x0000a538, 0x360012e5},
+        {0x0000a53c, 0x380014e5},
+        {0x0000a540, 0x3b0018e5},
+        {0x0000a544, 0x3d001d04},
+        {0x0000a548, 0x3e001d05},
+        {0x0000a54c, 0x40001d07},
+        {0x0000a550, 0x42001f27},
+        {0x0000a554, 0x43001f67},
+        {0x0000a558, 0x46001fe7},
+        {0x0000a55c, 0x47001f2b},
+        {0x0000a560, 0x49001f0d},
+        {0x0000a564, 0x4b001ed2},
+        {0x0000a568, 0x4c001ed4},
+        {0x0000a56c, 0x4e001f15},
+        {0x0000a570, 0x4f001ff6},
+        {0x0000a574, 0x4f001ff6},
+        {0x0000a578, 0x4f001ff6},
+        {0x0000a57c, 0x4f001ff6},
+        {0x0000a600, 0x00000000},
+        {0x0000a604, 0x00000000},
+        {0x0000a608, 0x00000000},
+        {0x0000a60c, 0x00804201},
+        {0x0000a610, 0x01008201},
+        {0x0000a614, 0x0180c402},
+        {0x0000a618, 0x0180c603},
+        {0x0000a61c, 0x0180c603},
+        {0x0000a620, 0x01c10603},
+        {0x0000a624, 0x01c10704},
+        {0x0000a628, 0x02c18b05},
+        {0x0000a62c, 0x02c14c07},
+        {0x0000a630, 0x01008704},
+        {0x0000a634, 0x01c10402},
+        {0x0000a638, 0x0301cc07},
+        {0x0000a63c, 0x0301cc07},
+        {0x0000b2dc, 0xffd5f552},
+        {0x0000b2e0, 0xffe60664},
+        {0x0000b2e4, 0xfff80780},
+        {0x0000b2e8, 0xfffff800},
+        {0x00016044, 0x049242db},
+        {0x00016048, 0x6c927a70},
+        {0x00016444, 0x049242db},
+        {0x00016448, 0x6c927a70},
+};
 #endif /* INITVALS_953X_H */
diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
index 85d74ff0767c..1a9fe0983a6b 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -28,7 +28,6 @@
 #include "debug.h"
 #include "mci.h"
 #include "dfs.h"
-#include "spectral.h"
 struct ath_node;
 struct ath_vif;
@@ -190,6 +189,7 @@ struct ath_frame_info {
        u8 rtscts_rate;
        u8 retries : 7;
        u8 baw_tracked : 1;
+        u8 tx_power;
 };
 struct ath_rxbuf {
@@ -347,6 +347,7 @@ struct ath_chanctx {
        int flush_timeout;
        u16 txpower;
+        u16 cur_txpower;
        bool offchannel;
        bool stopped;
        bool active;
@@ -381,6 +382,7 @@ enum ath_chanctx_state {
 struct ath_chanctx_sched {
        bool beacon_pending;
+        bool beacon_adjust;
        bool offchannel_pending;
        bool wait_switch;
        bool force_noa_update;
@@ -931,6 +933,7 @@ void ath_ant_comb_scan(struct ath_softc *sc, struct ath_rx_status *rs);
 #define ATH9K_PCI_AR9565_2ANT     0x0100
 #define ATH9K_PCI_NO_PLL_PWRSAVE  0x0200
 #define ATH9K_PCI_KILLER          0x0400
+#define ATH9K_PCI_LED_ACT_HI      0x0800
 /*
 * Default cache line size, in bytes.
@@ -987,7 +990,6 @@ struct ath_softc {
        u8 gtt_cnt;
        u32 intrstatus;
        u16 ps_flags; /* PS_* */
-        u16 curtxpow;
        bool ps_enabled;
        bool ps_idle;
        short nbcnvifs;
@@ -1028,10 +1030,8 @@ struct ath_softc {
        struct dfs_pattern_detector *dfs_detector;
        u64 dfs_prev_pulse_ts;
        u32 wow_enabled;
-        /* relay(fs) channel for spectral scan */
-        struct rchan *rfs_chan_spec_scan;
+        struct ath_spec_scan_priv spec_priv;
-        enum spectral_mode spectral_mode;
-        struct ath_spec_scan spec_config;
        struct ieee80211_vif *tx99_vif;
        struct sk_buff *tx99_skb;
diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c
index ecb783beeec2..cb366adc820b 100644
--- a/drivers/net/wireless/ath/ath9k/beacon.c
+++ b/drivers/net/wireless/ath/ath9k/beacon.c
@@ -78,7 +78,7 @@ static void ath9k_beacon_setup(struct ath_softc *sc, struct ieee80211_vif *vif,
        struct ath_tx_info info;
        struct ieee80211_supported_band *sband;
        u8 chainmask = ah->txchainmask;
-        u8 rate = 0;
+        u8 i, rate = 0;
        sband = &common->sbands[sc->cur_chandef.chan->band];
        rate = sband->bitrates[rateidx].hw_value;
@@ -88,7 +88,8 @@ static void ath9k_beacon_setup(struct ath_softc *sc, struct ieee80211_vif *vif,
        memset(&info, 0, sizeof(info));
        info.pkt_len = skb->len + FCS_LEN;
        info.type = ATH9K_PKT_TYPE_BEACON;
-        info.txpower = MAX_RATE_POWER;
+        for (i = 0; i < 4; i++)
+                info.txpower[i] = MAX_RATE_POWER;
        info.keyix = ATH9K_TXKEYIX_INVALID;
        info.keytype = ATH9K_KEY_TYPE_CLEAR;
        info.flags = ATH9K_TXDESC_NOACK | ATH9K_TXDESC_CLRDMASK;
diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
index c7234d5dda34..206665059d66 100644
--- a/drivers/net/wireless/ath/ath9k/channel.c
+++ b/drivers/net/wireless/ath/ath9k/channel.c
@@ -92,8 +92,8 @@ static int ath_set_channel(struct ath_softc *sc)
        } else {
                /* perform spectral scan if requested. */
                if (test_bit(ATH_OP_SCANNING, &common->op_flags) &&
-                        sc->spectral_mode == SPECTRAL_CHANSCAN)
+                        sc->spec_priv.spectral_mode == SPECTRAL_CHANSCAN)
-                        ath9k_spectral_scan_trigger(hw);
+                        ath9k_cmn_spectral_scan_trigger(common, &sc->spec_priv);
        }
        return 0;
@@ -659,6 +659,7 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif,
                sc->sched.beacon_miss = 0;
                if (sc->sched.state == ATH_CHANCTX_STATE_FORCE_ACTIVE ||
+                    !sc->sched.beacon_adjust ||
                    !sc->cur_chan->tsf_val)
                        break;
@@ -672,7 +673,7 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif,
                        ath9k_hw_get_tsf_offset(&sc->cur_chan->tsf_ts, NULL);
                tsf_time += ath9k_hw_gettsf32(ah);
+                sc->sched.beacon_adjust = false;
                ath_chanctx_setup_timer(sc, tsf_time);
                break;
        case ATH_CHANCTX_EVENT_AUTHORIZED:
@@ -717,6 +718,7 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif,
                ath_chanctx_setup_timer(sc, tsf_time);
                sc->sched.beacon_pending = true;
+                sc->sched.beacon_adjust = true;
                break;
        case ATH_CHANCTX_EVENT_ENABLE_MULTICHANNEL:
                if (sc->cur_chan == &sc->offchannel.chan ||
@@ -900,6 +902,11 @@ void ath_offchannel_next(struct ath_softc *sc)
                sc->offchannel.state = ATH_OFFCHANNEL_ROC_START;
                ath_chanctx_offchan_switch(sc, sc->offchannel.roc_chan);
        } else {
+                spin_lock_bh(&sc->chan_lock);
+                sc->sched.offchannel_pending = false;
+                sc->sched.wait_switch = false;
+                spin_unlock_bh(&sc->chan_lock);
                ath_chanctx_switch(sc, ath_chanctx_get_oper_chan(sc, false),
                                   NULL);
                sc->offchannel.state = ATH_OFFCHANNEL_IDLE;
@@ -919,8 +926,7 @@ void ath_roc_complete(struct ath_softc *sc, bool abort)
        sc->offchannel.roc_vif = NULL;
        sc->offchannel.roc_chan = NULL;
-        if (abort)
+        ieee80211_remain_on_channel_expired(sc->hw);
-                ieee80211_remain_on_channel_expired(sc->hw);
        ath_offchannel_next(sc);
        ath9k_ps_restore(sc);
 }
@@ -957,7 +963,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
        struct ieee80211_tx_info *info;
        int band = sc->offchannel.chan.chandef.chan->band;
-        skb = ieee80211_probereq_get(sc->hw, vif,
+        skb = ieee80211_probereq_get(sc->hw, vif->addr,
                        ssid->ssid, ssid->ssid_len, req->ie_len);
        if (!skb)
                return;
@@ -1051,10 +1057,8 @@ static void ath_offchannel_timer(unsigned long data)
                break;
        case ATH_OFFCHANNEL_ROC_START:
        case ATH_OFFCHANNEL_ROC_WAIT:
-                ctx = ath_chanctx_get_oper_chan(sc, false);
                sc->offchannel.state = ATH_OFFCHANNEL_ROC_DONE;
-                ieee80211_remain_on_channel_expired(sc->hw);
+                ath_roc_complete(sc, false);
-                ath_chanctx_switch(sc, ctx, NULL);
                break;
        default:
                break;
@@ -1184,7 +1188,6 @@ static void ath_offchannel_channel_change(struct ath_softc *sc)
                ieee80211_ready_on_channel(sc->hw);
                break;
        case ATH_OFFCHANNEL_ROC_DONE:
-                ath_roc_complete(sc, false);
                break;
        default:
                break;
diff --git a/drivers/net/wireless/ath/ath9k/spectral.c b/drivers/net/wireless/ath/ath9k/common-spectral.c
index 8f68426ca653..ec93ddf0863a 100644
--- a/drivers/net/wireless/ath/ath9k/spectral.c
+++ b/drivers/net/wireless/ath/ath9k/common-spectral.c
@@ -24,23 +24,24 @@ static s8 fix_rssi_inv_only(u8 rssi_val)
        return (s8) rssi_val;
 }
-static void ath_debug_send_fft_sample(struct ath_softc *sc,
+static void ath_debug_send_fft_sample(struct ath_spec_scan_priv *spec_priv,
                                      struct fft_sample_tlv *fft_sample_tlv)
 {
        int length;
-        if (!sc->rfs_chan_spec_scan)
+        if (!spec_priv->rfs_chan_spec_scan)
                return;
        length = __be16_to_cpu(fft_sample_tlv->length) +
                 sizeof(*fft_sample_tlv);
-        relay_write(sc->rfs_chan_spec_scan, fft_sample_tlv, length);
+        relay_write(spec_priv->rfs_chan_spec_scan, fft_sample_tlv, length);
 }
 /* returns 1 if this was a spectral frame, even if not handled. */
-int ath_process_fft(struct ath_softc *sc, struct ieee80211_hdr *hdr,
+int ath_cmn_process_fft(struct ath_spec_scan_priv *spec_priv, struct ieee80211_hdr *hdr,
                    struct ath_rx_status *rs, u64 tsf)
 {
-        struct ath_hw *ah = sc->sc_ah;
+        struct ath_hw *ah = spec_priv->ah;
+        struct ath_common *common = ath9k_hw_common(spec_priv->ah);
        u8 num_bins, *bins, *vdata = (u8 *)hdr;
        struct fft_sample_ht20 fft_sample_20;
        struct fft_sample_ht20_40 fft_sample_40;
@@ -67,7 +68,7 @@ int ath_process_fft(struct ath_softc *sc, struct ieee80211_hdr *hdr,
        if (!(radar_info->pulse_bw_info & SPECTRAL_SCAN_BITMASK))
                return 0;
-        chan_type = cfg80211_get_chandef_type(&sc->hw->conf.chandef);
+        chan_type = cfg80211_get_chandef_type(&common->hw->conf.chandef);
        if ((chan_type == NL80211_CHAN_HT40MINUS) ||
            (chan_type == NL80211_CHAN_HT40PLUS)) {
                fft_len = SPECTRAL_HT20_40_TOTAL_DATA_LEN;
@@ -199,10 +200,11 @@ int ath_process_fft(struct ath_softc *sc, struct ieee80211_hdr *hdr,
                tlv = (struct fft_sample_tlv *)&fft_sample_20;
        }
-        ath_debug_send_fft_sample(sc, tlv);
+        ath_debug_send_fft_sample(spec_priv, tlv);
        return 1;
 }
+EXPORT_SYMBOL(ath_cmn_process_fft);
 /*********************/
 /* spectral_scan_ctl */
@@ -211,11 +213,11 @@ int ath_process_fft(struct ath_softc *sc, struct ieee80211_hdr *hdr,
 static ssize_t read_file_spec_scan_ctl(struct file *file, char __user *user_buf,
                                       size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        char *mode = "";
        unsigned int len;
-        switch (sc->spectral_mode) {
+        switch (spec_priv->spectral_mode) {
        case SPECTRAL_DISABLED:
                mode = "disable";
                break;
@@ -233,12 +235,84 @@ static ssize_t read_file_spec_scan_ctl(struct file *file, char __user *user_buf,
        return simple_read_from_buffer(user_buf, count, ppos, mode, len);
 }
+void ath9k_cmn_spectral_scan_trigger(struct ath_common *common,
+                                 struct ath_spec_scan_priv *spec_priv)
+{
+        struct ath_hw *ah = spec_priv->ah;
+        u32 rxfilter;
+        if (config_enabled(CONFIG_ATH9K_TX99))
+                return;
+        if (!ath9k_hw_ops(ah)->spectral_scan_trigger) {
+                ath_err(common, "spectrum analyzer not implemented on this hardware\n");
+                return;
+        }
+        ath_ps_ops(common)->wakeup(common);
+        rxfilter = ath9k_hw_getrxfilter(ah);
+        ath9k_hw_setrxfilter(ah, rxfilter |
+                                 ATH9K_RX_FILTER_PHYRADAR |
+                                 ATH9K_RX_FILTER_PHYERR);
+        /* TODO: usually this should not be neccesary, but for some reason
+         * (or in some mode?) the trigger must be called after the
+         * configuration, otherwise the register will have its values reset
+         * (on my ar9220 to value 0x01002310)
+         */
+        ath9k_cmn_spectral_scan_config(common, spec_priv, spec_priv->spectral_mode);
+        ath9k_hw_ops(ah)->spectral_scan_trigger(ah);
+        ath_ps_ops(common)->restore(common);
+}
+EXPORT_SYMBOL(ath9k_cmn_spectral_scan_trigger);
+int ath9k_cmn_spectral_scan_config(struct ath_common *common,
+                               struct ath_spec_scan_priv *spec_priv,
+                               enum spectral_mode spectral_mode)
+{
+        struct ath_hw *ah = spec_priv->ah;
+        if (!ath9k_hw_ops(ah)->spectral_scan_trigger) {
+                ath_err(common, "spectrum analyzer not implemented on this hardware\n");
+                return -1;
+        }
+        switch (spectral_mode) {
+        case SPECTRAL_DISABLED:
+                spec_priv->spec_config.enabled = 0;
+                break;
+        case SPECTRAL_BACKGROUND:
+                /* send endless samples.
+                 * TODO: is this really useful for "background"?
+                 */
+                spec_priv->spec_config.endless = 1;
+                spec_priv->spec_config.enabled = 1;
+                break;
+        case SPECTRAL_CHANSCAN:
+        case SPECTRAL_MANUAL:
+                spec_priv->spec_config.endless = 0;
+                spec_priv->spec_config.enabled = 1;
+                break;
+        default:
+                return -1;
+        }
+        ath_ps_ops(common)->wakeup(common);
+        ath9k_hw_ops(ah)->spectral_scan_config(ah, &spec_priv->spec_config);
+        ath_ps_ops(common)->restore(common);
+        spec_priv->spectral_mode = spectral_mode;
+        return 0;
+}
+EXPORT_SYMBOL(ath9k_cmn_spectral_scan_config);
 static ssize_t write_file_spec_scan_ctl(struct file *file,
                                        const char __user *user_buf,
                                        size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
-        struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+        struct ath_common *common = ath9k_hw_common(spec_priv->ah);
        char buf[32];
        ssize_t len;
@@ -252,18 +326,18 @@ static ssize_t write_file_spec_scan_ctl(struct file *file,
        buf[len] = '\0';
        if (strncmp("trigger", buf, 7) == 0) {
-                ath9k_spectral_scan_trigger(sc->hw);
+                ath9k_cmn_spectral_scan_trigger(common, spec_priv);
        } else if (strncmp("background", buf, 10) == 0) {
-                ath9k_spectral_scan_config(sc->hw, SPECTRAL_BACKGROUND);
+                ath9k_cmn_spectral_scan_config(common, spec_priv, SPECTRAL_BACKGROUND);
                ath_dbg(common, CONFIG, "spectral scan: background mode enabled\n");
        } else if (strncmp("chanscan", buf, 8) == 0) {
-                ath9k_spectral_scan_config(sc->hw, SPECTRAL_CHANSCAN);
+                ath9k_cmn_spectral_scan_config(common, spec_priv, SPECTRAL_CHANSCAN);
                ath_dbg(common, CONFIG, "spectral scan: channel scan mode enabled\n");
        } else if (strncmp("manual", buf, 6) == 0) {
-                ath9k_spectral_scan_config(sc->hw, SPECTRAL_MANUAL);
+                ath9k_cmn_spectral_scan_config(common, spec_priv, SPECTRAL_MANUAL);
                ath_dbg(common, CONFIG, "spectral scan: manual mode enabled\n");
        } else if (strncmp("disable", buf, 7) == 0) {
-                ath9k_spectral_scan_config(sc->hw, SPECTRAL_DISABLED);
+                ath9k_cmn_spectral_scan_config(common, spec_priv, SPECTRAL_DISABLED);
                ath_dbg(common, CONFIG, "spectral scan: disabled\n");
        } else {
                return -EINVAL;
@@ -288,11 +362,11 @@ static ssize_t read_file_spectral_short_repeat(struct file *file,
                                               char __user *user_buf,
                                               size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        char buf[32];
        unsigned int len;
-        len = sprintf(buf, "%d\n", sc->spec_config.short_repeat);
+        len = sprintf(buf, "%d\n", spec_priv->spec_config.short_repeat);
        return simple_read_from_buffer(user_buf, count, ppos, buf, len);
 }
@@ -300,7 +374,7 @@ static ssize_t write_file_spectral_short_repeat(struct file *file,
                                                const char __user *user_buf,
                                                size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        unsigned long val;
        char buf[32];
        ssize_t len;
@@ -316,7 +390,7 @@ static ssize_t write_file_spectral_short_repeat(struct file *file,
        if (val > 1)
                return -EINVAL;
-        sc->spec_config.short_repeat = val;
+        spec_priv->spec_config.short_repeat = val;
        return count;
 }
@@ -336,11 +410,11 @@ static ssize_t read_file_spectral_count(struct file *file,
                                        char __user *user_buf,
                                        size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        char buf[32];
        unsigned int len;
-        len = sprintf(buf, "%d\n", sc->spec_config.count);
+        len = sprintf(buf, "%d\n", spec_priv->spec_config.count);
        return simple_read_from_buffer(user_buf, count, ppos, buf, len);
 }
@@ -348,7 +422,7 @@ static ssize_t write_file_spectral_count(struct file *file,
                                         const char __user *user_buf,
                                         size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        unsigned long val;
        char buf[32];
        ssize_t len;
@@ -364,7 +438,7 @@ static ssize_t write_file_spectral_count(struct file *file,
        if (val > 255)
                return -EINVAL;
-        sc->spec_config.count = val;
+        spec_priv->spec_config.count = val;
        return count;
 }
@@ -384,11 +458,11 @@ static ssize_t read_file_spectral_period(struct file *file,
                                         char __user *user_buf,
                                         size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        char buf[32];
        unsigned int len;
-        len = sprintf(buf, "%d\n", sc->spec_config.period);
+        len = sprintf(buf, "%d\n", spec_priv->spec_config.period);
        return simple_read_from_buffer(user_buf, count, ppos, buf, len);
 }
@@ -396,7 +470,7 @@ static ssize_t write_file_spectral_period(struct file *file,
                                          const char __user *user_buf,
                                          size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        unsigned long val;
        char buf[32];
        ssize_t len;
@@ -412,7 +486,7 @@ static ssize_t write_file_spectral_period(struct file *file,
        if (val > 255)
                return -EINVAL;
-        sc->spec_config.period = val;
+        spec_priv->spec_config.period = val;
        return count;
 }
@@ -432,11 +506,11 @@ static ssize_t read_file_spectral_fft_period(struct file *file,
                                             char __user *user_buf,
                                             size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        char buf[32];
        unsigned int len;
-        len = sprintf(buf, "%d\n", sc->spec_config.fft_period);
+        len = sprintf(buf, "%d\n", spec_priv->spec_config.fft_period);
        return simple_read_from_buffer(user_buf, count, ppos, buf, len);
 }
@@ -444,7 +518,7 @@ static ssize_t write_file_spectral_fft_period(struct file *file,
                                              const char __user *user_buf,
                                              size_t count, loff_t *ppos)
 {
-        struct ath_softc *sc = file->private_data;
+        struct ath_spec_scan_priv *spec_priv = file->private_data;
        unsigned long val;
        char buf[32];
        ssize_t len;
@@ -460,7 +534,7 @@ static ssize_t write_file_spectral_fft_period(struct file *file,
        if (val > 15)
                return -EINVAL;
-        sc->spec_config.fft_period = val;
+        spec_priv->spec_config.fft_period = val;
        return count;
 }
@@ -506,38 +580,41 @@ static struct rchan_callbacks rfs_spec_scan_cb = {
 /* Debug Init/Deinit */
 /*********************/
-void ath9k_spectral_deinit_debug(struct ath_softc *sc)
+void ath9k_cmn_spectral_deinit_debug(struct ath_spec_scan_priv *spec_priv)
 {
-        if (config_enabled(CONFIG_ATH9K_DEBUGFS) && sc->rfs_chan_spec_scan) {
+        if (config_enabled(CONFIG_ATH9K_DEBUGFS) && spec_priv->rfs_chan_spec_scan) {
-                relay_close(sc->rfs_chan_spec_scan);
+                relay_close(spec_priv->rfs_chan_spec_scan);
-                sc->rfs_chan_spec_scan = NULL;
+                spec_priv->rfs_chan_spec_scan = NULL;
        }
 }
+EXPORT_SYMBOL(ath9k_cmn_spectral_deinit_debug);
-void ath9k_spectral_init_debug(struct ath_softc *sc)
+void ath9k_cmn_spectral_init_debug(struct ath_spec_scan_priv *spec_priv,
+                                   struct dentry *debugfs_phy)
 {
-        sc->rfs_chan_spec_scan = relay_open("spectral_scan",
+        spec_priv->rfs_chan_spec_scan = relay_open("spectral_scan",
-                                            sc->debug.debugfs_phy,
+                                            debugfs_phy,
                                            1024, 256, &rfs_spec_scan_cb,
                                            NULL);
        debugfs_create_file("spectral_scan_ctl",
                            S_IRUSR | S_IWUSR,
-                            sc->debug.debugfs_phy, sc,
+                            debugfs_phy, spec_priv,
                            &fops_spec_scan_ctl);
        debugfs_create_file("spectral_short_repeat",
                            S_IRUSR | S_IWUSR,
-                            sc->debug.debugfs_phy, sc,
+                            debugfs_phy, spec_priv,
                            &fops_spectral_short_repeat);
        debugfs_create_file("spectral_count",
                            S_IRUSR | S_IWUSR,
-                            sc->debug.debugfs_phy, sc,
+                            debugfs_phy, spec_priv,
                            &fops_spectral_count);
        debugfs_create_file("spectral_period",
                            S_IRUSR | S_IWUSR,
-                            sc->debug.debugfs_phy, sc,
+                            debugfs_phy, spec_priv,
                            &fops_spectral_period);
        debugfs_create_file("spectral_fft_period",
                            S_IRUSR | S_IWUSR,
-                            sc->debug.debugfs_phy, sc,
+                            debugfs_phy, spec_priv,
                            &fops_spectral_fft_period);
 }
+EXPORT_SYMBOL(ath9k_cmn_spectral_init_debug);
diff --git a/drivers/net/wireless/ath/ath9k/spectral.h b/drivers/net/wireless/ath/ath9k/common-spectral.h
index 7b410c6858b0..82d9dd29652c 100644
--- a/drivers/net/wireless/ath/ath9k/spectral.h
+++ b/drivers/net/wireless/ath/ath9k/common-spectral.h
@@ -92,6 +92,13 @@ struct ath_ht20_40_fft_packet {
        struct ath_radar_info radar_info;
 } __packed;
+struct ath_spec_scan_priv {
+        struct ath_hw *ah;
+        /* relay(fs) channel for spectral scan */
+        struct rchan *rfs_chan_spec_scan;
+        enum spectral_mode spectral_mode;
+        struct ath_spec_scan spec_config;
+};
 #define SPECTRAL_HT20_40_TOTAL_DATA_LEN (sizeof(struct ath_ht20_40_fft_packet))
@@ -123,23 +130,15 @@ static inline u8 spectral_bitmap_weight(u8 *bins)
        return bins[0] & 0x3f;
 }
-void ath9k_spectral_init_debug(struct ath_softc *sc);
+void ath9k_cmn_spectral_init_debug(struct ath_spec_scan_priv *spec_priv, struct dentry *debugfs_phy);
-void ath9k_spectral_deinit_debug(struct ath_softc *sc);
+void ath9k_cmn_spectral_deinit_debug(struct ath_spec_scan_priv *spec_priv);
-void ath9k_spectral_scan_trigger(struct ieee80211_hw *hw);
+void ath9k_cmn_spectral_scan_trigger(struct ath_common *common,
-int ath9k_spectral_scan_config(struct ieee80211_hw *hw,
+                                 struct ath_spec_scan_priv *spec_priv);
+int ath9k_cmn_spectral_scan_config(struct ath_common *common,
+                               struct ath_spec_scan_priv *spec_priv,
                               enum spectral_mode spectral_mode);
+int ath_cmn_process_fft(struct ath_spec_scan_priv *spec_priv, struct ieee80211_hdr *hdr,
-#ifdef CONFIG_ATH9K_DEBUGFS
-int ath_process_fft(struct ath_softc *sc, struct ieee80211_hdr *hdr,
                    struct ath_rx_status *rs, u64 tsf);
-#else
-static inline int ath_process_fft(struct ath_softc *sc,
-                                  struct ieee80211_hdr *hdr,
-                                  struct ath_rx_status *rs, u64 tsf)
-{
-        return 0;
-}
-#endif /* CONFIG_ATH9K_DEBUGFS */
 #endif /* SPECTRAL_H */
diff --git a/drivers/net/wireless/ath/ath9k/common.c b/drivers/net/wireless/ath/ath9k/common.c
index c6dd7f1fed65..e8c699446470 100644
--- a/drivers/net/wireless/ath/ath9k/common.c
+++ b/drivers/net/wireless/ath/ath9k/common.c
@@ -159,7 +159,7 @@ void ath9k_cmn_rx_skb_postprocess(struct ath_common *common,
                if (test_bit(keyix, common->keymap))
                        rxs->flag |= RX_FLAG_DECRYPTED;
        }
-        if (ah->sw_mgmt_crypto &&
+        if (ah->sw_mgmt_crypto_rx &&
            (rxs->flag & RX_FLAG_DECRYPTED) &&
            ieee80211_is_mgmt(fc))
                /* Use software decrypt for management frames. */
@@ -368,11 +368,11 @@ void ath9k_cmn_update_txpow(struct ath_hw *ah, u16 cur_txpow,
 {
        struct ath_regulatory *reg = ath9k_hw_regulatory(ah);
-        if (reg->power_limit != new_txpow) {
+        if (reg->power_limit != new_txpow)
                ath9k_hw_set_txpowerlimit(ah, new_txpow, false);
-                /* read back in case value is clamped */
-                *txpower = reg->max_power_level;
+        /* read back in case value is clamped */
-        }
+        *txpower = reg->max_power_level;
 }
 EXPORT_SYMBOL(ath9k_cmn_update_txpow);
diff --git a/drivers/net/wireless/ath/ath9k/common.h b/drivers/net/wireless/ath/ath9k/common.h
index ffc454b18637..2b79a568e803 100644
--- a/drivers/net/wireless/ath/ath9k/common.h
+++ b/drivers/net/wireless/ath/ath9k/common.h
@@ -24,6 +24,7 @@
 #include "common-init.h"
 #include "common-beacon.h"
 #include "common-debug.h"
+#include "common-spectral.h"
 /* Common header for Atheros 802.11n base driver cores */
diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
index 2a2a17df5fb3..696e3d5309c6 100644
--- a/drivers/net/wireless/ath/ath9k/debug.c
+++ b/drivers/net/wireless/ath/ath9k/debug.c
@@ -455,7 +455,7 @@ static ssize_t read_file_dma(struct file *file, char __user *user_buf,
                         "%2d          %2x      %1x     %2x           %2x\n",
                         i, (*qcuBase & (0x7 << qcuOffset)) >> qcuOffset,
                         (*qcuBase & (0x8 << qcuOffset)) >> (qcuOffset + 3),
-                         val[2] & (0x7 << (i * 3)) >> (i * 3),
+                         (val[2] & (0x7 << (i * 3))) >> (i * 3),
                         (*dcuBase & (0x1f << dcuOffset)) >> dcuOffset);
        }
@@ -828,13 +828,14 @@ static ssize_t read_file_misc(struct file *file, char __user *user_buf,
        i = 0;
        ath_for_each_chanctx(sc, ctx) {
-                if (!ctx->assigned || list_empty(&ctx->vifs))
+                if (list_empty(&ctx->vifs))
                        continue;
                ath9k_calculate_iter_data(sc, ctx, &iter_data);
                len += scnprintf(buf + len, sizeof(buf) - len,
-                        "VIF-COUNTS: CTX %i AP: %i STA: %i MESH: %i WDS: %i",
+                        "VIFS: CTX %i(%i) AP: %i STA: %i MESH: %i WDS: %i",
-                        i++, iter_data.naps, iter_data.nstations,
+                        i++, (int)(ctx->assigned), iter_data.naps,
+                        iter_data.nstations,
                        iter_data.nmeshes, iter_data.nwds);
                len += scnprintf(buf + len, sizeof(buf) - len,
                        " ADHOC: %i TOTAL: %hi BEACON-VIF: %hi\n",
@@ -1310,7 +1311,7 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw,
 void ath9k_deinit_debug(struct ath_softc *sc)
 {
-        ath9k_spectral_deinit_debug(sc);
+        ath9k_cmn_spectral_deinit_debug(&sc->spec_priv);
 }
 int ath9k_init_debug(struct ath_hw *ah)
@@ -1330,7 +1331,7 @@ int ath9k_init_debug(struct ath_hw *ah)
        ath9k_dfs_init_debug(sc);
        ath9k_tx99_init_debug(sc);
-        ath9k_spectral_init_debug(sc);
+        ath9k_cmn_spectral_init_debug(&sc->spec_priv, sc->debug.debugfs_phy);
        debugfs_create_file("dma", S_IRUSR, sc->debug.debugfs_phy, sc,
                            &fops_dma);
diff --git a/drivers/net/wireless/ath/ath9k/gpio.c b/drivers/net/wireless/ath/ath9k/gpio.c
index b1956bf6e01e..2fef7a480fec 100644
--- a/drivers/net/wireless/ath/ath9k/gpio.c
+++ b/drivers/net/wireless/ath/ath9k/gpio.c
@@ -25,7 +25,12 @@ static void ath_led_brightness(struct led_classdev *led_cdev,
                               enum led_brightness brightness)
 {
        struct ath_softc *sc = container_of(led_cdev, struct ath_softc, led_cdev);
-        ath9k_hw_set_gpio(sc->sc_ah, sc->sc_ah->led_pin, (brightness == LED_OFF));
+        u32 val = (brightness == LED_OFF);
+        if (sc->sc_ah->config.led_active_high)
+                val = !val;
+        ath9k_hw_set_gpio(sc->sc_ah, sc->sc_ah->led_pin, val);
 }
 void ath_deinit_leds(struct ath_softc *sc)
@@ -82,7 +87,7 @@ void ath_fill_led_pin(struct ath_softc *sc)
        ath9k_hw_cfg_output(ah, ah->led_pin, AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
        /* LED off, active low */
-        ath9k_hw_set_gpio(ah, ah->led_pin, 1);
+        ath9k_hw_set_gpio(ah, ah->led_pin, (ah->config.led_active_high) ? 0 : 1);
 }
 #endif
diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
index 09a5d72f3ff5..9dde265d3f84 100644
--- a/drivers/net/wireless/ath/ath9k/htc.h
+++ b/drivers/net/wireless/ath/ath9k/htc.h
@@ -481,6 +481,7 @@ struct ath9k_htc_priv {
        unsigned long op_flags;
        struct ath9k_hw_cal_data caldata;
+        struct ath_spec_scan_priv spec_priv;
        spinlock_t beacon_lock;
        struct ath_beacon_config cur_beacon_conf;
@@ -625,8 +626,12 @@ int ath9k_htc_resume(struct htc_target *htc_handle);
 #endif
 #ifdef CONFIG_ATH9K_HTC_DEBUGFS
 int ath9k_htc_init_debug(struct ath_hw *ah);
+void ath9k_htc_deinit_debug(struct ath9k_htc_priv *priv);
 #else
 static inline int ath9k_htc_init_debug(struct ath_hw *ah) { return 0; };
+static inline void ath9k_htc_deinit_debug(struct ath9k_htc_priv *priv)
+{
+}
 #endif /* CONFIG_ATH9K_HTC_DEBUGFS */
 #endif /* HTC_H */
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
index 8b529e4b8ac4..8cef1edcc621 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
@@ -490,6 +490,10 @@ void ath9k_htc_get_et_stats(struct ieee80211_hw *hw,
        WARN_ON(i != ATH9K_HTC_SSTATS_LEN);
 }
+void ath9k_htc_deinit_debug(struct ath9k_htc_priv *priv)
+{
+        ath9k_cmn_spectral_deinit_debug(&priv->spec_priv);
+}
 int ath9k_htc_init_debug(struct ath_hw *ah)
 {
@@ -501,6 +505,8 @@ int ath9k_htc_init_debug(struct ath_hw *ah)
        if (!priv->debug.debugfs_phy)
                return -ENOMEM;
+        ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy);
        debugfs_create_file("tgt_int_stats", S_IRUSR, priv->debug.debugfs_phy,
                            priv, &fops_tgt_int_stats);
        debugfs_create_file("tgt_tx_stats", S_IRUSR, priv->debug.debugfs_phy,
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index 4014c4be6e79..e8fa9448da24 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -53,6 +53,21 @@ static const struct ieee80211_tpt_blink ath9k_htc_tpt_blink[] = {
 };
 #endif
+static void ath9k_htc_op_ps_wakeup(struct ath_common *common)
+{
+        ath9k_htc_ps_wakeup((struct ath9k_htc_priv *) common->priv);
+}
+static void ath9k_htc_op_ps_restore(struct ath_common *common)
+{
+        ath9k_htc_ps_restore((struct ath9k_htc_priv *) common->priv);
+}
+static struct ath_ps_ops ath9k_htc_ps_ops = {
+        .wakeup = ath9k_htc_op_ps_wakeup,
+        .restore = ath9k_htc_op_ps_restore,
+};
 static int ath9k_htc_wait_for_target(struct ath9k_htc_priv *priv)
 {
        int time_left;
@@ -87,6 +102,7 @@ static void ath9k_deinit_device(struct ath9k_htc_priv *priv)
        wiphy_rfkill_stop_polling(hw->wiphy);
        ath9k_deinit_leds(priv);
+        ath9k_htc_deinit_debug(priv);
        ieee80211_unregister_hw(hw);
        ath9k_rx_cleanup(priv);
        ath9k_tx_cleanup(priv);
@@ -449,6 +465,14 @@ static void ath9k_init_misc(struct ath9k_htc_priv *priv)
        common->last_rssi = ATH_RSSI_DUMMY_MARKER;
        priv->ah->opmode = NL80211_IFTYPE_STATION;
+        priv->spec_priv.ah = priv->ah;
+        priv->spec_priv.spec_config.enabled = 0;
+        priv->spec_priv.spec_config.short_repeat = false;
+        priv->spec_priv.spec_config.count = 8;
+        priv->spec_priv.spec_config.endless = false;
+        priv->spec_priv.spec_config.period = 0x12;
+        priv->spec_priv.spec_config.fft_period = 0x02;
 }
 static int ath9k_init_priv(struct ath9k_htc_priv *priv,
@@ -478,6 +502,7 @@ static int ath9k_init_priv(struct ath9k_htc_priv *priv,
        common = ath9k_hw_common(ah);
        common->ops = &ah->reg_ops;
+        common->ps_ops = &ath9k_htc_ps_ops;
        common->bus_ops = &ath9k_usb_bus_ops;
        common->ah = ah;
        common->hw = priv->hw;
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index 994fff1ff519..92d5a6c5a225 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -314,6 +314,10 @@ static int ath9k_htc_set_channel(struct ath9k_htc_priv *priv,
        mod_timer(&priv->tx.cleanup_timer,
                  jiffies + msecs_to_jiffies(ATH9K_HTC_TX_CLEANUP_INTERVAL));
+        /* perform spectral scan if requested. */
+        if (test_bit(ATH_OP_SCANNING, &common->op_flags) &&
+                     priv->spec_priv.spectral_mode == SPECTRAL_CHANSCAN)
+                ath9k_cmn_spectral_scan_trigger(common, &priv->spec_priv);
 err:
        ath9k_htc_ps_restore(priv);
        return ret;
@@ -1443,7 +1447,7 @@ static int ath9k_htc_set_key(struct ieee80211_hw *hw,
                        key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
                        if (key->cipher == WLAN_CIPHER_SUITE_TKIP)
                                key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
-                        if (priv->ah->sw_mgmt_crypto &&
+                        if (priv->ah->sw_mgmt_crypto_tx &&
                            key->cipher == WLAN_CIPHER_SUITE_CCMP)
                                key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
                        ret = 0;
@@ -1687,7 +1691,9 @@ static int ath9k_htc_ampdu_action(struct ieee80211_hw *hw,
        return ret;
 }
-static void ath9k_htc_sw_scan_start(struct ieee80211_hw *hw)
+static void ath9k_htc_sw_scan_start(struct ieee80211_hw *hw,
+                                    struct ieee80211_vif *vif,
+                                    const u8 *mac_addr)
 {
        struct ath9k_htc_priv *priv = hw->priv;
        struct ath_common *common = ath9k_hw_common(priv->ah);
@@ -1701,7 +1707,8 @@ static void ath9k_htc_sw_scan_start(struct ieee80211_hw *hw)
        mutex_unlock(&priv->mutex);
 }
-static void ath9k_htc_sw_scan_complete(struct ieee80211_hw *hw)
+static void ath9k_htc_sw_scan_complete(struct ieee80211_hw *hw,
+                                       struct ieee80211_vif *vif)
 {
        struct ath9k_htc_priv *priv = hw->priv;
        struct ath_common *common = ath9k_hw_common(priv->ah);
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index f0484b1b617e..a0f58e2aa553 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -946,7 +946,7 @@ static inline void convert_htc_flag(struct ath_rx_status *rx_stats,
 static void rx_status_htc_to_ath(struct ath_rx_status *rx_stats,
                                 struct ath_htc_rx_status *rxstatus)
 {
-        rx_stats->rs_datalen    = rxstatus->rs_datalen;
+        rx_stats->rs_datalen    = be16_to_cpu(rxstatus->rs_datalen);
        rx_stats->rs_status     = rxstatus->rs_status;
        rx_stats->rs_phyerr     = rxstatus->rs_phyerr;
        rx_stats->rs_rssi       = rxstatus->rs_rssi;
@@ -1012,6 +1012,20 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
         * separately to avoid doing two lookups for a rate for each frame.
         */
        hdr = (struct ieee80211_hdr *)skb->data;
+        /*
+         * Process PHY errors and return so that the packet
+         * can be dropped.
+         */
+        if (rx_stats.rs_status & ATH9K_RXERR_PHY) {
+                /* TODO: Not using DFS processing now. */
+                if (ath_cmn_process_fft(&priv->spec_priv, hdr,
+                                    &rx_stats, rx_status->mactime)) {
+                        /* TODO: Code to collect spectral scan statistics */
+                }
+                goto rx_next;
+        }
        if (!ath9k_cmn_rx_accept(common, hdr, rx_status, &rx_stats,
                        &decrypt_error, priv->rxfilter))
                goto rx_next;
diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index ee9fb52cec62..6d4b273469b1 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -870,19 +870,6 @@ static void ath9k_hw_init_pll(struct ath_hw *ah,
        udelay(RTC_PLL_SETTLE_DELAY);
        REG_WRITE(ah, AR_RTC_SLEEP_CLK, AR_RTC_FORCE_DERIVED_CLK);
-        if (AR_SREV_9340(ah) || AR_SREV_9550(ah)) {
-                if (ah->is_clk_25mhz) {
-                        REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
-                        REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
-                        REG_WRITE(ah,  AR_SLP32_INC, 0x0001e7ae);
-                } else {
-                        REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
-                        REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
-                        REG_WRITE(ah,  AR_SLP32_INC, 0x0001e800);
-                }
-                udelay(100);
-        }
 }
 static void ath9k_hw_init_interrupt_masks(struct ath_hw *ah,
@@ -1598,16 +1585,22 @@ static void ath9k_hw_init_mfp(struct ath_hw *ah)
                 * frames when constructing CCMP AAD. */
                REG_RMW_FIELD(ah, AR_AES_MUTE_MASK1, AR_AES_MUTE_MASK1_FC_MGMT,
                              0xc7ff);
-                ah->sw_mgmt_crypto = false;
+                if (AR_SREV_9271(ah) || AR_DEVID_7010(ah))
+                        ah->sw_mgmt_crypto_tx = true;
+                else
+                        ah->sw_mgmt_crypto_tx = false;
+                ah->sw_mgmt_crypto_rx = false;
        } else if (AR_SREV_9160_10_OR_LATER(ah)) {
                /* Disable hardware crypto for management frames */
                REG_CLR_BIT(ah, AR_PCU_MISC_MODE2,
                            AR_PCU_MISC_MODE2_MGMT_CRYPTO_ENABLE);
                REG_SET_BIT(ah, AR_PCU_MISC_MODE2,
                            AR_PCU_MISC_MODE2_NO_CRYPTO_FOR_NON_DATA_PKT);
-                ah->sw_mgmt_crypto = true;
+                ah->sw_mgmt_crypto_tx = true;
+                ah->sw_mgmt_crypto_rx = true;
        } else {
-                ah->sw_mgmt_crypto = true;
+                ah->sw_mgmt_crypto_tx = true;
+                ah->sw_mgmt_crypto_rx = true;
        }
 }
@@ -1954,6 +1947,8 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan,
        REGWRITE_BUFFER_FLUSH(ah);
+        ath9k_hw_gen_timer_start_tsf2(ah);
        ath9k_hw_init_desc(ah);
        if (ath9k_hw_btcoex_is_enabled(ah))
@@ -2333,7 +2328,6 @@ int ath9k_hw_fill_cap_info(struct ath_hw *ah)
        struct ath9k_hw_capabilities *pCap = &ah->caps;
        struct ath_regulatory *regulatory = ath9k_hw_regulatory(ah);
        struct ath_common *common = ath9k_hw_common(ah);
-        unsigned int chip_chainmask;
        u16 eeval;
        u8 ant_div_ctl1, tx_chainmask, rx_chainmask;
@@ -2377,15 +2371,16 @@ int ath9k_hw_fill_cap_info(struct ath_hw *ah)
            AR_SREV_9285(ah) ||
            AR_SREV_9330(ah) ||
            AR_SREV_9565(ah))
-                chip_chainmask = 1;
+                pCap->chip_chainmask = 1;
-        else if (AR_SREV_9462(ah))
-                chip_chainmask = 3;
        else if (!AR_SREV_9280_20_OR_LATER(ah))
-                chip_chainmask = 7;
+                pCap->chip_chainmask = 7;
-        else if (!AR_SREV_9300_20_OR_LATER(ah) || AR_SREV_9340(ah))
+        else if (!AR_SREV_9300_20_OR_LATER(ah) ||
-                chip_chainmask = 3;
+                 AR_SREV_9340(ah) ||
+                 AR_SREV_9462(ah) ||
+                 AR_SREV_9531(ah))
+                pCap->chip_chainmask = 3;
        else
-                chip_chainmask = 7;
+                pCap->chip_chainmask = 7;
        pCap->tx_chainmask = ah->eep_ops->get_eeprom(ah, EEP_TX_MASK);
        /*
@@ -2403,8 +2398,8 @@ int ath9k_hw_fill_cap_info(struct ath_hw *ah)
                /* Use rx_chainmask from EEPROM. */
                pCap->rx_chainmask = ah->eep_ops->get_eeprom(ah, EEP_RX_MASK);
-        pCap->tx_chainmask = fixup_chainmask(chip_chainmask, pCap->tx_chainmask);
+        pCap->tx_chainmask = fixup_chainmask(pCap->chip_chainmask, pCap->tx_chainmask);
-        pCap->rx_chainmask = fixup_chainmask(chip_chainmask, pCap->rx_chainmask);
+        pCap->rx_chainmask = fixup_chainmask(pCap->chip_chainmask, pCap->rx_chainmask);
        ah->txchainmask = pCap->tx_chainmask;
        ah->rxchainmask = pCap->rx_chainmask;
@@ -2918,6 +2913,16 @@ u32 ath9k_hw_gettsf32(struct ath_hw *ah)
 }
 EXPORT_SYMBOL(ath9k_hw_gettsf32);
+void ath9k_hw_gen_timer_start_tsf2(struct ath_hw *ah)
+{
+        struct ath_gen_timer_table *timer_table = &ah->hw_gen_timers;
+        if (timer_table->tsf2_enabled) {
+                REG_SET_BIT(ah, AR_DIRECT_CONNECT, AR_DC_AP_STA_EN);
+                REG_SET_BIT(ah, AR_RESET_TSF, AR_RESET_TSF2_ONCE);
+        }
+}
 struct ath_gen_timer *ath_gen_timer_alloc(struct ath_hw *ah,
                                          void (*trigger)(void *),
                                          void (*overflow)(void *),
@@ -2928,7 +2933,11 @@ struct ath_gen_timer *ath_gen_timer_alloc(struct ath_hw *ah,
        struct ath_gen_timer *timer;
        if ((timer_index < AR_FIRST_NDP_TIMER) ||
-                (timer_index >= ATH_MAX_GEN_TIMER))
+            (timer_index >= ATH_MAX_GEN_TIMER))
+                return NULL;
+        if ((timer_index > AR_FIRST_NDP_TIMER) &&
+            !AR_SREV_9300_20_OR_LATER(ah))
                return NULL;
        timer = kzalloc(sizeof(struct ath_gen_timer), GFP_KERNEL);
@@ -2942,6 +2951,11 @@ struct ath_gen_timer *ath_gen_timer_alloc(struct ath_hw *ah,
        timer->overflow = overflow;
        timer->arg = arg;
+        if ((timer_index > AR_FIRST_NDP_TIMER) && !timer_table->tsf2_enabled) {
+                timer_table->tsf2_enabled = true;
+                ath9k_hw_gen_timer_start_tsf2(ah);
+        }
        return timer;
 }
 EXPORT_SYMBOL(ath_gen_timer_alloc);
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
index e49721e85f6a..1cbd33551513 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -217,8 +217,8 @@
 #define AH_WOW_BEACON_MISS              BIT(3)
 enum ath_hw_txq_subtype {
-        ATH_TXQ_AC_BE = 0,
+        ATH_TXQ_AC_BK = 0,
-        ATH_TXQ_AC_BK = 1,
+        ATH_TXQ_AC_BE = 1,
        ATH_TXQ_AC_VI = 2,
        ATH_TXQ_AC_VO = 3,
 };
@@ -276,6 +276,7 @@ struct ath9k_hw_capabilities {
        u16 rts_aggr_limit;
        u8 tx_chainmask;
        u8 rx_chainmask;
+        u8 chip_chainmask;
        u8 max_txchains;
        u8 max_rxchains;
        u8 num_gpio_pins;
@@ -329,6 +330,7 @@ struct ath9k_ops_config {
        bool alt_mingainidx;
        bool no_pll_pwrsave;
        bool tx_gain_buffalo;
+        bool led_active_high;
 };
 enum ath9k_int {
@@ -524,6 +526,7 @@ struct ath_gen_timer {
 struct ath_gen_timer_table {
        struct ath_gen_timer *timers[ATH_MAX_GEN_TIMER];
        u16 timer_mask;
+        bool tsf2_enabled;
 };
 struct ath_hw_antcomb_conf {
@@ -753,7 +756,8 @@ struct ath_hw {
        } eeprom;
        const struct eeprom_ops *eep_ops;
-        bool sw_mgmt_crypto;
+        bool sw_mgmt_crypto_tx;
+        bool sw_mgmt_crypto_rx;
        bool is_pciexpress;
        bool aspm_enabled;
        bool is_monitoring;
@@ -936,6 +940,10 @@ struct ath_hw {
        const struct firmware *eeprom_blob;
        struct ath_dynack dynack;
+        bool tpc_enabled;
+        u8 tx_power[Ar5416RateSize];
+        u8 tx_power_stbc[Ar5416RateSize];
 };
 struct ath_bus_ops {
@@ -1035,6 +1043,7 @@ void ath9k_hw_gen_timer_start(struct ath_hw *ah,
                              struct ath_gen_timer *timer,
                              u32 timer_next,
                              u32 timer_period);
+void ath9k_hw_gen_timer_start_tsf2(struct ath_hw *ah);
 void ath9k_hw_gen_timer_stop(struct ath_hw *ah, struct ath_gen_timer *timer);
 void ath_gen_timer_free(struct ath_hw *ah, struct ath_gen_timer *timer);
@@ -1075,6 +1084,8 @@ int ar9003_paprd_init_table(struct ath_hw *ah);
 bool ar9003_paprd_is_done(struct ath_hw *ah);
 bool ar9003_is_paprd_enabled(struct ath_hw *ah);
 void ar9003_hw_set_chain_masks(struct ath_hw *ah, u8 rx, u8 tx);
+void ar9003_hw_init_rate_txpower(struct ath_hw *ah, u8 *rate_array,
+                                 struct ath9k_channel *chan);
 /* Hardware family op attach helpers */
 int ar5008_hw_attach_phy_ops(struct ath_hw *ah);
diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
index 2294109f79e9..d1c39346b264 100644
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -88,6 +88,21 @@ static const struct ieee80211_tpt_blink ath9k_tpt_blink[] = {
 static void ath9k_deinit_softc(struct ath_softc *sc);
+static void ath9k_op_ps_wakeup(struct ath_common *common)
+{
+        ath9k_ps_wakeup((struct ath_softc *) common->priv);
+}
+static void ath9k_op_ps_restore(struct ath_common *common)
+{
+        ath9k_ps_restore((struct ath_softc *) common->priv);
+}
+static struct ath_ps_ops ath9k_ps_ops = {
+        .wakeup = ath9k_op_ps_wakeup,
+        .restore = ath9k_op_ps_restore,
+};
 /*
 * Read and write, they both share the same lock. We do this to serialize
 * reads and writes on Atheros 802.11n PCI devices only. This is required
@@ -172,17 +187,20 @@ static void ath9k_reg_notifier(struct wiphy *wiphy,
        ath_reg_notifier_apply(wiphy, request, reg);
        /* Set tx power */
-        if (ah->curchan) {
+        if (!ah->curchan)
-                sc->cur_chan->txpower = 2 * ah->curchan->chan->max_power;
+                return;
-                ath9k_ps_wakeup(sc);
-                ath9k_hw_set_txpowerlimit(ah, sc->cur_chan->txpower, false);
+        sc->cur_chan->txpower = 2 * ah->curchan->chan->max_power;
-                sc->curtxpow = ath9k_hw_regulatory(ah)->power_limit;
+        ath9k_ps_wakeup(sc);
-                /* synchronize DFS detector if regulatory domain changed */
+        ath9k_hw_set_txpowerlimit(ah, sc->cur_chan->txpower, false);
-                if (sc->dfs_detector != NULL)
+        ath9k_cmn_update_txpow(ah, sc->cur_chan->cur_txpower,
-                        sc->dfs_detector->set_dfs_domain(sc->dfs_detector,
+                               sc->cur_chan->txpower,
-                                                         request->dfs_region);
+                               &sc->cur_chan->cur_txpower);
-                ath9k_ps_restore(sc);
+        /* synchronize DFS detector if regulatory domain changed */
-        }
+        if (sc->dfs_detector != NULL)
+                sc->dfs_detector->set_dfs_domain(sc->dfs_detector,
+                                                 request->dfs_region);
+        ath9k_ps_restore(sc);
 }
 /*
@@ -348,12 +366,13 @@ static void ath9k_init_misc(struct ath_softc *sc)
        if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_ANT_DIV_COMB)
                sc->ant_comb.count = ATH_ANT_DIV_COMB_INIT_COUNT;
-        sc->spec_config.enabled = 0;
+        sc->spec_priv.ah = sc->sc_ah;
-        sc->spec_config.short_repeat = true;
+        sc->spec_priv.spec_config.enabled = 0;
-        sc->spec_config.count = 8;
+        sc->spec_priv.spec_config.short_repeat = true;
-        sc->spec_config.endless = false;
+        sc->spec_priv.spec_config.count = 8;
-        sc->spec_config.period = 0xFF;
+        sc->spec_priv.spec_config.endless = false;
-        sc->spec_config.fft_period = 0xF;
+        sc->spec_priv.spec_config.period = 0xFF;
+        sc->spec_priv.spec_config.fft_period = 0xF;
 }
 static void ath9k_init_pcoem_platform(struct ath_softc *sc)
@@ -422,6 +441,9 @@ static void ath9k_init_pcoem_platform(struct ath_softc *sc)
                ah->config.no_pll_pwrsave = true;
                ath_info(common, "Disable PLL PowerSave\n");
        }
+        if (sc->driver_data & ATH9K_PCI_LED_ACT_HI)
+                ah->config.led_active_high = true;
 }
 static void ath9k_eeprom_request_cb(const struct firmware *eeprom_blob,
@@ -510,10 +532,14 @@ static int ath9k_init_softc(u16 devid, struct ath_softc *sc,
        ah->reg_ops.read = ath9k_ioread32;
        ah->reg_ops.write = ath9k_iowrite32;
        ah->reg_ops.rmw = ath9k_reg_rmw;
-        sc->sc_ah = ah;
        pCap = &ah->caps;
        common = ath9k_hw_common(ah);
+        /* Will be cleared in ath9k_start() */
+        set_bit(ATH_OP_INVALID, &common->op_flags);
+        sc->sc_ah = ah;
        sc->dfs_detector = dfs_pattern_detector_init(common, NL80211_DFS_UNSET);
        sc->tx99_power = MAX_RATE_POWER + 1;
        init_waitqueue_head(&sc->tx_wait);
@@ -539,6 +565,7 @@ static int ath9k_init_softc(u16 devid, struct ath_softc *sc,
        common->ops = &ah->reg_ops;
        common->bus_ops = bus_ops;
+        common->ps_ops = &ath9k_ps_ops;
        common->ah = ah;
        common->hw = sc->hw;
        common->priv = sc;
@@ -741,6 +768,32 @@ static const struct ieee80211_iface_combination if_comb[] = {
 #endif
 };
+#ifdef CONFIG_ATH9K_CHANNEL_CONTEXT
+static void ath9k_set_mcc_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+{
+        struct ath_hw *ah = sc->sc_ah;
+        struct ath_common *common = ath9k_hw_common(ah);
+        if (!ath9k_is_chanctx_enabled())
+                return;
+        hw->flags |= IEEE80211_HW_QUEUE_CONTROL;
+        hw->queues = ATH9K_NUM_TX_QUEUES;
+        hw->offchannel_tx_hw_queue = hw->queues - 1;
+        hw->wiphy->interface_modes &= ~ BIT(NL80211_IFTYPE_WDS);
+        hw->wiphy->iface_combinations = if_comb_multi;
+        hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb_multi);
+        hw->wiphy->max_scan_ssids = 255;
+        hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN;
+        hw->wiphy->max_remain_on_channel_duration = 10000;
+        hw->chanctx_data_size = sizeof(void *);
+        hw->extra_beacon_tailroom =
+                sizeof(struct ieee80211_p2p_noa_attr) + 9;
+        ath_dbg(common, CHAN_CTX, "Use channel contexts\n");
+}
+#endif /* CONFIG_ATH9K_CHANNEL_CONTEXT */
 static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
 {
        struct ath_hw *ah = sc->sc_ah;
@@ -753,7 +806,6 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
                IEEE80211_HW_SPECTRUM_MGMT |
                IEEE80211_HW_REPORTS_TX_ACK_STATUS |
                IEEE80211_HW_SUPPORTS_RC_TABLE |
-                IEEE80211_HW_QUEUE_CONTROL |
                IEEE80211_HW_SUPPORTS_HT_CCK_RATES;
        if (ath9k_ps_enable)
@@ -788,24 +840,6 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
                        hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb);
        }
-#ifdef CONFIG_ATH9K_CHANNEL_CONTEXT
-        if (ath9k_is_chanctx_enabled()) {
-                hw->wiphy->interface_modes &= ~ BIT(NL80211_IFTYPE_WDS);
-                hw->wiphy->iface_combinations = if_comb_multi;
-                hw->wiphy->n_iface_combinations = ARRAY_SIZE(if_comb_multi);
-                hw->wiphy->max_scan_ssids = 255;
-                hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN;
-                hw->wiphy->max_remain_on_channel_duration = 10000;
-                hw->chanctx_data_size = sizeof(void *);
-                hw->extra_beacon_tailroom =
-                        sizeof(struct ieee80211_p2p_noa_attr) + 9;
-                ath_dbg(common, CHAN_CTX, "Use channel contexts\n");
-        }
-#endif /* CONFIG_ATH9K_CHANNEL_CONTEXT */
        hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
        hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
@@ -815,12 +849,7 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
        hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
        hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;
-        /* allow 4 queues per channel context +
+        hw->queues = 4;
-         * 1 cab queue + 1 offchannel tx queue
-         */
-        hw->queues = ATH9K_NUM_TX_QUEUES;
-        /* last queue for offchannel */
-        hw->offchannel_tx_hw_queue = hw->queues - 1;
        hw->max_rates = 4;
        hw->max_listen_interval = 10;
        hw->max_rate_tries = 10;
@@ -844,6 +873,9 @@ static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
                hw->wiphy->bands[IEEE80211_BAND_5GHZ] =
                        &common->sbands[IEEE80211_BAND_5GHZ];
+#ifdef CONFIG_ATH9K_CHANNEL_CONTEXT
+        ath9k_set_mcc_capab(sc, hw);
+#endif
        ath9k_init_wow(hw);
        ath9k_cmn_reload_chainmask(ah);
@@ -868,9 +900,6 @@ int ath9k_init_device(u16 devid, struct ath_softc *sc,
        common = ath9k_hw_common(ah);
        ath9k_set_hw_capab(sc, hw);
-        /* Will be cleared in ath9k_start() */
-        set_bit(ATH_OP_INVALID, &common->op_flags);
        /* Initialize regulatory */
        error = ath_regd_init(&common->regulatory, sc->hw->wiphy,
                              ath9k_reg_notifier);
diff --git a/drivers/net/wireless/ath/ath9k/mac.c b/drivers/net/wireless/ath/ath9k/mac.c
index 275205ab5f15..3e58bfa0c1fd 100644
--- a/drivers/net/wireless/ath/ath9k/mac.c
+++ b/drivers/net/wireless/ath/ath9k/mac.c
@@ -311,14 +311,7 @@ int ath9k_hw_setuptxqueue(struct ath_hw *ah, enum ath9k_tx_queue type,
                q = ATH9K_NUM_TX_QUEUES - 3;
                break;
        case ATH9K_TX_QUEUE_DATA:
-                for (q = 0; q < ATH9K_NUM_TX_QUEUES; q++)
+                q = qinfo->tqi_subtype;
-                        if (ah->txq[q].tqi_type ==
-                            ATH9K_TX_QUEUE_INACTIVE)
-                                break;
-                if (q == ATH9K_NUM_TX_QUEUES) {
-                        ath_err(common, "No available TX queue\n");
-                        return -1;
-                }
                break;
        default:
                ath_err(common, "Invalid TX queue type: %u\n", type);
diff --git a/drivers/net/wireless/ath/ath9k/mac.h b/drivers/net/wireless/ath/ath9k/mac.h
index aa69ceaad0be..e55fa11894b6 100644
--- a/drivers/net/wireless/ath/ath9k/mac.h
+++ b/drivers/net/wireless/ath/ath9k/mac.h
@@ -704,7 +704,7 @@ struct ath_tx_info {
        enum ath9k_pkt_type type;
        enum ath9k_key_type keytype;
        u8 keyix;
-        u8 txpower;
+        u8 txpower[4];
 };
 struct ath_hw;
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index 45465d8e3f0a..cff070d7a325 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -233,8 +233,9 @@ static bool ath_complete_reset(struct ath_softc *sc, bool start)
        ath9k_calculate_summary_state(sc, sc->cur_chan);
        ath_startrecv(sc);
-        ath9k_cmn_update_txpow(ah, sc->curtxpow,
+        ath9k_cmn_update_txpow(ah, sc->cur_chan->cur_txpower,
-                               sc->cur_chan->txpower, &sc->curtxpow);
+                               sc->cur_chan->txpower,
+                               &sc->cur_chan->cur_txpower);
        clear_bit(ATH_OP_HW_RESET, &common->op_flags);
        if (!sc->cur_chan->offchannel && start) {
@@ -511,16 +512,13 @@ irqreturn_t ath_isr(int irq, void *dev)
        if (!ah || test_bit(ATH_OP_INVALID, &common->op_flags))
                return IRQ_NONE;
-        /* shared irq, not for us */
+        if (!AR_SREV_9100(ah) && test_bit(ATH_OP_HW_RESET, &common->op_flags))
+                return IRQ_NONE;
+        /* shared irq, not for us */
        if (!ath9k_hw_intrpend(ah))
                return IRQ_NONE;
-        if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) {
-                ath9k_hw_kill_interrupts(ah);
-                return IRQ_HANDLED;
-        }
        /*
         * Figure out the reason(s) for the interrupt.  Note
         * that the hal returns a pseudo-ISR that may include
@@ -531,6 +529,9 @@ irqreturn_t ath_isr(int irq, void *dev)
        ath9k_debug_sync_cause(sc, sync_cause);
        status &= ah->imask;    /* discard unasked-for bits */
+        if (AR_SREV_9100(ah) && test_bit(ATH_OP_HW_RESET, &common->op_flags))
+                return IRQ_HANDLED;
        /*
         * If there are no status bits set, then this interrupt was not
         * for me (should have been caught above).
@@ -612,6 +613,7 @@ int ath_reset(struct ath_softc *sc, struct ath9k_channel *hchan)
        struct ath_common *common = ath9k_hw_common(sc->sc_ah);
        int r;
+        ath9k_hw_kill_interrupts(sc->sc_ah);
        set_bit(ATH_OP_HW_RESET, &common->op_flags);
        ath9k_ps_wakeup(sc);
@@ -632,6 +634,7 @@ void ath9k_queue_reset(struct ath_softc *sc, enum ath_reset_type type)
 #ifdef CONFIG_ATH9K_DEBUGFS
        RESET_STAT_INC(sc, type);
 #endif
+        ath9k_hw_kill_interrupts(sc->sc_ah);
        set_bit(ATH_OP_HW_RESET, &common->op_flags);
        ieee80211_queue_work(sc->hw, &sc->hw_reset_work);
 }
@@ -726,7 +729,8 @@ static int ath9k_start(struct ieee80211_hw *hw)
        if (ah->led_pin >= 0) {
                ath9k_hw_cfg_output(ah, ah->led_pin,
                                    AR_GPIO_OUTPUT_MUX_AS_OUTPUT);
-                ath9k_hw_set_gpio(ah, ah->led_pin, 0);
+                ath9k_hw_set_gpio(ah, ah->led_pin,
+                                  (ah->config.led_active_high) ? 1 : 0);
        }
        /*
@@ -868,7 +872,8 @@ static void ath9k_stop(struct ieee80211_hw *hw)
        spin_lock_bh(&sc->sc_pcu_lock);
        if (ah->led_pin >= 0) {
-                ath9k_hw_set_gpio(ah, ah->led_pin, 1);
+                ath9k_hw_set_gpio(ah, ah->led_pin,
+                                  (ah->config.led_active_high) ? 0 : 1);
                ath9k_hw_cfg_gpio_input(ah, ah->led_pin);
        }
@@ -884,6 +889,9 @@ static void ath9k_stop(struct ieee80211_hw *hw)
                                                    &sc->cur_chan->chandef);
        ath9k_hw_reset(ah, ah->curchan, ah->caldata, false);
+        set_bit(ATH_OP_INVALID, &common->op_flags);
        ath9k_hw_phy_disable(ah);
        ath9k_hw_configpcipowersave(ah, true);
@@ -892,7 +900,6 @@ static void ath9k_stop(struct ieee80211_hw *hw)
        ath9k_ps_restore(sc);
-        set_bit(ATH_OP_INVALID, &common->op_flags);
        sc->ps_idle = prev_idle;
        mutex_unlock(&sc->mutex);
@@ -1181,10 +1188,14 @@ static void ath9k_assign_hw_queues(struct ieee80211_hw *hw,
 {
        int i;
+        if (!ath9k_is_chanctx_enabled())
+                return;
        for (i = 0; i < IEEE80211_NUM_ACS; i++)
                vif->hw_queue[i] = i;
-        if (vif->type == NL80211_IFTYPE_AP)
+        if (vif->type == NL80211_IFTYPE_AP ||
+            vif->type == NL80211_IFTYPE_MESH_POINT)
                vif->cab_queue = hw->queues - 2;
        else
                vif->cab_queue = IEEE80211_INVAL_HW_QUEUE;
@@ -1336,78 +1347,6 @@ static void ath9k_disable_ps(struct ath_softc *sc)
        ath_dbg(common, PS, "PowerSave disabled\n");
 }
-void ath9k_spectral_scan_trigger(struct ieee80211_hw *hw)
-{
-        struct ath_softc *sc = hw->priv;
-        struct ath_hw *ah = sc->sc_ah;
-        struct ath_common *common = ath9k_hw_common(ah);
-        u32 rxfilter;
-        if (config_enabled(CONFIG_ATH9K_TX99))
-                return;
-        if (!ath9k_hw_ops(ah)->spectral_scan_trigger) {
-                ath_err(common, "spectrum analyzer not implemented on this hardware\n");
-                return;
-        }
-        ath9k_ps_wakeup(sc);
-        rxfilter = ath9k_hw_getrxfilter(ah);
-        ath9k_hw_setrxfilter(ah, rxfilter |
-                                 ATH9K_RX_FILTER_PHYRADAR |
-                                 ATH9K_RX_FILTER_PHYERR);
-        /* TODO: usually this should not be neccesary, but for some reason
-         * (or in some mode?) the trigger must be called after the
-         * configuration, otherwise the register will have its values reset
-         * (on my ar9220 to value 0x01002310)
-         */
-        ath9k_spectral_scan_config(hw, sc->spectral_mode);
-        ath9k_hw_ops(ah)->spectral_scan_trigger(ah);
-        ath9k_ps_restore(sc);
-}
-int ath9k_spectral_scan_config(struct ieee80211_hw *hw,
-                               enum spectral_mode spectral_mode)
-{
-        struct ath_softc *sc = hw->priv;
-        struct ath_hw *ah = sc->sc_ah;
-        struct ath_common *common = ath9k_hw_common(ah);
-        if (!ath9k_hw_ops(ah)->spectral_scan_trigger) {
-                ath_err(common, "spectrum analyzer not implemented on this hardware\n");
-                return -1;
-        }
-        switch (spectral_mode) {
-        case SPECTRAL_DISABLED:
-                sc->spec_config.enabled = 0;
-                break;
-        case SPECTRAL_BACKGROUND:
-                /* send endless samples.
-                 * TODO: is this really useful for "background"?
-                 */
-                sc->spec_config.endless = 1;
-                sc->spec_config.enabled = 1;
-                break;
-        case SPECTRAL_CHANSCAN:
-        case SPECTRAL_MANUAL:
-                sc->spec_config.endless = 0;
-                sc->spec_config.enabled = 1;
-                break;
-        default:
-                return -1;
-        }
-        ath9k_ps_wakeup(sc);
-        ath9k_hw_ops(ah)->spectral_scan_config(ah, &sc->spec_config);
-        ath9k_ps_restore(sc);
-        sc->spectral_mode = spectral_mode;
-        return 0;
-}
 static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
 {
        struct ath_softc *sc = hw->priv;
@@ -1468,8 +1407,9 @@ static int ath9k_config(struct ieee80211_hw *hw, u32 changed)
        if (changed & IEEE80211_CONF_CHANGE_POWER) {
                ath_dbg(common, CONFIG, "Set power: %d\n", conf->power_level);
                sc->cur_chan->txpower = 2 * conf->power_level;
-                ath9k_cmn_update_txpow(ah, sc->curtxpow,
+                ath9k_cmn_update_txpow(ah, sc->cur_chan->cur_txpower,
-                                       sc->cur_chan->txpower, &sc->curtxpow);
+                                       sc->cur_chan->txpower,
+                                       &sc->cur_chan->cur_txpower);
        }
        mutex_unlock(&sc->mutex);
@@ -1724,7 +1664,7 @@ static int ath9k_set_key(struct ieee80211_hw *hw,
                        key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV;
                        if (key->cipher == WLAN_CIPHER_SUITE_TKIP)
                                key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC;
-                        if (sc->sc_ah->sw_mgmt_crypto &&
+                        if (sc->sc_ah->sw_mgmt_crypto_tx &&
                            key->cipher == WLAN_CIPHER_SUITE_CCMP)
                                key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
                        ret = 0;
@@ -2247,14 +2187,17 @@ static int ath9k_get_antenna(struct ieee80211_hw *hw, u32 *tx_ant, u32 *rx_ant)
        return 0;
 }
-static void ath9k_sw_scan_start(struct ieee80211_hw *hw)
+static void ath9k_sw_scan_start(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif,
+                                const u8 *mac_addr)
 {
        struct ath_softc *sc = hw->priv;
        struct ath_common *common = ath9k_hw_common(sc->sc_ah);
        set_bit(ATH_OP_SCANNING, &common->op_flags);
 }
-static void ath9k_sw_scan_complete(struct ieee80211_hw *hw)
+static void ath9k_sw_scan_complete(struct ieee80211_hw *hw,
+                                   struct ieee80211_vif *vif)
 {
        struct ath_softc *sc = hw->priv;
        struct ath_common *common = ath9k_hw_common(sc->sc_ah);
@@ -2263,6 +2206,28 @@ static void ath9k_sw_scan_complete(struct ieee80211_hw *hw)
 #ifdef CONFIG_ATH9K_CHANNEL_CONTEXT
+static void ath9k_cancel_pending_offchannel(struct ath_softc *sc)
+{
+        struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+        if (sc->offchannel.roc_vif) {
+                ath_dbg(common, CHAN_CTX,
+                        "%s: Aborting RoC\n", __func__);
+                del_timer_sync(&sc->offchannel.timer);
+                if (sc->offchannel.state >= ATH_OFFCHANNEL_ROC_START)
+                        ath_roc_complete(sc, true);
+        }
+        if (test_bit(ATH_OP_SCANNING, &common->op_flags)) {
+                ath_dbg(common, CHAN_CTX,
+                        "%s: Aborting HW scan\n", __func__);
+                del_timer_sync(&sc->offchannel.timer);
+                ath_scan_complete(sc, true);
+        }
+}
 static int ath9k_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                         struct ieee80211_scan_request *hw_req)
 {
@@ -2449,6 +2414,8 @@ static int ath9k_assign_vif_chanctx(struct ieee80211_hw *hw,
        struct ath_chanctx *ctx = ath_chanctx_get(conf);
        int i;
+        ath9k_cancel_pending_offchannel(sc);
        mutex_lock(&sc->mutex);
        ath_dbg(common, CHAN_CTX,
@@ -2478,6 +2445,8 @@ static void ath9k_unassign_vif_chanctx(struct ieee80211_hw *hw,
        struct ath_chanctx *ctx = ath_chanctx_get(conf);
        int ac;
+        ath9k_cancel_pending_offchannel(sc);
        mutex_lock(&sc->mutex);
        ath_dbg(common, CHAN_CTX,
@@ -2523,18 +2492,7 @@ static void ath9k_mgd_prepare_tx(struct ieee80211_hw *hw,
        if (!changed)
                goto out;
-        if (test_bit(ATH_OP_SCANNING, &common->op_flags)) {
+        ath9k_cancel_pending_offchannel(sc);
-                ath_dbg(common, CHAN_CTX,
-                        "%s: Aborting HW scan\n", __func__);
-                mutex_unlock(&sc->mutex);
-                del_timer_sync(&sc->offchannel.timer);
-                ath_scan_complete(sc, true);
-                flush_work(&sc->chanctx_work);
-                mutex_lock(&sc->mutex);
-        }
        go_ctx = ath_is_go_chanctx_present(sc);
@@ -2549,13 +2507,22 @@ static void ath9k_mgd_prepare_tx(struct ieee80211_hw *hw,
                beacon_int = TU_TO_USEC(cur_conf->beacon_interval);
                spin_unlock_bh(&sc->chan_lock);
-                timeout = usecs_to_jiffies(beacon_int);
+                timeout = usecs_to_jiffies(beacon_int * 2);
                init_completion(&sc->go_beacon);
+                mutex_unlock(&sc->mutex);
                if (wait_for_completion_timeout(&sc->go_beacon,
-                                                timeout) == 0)
+                                                timeout) == 0) {
                        ath_dbg(common, CHAN_CTX,
                                "Failed to send new NoA\n");
+                        spin_lock_bh(&sc->chan_lock);
+                        sc->sched.mgd_prepare_tx = false;
+                        spin_unlock_bh(&sc->chan_lock);
+                }
+                mutex_lock(&sc->mutex);
        }
        ath_dbg(common, CHAN_CTX,
@@ -2591,6 +2558,24 @@ void ath9k_fill_chanctx_ops(void)
 #endif
+static int ath9k_get_txpower(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+                             int *dbm)
+{
+        struct ath_softc *sc = hw->priv;
+        struct ath_vif *avp = (void *)vif->drv_priv;
+        mutex_lock(&sc->mutex);
+        if (avp->chanctx)
+                *dbm = avp->chanctx->cur_txpower;
+        else
+                *dbm = sc->cur_chan->cur_txpower;
+        mutex_unlock(&sc->mutex);
+        *dbm /= 2;
+        return 0;
+}
 struct ieee80211_ops ath9k_ops = {
        .tx                 = ath9k_tx,
        .start              = ath9k_start,
@@ -2637,4 +2622,5 @@ struct ieee80211_ops ath9k_ops = {
 #endif
        .sw_scan_start      = ath9k_sw_scan_start,
        .sw_scan_complete   = ath9k_sw_scan_complete,
+        .get_txpower        = ath9k_get_txpower,
 };
diff --git a/drivers/net/wireless/ath/ath9k/pci.c b/drivers/net/wireless/ath/ath9k/pci.c
index e3f60d5c5263..f009b5b57e5e 100644
--- a/drivers/net/wireless/ath/ath9k/pci.c
+++ b/drivers/net/wireless/ath/ath9k/pci.c
@@ -657,7 +657,9 @@ static const struct pci_device_id ath_pci_id_table[] = {
                         0x0036,
                         PCI_VENDOR_ID_DELL,
                         0x020E),
-          .driver_data = ATH9K_PCI_AR9565_2ANT | ATH9K_PCI_BT_ANT_DIV },
+          .driver_data = ATH9K_PCI_AR9565_2ANT |
+                         ATH9K_PCI_BT_ANT_DIV |
+                         ATH9K_PCI_LED_ACT_HI},
        /* PCI-E AR9565 (WB335) */
        { PCI_VDEVICE(ATHEROS, 0x0036),
diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 6914e21816e4..7395afbc5124 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -870,7 +870,7 @@ static int ath9k_rx_skb_preprocess(struct ath_softc *sc,
         */
        if (rx_stats->rs_status & ATH9K_RXERR_PHY) {
                ath9k_dfs_process_phyerr(sc, hdr, rx_stats, rx_status->mactime);
-                if (ath_process_fft(sc, hdr, rx_stats, rx_status->mactime))
+                if (ath_cmn_process_fft(&sc->spec_priv, hdr, rx_stats, rx_status->mactime))
                        RX_STAT_INC(rx_spectral);
                return -EINVAL;
diff --git a/drivers/net/wireless/ath/ath9k/reg.h b/drivers/net/wireless/ath/ath9k/reg.h
index 1c0b1c1c5350..fb11a9172f38 100644
--- a/drivers/net/wireless/ath/ath9k/reg.h
+++ b/drivers/net/wireless/ath/ath9k/reg.h
@@ -1605,6 +1605,7 @@ enum {
 #define AR_RESET_TSF        0x8020
 #define AR_RESET_TSF_ONCE   0x01000000
+#define AR_RESET_TSF2_ONCE  0x02000000
 #define AR_MAX_CFP_DUR      0x8038
 #define AR_CFP_VAL          0x0000FFFF
@@ -1723,6 +1724,8 @@ enum {
 #define AR_TPC_CTS_S           8
 #define AR_TPC_CHIRP           0x003f0000
 #define AR_TPC_CHIRP_S         16
+#define AR_TPC_RPT             0x3f000000
+#define AR_TPC_RPT_S           24
 #define AR_QUIET1          0x80fc
 #define AR_QUIET1_NEXT_QUIET_S         0
@@ -1966,6 +1969,8 @@ enum {
 #define AR_MAC_PCU_ASYNC_FIFO_REG3_SOFT_RESET           0x80000000
 #define AR_MAC_PCU_GEN_TIMER_TSF_SEL                    0x83d8
+#define AR_DIRECT_CONNECT                              0x83a0
+#define AR_DC_AP_STA_EN                                0x00000001
 #define AR_AES_MUTE_MASK0       0x805c
 #define AR_AES_MUTE_MASK0_FC    0x0000FFFF
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 493a183d0aaf..e9bd02c2e844 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -169,7 +169,10 @@ static void ath_txq_skb_done(struct ath_softc *sc, struct ath_txq *txq,
        if (txq->stopped &&
            txq->pending_frames < sc->tx.txq_max_pending[q]) {
-                ieee80211_wake_queue(sc->hw, info->hw_queue);
+                if (ath9k_is_chanctx_enabled())
+                        ieee80211_wake_queue(sc->hw, info->hw_queue);
+                else
+                        ieee80211_wake_queue(sc->hw, q);
                txq->stopped = false;
        }
 }
@@ -1093,6 +1096,37 @@ void ath_update_max_aggr_framelen(struct ath_softc *sc, int queue, int txop)
        }
 }
+static u8 ath_get_rate_txpower(struct ath_softc *sc, struct ath_buf *bf,
+                               u8 rateidx)
+{
+        u8 max_power;
+        struct ath_hw *ah = sc->sc_ah;
+        if (sc->tx99_state)
+                return MAX_RATE_POWER;
+        if (!AR_SREV_9300_20_OR_LATER(ah)) {
+                /* ar9002 is not sipported for the moment */
+                return MAX_RATE_POWER;
+        }
+        if (!bf->bf_state.bfs_paprd) {
+                struct sk_buff *skb = bf->bf_mpdu;
+                struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+                struct ath_frame_info *fi = get_frame_info(skb);
+                if (rateidx < 8 && (info->flags & IEEE80211_TX_CTL_STBC))
+                        max_power = min(ah->tx_power_stbc[rateidx],
+                                        fi->tx_power);
+                else
+                        max_power = min(ah->tx_power[rateidx], fi->tx_power);
+        } else {
+                max_power = ah->paprd_training_power;
+        }
+        return max_power;
+}
 static void ath_buf_set_rate(struct ath_softc *sc, struct ath_buf *bf,
                             struct ath_tx_info *info, int len, bool rts)
 {
@@ -1163,6 +1197,8 @@ static void ath_buf_set_rate(struct ath_softc *sc, struct ath_buf *bf,
                                 is_40, is_sgi, is_sp);
                        if (rix < 8 && (tx_info->flags & IEEE80211_TX_CTL_STBC))
                                info->rates[i].RateFlags |= ATH9K_RATESERIES_STBC;
+                        info->txpower[i] = ath_get_rate_txpower(sc, bf, rix);
                        continue;
                }
@@ -1190,6 +1226,8 @@ static void ath_buf_set_rate(struct ath_softc *sc, struct ath_buf *bf,
                info->rates[i].PktDuration = ath9k_hw_computetxtime(sc->sc_ah,
                        phy, rate->bitrate * 100, len, rix, is_sp);
+                info->txpower[i] = ath_get_rate_txpower(sc, bf, rix);
        }
        /* For AR5416 - RTS cannot be followed by a frame larger than 8K */
@@ -1236,7 +1274,6 @@ static void ath_tx_fill_desc(struct ath_softc *sc, struct ath_buf *bf,
        memset(&info, 0, sizeof(info));
        info.is_first = true;
        info.is_last = true;
-        info.txpower = MAX_RATE_POWER;
        info.qcu = txq->axq_qnum;
        while (bf) {
@@ -2060,6 +2097,7 @@ static void setup_frame_info(struct ieee80211_hw *hw,
                fi->keyix = ATH9K_TXKEYIX_INVALID;
        fi->keytype = keytype;
        fi->framelen = framelen;
+        fi->tx_power = MAX_RATE_POWER;
        if (!rate)
                return;
@@ -2247,7 +2285,10 @@ int ath_tx_start(struct ieee80211_hw *hw, struct sk_buff *skb,
                fi->txq = q;
                if (++txq->pending_frames > sc->tx.txq_max_pending[q] &&
                    !txq->stopped) {
-                        ieee80211_stop_queue(sc->hw, info->hw_queue);
+                        if (ath9k_is_chanctx_enabled())
+                                ieee80211_stop_queue(sc->hw, info->hw_queue);
+                        else
+                                ieee80211_stop_queue(sc->hw, q);
                        txq->stopped = true;
                }
        }
diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
index 650be79c7ac9..cfd0554cf140 100644
--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
+++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
@@ -86,7 +86,7 @@ static const struct radar_detector_specs fcc_radar_ref_types[] = {
        FCC_PATTERN(1, 0, 5, 150, 230, 1, 23),
        FCC_PATTERN(2, 6, 10, 200, 500, 1, 16),
        FCC_PATTERN(3, 11, 20, 200, 500, 1, 12),
-        FCC_PATTERN(4, 50, 100, 1000, 2000, 20, 1),
+        FCC_PATTERN(4, 50, 100, 1000, 2000, 1, 20),
        FCC_PATTERN(5, 0, 1, 333, 333, 1, 9),
 };
@@ -105,7 +105,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
        JP_PATTERN(4, 0, 5, 150, 230, 1, 23),
        JP_PATTERN(5, 6, 10, 200, 500, 1, 16),
        JP_PATTERN(6, 11, 20, 200, 500, 1, 12),
-        JP_PATTERN(7, 50, 100, 1000, 2000, 20, 1),
+        JP_PATTERN(7, 50, 100, 1000, 2000, 1, 20),
        JP_PATTERN(5, 0, 1, 333, 333, 1, 9),
 };
diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c
index 415393dfb6fc..06ea6cc9e30a 100644
--- a/drivers/net/wireless/ath/regd.c
+++ b/drivers/net/wireless/ath/regd.c
@@ -515,6 +515,7 @@ void ath_reg_notifier_apply(struct wiphy *wiphy,
        if (!request)
                return;
+        reg->region = request->dfs_region;
        switch (request->initiator) {
        case NL80211_REGDOM_SET_BY_CORE:
                /*
@@ -779,6 +780,19 @@ u32 ath_regd_get_band_ctl(struct ath_regulatory *reg,
                return SD_NO_CTL;
        }
+        if (ath_regd_get_eepromRD(reg) == CTRY_DEFAULT) {
+                switch (reg->region) {
+                case NL80211_DFS_FCC:
+                        return CTL_FCC;
+                case NL80211_DFS_ETSI:
+                        return CTL_ETSI;
+                case NL80211_DFS_JP:
+                        return CTL_MKK;
+                default:
+                        break;
+                }
+        }
        switch (band) {
        case IEEE80211_BAND_2GHZ:
                return reg->regpair->reg_2ghz_ctl;
diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
index b71d2b33532d..267c35d1f699 100644
--- a/drivers/net/wireless/ath/wcn36xx/main.c
+++ b/drivers/net/wireless/ath/wcn36xx/main.c
@@ -494,7 +494,9 @@ out:
        return ret;
 }
-static void wcn36xx_sw_scan_start(struct ieee80211_hw *hw)
+static void wcn36xx_sw_scan_start(struct ieee80211_hw *hw,
+                                  struct ieee80211_vif *vif,
+                                  const u8 *mac_addr)
 {
        struct wcn36xx *wcn = hw->priv;
@@ -502,7 +504,8 @@ static void wcn36xx_sw_scan_start(struct ieee80211_hw *hw)
        wcn36xx_smd_start_scan(wcn);
 }
-static void wcn36xx_sw_scan_complete(struct ieee80211_hw *hw)
+static void wcn36xx_sw_scan_complete(struct ieee80211_hw *hw,
+                                     struct ieee80211_vif *vif)
 {
        struct wcn36xx *wcn = hw->priv;
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 4248fb3352d2..38332a6dfb3a 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -792,12 +792,13 @@ static int wil_cfg80211_stop_ap(struct wiphy *wiphy,
 }
 static int wil_cfg80211_del_station(struct wiphy *wiphy,
-                                    struct net_device *dev, const u8 *mac)
+                                    struct net_device *dev,
+                                    struct station_del_parameters *params)
 {
        struct wil6210_priv *wil = wiphy_to_wil(wiphy);
        mutex_lock(&wil->mutex);
-        wil6210_disconnect(wil, mac, false);
+        wil6210_disconnect(wil, params->mac, params->reason_code, false);
        mutex_unlock(&wil->mutex);
        return 0;
diff --git a/drivers/net/wireless/ath/wil6210/debug.c b/drivers/net/wireless/ath/wil6210/debug.c
index 8d99021d27a8..3249562d93b4 100644
--- a/drivers/net/wireless/ath/wil6210/debug.c
+++ b/drivers/net/wireless/ath/wil6210/debug.c
@@ -32,6 +32,23 @@ void wil_err(struct wil6210_priv *wil, const char *fmt, ...)
        va_end(args);
 }
+void wil_err_ratelimited(struct wil6210_priv *wil, const char *fmt, ...)
+{
+        if (net_ratelimit()) {
+                struct net_device *ndev = wil_to_ndev(wil);
+                struct va_format vaf = {
+                        .fmt = fmt,
+                };
+                va_list args;
+                va_start(args, fmt);
+                vaf.va = &args;
+                netdev_err(ndev, "%pV", &vaf);
+                trace_wil6210_log_err(&vaf);
+                va_end(args);
+        }
+}
 void wil_info(struct wil6210_priv *wil, const char *fmt, ...)
 {
        struct net_device *ndev = wil_to_ndev(wil);
diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index 54a6ddc6301b..4e6e14501c2f 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -573,8 +573,10 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf,
        if (!frame)
                return -ENOMEM;
-        if (copy_from_user(frame, buf, len))
+        if (copy_from_user(frame, buf, len)) {
+                kfree(frame);
                return -EIO;
+        }
        params.buf = frame;
        params.len = len;
@@ -614,8 +616,10 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf,
                return -ENOMEM;
        rc = simple_write_to_buffer(wmi, len, ppos, buf, len);
-        if (rc < 0)
+        if (rc < 0) {
+                kfree(wmi);
                return rc;
+        }
        cmd = &wmi[1];
        cmdid = le16_to_cpu(wmi->id);
diff --git a/drivers/net/wireless/ath/wil6210/fw.c b/drivers/net/wireless/ath/wil6210/fw.c
index 8c6f3b041f77..93c5cc16c515 100644
--- a/drivers/net/wireless/ath/wil6210/fw.c
+++ b/drivers/net/wireless/ath/wil6210/fw.c
@@ -15,7 +15,6 @@
 */
 #include <linux/firmware.h>
 #include <linux/module.h>
-#include <linux/pci.h>
 #include <linux/crc32.h>
 #include "wil6210.h"
 #include "fw.h"
diff --git a/drivers/net/wireless/ath/wil6210/fw_inc.c b/drivers/net/wireless/ath/wil6210/fw_inc.c
index 44cb71f5ea5b..d4acf93a9a02 100644
--- a/drivers/net/wireless/ath/wil6210/fw_inc.c
+++ b/drivers/net/wireless/ath/wil6210/fw_inc.c
@@ -446,7 +446,7 @@ static int wil_fw_load(struct wil6210_priv *wil, const void *data, size_t size)
                if (size >= sizeof(*hdr)) {
                        wil_err_fw(wil, "Stop at offset %ld"
                                   " record type %d [%zd bytes]\n",
-                                   (const void *)hdr - data,
+                                   (long)((const void *)hdr - data),
                                   le16_to_cpu(hdr->type), hdr_sz);
                }
                return -EINVAL;
@@ -471,7 +471,7 @@ int wil_request_firmware(struct wil6210_priv *wil, const char *name)
        size_t sz;
        const void *d;
-        rc = request_firmware(&fw, name, wil_to_pcie_dev(wil));
+        rc = request_firmware(&fw, name, wil_to_dev(wil));
        if (rc) {
                wil_err_fw(wil, "Failed to load firmware %s\n", name);
                return rc;
diff --git a/drivers/net/wireless/ath/wil6210/interrupt.c b/drivers/net/wireless/ath/wil6210/interrupt.c
index 90f416f239bd..4bcbd6297b3e 100644
--- a/drivers/net/wireless/ath/wil6210/interrupt.c
+++ b/drivers/net/wireless/ath/wil6210/interrupt.c
@@ -36,7 +36,8 @@
 */
 #define WIL6210_IRQ_DISABLE     (0xFFFFFFFFUL)
-#define WIL6210_IMC_RX          BIT_DMA_EP_RX_ICR_RX_DONE
+#define WIL6210_IMC_RX          (BIT_DMA_EP_RX_ICR_RX_DONE | \
+                                 BIT_DMA_EP_RX_ICR_RX_HTRSH)
 #define WIL6210_IMC_TX          (BIT_DMA_EP_TX_ICR_TX_DONE | \
                                BIT_DMA_EP_TX_ICR_TX_DONE_N(0))
 #define WIL6210_IMC_MISC        (ISR_MISC_FW_READY | \
@@ -171,6 +172,7 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
        u32 isr = wil_ioread32_and_clear(wil->csr +
                                         HOSTADDR(RGF_DMA_EP_RX_ICR) +
                                         offsetof(struct RGF_ICR, ICR));
+        bool need_unmask = true;
        trace_wil6210_irq_rx(isr);
        wil_dbg_irq(wil, "ISR RX 0x%08x\n", isr);
@@ -182,12 +184,24 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
        wil6210_mask_irq_rx(wil);
-        if (isr & BIT_DMA_EP_RX_ICR_RX_DONE) {
+        /* RX_DONE and RX_HTRSH interrupts are the same if interrupt
+         * moderation is not used. Interrupt moderation may cause RX
+         * buffer overflow while RX_DONE is delayed. The required
+         * action is always the same - should empty the accumulated
+         * packets from the RX ring.
+         */
+        if (isr & (BIT_DMA_EP_RX_ICR_RX_DONE | BIT_DMA_EP_RX_ICR_RX_HTRSH)) {
                wil_dbg_irq(wil, "RX done\n");
-                isr &= ~BIT_DMA_EP_RX_ICR_RX_DONE;
+                if (isr & BIT_DMA_EP_RX_ICR_RX_HTRSH)
+                        wil_err_ratelimited(wil, "Received \"Rx buffer is in risk "
+                                "of overflow\" interrupt\n");
+                isr &= ~(BIT_DMA_EP_RX_ICR_RX_DONE | BIT_DMA_EP_RX_ICR_RX_HTRSH);
                if (test_bit(wil_status_reset_done, &wil->status)) {
                        if (test_bit(wil_status_napi_en, &wil->status)) {
                                wil_dbg_txrx(wil, "NAPI(Rx) schedule\n");
+                                need_unmask = false;
                                napi_schedule(&wil->napi_rx);
                        } else {
                                wil_err(wil, "Got Rx interrupt while "
@@ -204,6 +218,10 @@ static irqreturn_t wil6210_irq_rx(int irq, void *cookie)
        /* Rx IRQ will be enabled when NAPI processing finished */
        atomic_inc(&wil->isr_count_rx);
+        if (unlikely(need_unmask))
+                wil6210_unmask_irq_rx(wil);
        return IRQ_HANDLED;
 }
@@ -213,6 +231,7 @@ static irqreturn_t wil6210_irq_tx(int irq, void *cookie)
        u32 isr = wil_ioread32_and_clear(wil->csr +
                                         HOSTADDR(RGF_DMA_EP_TX_ICR) +
                                         offsetof(struct RGF_ICR, ICR));
+        bool need_unmask = true;
        trace_wil6210_irq_tx(isr);
        wil_dbg_irq(wil, "ISR TX 0x%08x\n", isr);
@@ -231,6 +250,7 @@ static irqreturn_t wil6210_irq_tx(int irq, void *cookie)
                isr &= ~(BIT(25) - 1UL);
                if (test_bit(wil_status_reset_done, &wil->status)) {
                        wil_dbg_txrx(wil, "NAPI(Tx) schedule\n");
+                        need_unmask = false;
                        napi_schedule(&wil->napi_tx);
                } else {
                        wil_err(wil, "Got Tx interrupt while in reset\n");
@@ -243,6 +263,10 @@ static irqreturn_t wil6210_irq_tx(int irq, void *cookie)
        /* Tx IRQ will be enabled when NAPI processing finished */
        atomic_inc(&wil->isr_count_tx);
+        if (unlikely(need_unmask))
+                wil6210_unmask_irq_tx(wil);
        return IRQ_HANDLED;
 }
diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 6212983fede2..8ff3fe34fe05 100644
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -67,6 +67,36 @@ static struct kernel_param_ops mtu_max_ops = {
 module_param_cb(mtu_max, &mtu_max_ops, &mtu_max, S_IRUGO);
 MODULE_PARM_DESC(mtu_max, " Max MTU value.");
+static uint rx_ring_order = WIL_RX_RING_SIZE_ORDER_DEFAULT;
+static uint tx_ring_order = WIL_TX_RING_SIZE_ORDER_DEFAULT;
+static int ring_order_set(const char *val, const struct kernel_param *kp)
+{
+        int ret;
+        uint x;
+        ret = kstrtouint(val, 0, &x);
+        if (ret)
+                return ret;
+        if ((x < WIL_RING_SIZE_ORDER_MIN) || (x > WIL_RING_SIZE_ORDER_MAX))
+                return -EINVAL;
+        *((uint *)kp->arg) = x;
+        return 0;
+}
+static struct kernel_param_ops ring_order_ops = {
+        .set = ring_order_set,
+        .get = param_get_uint,
+};
+module_param_cb(rx_ring_order, &ring_order_ops, &rx_ring_order, S_IRUGO);
+MODULE_PARM_DESC(rx_ring_order, " Rx ring order; size = 1 << order");
+module_param_cb(tx_ring_order, &ring_order_ops, &tx_ring_order, S_IRUGO);
+MODULE_PARM_DESC(tx_ring_order, " Tx ring order; size = 1 << order");
 #define RST_DELAY (20) /* msec, for loop in @wil_target_reset */
 #define RST_COUNT (1 + 1000/RST_DELAY) /* round up to be above 1 sec total */
@@ -104,7 +134,7 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
 }
 static void wil_disconnect_cid(struct wil6210_priv *wil, int cid,
-                               bool from_event)
+                               u16 reason_code, bool from_event)
 {
        uint i;
        struct net_device *ndev = wil_to_ndev(wil);
@@ -117,8 +147,7 @@ static void wil_disconnect_cid(struct wil6210_priv *wil, int cid,
        sta->data_port_open = false;
        if (sta->status != wil_sta_unused) {
                if (!from_event)
-                        wmi_disconnect_sta(wil, sta->addr,
+                        wmi_disconnect_sta(wil, sta->addr, reason_code);
-                                           WLAN_REASON_DEAUTH_LEAVING);
                switch (wdev->iftype) {
                case NL80211_IFTYPE_AP:
@@ -152,7 +181,7 @@ static void wil_disconnect_cid(struct wil6210_priv *wil, int cid,
 }
 static void _wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid,
-                                bool from_event)
+                                u16 reason_code, bool from_event)
 {
        int cid = -ENOENT;
        struct net_device *ndev = wil_to_ndev(wil);
@@ -167,10 +196,10 @@ static void _wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid,
        }
        if (cid >= 0) /* disconnect 1 peer */
-                wil_disconnect_cid(wil, cid, from_event);
+                wil_disconnect_cid(wil, cid, reason_code, from_event);
        else /* disconnect all */
                for (cid = 0; cid < WIL6210_MAX_CID; cid++)
-                        wil_disconnect_cid(wil, cid, from_event);
+                        wil_disconnect_cid(wil, cid, reason_code, from_event);
        /* link state */
        switch (wdev->iftype) {
@@ -179,8 +208,7 @@ static void _wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid,
                wil_link_off(wil);
                if (test_bit(wil_status_fwconnected, &wil->status)) {
                        clear_bit(wil_status_fwconnected, &wil->status);
-                        cfg80211_disconnected(ndev,
+                        cfg80211_disconnected(ndev, reason_code,
-                                              WLAN_STATUS_UNSPECIFIED_FAILURE,
                                              NULL, 0, GFP_KERNEL);
                } else if (test_bit(wil_status_fwconnecting, &wil->status)) {
                        cfg80211_connect_result(ndev, bssid, NULL, 0, NULL, 0,
@@ -200,7 +228,7 @@ static void wil_disconnect_worker(struct work_struct *work)
                        struct wil6210_priv, disconnect_worker);
        mutex_lock(&wil->mutex);
-        _wil6210_disconnect(wil, NULL, false);
+        _wil6210_disconnect(wil, NULL, WLAN_REASON_UNSPECIFIED, false);
        mutex_unlock(&wil->mutex);
 }
@@ -222,6 +250,7 @@ static void wil_scan_timer_fn(ulong x)
        clear_bit(wil_status_fwready, &wil->status);
        wil_err(wil, "Scan timeout detected, start fw error recovery\n");
+        wil->recovery_state = fw_recovery_pending;
        schedule_work(&wil->fw_error_worker);
 }
@@ -333,7 +362,7 @@ static void wil_connect_worker(struct work_struct *work)
        wil_dbg_wmi(wil, "Configure for connection CID %d\n", cid);
-        rc = wil_vring_init_tx(wil, ringid, WIL6210_TX_RING_SIZE, cid, 0);
+        rc = wil_vring_init_tx(wil, ringid, 1 << tx_ring_order, cid, 0);
        wil->pending_connect_cid = -1;
        if (rc == 0) {
                wil->sta[cid].status = wil_sta_connected;
@@ -392,18 +421,19 @@ int wil_priv_init(struct wil6210_priv *wil)
 * wil6210_disconnect - disconnect one connection
 * @wil: driver context
 * @bssid: peer to disconnect, NULL to disconnect all
+ * @reason_code: Reason code for the Disassociation frame
 * @from_event: whether is invoked from FW event handler
 *
 * Disconnect and release associated resources. If invoked not from the
 * FW event handler, issue WMI command(s) to trigger MAC disconnect.
 */
 void wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid,
-                        bool from_event)
+                        u16 reason_code, bool from_event)
 {
        wil_dbg_misc(wil, "%s()\n", __func__);
        del_timer_sync(&wil->connect_timer);
-        _wil6210_disconnect(wil, bssid, from_event);
+        _wil6210_disconnect(wil, bssid, reason_code, from_event);
 }
 void wil_priv_deinit(struct wil6210_priv *wil)
@@ -415,7 +445,7 @@ void wil_priv_deinit(struct wil6210_priv *wil)
        cancel_work_sync(&wil->disconnect_worker);
        cancel_work_sync(&wil->fw_error_worker);
        mutex_lock(&wil->mutex);
-        wil6210_disconnect(wil, NULL, false);
+        wil6210_disconnect(wil, NULL, WLAN_REASON_DEAUTH_LEAVING, false);
        mutex_unlock(&wil->mutex);
        wmi_event_flush(wil);
        destroy_workqueue(wil->wmi_wq_conn);
@@ -463,6 +493,9 @@ static int wil_target_reset(struct wil6210_priv *wil)
        wil_halt_cpu(wil);
+        /* Clear Fw Download notification */
+        C(RGF_USER_USAGE_6, BIT(0));
        if (is_sparrow) {
                S(RGF_CAF_OSC_CONTROL, BIT_CAF_OSC_XTAL_EN);
                /* XTAL stabilization should take about 3ms */
@@ -600,7 +633,7 @@ int wil_reset(struct wil6210_priv *wil)
        WARN_ON(test_bit(wil_status_napi_en, &wil->status));
        cancel_work_sync(&wil->disconnect_worker);
-        wil6210_disconnect(wil, NULL, false);
+        wil6210_disconnect(wil, NULL, WLAN_REASON_DEAUTH_LEAVING, false);
        wil->status = 0; /* prevent NAPI from being scheduled */
@@ -705,7 +738,7 @@ int __wil_up(struct wil6210_priv *wil)
                return rc;
        /* Rx VRING. After MAC and beacon */
-        rc = wil_rx_init(wil);
+        rc = wil_rx_init(wil, 1 << rx_ring_order);
        if (rc)
                return rc;
diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index c680906bc0dc..e3f8bdce5abc 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -210,8 +210,6 @@ static int wil_vring_alloc_skb(struct wil6210_priv *wil, struct vring *vring,
        struct vring_rx_desc dd, *d = &dd;
        volatile struct vring_rx_desc *_d = &vring->va[i].rx;
        dma_addr_t pa;
-        /* TODO align */
        struct sk_buff *skb = dev_alloc_skb(sz + headroom);
        if (unlikely(!skb))
@@ -596,7 +594,7 @@ void wil_rx_handle(struct wil6210_priv *wil, int *quota)
        wil_rx_refill(wil, v->size);
 }
-int wil_rx_init(struct wil6210_priv *wil)
+int wil_rx_init(struct wil6210_priv *wil, u16 size)
 {
        struct vring *vring = &wil->vring_rx;
        int rc;
@@ -608,7 +606,7 @@ int wil_rx_init(struct wil6210_priv *wil)
                return -EINVAL;
        }
-        vring->size = WIL6210_RX_RING_SIZE;
+        vring->size = size;
        rc = wil_vring_alloc(wil, vring);
        if (rc)
                return rc;
@@ -928,8 +926,9 @@ static int wil_tx_vring(struct wil6210_priv *wil, struct vring *vring,
        wil_dbg_txrx(wil, "%s()\n", __func__);
        if (avail < 1 + nr_frags) {
-                wil_err(wil, "Tx ring full. No space for %d fragments\n",
+                wil_err_ratelimited(wil,
-                        1 + nr_frags);
+                                    "Tx ring full. No space for %d fragments\n",
+                                    1 + nr_frags);
                return -ENOMEM;
        }
        _d = &vring->va[i].tx;
diff --git a/drivers/net/wireless/ath/wil6210/wil6210.h b/drivers/net/wireless/ath/wil6210/wil6210.h
index 95d3a062d35c..c6ec5b99ac7d 100644
--- a/drivers/net/wireless/ath/wil6210/wil6210.h
+++ b/drivers/net/wireless/ath/wil6210/wil6210.h
@@ -49,8 +49,11 @@ static inline u32 WIL_GET_BITS(u32 x, int b0, int b1)
 #define WIL6210_MEM_SIZE (2*1024*1024UL)
-#define WIL6210_RX_RING_SIZE    (128)
+#define WIL_RX_RING_SIZE_ORDER_DEFAULT  (9)
-#define WIL6210_TX_RING_SIZE    (512)
+#define WIL_TX_RING_SIZE_ORDER_DEFAULT  (9)
+/* limit ring size in range [32..32k] */
+#define WIL_RING_SIZE_ORDER_MIN (5)
+#define WIL_RING_SIZE_ORDER_MAX (15)
 #define WIL6210_MAX_TX_RINGS    (24) /* HW limit */
 #define WIL6210_MAX_CID         (8) /* HW limit */
 #define WIL6210_NAPI_BUDGET     (16) /* arbitrary */
@@ -126,6 +129,7 @@ struct RGF_ICR {
        #define BIT_DMA_EP_TX_ICR_TX_DONE_N(n)  BIT(n+1) /* n = [0..23] */
 #define RGF_DMA_EP_RX_ICR               (0x881bd0) /* struct RGF_ICR */
        #define BIT_DMA_EP_RX_ICR_RX_DONE       BIT(0)
+        #define BIT_DMA_EP_RX_ICR_RX_HTRSH      BIT(1)
 #define RGF_DMA_EP_MISC_ICR             (0x881bec) /* struct RGF_ICR */
        #define BIT_DMA_EP_MISC_ICR_RX_HTRSH    BIT(0)
        #define BIT_DMA_EP_MISC_ICR_TX_NO_ACT   BIT(1)
@@ -468,13 +472,14 @@ struct wil6210_priv {
 #define wdev_to_wil(w) (struct wil6210_priv *)(wdev_priv(w))
 #define wil_to_ndev(i) (wil_to_wdev(i)->netdev)
 #define ndev_to_wil(n) (wdev_to_wil(n->ieee80211_ptr))
-#define wil_to_pcie_dev(i) (&i->pdev->dev)
 __printf(2, 3)
 void wil_dbg_trace(struct wil6210_priv *wil, const char *fmt, ...);
 __printf(2, 3)
 void wil_err(struct wil6210_priv *wil, const char *fmt, ...);
 __printf(2, 3)
+void wil_err_ratelimited(struct wil6210_priv *wil, const char *fmt, ...);
+__printf(2, 3)
 void wil_info(struct wil6210_priv *wil, const char *fmt, ...);
 #define wil_dbg(wil, fmt, arg...) do { \
        netdev_dbg(wil_to_ndev(wil), fmt, ##arg); \
@@ -586,9 +591,9 @@ int wmi_set_mac_address(struct wil6210_priv *wil, void *addr);
 int wmi_pcp_start(struct wil6210_priv *wil, int bi, u8 wmi_nettype, u8 chan);
 int wmi_pcp_stop(struct wil6210_priv *wil);
 void wil6210_disconnect(struct wil6210_priv *wil, const u8 *bssid,
-                        bool from_event);
+                        u16 reason_code, bool from_event);
-int wil_rx_init(struct wil6210_priv *wil);
+int wil_rx_init(struct wil6210_priv *wil, u16 size);
 void wil_rx_fini(struct wil6210_priv *wil);
 /* TX API */
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index bb1e066f756a..63476c86cd0e 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -478,15 +478,15 @@ static void wmi_evt_disconnect(struct wil6210_priv *wil, int id,
                               void *d, int len)
 {
        struct wmi_disconnect_event *evt = d;
+        u16 reason_code = le16_to_cpu(evt->protocol_reason_status);
-        wil_dbg_wmi(wil, "Disconnect %pM reason %d proto %d wmi\n",
+        wil_dbg_wmi(wil, "Disconnect %pM reason [proto %d wmi %d]\n",
-                    evt->bssid,
+                    evt->bssid, reason_code, evt->disconnect_reason);
-                    evt->protocol_reason_status, evt->disconnect_reason);
        wil->sinfo_gen++;
        mutex_lock(&wil->mutex);
-        wil6210_disconnect(wil, evt->bssid, true);
+        wil6210_disconnect(wil, evt->bssid, reason_code, true);
        mutex_unlock(&wil->mutex);
 }
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 5d4173ee55bc..47731cb0d815 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -5110,7 +5110,9 @@ static void b43_op_sta_notify(struct ieee80211_hw *hw,
        B43_WARN_ON(!vif || wl->vif != vif);
 }
-static void b43_op_sw_scan_start_notifier(struct ieee80211_hw *hw)
+static void b43_op_sw_scan_start_notifier(struct ieee80211_hw *hw,
+                                          struct ieee80211_vif *vif,
+                                          const u8 *mac_addr)
 {
        struct b43_wl *wl = hw_to_b43_wl(hw);
        struct b43_wldev *dev;
@@ -5124,7 +5126,8 @@ static void b43_op_sw_scan_start_notifier(struct ieee80211_hw *hw)
        mutex_unlock(&wl->mutex);
 }
-static void b43_op_sw_scan_complete_notifier(struct ieee80211_hw *hw)
+static void b43_op_sw_scan_complete_notifier(struct ieee80211_hw *hw,
+                                             struct ieee80211_vif *vif)
 {
        struct b43_wl *wl = hw_to_b43_wl(hw);
        struct b43_wldev *dev;
diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c
index 1dfc682a8055..ee27b06074e1 100644
--- a/drivers/net/wireless/b43/phy_common.c
+++ b/drivers/net/wireless/b43/phy_common.c
@@ -300,9 +300,7 @@ void b43_phy_write(struct b43_wldev *dev, u16 reg, u16 value)
 void b43_phy_copy(struct b43_wldev *dev, u16 destreg, u16 srcreg)
 {
-        assert_mac_suspended(dev);
+        b43_phy_write(dev, destreg, b43_phy_read(dev, srcreg));
-        dev->phy.ops->phy_write(dev, destreg,
-                dev->phy.ops->phy_read(dev, srcreg));
 }
 void b43_phy_mask(struct b43_wldev *dev, u16 offset, u16 mask)
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
index 8822f2b8d74d..3aecc5f48719 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -299,6 +299,7 @@ static u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
        primary_offset = ch->center_freq1 - ch->chan->center_freq;
        switch (ch->width) {
        case NL80211_CHAN_WIDTH_20:
+        case NL80211_CHAN_WIDTH_20_NOHT:
                ch_inf.bw = BRCMU_CHAN_BW_20;
                WARN_ON(primary_offset != 0);
                break;
@@ -323,6 +324,10 @@ static u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
                                ch_inf.sb = BRCMU_CHAN_SB_LU;
                }
                break;
+        case NL80211_CHAN_WIDTH_80P80:
+        case NL80211_CHAN_WIDTH_160:
+        case NL80211_CHAN_WIDTH_5:
+        case NL80211_CHAN_WIDTH_10:
        default:
                WARN_ON_ONCE(1);
        }
@@ -333,6 +338,7 @@ static u16 chandef_to_chanspec(struct brcmu_d11inf *d11inf,
        case IEEE80211_BAND_5GHZ:
                ch_inf.band = BRCMU_CHAN_BAND_5G;
                break;
+        case IEEE80211_BAND_60GHZ:
        default:
                WARN_ON_ONCE(1);
        }
@@ -514,6 +520,95 @@ brcmf_cfg80211_update_proto_addr_mode(struct wireless_dev *wdev)
                                                ADDR_INDIRECT);
 }
+static int brcmf_cfg80211_request_ap_if(struct brcmf_if *ifp)
+{
+        struct brcmf_mbss_ssid_le mbss_ssid_le;
+        int bsscfgidx;
+        int err;
+        memset(&mbss_ssid_le, 0, sizeof(mbss_ssid_le));
+        bsscfgidx = brcmf_get_next_free_bsscfgidx(ifp->drvr);
+        if (bsscfgidx < 0)
+                return bsscfgidx;
+        mbss_ssid_le.bsscfgidx = cpu_to_le32(bsscfgidx);
+        mbss_ssid_le.SSID_len = cpu_to_le32(5);
+        sprintf(mbss_ssid_le.SSID, "ssid%d" , bsscfgidx);
+        err = brcmf_fil_bsscfg_data_set(ifp, "bsscfg:ssid", &mbss_ssid_le,
+                                        sizeof(mbss_ssid_le));
+        if (err < 0)
+                brcmf_err("setting ssid failed %d\n", err);
+        return err;
+}
+/**
+ * brcmf_ap_add_vif() - create a new AP virtual interface for multiple BSS
+ *
+ * @wiphy: wiphy device of new interface.
+ * @name: name of the new interface.
+ * @flags: not used.
+ * @params: contains mac address for AP device.
+ */
+static
+struct wireless_dev *brcmf_ap_add_vif(struct wiphy *wiphy, const char *name,
+                                      u32 *flags, struct vif_params *params)
+{
+        struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+        struct brcmf_if *ifp = netdev_priv(cfg_to_ndev(cfg));
+        struct brcmf_cfg80211_vif *vif;
+        int err;
+        if (brcmf_cfg80211_vif_event_armed(cfg))
+                return ERR_PTR(-EBUSY);
+        brcmf_dbg(INFO, "Adding vif \"%s\"\n", name);
+        vif = brcmf_alloc_vif(cfg, NL80211_IFTYPE_AP, false);
+        if (IS_ERR(vif))
+                return (struct wireless_dev *)vif;
+        brcmf_cfg80211_arm_vif_event(cfg, vif);
+        err = brcmf_cfg80211_request_ap_if(ifp);
+        if (err) {
+                brcmf_cfg80211_arm_vif_event(cfg, NULL);
+                goto fail;
+        }
+        /* wait for firmware event */
+        err = brcmf_cfg80211_wait_vif_event_timeout(cfg, BRCMF_E_IF_ADD,
+                                                    msecs_to_jiffies(1500));
+        brcmf_cfg80211_arm_vif_event(cfg, NULL);
+        if (!err) {
+                brcmf_err("timeout occurred\n");
+                err = -EIO;
+                goto fail;
+        }
+        /* interface created in firmware */
+        ifp = vif->ifp;
+        if (!ifp) {
+                brcmf_err("no if pointer provided\n");
+                err = -ENOENT;
+                goto fail;
+        }
+        strncpy(ifp->ndev->name, name, sizeof(ifp->ndev->name) - 1);
+        err = brcmf_net_attach(ifp, true);
+        if (err) {
+                brcmf_err("Registering netdevice failed\n");
+                goto fail;
+        }
+        return &ifp->vif->wdev;
+fail:
+        brcmf_free_vif(vif);
+        return ERR_PTR(err);
+}
 static bool brcmf_is_apmode(struct brcmf_cfg80211_vif *vif)
 {
        enum nl80211_iftype iftype;
@@ -539,12 +634,16 @@ static struct wireless_dev *brcmf_cfg80211_add_iface(struct wiphy *wiphy,
        switch (type) {
        case NL80211_IFTYPE_ADHOC:
        case NL80211_IFTYPE_STATION:
-        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_AP_VLAN:
        case NL80211_IFTYPE_WDS:
        case NL80211_IFTYPE_MONITOR:
        case NL80211_IFTYPE_MESH_POINT:
                return ERR_PTR(-EOPNOTSUPP);
+        case NL80211_IFTYPE_AP:
+                wdev = brcmf_ap_add_vif(wiphy, name, flags, params);
+                if (!IS_ERR(wdev))
+                        brcmf_cfg80211_update_proto_addr_mode(wdev);
+                return wdev;
        case NL80211_IFTYPE_P2P_CLIENT:
        case NL80211_IFTYPE_P2P_GO:
        case NL80211_IFTYPE_P2P_DEVICE:
@@ -1809,6 +1908,7 @@ brcmf_cfg80211_disconnect(struct wiphy *wiphy, struct net_device *ndev,
                return -EIO;
        clear_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state);
+        clear_bit(BRCMF_VIF_STATUS_CONNECTING, &ifp->vif->sme_state);
        cfg80211_disconnected(ndev, reason_code, NULL, 0, GFP_KERNEL);
        memcpy(&scbval.ea, &profile->bssid, ETH_ALEN);
@@ -2926,7 +3026,7 @@ brcmf_update_pmklist(struct net_device *ndev,
                     struct brcmf_cfg80211_pmk_list *pmk_list, s32 err)
 {
        int i, j;
-        int pmkid_len;
+        u32 pmkid_len;
        pmkid_len = le32_to_cpu(pmk_list->pmkids.npmkid);
@@ -2954,8 +3054,7 @@ brcmf_cfg80211_set_pmksa(struct wiphy *wiphy, struct net_device *ndev,
        struct brcmf_if *ifp = netdev_priv(ndev);
        struct pmkid_list *pmkids = &cfg->pmk_list->pmkids;
        s32 err = 0;
-        int i;
+        u32 pmkid_len, i;
-        int pmkid_len;
        brcmf_dbg(TRACE, "Enter\n");
        if (!check_vif_up(ifp->vif))
@@ -2994,7 +3093,7 @@ brcmf_cfg80211_del_pmksa(struct wiphy *wiphy, struct net_device *ndev,
        struct brcmf_if *ifp = netdev_priv(ndev);
        struct pmkid_list pmkid;
        s32 err = 0;
-        int i, pmkid_len;
+        u32 pmkid_len, i;
        brcmf_dbg(TRACE, "Enter\n");
        if (!check_vif_up(ifp->vif))
@@ -3355,11 +3454,10 @@ static bool brcmf_valid_wpa_oui(u8 *oui, bool is_rsn_ie)
 }
 static s32
-brcmf_configure_wpaie(struct net_device *ndev,
+brcmf_configure_wpaie(struct brcmf_if *ifp,
                      const struct brcmf_vs_tlv *wpa_ie,
                      bool is_rsn_ie)
 {
-        struct brcmf_if *ifp = netdev_priv(ndev);
        u32 auth = 0; /* d11 open authentication */
        u16 count;
        s32 err = 0;
@@ -3834,6 +3932,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
        enum nl80211_iftype dev_role;
        struct brcmf_fil_bss_enable_le bss_enable;
        u16 chanspec;
+        bool mbss;
        brcmf_dbg(TRACE, "ctrlchn=%d, center=%d, bw=%d, beacon_interval=%d, dtim_period=%d,\n",
                  settings->chandef.chan->hw_value,
@@ -3844,6 +3943,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
                  settings->inactivity_timeout);
        dev_role = ifp->vif->wdev.iftype;
+        mbss = ifp->vif->mbss;
        memset(&ssid_le, 0, sizeof(ssid_le));
        if (settings->ssid == NULL || settings->ssid_len == 0) {
@@ -3863,8 +3963,10 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
                ssid_le.SSID_len = cpu_to_le32((u32)settings->ssid_len);
        }
-        brcmf_set_mpc(ifp, 0);
+        if (!mbss) {
-        brcmf_configure_arp_offload(ifp, false);
+                brcmf_set_mpc(ifp, 0);
+                brcmf_configure_arp_offload(ifp, false);
+        }
        /* find the RSN_IE */
        rsn_ie = brcmf_parse_tlvs((u8 *)settings->beacon.tail,
@@ -3878,13 +3980,16 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
                brcmf_dbg(TRACE, "WPA(2) IE is found\n");
                if (wpa_ie != NULL) {
                        /* WPA IE */
-                        err = brcmf_configure_wpaie(ndev, wpa_ie, false);
+                        err = brcmf_configure_wpaie(ifp, wpa_ie, false);
                        if (err < 0)
                                goto exit;
                } else {
+                        struct brcmf_vs_tlv *tmp_ie;
+                        tmp_ie = (struct brcmf_vs_tlv *)rsn_ie;
                        /* RSN IE */
-                        err = brcmf_configure_wpaie(ndev,
+                        err = brcmf_configure_wpaie(ifp, tmp_ie, true);
-                                (struct brcmf_vs_tlv *)rsn_ie, true);
                        if (err < 0)
                                goto exit;
                }
@@ -3895,45 +4000,53 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
        brcmf_config_ap_mgmt_ie(ifp->vif, &settings->beacon);
-        chanspec = chandef_to_chanspec(&cfg->d11inf, &settings->chandef);
+        if (!mbss) {
-        err = brcmf_fil_iovar_int_set(ifp, "chanspec", chanspec);
+                chanspec = chandef_to_chanspec(&cfg->d11inf,
-        if (err < 0) {
+                                               &settings->chandef);
-                brcmf_err("Set Channel failed: chspec=%d, %d\n", chanspec, err);
+                err = brcmf_fil_iovar_int_set(ifp, "chanspec", chanspec);
-                goto exit;
-        }
-        if (settings->beacon_interval) {
-                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_BCNPRD,
-                                            settings->beacon_interval);
                if (err < 0) {
-                        brcmf_err("Beacon Interval Set Error, %d\n", err);
+                        brcmf_err("Set Channel failed: chspec=%d, %d\n",
+                                  chanspec, err);
                        goto exit;
                }
-        }
-        if (settings->dtim_period) {
+                if (settings->beacon_interval) {
-                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_DTIMPRD,
+                        err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_BCNPRD,
-                                            settings->dtim_period);
+                                                    settings->beacon_interval);
-                if (err < 0) {
+                        if (err < 0) {
-                        brcmf_err("DTIM Interval Set Error, %d\n", err);
+                                brcmf_err("Beacon Interval Set Error, %d\n",
-                        goto exit;
+                                          err);
+                                goto exit;
+                        }
+                }
+                if (settings->dtim_period) {
+                        err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_DTIMPRD,
+                                                    settings->dtim_period);
+                        if (err < 0) {
+                                brcmf_err("DTIM Interval Set Error, %d\n", err);
+                                goto exit;
+                        }
                }
-        }
-        if (dev_role == NL80211_IFTYPE_AP) {
+                if (dev_role == NL80211_IFTYPE_AP) {
-                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_DOWN, 1);
+                        err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_DOWN, 1);
+                        if (err < 0) {
+                                brcmf_err("BRCMF_C_DOWN error %d\n", err);
+                                goto exit;
+                        }
+                        brcmf_fil_iovar_int_set(ifp, "apsta", 0);
+                }
+                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 1);
                if (err < 0) {
-                        brcmf_err("BRCMF_C_DOWN error %d\n", err);
+                        brcmf_err("SET INFRA error %d\n", err);
                        goto exit;
                }
-                brcmf_fil_iovar_int_set(ifp, "apsta", 0);
-        }
-        err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 1);
-        if (err < 0) {
-                brcmf_err("SET INFRA error %d\n", err);
-                goto exit;
        }
        if (dev_role == NL80211_IFTYPE_AP) {
+                if ((brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS)) && (!mbss))
+                        brcmf_fil_iovar_int_set(ifp, "mbss", 1);
                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 1);
                if (err < 0) {
                        brcmf_err("setting AP mode failed %d\n", err);
@@ -3978,7 +4091,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
        set_bit(BRCMF_VIF_STATUS_AP_CREATED, &ifp->vif->sme_state);
 exit:
-        if (err) {
+        if ((err) && (!mbss)) {
                brcmf_set_mpc(ifp, 1);
                brcmf_configure_arp_offload(ifp, true);
        }
@@ -3999,20 +4112,31 @@ static int brcmf_cfg80211_stop_ap(struct wiphy *wiphy, struct net_device *ndev)
                /* first to make sure they get processed by fw. */
                msleep(400);
+                if (ifp->vif->mbss) {
+                        err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_DOWN, 1);
+                        return err;
+                }
                memset(&join_params, 0, sizeof(join_params));
                err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_SSID,
                                             &join_params, sizeof(join_params));
                if (err < 0)
                        brcmf_err("SET SSID error (%d)\n", err);
-                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_UP, 0);
+                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_DOWN, 1);
                if (err < 0)
-                        brcmf_err("BRCMF_C_UP error %d\n", err);
+                        brcmf_err("BRCMF_C_DOWN error %d\n", err);
                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 0);
                if (err < 0)
                        brcmf_err("setting AP mode failed %d\n", err);
                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 0);
                if (err < 0)
                        brcmf_err("setting INFRA mode failed %d\n", err);
+                if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
+                        brcmf_fil_iovar_int_set(ifp, "mbss", 0);
+                /* Bring device back up so it can be used again */
+                err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_UP, 1);
+                if (err < 0)
+                        brcmf_err("BRCMF_C_UP error %d\n", err);
        } else {
                bss_enable.bsscfg_idx = cpu_to_le32(ifp->bssidx);
                bss_enable.enable = cpu_to_le32(0);
@@ -4045,24 +4169,24 @@ brcmf_cfg80211_change_beacon(struct wiphy *wiphy, struct net_device *ndev,
 static int
 brcmf_cfg80211_del_station(struct wiphy *wiphy, struct net_device *ndev,
-                           const u8 *mac)
+                           struct station_del_parameters *params)
 {
        struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
        struct brcmf_scb_val_le scbval;
        struct brcmf_if *ifp = netdev_priv(ndev);
        s32 err;
-        if (!mac)
+        if (!params->mac)
                return -EFAULT;
-        brcmf_dbg(TRACE, "Enter %pM\n", mac);
+        brcmf_dbg(TRACE, "Enter %pM\n", params->mac);
        if (ifp->vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
                ifp = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp;
        if (!check_vif_up(ifp->vif))
                return -EIO;
-        memcpy(&scbval.ea, mac, ETH_ALEN);
+        memcpy(&scbval.ea, params->mac, ETH_ALEN);
        scbval.val = cpu_to_le32(WLAN_REASON_DEAUTH_LEAVING);
        err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SCB_DEAUTHENTICATE_FOR_REASON,
                                     &scbval, sizeof(scbval));
@@ -4364,7 +4488,9 @@ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
                                           enum nl80211_iftype type,
                                           bool pm_block)
 {
+        struct brcmf_cfg80211_vif *vif_walk;
        struct brcmf_cfg80211_vif *vif;
+        bool mbss;
        brcmf_dbg(TRACE, "allocating virtual interface (size=%zu)\n",
                  sizeof(*vif));
@@ -4380,6 +4506,17 @@ struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
        brcmf_init_prof(&vif->profile);
+        if (type == NL80211_IFTYPE_AP) {
+                mbss = false;
+                list_for_each_entry(vif_walk, &cfg->vif_list, list) {
+                        if (vif_walk->wdev.iftype == NL80211_IFTYPE_AP) {
+                                mbss = true;
+                                break;
+                        }
+                }
+                vif->mbss = mbss;
+        }
        list_add_tail(&vif->list, &cfg->vif_list);
        return vif;
 }
@@ -4622,6 +4759,7 @@ brcmf_notify_connect_status_ap(struct brcmf_cfg80211_info *cfg,
                               struct net_device *ndev,
                               const struct brcmf_event_msg *e, void *data)
 {
+        struct brcmf_if *ifp = netdev_priv(ndev);
        static int generation;
        u32 event = e->event_code;
        u32 reason = e->reason;
@@ -4632,6 +4770,8 @@ brcmf_notify_connect_status_ap(struct brcmf_cfg80211_info *cfg,
            ndev != cfg_to_ndev(cfg)) {
                brcmf_dbg(CONN, "AP mode link down\n");
                complete(&cfg->vif_disabled);
+                if (ifp->vif->mbss)
+                        brcmf_remove_interface(ifp->drvr, ifp->bssidx);
                return 0;
        }
@@ -5423,7 +5563,28 @@ static int brcmf_setup_wiphybands(struct wiphy *wiphy)
        return 0;
 }
-static const struct ieee80211_iface_limit brcmf_iface_limits[] = {
+static const struct ieee80211_iface_limit brcmf_iface_limits_mbss[] = {
+        {
+                .max = 1,
+                .types = BIT(NL80211_IFTYPE_STATION) |
+                         BIT(NL80211_IFTYPE_ADHOC)
+        },
+        {
+                .max = 4,
+                .types = BIT(NL80211_IFTYPE_AP)
+        },
+        {
+                .max = 1,
+                .types = BIT(NL80211_IFTYPE_P2P_CLIENT) |
+                         BIT(NL80211_IFTYPE_P2P_GO)
+        },
+        {
+                .max = 1,
+                .types = BIT(NL80211_IFTYPE_P2P_DEVICE)
+        }
+};
+static const struct ieee80211_iface_limit brcmf_iface_limits_sbss[] = {
        {
                .max = 2,
                .types = BIT(NL80211_IFTYPE_STATION) |
@@ -5444,8 +5605,8 @@ static struct ieee80211_iface_combination brcmf_iface_combos[] = {
        {
                 .max_interfaces = BRCMF_IFACE_MAX_CNT,
                 .num_different_channels = 1,
-                 .n_limits = ARRAY_SIZE(brcmf_iface_limits),
+                 .n_limits = ARRAY_SIZE(brcmf_iface_limits_sbss),
-                 .limits = brcmf_iface_limits
+                 .limits = brcmf_iface_limits_sbss,
        }
 };
@@ -5521,6 +5682,10 @@ static int brcmf_setup_wiphy(struct wiphy *wiphy, struct brcmf_if *ifp)
        ifc_combo = brcmf_iface_combos[0];
        if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MCHAN))
                ifc_combo.num_different_channels = 2;
+        if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS)) {
+                ifc_combo.n_limits = ARRAY_SIZE(brcmf_iface_limits_mbss),
+                ifc_combo.limits = brcmf_iface_limits_mbss;
+        }
        wiphy->iface_combinations = kmemdup(&ifc_combo,
                                            sizeof(ifc_combo),
                                            GFP_KERNEL);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.h
index 2a5b22cb3fef..9e98b8d52757 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.h
@@ -183,6 +183,7 @@ struct vif_saved_ie {
 * @pm_block: power-management blocked.
 * @list: linked list.
 * @mgmt_rx_reg: registered rx mgmt frame types.
+ * @mbss: Multiple BSS type, set if not first AP (not relevant for P2P).
 */
 struct brcmf_cfg80211_vif {
        struct brcmf_if *ifp;
@@ -194,6 +195,7 @@ struct brcmf_cfg80211_vif {
        struct vif_saved_ie saved_ie;
        struct list_head list;
        u16 mgmt_rx_reg;
+        bool mbss;
 };
 /* association inform */
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/core.c b/drivers/net/wireless/brcm80211/brcmfmac/core.c
index f407665cb1ea..effe6d7831d9 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c
@@ -836,7 +836,7 @@ struct brcmf_if *brcmf_add_if(struct brcmf_pub *drvr, s32 bssidx, s32 ifidx,
        return ifp;
 }
-void brcmf_del_if(struct brcmf_pub *drvr, s32 bssidx)
+static void brcmf_del_if(struct brcmf_pub *drvr, s32 bssidx)
 {
        struct brcmf_if *ifp;
@@ -869,6 +869,38 @@ void brcmf_del_if(struct brcmf_pub *drvr, s32 bssidx)
        }
 }
+void brcmf_remove_interface(struct brcmf_pub *drvr, u32 bssidx)
+{
+        if (drvr->iflist[bssidx]) {
+                brcmf_fws_del_interface(drvr->iflist[bssidx]);
+                brcmf_del_if(drvr, bssidx);
+        }
+}
+int brcmf_get_next_free_bsscfgidx(struct brcmf_pub *drvr)
+{
+        int ifidx;
+        int bsscfgidx;
+        bool available;
+        int highest;
+        available = false;
+        bsscfgidx = 2;
+        highest = 2;
+        for (ifidx = 0; ifidx < BRCMF_MAX_IFS; ifidx++) {
+                if (drvr->iflist[ifidx]) {
+                        if (drvr->iflist[ifidx]->bssidx == bsscfgidx)
+                                bsscfgidx = highest + 1;
+                        else if (drvr->iflist[ifidx]->bssidx > highest)
+                                highest = drvr->iflist[ifidx]->bssidx;
+                } else {
+                        available = true;
+                }
+        }
+        return available ? bsscfgidx : -ENOMEM;
+}
 int brcmf_attach(struct device *dev)
 {
        struct brcmf_pub *drvr = NULL;
@@ -1033,10 +1065,7 @@ void brcmf_detach(struct device *dev)
        /* make sure primary interface removed last */
        for (i = BRCMF_MAX_IFS-1; i > -1; i--)
-                if (drvr->iflist[i]) {
+                brcmf_remove_interface(drvr, i);
-                        brcmf_fws_del_interface(drvr->iflist[i]);
-                        brcmf_del_if(drvr, i);
-                }
        brcmf_cfg80211_detach(drvr->config);
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/core.h b/drivers/net/wireless/brcm80211/brcmfmac/core.h
index 98228e922d3a..23f74b139cc8 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.h
@@ -175,7 +175,8 @@ char *brcmf_ifname(struct brcmf_pub *drvr, int idx);
 int brcmf_net_attach(struct brcmf_if *ifp, bool rtnl_locked);
 struct brcmf_if *brcmf_add_if(struct brcmf_pub *drvr, s32 bssidx, s32 ifidx,
                              char *name, u8 *mac_addr);
-void brcmf_del_if(struct brcmf_pub *drvr, s32 bssidx);
+void brcmf_remove_interface(struct brcmf_pub *drvr, u32 bssidx);
+int brcmf_get_next_free_bsscfgidx(struct brcmf_pub *drvr);
 void brcmf_txflowblock_if(struct brcmf_if *ifp,
                          enum brcmf_netif_stop_reason reason, bool state);
 void brcmf_txfinalize(struct brcmf_pub *drvr, struct sk_buff *txp, u8 ifidx,
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/feature.c b/drivers/net/wireless/brcm80211/brcmfmac/feature.c
index 931f68aefaa4..defb7a44e0bc 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/feature.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/feature.c
@@ -97,6 +97,28 @@ static void brcmf_feat_iovar_int_get(struct brcmf_if *ifp,
        }
 }
+/**
+ * brcmf_feat_iovar_int_set() - determine feature through iovar set.
+ *
+ * @ifp: interface to query.
+ * @id: feature id.
+ * @name: iovar name.
+ */
+static void brcmf_feat_iovar_int_set(struct brcmf_if *ifp,
+                                     enum brcmf_feat_id id, char *name, u32 val)
+{
+        int err;
+        err = brcmf_fil_iovar_int_set(ifp, name, val);
+        if (err == 0) {
+                brcmf_dbg(INFO, "enabling feature: %s\n", brcmf_feat_names[id]);
+                ifp->drvr->feat_flags |= BIT(id);
+        } else {
+                brcmf_dbg(TRACE, "%s feature check failed: %d\n",
+                          brcmf_feat_names[id], err);
+        }
+}
 void brcmf_feat_attach(struct brcmf_pub *drvr)
 {
        struct brcmf_if *ifp = drvr->iflist[0];
@@ -104,6 +126,7 @@ void brcmf_feat_attach(struct brcmf_pub *drvr)
        brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_MCHAN, "mchan");
        if (drvr->bus_if->wowl_supported)
                brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_WOWL, "wowl");
+        brcmf_feat_iovar_int_set(ifp, BRCMF_FEAT_MBSS, "mbss", 0);
        /* set chip related quirks */
        switch (drvr->bus_if->chip) {
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/feature.h b/drivers/net/wireless/brcm80211/brcmfmac/feature.h
index b9a796d0a44d..f5832e077bb7 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/feature.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/feature.h
@@ -22,6 +22,7 @@
 * MCHAN: multi-channel for concurrent P2P.
 */
 #define BRCMF_FEAT_LIST \
+        BRCMF_FEAT_DEF(MBSS) \
        BRCMF_FEAT_DEF(MCHAN) \
        BRCMF_FEAT_DEF(WOWL)
 /*
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
index 0f157f151282..1ff787d1a36b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/firmware.c
@@ -262,8 +262,7 @@ static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx)
 fail:
        brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev));
-        if (fwctx->code)
+        release_firmware(fwctx->code);
-                release_firmware(fwctx->code);
        device_release_driver(fwctx->dev);
        kfree(fwctx);
 }
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
index 7338b335e153..ec62492ffa69 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -221,10 +221,8 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
        err = brcmf_fweh_call_event_handler(ifp, emsg->event_code, emsg, data);
-        if (ifp && ifevent->action == BRCMF_E_IF_DEL) {
+        if (ifp && ifevent->action == BRCMF_E_IF_DEL)
-                brcmf_fws_del_interface(ifp);
+                brcmf_remove_interface(drvr, ifevent->bssidx);
-                brcmf_del_if(drvr, ifevent->bssidx);
-        }
 }
 /**
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fwil.c b/drivers/net/wireless/brcm80211/brcmfmac/fwil.c
index 51f88c11e642..03f2c406a17b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil.c
@@ -136,7 +136,7 @@ brcmf_fil_cmd_data_set(struct brcmf_if *ifp, u32 cmd, void *data, u32 len)
        mutex_lock(&ifp->drvr->proto_block);
-        brcmf_dbg(FIL, "cmd=%d, len=%d\n", cmd, len);
+        brcmf_dbg(FIL, "ifidx=%d, cmd=%d, len=%d\n", ifp->ifidx, cmd, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
@@ -154,7 +154,7 @@ brcmf_fil_cmd_data_get(struct brcmf_if *ifp, u32 cmd, void *data, u32 len)
        mutex_lock(&ifp->drvr->proto_block);
        err = brcmf_fil_cmd_data(ifp, cmd, data, len, false);
-        brcmf_dbg(FIL, "cmd=%d, len=%d\n", cmd, len);
+        brcmf_dbg(FIL, "ifidx=%d, cmd=%d, len=%d\n", ifp->ifidx, cmd, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
@@ -171,7 +171,7 @@ brcmf_fil_cmd_int_set(struct brcmf_if *ifp, u32 cmd, u32 data)
        __le32 data_le = cpu_to_le32(data);
        mutex_lock(&ifp->drvr->proto_block);
-        brcmf_dbg(FIL, "cmd=%d, value=%d\n", cmd, data);
+        brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, data);
        err = brcmf_fil_cmd_data(ifp, cmd, &data_le, sizeof(data_le), true);
        mutex_unlock(&ifp->drvr->proto_block);
@@ -188,7 +188,7 @@ brcmf_fil_cmd_int_get(struct brcmf_if *ifp, u32 cmd, u32 *data)
        err = brcmf_fil_cmd_data(ifp, cmd, &data_le, sizeof(data_le), false);
        mutex_unlock(&ifp->drvr->proto_block);
        *data = le32_to_cpu(data_le);
-        brcmf_dbg(FIL, "cmd=%d, value=%d\n", cmd, *data);
+        brcmf_dbg(FIL, "ifidx=%d, cmd=%d, value=%d\n", ifp->ifidx, cmd, *data);
        return err;
 }
@@ -224,7 +224,7 @@ brcmf_fil_iovar_data_set(struct brcmf_if *ifp, char *name, const void *data,
        mutex_lock(&drvr->proto_block);
-        brcmf_dbg(FIL, "name=%s, len=%d\n", name, len);
+        brcmf_dbg(FIL, "ifidx=%d, name=%s, len=%d\n", ifp->ifidx, name, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
@@ -264,7 +264,7 @@ brcmf_fil_iovar_data_get(struct brcmf_if *ifp, char *name, void *data,
                brcmf_err("Creating iovar failed\n");
        }
-        brcmf_dbg(FIL, "name=%s, len=%d\n", name, len);
+        brcmf_dbg(FIL, "ifidx=%d, name=%s, len=%d\n", ifp->ifidx, name, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
@@ -347,7 +347,8 @@ brcmf_fil_bsscfg_data_set(struct brcmf_if *ifp, char *name,
        mutex_lock(&drvr->proto_block);
-        brcmf_dbg(FIL, "bssidx=%d, name=%s, len=%d\n", ifp->bssidx, name, len);
+        brcmf_dbg(FIL, "ifidx=%d, bssidx=%d, name=%s, len=%d\n", ifp->ifidx,
+                  ifp->bssidx, name, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
@@ -386,7 +387,8 @@ brcmf_fil_bsscfg_data_get(struct brcmf_if *ifp, char *name,
                err = -EPERM;
                brcmf_err("Creating bsscfg failed\n");
        }
-        brcmf_dbg(FIL, "bssidx=%d, name=%s, len=%d\n", ifp->bssidx, name, len);
+        brcmf_dbg(FIL, "ifidx=%d, bssidx=%d, name=%s, len=%d\n", ifp->ifidx,
+                  ifp->bssidx, name, len);
        brcmf_dbg_hex_dump(BRCMF_FIL_ON(), data,
                           min_t(uint, len, MAX_HEX_DUMP_LEN), "data\n");
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
index ba64b292f7a5..50891c02c4c1 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
@@ -519,4 +519,10 @@ struct brcmf_fil_wowl_pattern_le {
        /* u8 pattern[] - Pattern follows the mask is at 'patternoffset' */
 };
+struct brcmf_mbss_ssid_le {
+        __le32  bsscfgidx;
+        __le32  SSID_len;
+        unsigned char SSID[32];
+};
 #endif /* FWIL_TYPES_H_ */
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
index 02d39ce8dbca..456944a6a2db 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
@@ -518,8 +518,7 @@ static int brcmf_msgbuf_query_dcmd(struct brcmf_pub *drvr, int ifidx,
                memcpy(buf, skb->data, (len < msgbuf->ioctl_resp_ret_len) ?
                                       len : msgbuf->ioctl_resp_ret_len);
        }
-        if (skb)
+        brcmu_pkt_buf_free_skb(skb);
-                brcmu_pkt_buf_free_skb(skb);
        return msgbuf->ioctl_resp_status;
 }
@@ -1081,8 +1080,17 @@ brcmf_msgbuf_rx_skb(struct brcmf_msgbuf *msgbuf, struct sk_buff *skb,
 {
        struct brcmf_if *ifp;
+        /* The ifidx is the idx to map to matching netdev/ifp. When receiving
+         * events this is easy because it contains the bssidx which maps
+         * 1-on-1 to the netdev/ifp. But for data frames the ifidx is rcvd.
+         * bssidx 1 is used for p2p0 and no data can be received or
+         * transmitted on it. Therefor bssidx is ifidx + 1 if ifidx > 0
+         */
+        if (ifidx)
+                (ifidx)++;
        ifp = msgbuf->drvr->iflist[ifidx];
        if (!ifp || !ifp->ndev) {
+                brcmf_err("Received pkt for invalid ifidx %d\n", ifidx);
                brcmu_pkt_buf_free_skb(skb);
                return;
        }
@@ -1355,6 +1363,7 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr)
        }
        INIT_WORK(&msgbuf->txflow_work, brcmf_msgbuf_txflow_worker);
        count = BITS_TO_LONGS(if_msgbuf->nrof_flowrings);
+        count = count * sizeof(unsigned long);
        msgbuf->flow_map = kzalloc(count, GFP_KERNEL);
        if (!msgbuf->flow_map)
                goto fail;
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/brcm80211/brcmfmac/pcie.c
index b0ae7993e2e8..a66481976d5c 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/pcie.c
@@ -798,12 +798,14 @@ static int brcmf_pcie_request_irq(struct brcmf_pciedev_info *devinfo)
        brcmf_dbg(PCIE, "Enter\n");
        /* is it a v1 or v2 implementation */
        devinfo->irq_requested = false;
+        pci_enable_msi(pdev);
        if (devinfo->generic_corerev == BRCMF_PCIE_GENREV1) {
                if (request_threaded_irq(pdev->irq,
                                         brcmf_pcie_quick_check_isr_v1,
                                         brcmf_pcie_isr_thread_v1,
                                         IRQF_SHARED, "brcmf_pcie_intr",
                                         devinfo)) {
+                        pci_disable_msi(pdev);
                        brcmf_err("Failed to request IRQ %d\n", pdev->irq);
                        return -EIO;
                }
@@ -813,6 +815,7 @@ static int brcmf_pcie_request_irq(struct brcmf_pciedev_info *devinfo)
                                         brcmf_pcie_isr_thread_v2,
                                         IRQF_SHARED, "brcmf_pcie_intr",
                                         devinfo)) {
+                        pci_disable_msi(pdev);
                        brcmf_err("Failed to request IRQ %d\n", pdev->irq);
                        return -EIO;
                }
@@ -839,6 +842,7 @@ static void brcmf_pcie_release_irq(struct brcmf_pciedev_info *devinfo)
                return;
        devinfo->irq_requested = false;
        free_irq(pdev->irq, devinfo);
+        pci_disable_msi(pdev);
        msleep(50);
        count = 0;
@@ -1857,6 +1861,8 @@ static struct pci_device_id brcmf_pcie_devid_table[] = {
        BRCMF_PCIE_DEVICE(BRCM_PCIE_43567_DEVICE_ID),
        BRCMF_PCIE_DEVICE(BRCM_PCIE_43570_DEVICE_ID),
        BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_DEVICE_ID),
+        BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_2G_DEVICE_ID),
+        BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_5G_DEVICE_ID),
        { /* end: all zeroes */ }
 };
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
index 72e87b51f999..0b0d51a61060 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
@@ -670,7 +670,6 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
                                  struct brcmf_sdio_dev *sdiodev)
 {
        int i;
-        uint fw_len, nv_len;
        char end;
        for (i = 0; i < ARRAY_SIZE(brcmf_fwname_data); i++) {
@@ -684,25 +683,25 @@ static int brcmf_sdio_get_fwnames(struct brcmf_chip *ci,
                return -ENODEV;
        }
-        fw_len = sizeof(sdiodev->fw_name) - 1;
-        nv_len = sizeof(sdiodev->nvram_name) - 1;
        /* check if firmware path is provided by module parameter */
        if (brcmf_firmware_path[0] != '\0') {
-                strncpy(sdiodev->fw_name, brcmf_firmware_path, fw_len);
+                strlcpy(sdiodev->fw_name, brcmf_firmware_path,
-                strncpy(sdiodev->nvram_name, brcmf_firmware_path, nv_len);
+                        sizeof(sdiodev->fw_name));
-                fw_len -= strlen(sdiodev->fw_name);
+                strlcpy(sdiodev->nvram_name, brcmf_firmware_path,
-                nv_len -= strlen(sdiodev->nvram_name);
+                        sizeof(sdiodev->nvram_name));
                end = brcmf_firmware_path[strlen(brcmf_firmware_path) - 1];
                if (end != '/') {
-                        strncat(sdiodev->fw_name, "/", fw_len);
+                        strlcat(sdiodev->fw_name, "/",
-                        strncat(sdiodev->nvram_name, "/", nv_len);
+                                sizeof(sdiodev->fw_name));
-                        fw_len--;
+                        strlcat(sdiodev->nvram_name, "/",
-                        nv_len--;
+                                sizeof(sdiodev->nvram_name));
                }
        }
-        strncat(sdiodev->fw_name, brcmf_fwname_data[i].bin, fw_len);
+        strlcat(sdiodev->fw_name, brcmf_fwname_data[i].bin,
-        strncat(sdiodev->nvram_name, brcmf_fwname_data[i].nv, nv_len);
+                sizeof(sdiodev->fw_name));
+        strlcat(sdiodev->nvram_name, brcmf_fwname_data[i].nv,
+                sizeof(sdiodev->nvram_name));
        return 0;
 }
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
index 222f26a39642..50cdf7090198 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
@@ -31,8 +31,8 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
                                                 struct wireless_dev *wdev,
                                                 const void *data, int len)
 {
-        struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+        struct brcmf_cfg80211_vif *vif;
-        struct net_device *ndev = cfg_to_ndev(cfg);
+        struct brcmf_if *ifp;
        const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
        struct sk_buff *reply;
        int ret, payload, ret_len;
@@ -42,6 +42,9 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
        brcmf_dbg(TRACE, "cmd %x set %d len %d\n", cmdhdr->cmd, cmdhdr->set,
                  cmdhdr->len);
+        vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
+        ifp = vif->ifp;
        len -= sizeof(struct brcmf_vndr_dcmd_hdr);
        ret_len = cmdhdr->len;
        if (ret_len > 0 || len > 0) {
@@ -63,11 +66,11 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
        }
        if (cmdhdr->set)
-                ret = brcmf_fil_cmd_data_set(netdev_priv(ndev), cmdhdr->cmd,
+                ret = brcmf_fil_cmd_data_set(ifp, cmdhdr->cmd, dcmd_buf,
-                                             dcmd_buf, ret_len);
+                                             ret_len);
        else
-                ret = brcmf_fil_cmd_data_get(netdev_priv(ndev), cmdhdr->cmd,
+                ret = brcmf_fil_cmd_data_get(ifp, cmdhdr->cmd, dcmd_buf,
-                                             dcmd_buf, ret_len);
+                                             ret_len);
        if (ret != 0)
                goto exit;
diff --git a/drivers/net/wireless/brcm80211/brcmsmac/debug.c b/drivers/net/wireless/brcm80211/brcmsmac/debug.c
index 19740c1b1566..c9a8b9360ab1 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/debug.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/debug.c
@@ -30,6 +30,7 @@
 #include "main.h"
 #include "debug.h"
 #include "brcms_trace_events.h"
+#include "phy/phy_int.h"
 static struct dentry *root_folder;
@@ -74,20 +75,33 @@ static
 int brcms_debugfs_hardware_read(struct seq_file *s, void *data)
 {
        struct brcms_pub *drvr = s->private;
+        struct brcms_hardware *hw = drvr->wlc->hw;
+        struct bcma_device *core = hw->d11core;
+        struct bcma_bus *bus = core->bus;
+        char boardrev[10];
-        seq_printf(s, "board vendor: %x\n"
+        seq_printf(s, "chipnum 0x%x\n"
-                   "board type: %x\n"
+                   "chiprev 0x%x\n"
-                   "board revision: %x\n"
+                   "chippackage 0x%x\n"
-                   "board flags: %x\n"
+                   "corerev 0x%x\n"
-                   "board flags2: %x\n"
+                   "boardid 0x%x\n"
-                   "firmware revision: %x\n",
+                   "boardvendor 0x%x\n"
-                   drvr->wlc->hw->d11core->bus->boardinfo.vendor,
+                   "boardrev %s\n"
-                   drvr->wlc->hw->d11core->bus->boardinfo.type,
+                   "boardflags 0x%x\n"
-                   drvr->wlc->hw->boardrev,
+                   "boardflags2 0x%x\n"
-                   drvr->wlc->hw->boardflags,
+                   "ucoderev 0x%x\n"
-                   drvr->wlc->hw->boardflags2,
+                   "radiorev 0x%x\n"
-                   drvr->wlc->ucode_rev);
+                   "phytype 0x%x\n"
+                   "phyrev 0x%x\n"
+                   "anarev 0x%x\n"
+                   "nvramrev %d\n",
+                   bus->chipinfo.id, bus->chipinfo.rev, bus->chipinfo.pkg,
+                   core->id.rev, bus->boardinfo.type, bus->boardinfo.vendor,
+                   brcmu_boardrev_str(hw->boardrev, boardrev),
+                   drvr->wlc->hw->boardflags, drvr->wlc->hw->boardflags2,
+                   drvr->wlc->ucode_rev, hw->band->radiorev,
+                   hw->band->phytype, hw->band->phyrev, hw->band->pi->ana_rev,
+                   hw->sromrev);
        return 0;
 }
diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
index 43c71bfaa474..f95b52442281 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
@@ -764,7 +764,9 @@ brcms_ops_configure_filter(struct ieee80211_hw *hw,
        return;
 }
-static void brcms_ops_sw_scan_start(struct ieee80211_hw *hw)
+static void brcms_ops_sw_scan_start(struct ieee80211_hw *hw,
+                                    struct ieee80211_vif *vif,
+                                    const u8 *mac_addr)
 {
        struct brcms_info *wl = hw->priv;
        spin_lock_bh(&wl->lock);
@@ -773,7 +775,8 @@ static void brcms_ops_sw_scan_start(struct ieee80211_hw *hw)
        return;
 }
-static void brcms_ops_sw_scan_complete(struct ieee80211_hw *hw)
+static void brcms_ops_sw_scan_complete(struct ieee80211_hw *hw,
+                                       struct ieee80211_vif *vif)
 {
        struct brcms_info *wl = hw->priv;
        spin_lock_bh(&wl->lock);
diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c
index bc9be78faafa..a104d7ac3796 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
@@ -445,18 +445,18 @@ static void brcms_c_detach_mfree(struct brcms_c_info *wlc)
        kfree(wlc->protection);
        kfree(wlc->stf);
        kfree(wlc->bandstate[0]);
-        kfree(wlc->corestate->macstat_snapshot);
+        if (wlc->corestate)
+                kfree(wlc->corestate->macstat_snapshot);
        kfree(wlc->corestate);
-        kfree(wlc->hw->bandstate[0]);
+        if (wlc->hw)
+                kfree(wlc->hw->bandstate[0]);
        kfree(wlc->hw);
        if (wlc->beacon)
                dev_kfree_skb_any(wlc->beacon);
        if (wlc->probe_resp)
                dev_kfree_skb_any(wlc->probe_resp);
-        /* free the wlc */
        kfree(wlc);
-        wlc = NULL;
 }
 static struct brcms_bss_cfg *brcms_c_bsscfg_malloc(uint unit)
@@ -1009,8 +1009,7 @@ brcms_c_dotxstatus(struct brcms_c_info *wlc, struct tx_status *txs)
                if (txh)
                        trace_brcms_txdesc(&wlc->hw->d11core->dev, txh,
                                           sizeof(*txh));
-                if (p)
+                brcmu_pkt_buf_free_skb(p);
-                        brcmu_pkt_buf_free_skb(p);
        }
        if (dma && queue < NFIFO) {
diff --git a/drivers/net/wireless/brcm80211/brcmutil/utils.c b/drivers/net/wireless/brcm80211/brcmutil/utils.c
index 0f7e1c7b6f58..906e89ddf319 100644
--- a/drivers/net/wireless/brcm80211/brcmutil/utils.c
+++ b/drivers/net/wireless/brcm80211/brcmutil/utils.c
@@ -261,6 +261,21 @@ struct sk_buff *brcmu_pktq_mdeq(struct pktq *pq, uint prec_bmp,
 }
 EXPORT_SYMBOL(brcmu_pktq_mdeq);
+/* Produce a human-readable string for boardrev */
+char *brcmu_boardrev_str(u32 brev, char *buf)
+{
+        char c;
+        if (brev < 0x100) {
+                snprintf(buf, 8, "%d.%d", (brev & 0xf0) >> 4, brev & 0xf);
+        } else {
+                c = (brev & 0xf000) == 0x1000 ? 'P' : 'A';
+                snprintf(buf, 8, "%c%03x", c, brev & 0xfff);
+        }
+        return buf;
+}
+EXPORT_SYMBOL(brcmu_boardrev_str);
 #if defined(DEBUG)
 /* pretty hex print a pkt buffer chain */
 void brcmu_prpkt(const char *msg, struct sk_buff *p0)
@@ -292,4 +307,5 @@ void brcmu_dbg_hex_dump(const void *data, size_t size, const char *fmt, ...)
        print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, data, size);
 }
 EXPORT_SYMBOL(brcmu_dbg_hex_dump);
 #endif                          /* defined(DEBUG) */
diff --git a/drivers/net/wireless/brcm80211/include/brcm_hw_ids.h b/drivers/net/wireless/brcm80211/include/brcm_hw_ids.h
index af26e0de1e5c..6996fcc144cf 100644
--- a/drivers/net/wireless/brcm80211/include/brcm_hw_ids.h
+++ b/drivers/net/wireless/brcm80211/include/brcm_hw_ids.h
@@ -68,6 +68,8 @@
 #define BRCM_PCIE_43567_DEVICE_ID       0x43d3
 #define BRCM_PCIE_43570_DEVICE_ID       0x43d9
 #define BRCM_PCIE_43602_DEVICE_ID       0x43ba
+#define BRCM_PCIE_43602_2G_DEVICE_ID    0x43bb
+#define BRCM_PCIE_43602_5G_DEVICE_ID    0x43bc
 /* brcmsmac IDs */
 #define BCM4313_D11N2G_ID       0x4727  /* 4313 802.11n 2.4G device */
diff --git a/drivers/net/wireless/brcm80211/include/brcmu_utils.h b/drivers/net/wireless/brcm80211/include/brcmu_utils.h
index 8ba445b3fd72..a043e29f07e2 100644
--- a/drivers/net/wireless/brcm80211/include/brcmu_utils.h
+++ b/drivers/net/wireless/brcm80211/include/brcmu_utils.h
@@ -218,4 +218,6 @@ void brcmu_dbg_hex_dump(const void *data, size_t size, const char *fmt, ...)
 }
 #endif
+char *brcmu_boardrev_str(u32 brev, char *buf);
 #endif                          /* _BRCMU_UTILS_H_ */
diff --git a/drivers/net/wireless/cw1200/scan.c b/drivers/net/wireless/cw1200/scan.c
index b2fb6c632092..f2e276faca70 100644
--- a/drivers/net/wireless/cw1200/scan.c
+++ b/drivers/net/wireless/cw1200/scan.c
@@ -78,7 +78,7 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
        if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS)
                return -EINVAL;
-        frame.skb = ieee80211_probereq_get(hw, priv->vif, NULL, 0,
+        frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
                req->ie_len);
        if (!frame.skb)
                return -ENOMEM;
diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
index 26fec54dcd03..2748fde4b90c 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -6063,7 +6063,7 @@ il4965_mac_sta_add(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 }
 void
-il4965_mac_channel_switch(struct ieee80211_hw *hw,
+il4965_mac_channel_switch(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                          struct ieee80211_channel_switch *ch_switch)
 {
        struct il_priv *il = hw->priv;
diff --git a/drivers/net/wireless/iwlegacy/4965.h b/drivers/net/wireless/iwlegacy/4965.h
index 337dfcf3bbde..3a57f71b8ed5 100644
--- a/drivers/net/wireless/iwlegacy/4965.h
+++ b/drivers/net/wireless/iwlegacy/4965.h
@@ -187,8 +187,9 @@ int il4965_mac_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                            u8 buf_size);
 int il4965_mac_sta_add(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                       struct ieee80211_sta *sta);
-void il4965_mac_channel_switch(struct ieee80211_hw *hw,
+void
-                               struct ieee80211_channel_switch *ch_switch);
+il4965_mac_channel_switch(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+                          struct ieee80211_channel_switch *ch_switch);
 void il4965_led_enable(struct il_priv *il);
diff --git a/drivers/net/wireless/iwlwifi/Kconfig b/drivers/net/wireless/iwlwifi/Kconfig
index 139de90c2aaf..ab019b45551b 100644
--- a/drivers/net/wireless/iwlwifi/Kconfig
+++ b/drivers/net/wireless/iwlwifi/Kconfig
@@ -59,7 +59,7 @@ config IWLDVM
 config IWLMVM
        tristate "Intel Wireless WiFi MVM Firmware support"
-        select BACKPORT_WANT_DEV_COREDUMP
+        select WANT_DEV_COREDUMP
        help
          This is the driver that supports the MVM firmware which is
          currently only available for 7260 and 3160 devices.
diff --git a/drivers/net/wireless/iwlwifi/dvm/commands.h b/drivers/net/wireless/iwlwifi/dvm/commands.h
index 751ae1d10b7f..7a34e4d158d1 100644
--- a/drivers/net/wireless/iwlwifi/dvm/commands.h
+++ b/drivers/net/wireless/iwlwifi/dvm/commands.h
@@ -966,21 +966,21 @@ struct iwl_rem_sta_cmd {
 /* WiFi queues mask */
-#define IWL_SCD_BK_MSK                  cpu_to_le32(BIT(0))
+#define IWL_SCD_BK_MSK                  BIT(0)
-#define IWL_SCD_BE_MSK                  cpu_to_le32(BIT(1))
+#define IWL_SCD_BE_MSK                  BIT(1)
-#define IWL_SCD_VI_MSK                  cpu_to_le32(BIT(2))
+#define IWL_SCD_VI_MSK                  BIT(2)
-#define IWL_SCD_VO_MSK                  cpu_to_le32(BIT(3))
+#define IWL_SCD_VO_MSK                  BIT(3)
-#define IWL_SCD_MGMT_MSK                cpu_to_le32(BIT(3))
+#define IWL_SCD_MGMT_MSK                BIT(3)
 /* PAN queues mask */
-#define IWL_PAN_SCD_BK_MSK              cpu_to_le32(BIT(4))
+#define IWL_PAN_SCD_BK_MSK              BIT(4)
-#define IWL_PAN_SCD_BE_MSK              cpu_to_le32(BIT(5))
+#define IWL_PAN_SCD_BE_MSK              BIT(5)
-#define IWL_PAN_SCD_VI_MSK              cpu_to_le32(BIT(6))
+#define IWL_PAN_SCD_VI_MSK              BIT(6)
-#define IWL_PAN_SCD_VO_MSK              cpu_to_le32(BIT(7))
+#define IWL_PAN_SCD_VO_MSK              BIT(7)
-#define IWL_PAN_SCD_MGMT_MSK            cpu_to_le32(BIT(7))
+#define IWL_PAN_SCD_MGMT_MSK            BIT(7)
-#define IWL_PAN_SCD_MULTICAST_MSK       cpu_to_le32(BIT(8))
+#define IWL_PAN_SCD_MULTICAST_MSK       BIT(8)
-#define IWL_AGG_TX_QUEUE_MSK            cpu_to_le32(0xffc00)
+#define IWL_AGG_TX_QUEUE_MSK            0xffc00
 #define IWL_DROP_ALL                    BIT(1)
@@ -1005,12 +1005,17 @@ struct iwl_rem_sta_cmd {
 *      1: Dump multiple MSDU according to PS, INVALID STA, TTL, TID disable.
 *      2: Dump all FIFO
 */
-struct iwl_txfifo_flush_cmd {
+struct iwl_txfifo_flush_cmd_v3 {
        __le32 queue_control;
        __le16 flush_control;
        __le16 reserved;
 } __packed;
+struct iwl_txfifo_flush_cmd_v2 {
+        __le16 queue_control;
+        __le16 flush_control;
+} __packed;
 /*
 * REPLY_WEP_KEY = 0x20
 */
diff --git a/drivers/net/wireless/iwlwifi/dvm/lib.c b/drivers/net/wireless/iwlwifi/dvm/lib.c
index 02e4ede2b042..1d2223df5cb0 100644
--- a/drivers/net/wireless/iwlwifi/dvm/lib.c
+++ b/drivers/net/wireless/iwlwifi/dvm/lib.c
@@ -137,37 +137,38 @@ int iwlagn_manage_ibss_station(struct iwl_priv *priv,
 */
 int iwlagn_txfifo_flush(struct iwl_priv *priv, u32 scd_q_msk)
 {
-        struct iwl_txfifo_flush_cmd flush_cmd;
+        struct iwl_txfifo_flush_cmd_v3 flush_cmd_v3 = {
-        struct iwl_host_cmd cmd = {
+                .flush_control = cpu_to_le16(IWL_DROP_ALL),
-                .id = REPLY_TXFIFO_FLUSH,
+        };
-                .len = { sizeof(struct iwl_txfifo_flush_cmd), },
+        struct iwl_txfifo_flush_cmd_v2 flush_cmd_v2 = {
-                .data = { &flush_cmd, },
+                .flush_control = cpu_to_le16(IWL_DROP_ALL),
        };
-        memset(&flush_cmd, 0, sizeof(flush_cmd));
+        u32 queue_control = IWL_SCD_VO_MSK | IWL_SCD_VI_MSK |
+                            IWL_SCD_BE_MSK | IWL_SCD_BK_MSK | IWL_SCD_MGMT_MSK;
-        flush_cmd.queue_control = IWL_SCD_VO_MSK | IWL_SCD_VI_MSK |
-                                  IWL_SCD_BE_MSK | IWL_SCD_BK_MSK |
-                                  IWL_SCD_MGMT_MSK;
        if ((priv->valid_contexts != BIT(IWL_RXON_CTX_BSS)))
-                flush_cmd.queue_control |= IWL_PAN_SCD_VO_MSK |
+                queue_control |= IWL_PAN_SCD_VO_MSK | IWL_PAN_SCD_VI_MSK |
-                                           IWL_PAN_SCD_VI_MSK |
+                                 IWL_PAN_SCD_BE_MSK | IWL_PAN_SCD_BK_MSK |
-                                           IWL_PAN_SCD_BE_MSK |
+                                 IWL_PAN_SCD_MGMT_MSK |
-                                           IWL_PAN_SCD_BK_MSK |
+                                 IWL_PAN_SCD_MULTICAST_MSK;
-                                           IWL_PAN_SCD_MGMT_MSK |
-                                           IWL_PAN_SCD_MULTICAST_MSK;
        if (priv->nvm_data->sku_cap_11n_enable)
-                flush_cmd.queue_control |= IWL_AGG_TX_QUEUE_MSK;
+                queue_control |= IWL_AGG_TX_QUEUE_MSK;
        if (scd_q_msk)
-                flush_cmd.queue_control = cpu_to_le32(scd_q_msk);
+                queue_control = scd_q_msk;
-        IWL_DEBUG_INFO(priv, "queue control: 0x%x\n",
+        IWL_DEBUG_INFO(priv, "queue control: 0x%x\n", queue_control);
-                       flush_cmd.queue_control);
+        flush_cmd_v3.queue_control = cpu_to_le32(queue_control);
-        flush_cmd.flush_control = cpu_to_le16(IWL_DROP_ALL);
+        flush_cmd_v2.queue_control = cpu_to_le16((u16)queue_control);
-        return iwl_dvm_send_cmd(priv, &cmd);
+        if (IWL_UCODE_API(priv->fw->ucode_ver) > 2)
+                return iwl_dvm_send_cmd_pdu(priv, REPLY_TXFIFO_FLUSH, 0,
+                                            sizeof(flush_cmd_v3),
+                                            &flush_cmd_v3);
+        return iwl_dvm_send_cmd_pdu(priv, REPLY_TXFIFO_FLUSH, 0,
+                                    sizeof(flush_cmd_v2), &flush_cmd_v2);
 }
 void iwlagn_dev_txfifo_flush(struct iwl_priv *priv)
diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
index cae692ff1013..47e64e8b9517 100644
--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
@@ -941,6 +941,7 @@ static int iwlagn_mac_sta_state(struct ieee80211_hw *hw,
 }
 static void iwlagn_mac_channel_switch(struct ieee80211_hw *hw,
+                                      struct ieee80211_vif *vif,
                                      struct ieee80211_channel_switch *ch_switch)
 {
        struct iwl_priv *priv = IWL_MAC80211_GET_DVM(hw);
diff --git a/drivers/net/wireless/iwlwifi/iwl-7000.c b/drivers/net/wireless/iwlwifi/iwl-7000.c
index b04b8858c690..e5be2d21868f 100644
--- a/drivers/net/wireless/iwlwifi/iwl-7000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-7000.c
@@ -73,12 +73,12 @@
 #define IWL3160_UCODE_API_MAX   10
 /* Oldest version we won't warn about */
-#define IWL7260_UCODE_API_OK    9
+#define IWL7260_UCODE_API_OK    10
-#define IWL3160_UCODE_API_OK    9
+#define IWL3160_UCODE_API_OK    10
 /* Lowest firmware API version supported */
-#define IWL7260_UCODE_API_MIN   8
+#define IWL7260_UCODE_API_MIN   9
-#define IWL3160_UCODE_API_MIN   8
+#define IWL3160_UCODE_API_MIN   9
 /* NVM versions */
 #define IWL7260_NVM_VERSION             0x0a1d
@@ -89,6 +89,8 @@
 #define IWL3165_TX_POWER_VERSION        0xffff /* meaningless */
 #define IWL7265_NVM_VERSION             0x0a1d
 #define IWL7265_TX_POWER_VERSION        0xffff /* meaningless */
+#define IWL7265D_NVM_VERSION            0x0c11
+#define IWL7265_TX_POWER_VERSION        0xffff /* meaningless */
 #define IWL7260_FW_PRE "iwlwifi-7260-"
 #define IWL7260_MODULE_FIRMWARE(api) IWL7260_FW_PRE __stringify(api) ".ucode"
@@ -102,6 +104,9 @@
 #define IWL7265_FW_PRE "iwlwifi-7265-"
 #define IWL7265_MODULE_FIRMWARE(api) IWL7265_FW_PRE __stringify(api) ".ucode"
+#define IWL7265D_FW_PRE "iwlwifi-7265D-"
+#define IWL7265D_MODULE_FIRMWARE(api) IWL7265_FW_PRE __stringify(api) ".ucode"
 #define NVM_HW_SECTION_NUM_FAMILY_7000          0
 static const struct iwl_base_params iwl7000_base_params = {
@@ -132,8 +137,8 @@ static const struct iwl_ht_params iwl7000_ht_params = {
        .base_params = &iwl7000_base_params,                    \
        .led_mode = IWL_LED_RF_STATE,                           \
        .nvm_hw_section_num = NVM_HW_SECTION_NUM_FAMILY_7000,   \
-        .non_shared_ant = ANT_A
+        .non_shared_ant = ANT_A,                                \
+        .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K
 const struct iwl_cfg iwl7260_2ac_cfg = {
        .name = "Intel(R) Dual Band Wireless AC 7260",
@@ -267,7 +272,38 @@ const struct iwl_cfg iwl7265_n_cfg = {
        .pwr_tx_backoffs = iwl7265_pwr_tx_backoffs,
 };
+const struct iwl_cfg iwl7265d_2ac_cfg = {
+        .name = "Intel(R) Dual Band Wireless AC 7265",
+        .fw_name_pre = IWL7265D_FW_PRE,
+        IWL_DEVICE_7000,
+        .ht_params = &iwl7265_ht_params,
+        .nvm_ver = IWL7265D_NVM_VERSION,
+        .nvm_calib_ver = IWL7265_TX_POWER_VERSION,
+        .pwr_tx_backoffs = iwl7265_pwr_tx_backoffs,
+};
+const struct iwl_cfg iwl7265d_2n_cfg = {
+        .name = "Intel(R) Dual Band Wireless N 7265",
+        .fw_name_pre = IWL7265D_FW_PRE,
+        IWL_DEVICE_7000,
+        .ht_params = &iwl7265_ht_params,
+        .nvm_ver = IWL7265D_NVM_VERSION,
+        .nvm_calib_ver = IWL7265_TX_POWER_VERSION,
+        .pwr_tx_backoffs = iwl7265_pwr_tx_backoffs,
+};
+const struct iwl_cfg iwl7265d_n_cfg = {
+        .name = "Intel(R) Wireless N 7265",
+        .fw_name_pre = IWL7265D_FW_PRE,
+        IWL_DEVICE_7000,
+        .ht_params = &iwl7265_ht_params,
+        .nvm_ver = IWL7265D_NVM_VERSION,
+        .nvm_calib_ver = IWL7265_TX_POWER_VERSION,
+        .pwr_tx_backoffs = iwl7265_pwr_tx_backoffs,
+};
 MODULE_FIRMWARE(IWL7260_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
 MODULE_FIRMWARE(IWL3160_MODULE_FIRMWARE(IWL3160_UCODE_API_OK));
 MODULE_FIRMWARE(IWL3165_MODULE_FIRMWARE(IWL3160_UCODE_API_OK));
 MODULE_FIRMWARE(IWL7265_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
+MODULE_FIRMWARE(IWL7265D_MODULE_FIRMWARE(IWL7260_UCODE_API_OK));
diff --git a/drivers/net/wireless/iwlwifi/iwl-8000.c b/drivers/net/wireless/iwlwifi/iwl-8000.c
index 896ea906549c..bf0a95cb7153 100644
--- a/drivers/net/wireless/iwlwifi/iwl-8000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-8000.c
@@ -72,10 +72,10 @@
 #define IWL8000_UCODE_API_MAX   10
 /* Oldest version we won't warn about */
-#define IWL8000_UCODE_API_OK    8
+#define IWL8000_UCODE_API_OK    10
 /* Lowest firmware API version supported */
-#define IWL8000_UCODE_API_MIN   8
+#define IWL8000_UCODE_API_MIN   9
 /* NVM versions */
 #define IWL8000_NVM_VERSION             0x0a1d
@@ -91,6 +91,10 @@
 /* Max SDIO RX aggregation size of the ADDBA request/response */
 #define MAX_RX_AGG_SIZE_8260_SDIO       28
+/* Max A-MPDU exponent for HT and VHT */
+#define MAX_HT_AMPDU_EXPONENT_8260_SDIO IEEE80211_HT_MAX_AMPDU_32K
+#define MAX_VHT_AMPDU_EXPONENT_8260_SDIO        IEEE80211_VHT_MAX_AMPDU_32K
 static const struct iwl_base_params iwl8000_base_params = {
        .eeprom_size = OTP_LOW_IMAGE_SIZE_FAMILY_8000,
        .num_of_queues = IWLAGN_NUM_QUEUES,
@@ -119,6 +123,7 @@ static const struct iwl_ht_params iwl8000_ht_params = {
        .base_params = &iwl8000_base_params,                    \
        .led_mode = IWL_LED_RF_STATE,                           \
        .nvm_hw_section_num = NVM_HW_SECTION_NUM_FAMILY_8000,   \
+        .d0i3 = true,                                           \
        .non_shared_ant = ANT_A
 const struct iwl_cfg iwl8260_2n_cfg = {
@@ -137,6 +142,7 @@ const struct iwl_cfg iwl8260_2ac_cfg = {
        .ht_params = &iwl8000_ht_params,
        .nvm_ver = IWL8000_NVM_VERSION,
        .nvm_calib_ver = IWL8000_TX_POWER_VERSION,
+        .max_ht_ampdu_exponent = IEEE80211_HT_MAX_AMPDU_64K,
 };
 const struct iwl_cfg iwl8260_2ac_sdio_cfg = {
@@ -149,6 +155,23 @@ const struct iwl_cfg iwl8260_2ac_sdio_cfg = {
        .default_nvm_file = DEFAULT_NVM_FILE_FAMILY_8000,
        .max_rx_agg_size = MAX_RX_AGG_SIZE_8260_SDIO,
        .disable_dummy_notification = true,
+        .max_ht_ampdu_exponent  = MAX_HT_AMPDU_EXPONENT_8260_SDIO,
+        .max_vht_ampdu_exponent = MAX_VHT_AMPDU_EXPONENT_8260_SDIO,
+};
+const struct iwl_cfg iwl4165_2ac_sdio_cfg = {
+        .name = "Intel(R) Dual Band Wireless-AC 4165",
+        .fw_name_pre = IWL8000_FW_PRE,
+        IWL_DEVICE_8000,
+        .ht_params = &iwl8000_ht_params,
+        .nvm_ver = IWL8000_NVM_VERSION,
+        .nvm_calib_ver = IWL8000_TX_POWER_VERSION,
+        .default_nvm_file = DEFAULT_NVM_FILE_FAMILY_8000,
+        .max_rx_agg_size = MAX_RX_AGG_SIZE_8260_SDIO,
+        .bt_shared_single_ant = true,
+        .disable_dummy_notification = true,
+        .max_ht_ampdu_exponent  = MAX_HT_AMPDU_EXPONENT_8260_SDIO,
+        .max_vht_ampdu_exponent = MAX_VHT_AMPDU_EXPONENT_8260_SDIO,
 };
 MODULE_FIRMWARE(IWL8000_MODULE_FIRMWARE(IWL8000_UCODE_API_OK));
diff --git a/drivers/net/wireless/iwlwifi/iwl-config.h b/drivers/net/wireless/iwlwifi/iwl-config.h
index f8aa9cf08279..3a4b9c7fc083 100644
--- a/drivers/net/wireless/iwlwifi/iwl-config.h
+++ b/drivers/net/wireless/iwlwifi/iwl-config.h
@@ -257,6 +257,10 @@ struct iwl_pwr_tx_backoff {
 * @pwr_tx_backoffs: translation table between power limits and backoffs
 * @max_rx_agg_size: max RX aggregation size of the ADDBA request/response
 * @max_tx_agg_size: max TX aggregation size of the ADDBA request/response
+ * @max_ht_ampdu_factor: the exponent of the max length of A-MPDU that the
+ *      station can receive in HT
+ * @max_vht_ampdu_exponent: the exponent of the max length of A-MPDU that the
+ *      station can receive in VHT
 *
 * We enable the driver to be backward compatible wrt. hardware features.
 * API differences in uCode shouldn't be handled here but through TLVs
@@ -297,6 +301,8 @@ struct iwl_cfg {
        unsigned int max_rx_agg_size;
        bool disable_dummy_notification;
        unsigned int max_tx_agg_size;
+        unsigned int max_ht_ampdu_exponent;
+        unsigned int max_vht_ampdu_exponent;
 };
 /*
@@ -358,9 +364,14 @@ extern const struct iwl_cfg iwl3165_2ac_cfg;
 extern const struct iwl_cfg iwl7265_2ac_cfg;
 extern const struct iwl_cfg iwl7265_2n_cfg;
 extern const struct iwl_cfg iwl7265_n_cfg;
+extern const struct iwl_cfg iwl7265d_2ac_cfg;
+extern const struct iwl_cfg iwl7265d_2n_cfg;
+extern const struct iwl_cfg iwl7265d_n_cfg;
 extern const struct iwl_cfg iwl8260_2n_cfg;
 extern const struct iwl_cfg iwl8260_2ac_cfg;
 extern const struct iwl_cfg iwl8260_2ac_sdio_cfg;
+extern const struct iwl_cfg iwl4265_2ac_sdio_cfg;
+extern const struct iwl_cfg iwl4165_2ac_sdio_cfg;
 #endif /* CONFIG_IWLMVM */
 #endif /* __IWL_CONFIG_H__ */
diff --git a/drivers/net/wireless/iwlwifi/iwl-csr.h b/drivers/net/wireless/iwlwifi/iwl-csr.h
index 3f6f015285e5..aff63c3f5bf8 100644
--- a/drivers/net/wireless/iwlwifi/iwl-csr.h
+++ b/drivers/net/wireless/iwlwifi/iwl-csr.h
@@ -129,6 +129,8 @@
 #define CSR_UCODE_DRV_GP1_CLR   (CSR_BASE+0x05c)
 #define CSR_UCODE_DRV_GP2       (CSR_BASE+0x060)
+#define CSR_MBOX_SET_REG        (CSR_BASE + 0x88)
 #define CSR_LED_REG             (CSR_BASE+0x094)
 #define CSR_DRAM_INT_TBL_REG    (CSR_BASE+0x0A0)
 #define CSR_MAC_SHADOW_REG_CTRL (CSR_BASE+0x0A8) /* 6000 and up */
@@ -184,6 +186,8 @@
 #define CSR_HW_IF_CONFIG_REG_PREPARE              (0x08000000) /* WAKE_ME */
 #define CSR_HW_IF_CONFIG_REG_PERSIST_MODE         (0x40000000) /* PERSISTENCE */
+#define CSR_MBOX_SET_REG_OS_ALIVE               BIT(5)
 #define CSR_INT_PERIODIC_DIS                    (0x00) /* disable periodic int*/
 #define CSR_INT_PERIODIC_ENA                    (0xFF) /* 255*32 usec ~ 8 msec*/
@@ -305,23 +309,24 @@ enum {
 };
-#define CSR_HW_REV_TYPE_MSK            (0x000FFF0)
+#define CSR_HW_REV_TYPE_MSK             (0x000FFF0)
-#define CSR_HW_REV_TYPE_5300           (0x0000020)
+#define CSR_HW_REV_TYPE_5300            (0x0000020)
-#define CSR_HW_REV_TYPE_5350           (0x0000030)
+#define CSR_HW_REV_TYPE_5350            (0x0000030)
-#define CSR_HW_REV_TYPE_5100           (0x0000050)
+#define CSR_HW_REV_TYPE_5100            (0x0000050)
-#define CSR_HW_REV_TYPE_5150           (0x0000040)
+#define CSR_HW_REV_TYPE_5150            (0x0000040)
-#define CSR_HW_REV_TYPE_1000           (0x0000060)
+#define CSR_HW_REV_TYPE_1000            (0x0000060)
-#define CSR_HW_REV_TYPE_6x00           (0x0000070)
+#define CSR_HW_REV_TYPE_6x00            (0x0000070)
-#define CSR_HW_REV_TYPE_6x50           (0x0000080)
+#define CSR_HW_REV_TYPE_6x50            (0x0000080)
-#define CSR_HW_REV_TYPE_6150           (0x0000084)
+#define CSR_HW_REV_TYPE_6150            (0x0000084)
-#define CSR_HW_REV_TYPE_6x05           (0x00000B0)
+#define CSR_HW_REV_TYPE_6x05            (0x00000B0)
-#define CSR_HW_REV_TYPE_6x30           CSR_HW_REV_TYPE_6x05
+#define CSR_HW_REV_TYPE_6x30            CSR_HW_REV_TYPE_6x05
-#define CSR_HW_REV_TYPE_6x35           CSR_HW_REV_TYPE_6x05
+#define CSR_HW_REV_TYPE_6x35            CSR_HW_REV_TYPE_6x05
-#define CSR_HW_REV_TYPE_2x30           (0x00000C0)
+#define CSR_HW_REV_TYPE_2x30            (0x00000C0)
-#define CSR_HW_REV_TYPE_2x00           (0x0000100)
+#define CSR_HW_REV_TYPE_2x00            (0x0000100)
-#define CSR_HW_REV_TYPE_105            (0x0000110)
+#define CSR_HW_REV_TYPE_105             (0x0000110)
-#define CSR_HW_REV_TYPE_135            (0x0000120)
+#define CSR_HW_REV_TYPE_135             (0x0000120)
-#define CSR_HW_REV_TYPE_NONE           (0x00001F0)
+#define CSR_HW_REV_TYPE_7265D           (0x0000210)
+#define CSR_HW_REV_TYPE_NONE            (0x00001F0)
 /* EEPROM REG */
 #define CSR_EEPROM_REG_READ_VALID_MSK   (0x00000001)
diff --git a/drivers/net/wireless/iwlwifi/iwl-debug.h b/drivers/net/wireless/iwlwifi/iwl-debug.h
index 0a70bcd241f5..684254553558 100644
--- a/drivers/net/wireless/iwlwifi/iwl-debug.h
+++ b/drivers/net/wireless/iwlwifi/iwl-debug.h
@@ -143,7 +143,7 @@ do {                                            			\
 #define IWL_DL_INFO             0x00000001
 #define IWL_DL_MAC80211         0x00000002
 #define IWL_DL_HCMD             0x00000004
-#define IWL_DL_STATE            0x00000008
+#define IWL_DL_TDLS             0x00000008
 /* 0x000000F0 - 0x00000010 */
 #define IWL_DL_QUOTA            0x00000010
 #define IWL_DL_TE               0x00000020
@@ -180,6 +180,7 @@ do {                                            			\
 #define IWL_DL_TX_QUEUES        0x80000000
 #define IWL_DEBUG_INFO(p, f, a...)      IWL_DEBUG(p, IWL_DL_INFO, f, ## a)
+#define IWL_DEBUG_TDLS(p, f, a...)      IWL_DEBUG(p, IWL_DL_TDLS, f, ## a)
 #define IWL_DEBUG_MAC80211(p, f, a...)  IWL_DEBUG(p, IWL_DL_MAC80211, f, ## a)
 #define IWL_DEBUG_EXTERNAL(p, f, a...)  IWL_DEBUG(p, IWL_DL_EXTERNAL, f, ## a)
 #define IWL_DEBUG_TEMP(p, f, a...)      IWL_DEBUG(p, IWL_DL_TEMP, f, ## a)
diff --git a/drivers/net/wireless/iwlwifi/iwl-drv.c b/drivers/net/wireless/iwlwifi/iwl-drv.c
index d9fa8e034da2..38de1513e4de 100644
--- a/drivers/net/wireless/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/iwlwifi/iwl-drv.c
@@ -78,9 +78,6 @@
 #include "iwl-config.h"
 #include "iwl-modparams.h"
-/* private includes */
-#include "iwl-fw-file.h"
 /******************************************************************************
 *
 * module boiler plate
@@ -187,6 +184,11 @@ static void iwl_free_fw_img(struct iwl_drv *drv, struct fw_img *img)
 static void iwl_dealloc_ucode(struct iwl_drv *drv)
 {
        int i;
+        kfree(drv->fw.dbg_dest_tlv);
+        for (i = 0; i < ARRAY_SIZE(drv->fw.dbg_conf_tlv); i++)
+                kfree(drv->fw.dbg_conf_tlv[i]);
        for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
                iwl_free_fw_img(drv, drv->fw.img + i);
 }
@@ -248,6 +250,9 @@ static int iwl_request_firmware(struct iwl_drv *drv, bool first)
        /*
         * Starting 8000B - FW name format has changed. This overwrites the
         * previous name and uses the new format.
+         *
+         * TODO:
+         * Once there is only one supported step for 8000 family - delete this!
         */
        if (drv->trans->cfg->device_family == IWL_DEVICE_FAMILY_8000) {
                char rev_step[2] = {
@@ -258,6 +263,13 @@ static int iwl_request_firmware(struct iwl_drv *drv, bool first)
                if (CSR_HW_REV_STEP(drv->trans->hw_rev) == SILICON_A_STEP)
                        rev_step[0] = 0;
+                /*
+                 * If hw_rev wasn't set yet - default as B-step. If it IS A-step
+                 * we'll reload that FW later instead.
+                 */
+                if (drv->trans->hw_rev == 0)
+                        rev_step[0] = 'B';
                snprintf(drv->firmware_name, sizeof(drv->firmware_name),
                         "%s%s-%s.ucode", name_pre, rev_step, tag);
        }
@@ -301,6 +313,11 @@ struct iwl_firmware_pieces {
        u32 init_evtlog_ptr, init_evtlog_size, init_errlog_ptr;
        u32 inst_evtlog_ptr, inst_evtlog_size, inst_errlog_ptr;
+        /* FW debug data parsed for driver usage */
+        struct iwl_fw_dbg_dest_tlv *dbg_dest_tlv;
+        struct iwl_fw_dbg_conf_tlv *dbg_conf_tlv[FW_DBG_MAX];
+        size_t dbg_conf_tlv_len[FW_DBG_MAX];
 };
 /*
@@ -574,6 +591,8 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,
        char buildstr[25];
        u32 build;
        int num_of_cpus;
+        bool usniffer_images = false;
+        bool usniffer_req = false;
        if (len < sizeof(*ucode)) {
                IWL_ERR(drv, "uCode has invalid length: %zd\n", len);
@@ -846,12 +865,79 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,
                        capa->n_scan_channels =
                                le32_to_cpup((__le32 *)tlv_data);
                        break;
+                case IWL_UCODE_TLV_FW_DBG_DEST: {
+                        struct iwl_fw_dbg_dest_tlv *dest = (void *)tlv_data;
+                        if (pieces->dbg_dest_tlv) {
+                                IWL_ERR(drv,
+                                        "dbg destination ignored, already exists\n");
+                                break;
+                        }
+                        pieces->dbg_dest_tlv = dest;
+                        IWL_INFO(drv, "Found debug destination: %s\n",
+                                 get_fw_dbg_mode_string(dest->monitor_mode));
+                        drv->fw.dbg_dest_reg_num =
+                                tlv_len - offsetof(struct iwl_fw_dbg_dest_tlv,
+                                                   reg_ops);
+                        drv->fw.dbg_dest_reg_num /=
+                                sizeof(drv->fw.dbg_dest_tlv->reg_ops[0]);
+                        break;
+                        }
+                case IWL_UCODE_TLV_FW_DBG_CONF: {
+                        struct iwl_fw_dbg_conf_tlv *conf = (void *)tlv_data;
+                        if (!pieces->dbg_dest_tlv) {
+                                IWL_ERR(drv,
+                                        "Ignore dbg config %d - no destination configured\n",
+                                        conf->id);
+                                break;
+                        }
+                        if (conf->id >= ARRAY_SIZE(drv->fw.dbg_conf_tlv)) {
+                                IWL_ERR(drv,
+                                        "Skip unknown configuration: %d\n",
+                                        conf->id);
+                                break;
+                        }
+                        if (pieces->dbg_conf_tlv[conf->id]) {
+                                IWL_ERR(drv,
+                                        "Ignore duplicate dbg config %d\n",
+                                        conf->id);
+                                break;
+                        }
+                        if (conf->usniffer)
+                                usniffer_req = true;
+                        IWL_INFO(drv, "Found debug configuration: %d\n",
+                                 conf->id);
+                        pieces->dbg_conf_tlv[conf->id] = conf;
+                        pieces->dbg_conf_tlv_len[conf->id] = tlv_len;
+                        break;
+                        }
+                case IWL_UCODE_TLV_SEC_RT_USNIFFER:
+                        usniffer_images = true;
+                        iwl_store_ucode_sec(pieces, tlv_data,
+                                            IWL_UCODE_REGULAR_USNIFFER,
+                                            tlv_len);
+                        break;
                default:
                        IWL_DEBUG_INFO(drv, "unknown TLV: %d\n", tlv_type);
                        break;
                }
        }
+        if (usniffer_req && !usniffer_images) {
+                IWL_ERR(drv,
+                        "user selected to work with usniffer but usniffer image isn't available in ucode package\n");
+                return -EINVAL;
+        }
        if (len) {
                IWL_ERR(drv, "invalid TLV after parsing: %zd\n", len);
                iwl_print_hex_dump(drv, IWL_DL_FW, (u8 *)data, len);
@@ -989,13 +1075,14 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
        struct iwl_ucode_header *ucode;
        struct iwlwifi_opmode_table *op;
        int err;
-        struct iwl_firmware_pieces pieces;
+        struct iwl_firmware_pieces *pieces;
        const unsigned int api_max = drv->cfg->ucode_api_max;
        unsigned int api_ok = drv->cfg->ucode_api_ok;
        const unsigned int api_min = drv->cfg->ucode_api_min;
        u32 api_ver;
        int i;
        bool load_module = false;
+        u32 hw_rev = drv->trans->hw_rev;
        fw->ucode_capa.max_probe_length = IWL_DEFAULT_MAX_PROBE_LENGTH;
        fw->ucode_capa.standard_phy_calibration_size =
@@ -1005,7 +1092,9 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
        if (!api_ok)
                api_ok = api_max;
-        memset(&pieces, 0, sizeof(pieces));
+        pieces = kzalloc(sizeof(*pieces), GFP_KERNEL);
+        if (!pieces)
+                return;
        if (!ucode_raw) {
                if (drv->fw_index <= api_ok)
@@ -1028,10 +1117,10 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
        ucode = (struct iwl_ucode_header *)ucode_raw->data;
        if (ucode->ver)
-                err = iwl_parse_v1_v2_firmware(drv, ucode_raw, &pieces);
+                err = iwl_parse_v1_v2_firmware(drv, ucode_raw, pieces);
        else
-                err = iwl_parse_tlv_firmware(drv, ucode_raw, &pieces,
+                err = iwl_parse_tlv_firmware(drv, ucode_raw, pieces,
-                                           &fw->ucode_capa);
+                                             &fw->ucode_capa);
        if (err)
                goto try_again;
@@ -1071,7 +1160,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
         * In mvm uCode there is no difference between data and instructions
         * sections.
         */
-        if (!fw->mvm_fw && validate_sec_sizes(drv, &pieces, drv->cfg))
+        if (!fw->mvm_fw && validate_sec_sizes(drv, pieces, drv->cfg))
                goto try_again;
        /* Allocate ucode buffers for card's bus-master loading ... */
@@ -1080,9 +1169,33 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
         * 1) unmodified from disk
         * 2) backup cache for save/restore during power-downs */
        for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
-                if (iwl_alloc_ucode(drv, &pieces, i))
+                if (iwl_alloc_ucode(drv, pieces, i))
                        goto out_free_fw;
+        if (pieces->dbg_dest_tlv) {
+                drv->fw.dbg_dest_tlv =
+                        kmemdup(pieces->dbg_dest_tlv,
+                                sizeof(*pieces->dbg_dest_tlv) +
+                                sizeof(pieces->dbg_dest_tlv->reg_ops[0]) *
+                                drv->fw.dbg_dest_reg_num, GFP_KERNEL);
+                if (!drv->fw.dbg_dest_tlv)
+                        goto out_free_fw;
+        }
+        for (i = 0; i < ARRAY_SIZE(drv->fw.dbg_conf_tlv); i++) {
+                if (pieces->dbg_conf_tlv[i]) {
+                        drv->fw.dbg_conf_tlv_len[i] =
+                                pieces->dbg_conf_tlv_len[i];
+                        drv->fw.dbg_conf_tlv[i] =
+                                kmemdup(pieces->dbg_conf_tlv[i],
+                                        drv->fw.dbg_conf_tlv_len[i],
+                                        GFP_KERNEL);
+                        if (!drv->fw.dbg_conf_tlv[i])
+                                goto out_free_fw;
+                }
+        }
        /* Now that we can no longer fail, copy information */
        /*
@@ -1090,20 +1203,20 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
         * for each event, which is of mode 1 (including timestamp) for all
         * new microcodes that include this information.
         */
-        fw->init_evtlog_ptr = pieces.init_evtlog_ptr;
+        fw->init_evtlog_ptr = pieces->init_evtlog_ptr;
-        if (pieces.init_evtlog_size)
+        if (pieces->init_evtlog_size)
-                fw->init_evtlog_size = (pieces.init_evtlog_size - 16)/12;
+                fw->init_evtlog_size = (pieces->init_evtlog_size - 16)/12;
        else
                fw->init_evtlog_size =
                        drv->cfg->base_params->max_event_log_size;
-        fw->init_errlog_ptr = pieces.init_errlog_ptr;
+        fw->init_errlog_ptr = pieces->init_errlog_ptr;
-        fw->inst_evtlog_ptr = pieces.inst_evtlog_ptr;
+        fw->inst_evtlog_ptr = pieces->inst_evtlog_ptr;
-        if (pieces.inst_evtlog_size)
+        if (pieces->inst_evtlog_size)
-                fw->inst_evtlog_size = (pieces.inst_evtlog_size - 16)/12;
+                fw->inst_evtlog_size = (pieces->inst_evtlog_size - 16)/12;
        else
                fw->inst_evtlog_size =
                        drv->cfg->base_params->max_event_log_size;
-        fw->inst_errlog_ptr = pieces.inst_errlog_ptr;
+        fw->inst_errlog_ptr = pieces->inst_errlog_ptr;
        /*
         * figure out the offset of chain noise reset and gain commands
@@ -1162,10 +1275,55 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
                                op->name, err);
 #endif
        }
+        /*
+         * We may have loaded the wrong FW file in 8000 HW family if it is an
+         * A-step card, and if drv->trans->hw_rev wasn't properly read when
+         * the FW file had been loaded. (This might happen in SDIO.) In such a
+         * case - unload and reload the correct file.
+         *
+         * TODO:
+         * Once there is only one supported step for 8000 family - delete this!
+         */
+        if (drv->trans->cfg->device_family == IWL_DEVICE_FAMILY_8000 &&
+            CSR_HW_REV_STEP(drv->trans->hw_rev) == SILICON_A_STEP &&
+            drv->trans->hw_rev != hw_rev) {
+                char firmware_name[32];
+                /* Free previous FW resources */
+                if (drv->op_mode)
+                        _iwl_op_mode_stop(drv);
+                iwl_dealloc_ucode(drv);
+                /* Build name of correct-step FW */
+                snprintf(firmware_name, sizeof(firmware_name),
+                         strrchr(drv->firmware_name, '-'));
+                snprintf(drv->firmware_name, sizeof(drv->firmware_name),
+                         "%s%s", drv->cfg->fw_name_pre, firmware_name);
+                /* Clear data before loading correct FW */
+                list_del(&drv->list);
+                /* Request correct FW file this time */
+                IWL_DEBUG_INFO(drv, "attempting to load A-step FW %s\n",
+                               drv->firmware_name);
+                err = request_firmware(&ucode_raw, drv->firmware_name,
+                                       drv->trans->dev);
+                if (err) {
+                        IWL_ERR(drv, "Failed swapping FW!\n");
+                        goto out_unbind;
+                }
+                /* Redo callback function - this time with right FW */
+                iwl_req_fw_callback(ucode_raw, context);
+        }
+        kfree(pieces);
        return;
 try_again:
        /* try next, if any */
+        kfree(pieces);
        release_firmware(ucode_raw);
        if (iwl_request_firmware(drv, false))
                goto out_unbind;
@@ -1176,6 +1334,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
        iwl_dealloc_ucode(drv);
        release_firmware(ucode_raw);
 out_unbind:
+        kfree(pieces);
        complete(&drv->request_firmware_complete);
        device_release_driver(drv->trans->dev);
 }
diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c
index 74b796dc4242..41ff85de7334 100644
--- a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c
+++ b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c
@@ -764,7 +764,7 @@ void iwl_init_ht_hw_capab(const struct iwl_cfg *cfg,
        if (iwlwifi_mod_params.amsdu_size_8K)
                ht_info->cap |= IEEE80211_HT_CAP_MAX_AMSDU;
-        ht_info->ampdu_factor = IEEE80211_HT_MAX_AMPDU_64K;
+        ht_info->ampdu_factor = cfg->max_ht_ampdu_exponent;
        ht_info->ampdu_density = IEEE80211_HT_MPDU_DENSITY_4;
        ht_info->mcs.rx_mask[0] = 0xFF;
diff --git a/drivers/net/wireless/iwlwifi/iwl-fw-error-dump.h b/drivers/net/wireless/iwlwifi/iwl-fw-error-dump.h
index e30a41d04c8b..20a8a64c9fe3 100644
--- a/drivers/net/wireless/iwlwifi/iwl-fw-error-dump.h
+++ b/drivers/net/wireless/iwlwifi/iwl-fw-error-dump.h
@@ -81,6 +81,7 @@
 * @IWL_FW_ERROR_DUMP_FW_MONITOR: firmware monitor
 * @IWL_FW_ERROR_DUMP_PRPH: range of periphery registers - there can be several
 *      sections like this in a single file.
+ * @IWL_FW_ERROR_DUMP_FH_REGS: range of FH registers
 */
 enum iwl_fw_error_dump_type {
        IWL_FW_ERROR_DUMP_SRAM = 0,
@@ -90,6 +91,8 @@ enum iwl_fw_error_dump_type {
        IWL_FW_ERROR_DUMP_DEV_FW_INFO = 4,
        IWL_FW_ERROR_DUMP_FW_MONITOR = 5,
        IWL_FW_ERROR_DUMP_PRPH = 6,
+        IWL_FW_ERROR_DUMP_TXF = 7,
+        IWL_FW_ERROR_DUMP_FH_REGS = 8,
        IWL_FW_ERROR_DUMP_MAX,
 };
diff --git a/drivers/net/wireless/iwlwifi/iwl-fw-file.h b/drivers/net/wireless/iwlwifi/iwl-fw-file.h
index 401f7be36b93..f2a047f6bb3e 100644
--- a/drivers/net/wireless/iwlwifi/iwl-fw-file.h
+++ b/drivers/net/wireless/iwlwifi/iwl-fw-file.h
@@ -131,6 +131,9 @@ enum iwl_ucode_tlv_type {
        IWL_UCODE_TLV_API_CHANGES_SET   = 29,
        IWL_UCODE_TLV_ENABLED_CAPABILITIES      = 30,
        IWL_UCODE_TLV_N_SCAN_CHANNELS           = 31,
+        IWL_UCODE_TLV_SEC_RT_USNIFFER   = 34,
+        IWL_UCODE_TLV_FW_DBG_DEST       = 38,
+        IWL_UCODE_TLV_FW_DBG_CONF       = 39,
 };
 struct iwl_ucode_tlv {
@@ -179,4 +182,309 @@ struct iwl_ucode_capa {
        __le32 api_capa;
 } __packed;
+/**
+ * enum iwl_ucode_tlv_flag - ucode API flags
+ * @IWL_UCODE_TLV_FLAGS_PAN: This is PAN capable microcode; this previously
+ *      was a separate TLV but moved here to save space.
+ * @IWL_UCODE_TLV_FLAGS_NEWSCAN: new uCode scan behaviour on hidden SSID,
+ *      treats good CRC threshold as a boolean
+ * @IWL_UCODE_TLV_FLAGS_MFP: This uCode image supports MFP (802.11w).
+ * @IWL_UCODE_TLV_FLAGS_P2P: This uCode image supports P2P.
+ * @IWL_UCODE_TLV_FLAGS_DW_BC_TABLE: The SCD byte count table is in DWORDS
+ * @IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT: This uCode image supports uAPSD
+ * @IWL_UCODE_TLV_FLAGS_SHORT_BL: 16 entries of black list instead of 64 in scan
+ *      offload profile config command.
+ * @IWL_UCODE_TLV_FLAGS_D3_6_IPV6_ADDRS: D3 image supports up to six
+ *      (rather than two) IPv6 addresses
+ * @IWL_UCODE_TLV_FLAGS_NO_BASIC_SSID: not sending a probe with the SSID element
+ *      from the probe request template.
+ * @IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_SMALL: new NS offload (small version)
+ * @IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_LARGE: new NS offload (large version)
+ * @IWL_UCODE_TLV_FLAGS_P2P_PM: P2P client supports PM as a stand alone MAC
+ * @IWL_UCODE_TLV_FLAGS_P2P_BSS_PS_DCM: support power save on BSS station and
+ *      P2P client interfaces simultaneously if they are in different bindings.
+ * @IWL_UCODE_TLV_FLAGS_P2P_BSS_PS_SCM: support power save on BSS station and
+ *      P2P client interfaces simultaneously if they are in same bindings.
+ * @IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT: General support for uAPSD
+ * @IWL_UCODE_TLV_FLAGS_P2P_PS_UAPSD: P2P client supports uAPSD power save
+ * @IWL_UCODE_TLV_FLAGS_BCAST_FILTERING: uCode supports broadcast filtering.
+ * @IWL_UCODE_TLV_FLAGS_GO_UAPSD: AP/GO interfaces support uAPSD clients
+ * @IWL_UCODE_TLV_FLAGS_EBS_SUPPORT: this uCode image supports EBS.
+ */
+enum iwl_ucode_tlv_flag {
+        IWL_UCODE_TLV_FLAGS_PAN                 = BIT(0),
+        IWL_UCODE_TLV_FLAGS_NEWSCAN             = BIT(1),
+        IWL_UCODE_TLV_FLAGS_MFP                 = BIT(2),
+        IWL_UCODE_TLV_FLAGS_P2P                 = BIT(3),
+        IWL_UCODE_TLV_FLAGS_DW_BC_TABLE         = BIT(4),
+        IWL_UCODE_TLV_FLAGS_SHORT_BL            = BIT(7),
+        IWL_UCODE_TLV_FLAGS_D3_6_IPV6_ADDRS     = BIT(10),
+        IWL_UCODE_TLV_FLAGS_NO_BASIC_SSID       = BIT(12),
+        IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_SMALL    = BIT(15),
+        IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_LARGE    = BIT(16),
+        IWL_UCODE_TLV_FLAGS_P2P_PM              = BIT(21),
+        IWL_UCODE_TLV_FLAGS_BSS_P2P_PS_DCM      = BIT(22),
+        IWL_UCODE_TLV_FLAGS_BSS_P2P_PS_SCM      = BIT(23),
+        IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT       = BIT(24),
+        IWL_UCODE_TLV_FLAGS_EBS_SUPPORT         = BIT(25),
+        IWL_UCODE_TLV_FLAGS_P2P_PS_UAPSD        = BIT(26),
+        IWL_UCODE_TLV_FLAGS_BCAST_FILTERING     = BIT(29),
+        IWL_UCODE_TLV_FLAGS_GO_UAPSD            = BIT(30),
+};
+/**
+ * enum iwl_ucode_tlv_api - ucode api
+ * @IWL_UCODE_TLV_API_WOWLAN_CONFIG_TID: wowlan config includes tid field.
+ * @IWL_UCODE_TLV_CAPA_EXTENDED_BEACON: Support Extended beacon notification
+ * @IWL_UCODE_TLV_API_BT_COEX_SPLIT: new API for BT Coex
+ * @IWL_UCODE_TLV_API_CSA_FLOW: ucode can do unbind-bind flow for CSA.
+ * @IWL_UCODE_TLV_API_DISABLE_STA_TX: ucode supports tx_disable bit.
+ * @IWL_UCODE_TLV_API_LMAC_SCAN: This ucode uses LMAC unified scan API.
+ * @IWL_UCODE_TLV_API_SF_NO_DUMMY_NOTIF: ucode supports disabling dummy notif.
+ * @IWL_UCODE_TLV_API_FRAGMENTED_SCAN: This ucode supports active dwell time
+ *      longer than the passive one, which is essential for fragmented scan.
+ */
+enum iwl_ucode_tlv_api {
+        IWL_UCODE_TLV_API_WOWLAN_CONFIG_TID     = BIT(0),
+        IWL_UCODE_TLV_CAPA_EXTENDED_BEACON      = BIT(1),
+        IWL_UCODE_TLV_API_BT_COEX_SPLIT         = BIT(3),
+        IWL_UCODE_TLV_API_CSA_FLOW              = BIT(4),
+        IWL_UCODE_TLV_API_DISABLE_STA_TX        = BIT(5),
+        IWL_UCODE_TLV_API_LMAC_SCAN             = BIT(6),
+        IWL_UCODE_TLV_API_SF_NO_DUMMY_NOTIF     = BIT(7),
+        IWL_UCODE_TLV_API_FRAGMENTED_SCAN       = BIT(8),
+};
+/**
+ * enum iwl_ucode_tlv_capa - ucode capabilities
+ * @IWL_UCODE_TLV_CAPA_D0I3_SUPPORT: supports D0i3
+ * @IWL_UCODE_TLV_CAPA_LAR_SUPPORT: supports Location Aware Regulatory
+ * @IWL_UCODE_TLV_CAPA_UMAC_SCAN: supports UMAC scan.
+ * @IWL_UCODE_TLV_CAPA_TDLS_SUPPORT: support basic TDLS functionality
+ * @IWL_UCODE_TLV_CAPA_TXPOWER_INSERTION_SUPPORT: supports insertion of current
+ *      tx power value into TPC Report action frame and Link Measurement Report
+ *      action frame
+ * @IWL_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT: supports updating current
+ *      channel in DS parameter set element in probe requests.
+ * @IWL_UCODE_TLV_CAPA_WFA_TPC_REP_IE_SUPPORT: supports adding TPC Report IE in
+ *      probe requests.
+ * @IWL_UCODE_TLV_CAPA_QUIET_PERIOD_SUPPORT: supports Quiet Period requests
+ * @IWL_UCODE_TLV_CAPA_DQA_SUPPORT: supports dynamic queue allocation (DQA),
+ *      which also implies support for the scheduler configuration command
+ * @IWL_UCODE_TLV_CAPA_TDLS_CHANNEL_SWITCH: supports TDLS channel switching
+ * @IWL_UCODE_TLV_CAPA_HOTSPOT_SUPPORT: supports Hot Spot Command
+ */
+enum iwl_ucode_tlv_capa {
+        IWL_UCODE_TLV_CAPA_D0I3_SUPPORT                 = BIT(0),
+        IWL_UCODE_TLV_CAPA_LAR_SUPPORT                  = BIT(1),
+        IWL_UCODE_TLV_CAPA_UMAC_SCAN                    = BIT(2),
+        IWL_UCODE_TLV_CAPA_TDLS_SUPPORT                 = BIT(6),
+        IWL_UCODE_TLV_CAPA_TXPOWER_INSERTION_SUPPORT    = BIT(8),
+        IWL_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT      = BIT(9),
+        IWL_UCODE_TLV_CAPA_WFA_TPC_REP_IE_SUPPORT       = BIT(10),
+        IWL_UCODE_TLV_CAPA_QUIET_PERIOD_SUPPORT         = BIT(11),
+        IWL_UCODE_TLV_CAPA_DQA_SUPPORT                  = BIT(12),
+        IWL_UCODE_TLV_CAPA_TDLS_CHANNEL_SWITCH          = BIT(13),
+        IWL_UCODE_TLV_CAPA_HOTSPOT_SUPPORT              = BIT(18),
+};
+/* The default calibrate table size if not specified by firmware file */
+#define IWL_DEFAULT_STANDARD_PHY_CALIBRATE_TBL_SIZE     18
+#define IWL_MAX_STANDARD_PHY_CALIBRATE_TBL_SIZE         19
+#define IWL_MAX_PHY_CALIBRATE_TBL_SIZE                  253
+/* The default max probe length if not specified by the firmware file */
+#define IWL_DEFAULT_MAX_PROBE_LENGTH    200
+/*
+ * For 16.0 uCode and above, there is no differentiation between sections,
+ * just an offset to the HW address.
+ */
+#define IWL_UCODE_SECTION_MAX 12
+#define IWL_API_ARRAY_SIZE      1
+#define IWL_CAPABILITIES_ARRAY_SIZE     1
+#define CPU1_CPU2_SEPARATOR_SECTION     0xFFFFCCCC
+/* uCode version contains 4 values: Major/Minor/API/Serial */
+#define IWL_UCODE_MAJOR(ver)    (((ver) & 0xFF000000) >> 24)
+#define IWL_UCODE_MINOR(ver)    (((ver) & 0x00FF0000) >> 16)
+#define IWL_UCODE_API(ver)      (((ver) & 0x0000FF00) >> 8)
+#define IWL_UCODE_SERIAL(ver)   ((ver) & 0x000000FF)
+/*
+ * Calibration control struct.
+ * Sent as part of the phy configuration command.
+ * @flow_trigger: bitmap for which calibrations to perform according to
+ *              flow triggers.
+ * @event_trigger: bitmap for which calibrations to perform according to
+ *              event triggers.
+ */
+struct iwl_tlv_calib_ctrl {
+        __le32 flow_trigger;
+        __le32 event_trigger;
+} __packed;
+enum iwl_fw_phy_cfg {
+        FW_PHY_CFG_RADIO_TYPE_POS = 0,
+        FW_PHY_CFG_RADIO_TYPE = 0x3 << FW_PHY_CFG_RADIO_TYPE_POS,
+        FW_PHY_CFG_RADIO_STEP_POS = 2,
+        FW_PHY_CFG_RADIO_STEP = 0x3 << FW_PHY_CFG_RADIO_STEP_POS,
+        FW_PHY_CFG_RADIO_DASH_POS = 4,
+        FW_PHY_CFG_RADIO_DASH = 0x3 << FW_PHY_CFG_RADIO_DASH_POS,
+        FW_PHY_CFG_TX_CHAIN_POS = 16,
+        FW_PHY_CFG_TX_CHAIN = 0xf << FW_PHY_CFG_TX_CHAIN_POS,
+        FW_PHY_CFG_RX_CHAIN_POS = 20,
+        FW_PHY_CFG_RX_CHAIN = 0xf << FW_PHY_CFG_RX_CHAIN_POS,
+};
+#define IWL_UCODE_MAX_CS                1
+/**
+ * struct iwl_fw_cipher_scheme - a cipher scheme supported by FW.
+ * @cipher: a cipher suite selector
+ * @flags: cipher scheme flags (currently reserved for a future use)
+ * @hdr_len: a size of MPDU security header
+ * @pn_len: a size of PN
+ * @pn_off: an offset of pn from the beginning of the security header
+ * @key_idx_off: an offset of key index byte in the security header
+ * @key_idx_mask: a bit mask of key_idx bits
+ * @key_idx_shift: bit shift needed to get key_idx
+ * @mic_len: mic length in bytes
+ * @hw_cipher: a HW cipher index used in host commands
+ */
+struct iwl_fw_cipher_scheme {
+        __le32 cipher;
+        u8 flags;
+        u8 hdr_len;
+        u8 pn_len;
+        u8 pn_off;
+        u8 key_idx_off;
+        u8 key_idx_mask;
+        u8 key_idx_shift;
+        u8 mic_len;
+        u8 hw_cipher;
+} __packed;
+enum iwl_fw_dbg_reg_operator {
+        CSR_ASSIGN,
+        CSR_SETBIT,
+        CSR_CLEARBIT,
+        PRPH_ASSIGN,
+        PRPH_SETBIT,
+        PRPH_CLEARBIT,
+};
+/**
+ * struct iwl_fw_dbg_reg_op - an operation on a register
+ *
+ * @op: %enum iwl_fw_dbg_reg_operator
+ * @addr: offset of the register
+ * @val: value
+ */
+struct iwl_fw_dbg_reg_op {
+        u8 op;
+        u8 reserved[3];
+        __le32 addr;
+        __le32 val;
+} __packed;
+/**
+ * enum iwl_fw_dbg_monitor_mode - available monitor recording modes
+ *
+ * @SMEM_MODE: monitor stores the data in SMEM
+ * @EXTERNAL_MODE: monitor stores the data in allocated DRAM
+ * @MARBH_MODE: monitor stores the data in MARBH buffer
+ */
+enum iwl_fw_dbg_monitor_mode {
+        SMEM_MODE = 0,
+        EXTERNAL_MODE = 1,
+        MARBH_MODE = 2,
+};
+/**
+ * struct iwl_fw_dbg_dest_tlv - configures the destination of the debug data
+ *
+ * @version: version of the TLV - currently 0
+ * @monitor_mode: %enum iwl_fw_dbg_monitor_mode
+ * @base_reg: addr of the base addr register (PRPH)
+ * @end_reg:  addr of the end addr register (PRPH)
+ * @write_ptr_reg: the addr of the reg of the write pointer
+ * @wrap_count: the addr of the reg of the wrap_count
+ * @base_shift: shift right of the base addr reg
+ * @end_shift: shift right of the end addr reg
+ * @reg_ops: array of registers operations
+ *
+ * This parses IWL_UCODE_TLV_FW_DBG_DEST
+ */
+struct iwl_fw_dbg_dest_tlv {
+        u8 version;
+        u8 monitor_mode;
+        u8 reserved[2];
+        __le32 base_reg;
+        __le32 end_reg;
+        __le32 write_ptr_reg;
+        __le32 wrap_count;
+        u8 base_shift;
+        u8 end_shift;
+        struct iwl_fw_dbg_reg_op reg_ops[0];
+} __packed;
+struct iwl_fw_dbg_conf_hcmd {
+        u8 id;
+        u8 reserved;
+        __le16 len;
+        u8 data[0];
+} __packed;
+/**
+ * struct iwl_fw_dbg_trigger - a TLV that describes a debug configuration
+ *
+ * @enabled: is this trigger enabled
+ * @reserved:
+ * @len: length, in bytes, of the %trigger field
+ * @trigger: pointer to a trigger struct
+ */
+struct iwl_fw_dbg_trigger {
+        u8 enabled;
+        u8 reserved;
+        u8 len;
+        u8 trigger[0];
+} __packed;
+/**
+ * enum iwl_fw_dbg_conf - configurations available
+ *
+ * @FW_DBG_CUSTOM: take this configuration from alive
+ *      Note that the trigger is NO-OP for this configuration
+ */
+enum iwl_fw_dbg_conf {
+        FW_DBG_CUSTOM = 0,
+        /* must be last */
+        FW_DBG_MAX,
+        FW_DBG_INVALID = 0xff,
+};
+/**
+ * struct iwl_fw_dbg_conf_tlv - a TLV that describes a debug configuration
+ *
+ * @id: %enum iwl_fw_dbg_conf
+ * @usniffer: should the uSniffer image be used
+ * @num_of_hcmds: how many HCMDs to send are present here
+ * @hcmd: a variable length host command to be sent to apply the configuration.
+ *      If there is more than one HCMD to send, they will appear one after the
+ *      other and be sent in the order that they appear in.
+ * This parses IWL_UCODE_TLV_FW_DBG_CONF
+ */
+struct iwl_fw_dbg_conf_tlv {
+        u8 id;
+        u8 usniffer;
+        u8 reserved;
+        u8 num_of_hcmds;
+        struct iwl_fw_dbg_conf_hcmd hcmd;
+        /* struct iwl_fw_dbg_trigger sits after all variable length hcmds */
+} __packed;
 #endif  /* __iwl_fw_file_h__ */
diff --git a/drivers/net/wireless/iwlwifi/iwl-fw.h b/drivers/net/wireless/iwlwifi/iwl-fw.h
index 6f7ae5f7bdae..e6dc3b870949 100644
--- a/drivers/net/wireless/iwlwifi/iwl-fw.h
+++ b/drivers/net/wireless/iwlwifi/iwl-fw.h
@@ -70,110 +70,6 @@
 #include "iwl-fw-file.h"
 /**
- * enum iwl_ucode_tlv_flag - ucode API flags
- * @IWL_UCODE_TLV_FLAGS_PAN: This is PAN capable microcode; this previously
- *      was a separate TLV but moved here to save space.
- * @IWL_UCODE_TLV_FLAGS_NEWSCAN: new uCode scan behaviour on hidden SSID,
- *      treats good CRC threshold as a boolean
- * @IWL_UCODE_TLV_FLAGS_MFP: This uCode image supports MFP (802.11w).
- * @IWL_UCODE_TLV_FLAGS_P2P: This uCode image supports P2P.
- * @IWL_UCODE_TLV_FLAGS_DW_BC_TABLE: The SCD byte count table is in DWORDS
- * @IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT: This uCode image supports uAPSD
- * @IWL_UCODE_TLV_FLAGS_SHORT_BL: 16 entries of black list instead of 64 in scan
- *      offload profile config command.
- * @IWL_UCODE_TLV_FLAGS_D3_6_IPV6_ADDRS: D3 image supports up to six
- *      (rather than two) IPv6 addresses
- * @IWL_UCODE_TLV_FLAGS_NO_BASIC_SSID: not sending a probe with the SSID element
- *      from the probe request template.
- * @IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_SMALL: new NS offload (small version)
- * @IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_LARGE: new NS offload (large version)
- * @IWL_UCODE_TLV_FLAGS_P2P_PM: P2P client supports PM as a stand alone MAC
- * @IWL_UCODE_TLV_FLAGS_P2P_BSS_PS_DCM: support power save on BSS station and
- *      P2P client interfaces simultaneously if they are in different bindings.
- * @IWL_UCODE_TLV_FLAGS_P2P_BSS_PS_SCM: support power save on BSS station and
- *      P2P client interfaces simultaneously if they are in same bindings.
- * @IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT: General support for uAPSD
- * @IWL_UCODE_TLV_FLAGS_P2P_PS_UAPSD: P2P client supports uAPSD power save
- * @IWL_UCODE_TLV_FLAGS_BCAST_FILTERING: uCode supports broadcast filtering.
- * @IWL_UCODE_TLV_FLAGS_GO_UAPSD: AP/GO interfaces support uAPSD clients
- * @IWL_UCODE_TLV_FLAGS_EBS_SUPPORT: this uCode image supports EBS.
- */
-enum iwl_ucode_tlv_flag {
-        IWL_UCODE_TLV_FLAGS_PAN                 = BIT(0),
-        IWL_UCODE_TLV_FLAGS_NEWSCAN             = BIT(1),
-        IWL_UCODE_TLV_FLAGS_MFP                 = BIT(2),
-        IWL_UCODE_TLV_FLAGS_P2P                 = BIT(3),
-        IWL_UCODE_TLV_FLAGS_DW_BC_TABLE         = BIT(4),
-        IWL_UCODE_TLV_FLAGS_SHORT_BL            = BIT(7),
-        IWL_UCODE_TLV_FLAGS_D3_6_IPV6_ADDRS     = BIT(10),
-        IWL_UCODE_TLV_FLAGS_NO_BASIC_SSID       = BIT(12),
-        IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_SMALL    = BIT(15),
-        IWL_UCODE_TLV_FLAGS_NEW_NSOFFL_LARGE    = BIT(16),
-        IWL_UCODE_TLV_FLAGS_P2P_PM              = BIT(21),
-        IWL_UCODE_TLV_FLAGS_BSS_P2P_PS_DCM      = BIT(22),
-        IWL_UCODE_TLV_FLAGS_BSS_P2P_PS_SCM      = BIT(23),
-        IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT       = BIT(24),
-        IWL_UCODE_TLV_FLAGS_EBS_SUPPORT         = BIT(25),
-        IWL_UCODE_TLV_FLAGS_P2P_PS_UAPSD        = BIT(26),
-        IWL_UCODE_TLV_FLAGS_BCAST_FILTERING     = BIT(29),
-        IWL_UCODE_TLV_FLAGS_GO_UAPSD            = BIT(30),
-};
-/**
- * enum iwl_ucode_tlv_api - ucode api
- * @IWL_UCODE_TLV_API_WOWLAN_CONFIG_TID: wowlan config includes tid field.
- * @IWL_UCODE_TLV_CAPA_EXTENDED_BEACON: Support Extended beacon notification
- * @IWL_UCODE_TLV_API_BT_COEX_SPLIT: new API for BT Coex
- * @IWL_UCODE_TLV_API_CSA_FLOW: ucode can do unbind-bind flow for CSA.
- * @IWL_UCODE_TLV_API_DISABLE_STA_TX: ucode supports tx_disable bit.
- * @IWL_UCODE_TLV_API_LMAC_SCAN: This ucode uses LMAC unified scan API.
- * @IWL_UCODE_TLV_API_SF_NO_DUMMY_NOTIF: ucode supports disabling dummy notif.
- * @IWL_UCODE_TLV_API_FRAGMENTED_SCAN: This ucode supports active dwell time
- *      longer than the passive one, which is essential for fragmented scan.
- */
-enum iwl_ucode_tlv_api {
-        IWL_UCODE_TLV_API_WOWLAN_CONFIG_TID     = BIT(0),
-        IWL_UCODE_TLV_CAPA_EXTENDED_BEACON      = BIT(1),
-        IWL_UCODE_TLV_API_BT_COEX_SPLIT         = BIT(3),
-        IWL_UCODE_TLV_API_CSA_FLOW              = BIT(4),
-        IWL_UCODE_TLV_API_DISABLE_STA_TX        = BIT(5),
-        IWL_UCODE_TLV_API_LMAC_SCAN             = BIT(6),
-        IWL_UCODE_TLV_API_SF_NO_DUMMY_NOTIF     = BIT(7),
-        IWL_UCODE_TLV_API_FRAGMENTED_SCAN       = BIT(8),
-};
-/**
- * enum iwl_ucode_tlv_capa - ucode capabilities
- * @IWL_UCODE_TLV_CAPA_D0I3_SUPPORT: supports D0i3
- * @IWL_UCODE_TLV_CAPA_TXPOWER_INSERTION_SUPPORT: supports insertion of current
- *      tx power value into TPC Report action frame and Link Measurement Report
- *      action frame
- * @IWL_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT: supports adding DS params
- *      element in probe requests.
- * @IWL_UCODE_TLV_CAPA_WFA_TPC_REP_IE_SUPPORT: supports adding TPC Report IE in
- *      probe requests.
- * @IWL_UCODE_TLV_CAPA_QUIET_PERIOD_SUPPORT: supports Quiet Period requests
- * @IWL_UCODE_TLV_CAPA_DQA_SUPPORT: supports dynamic queue allocation (DQA),
- *      which also implies support for the scheduler configuration command
- */
-enum iwl_ucode_tlv_capa {
-        IWL_UCODE_TLV_CAPA_D0I3_SUPPORT                 = BIT(0),
-        IWL_UCODE_TLV_CAPA_TXPOWER_INSERTION_SUPPORT    = BIT(8),
-        IWL_UCODE_TLV_CAPA_DS_PARAM_SET_IE_SUPPORT      = BIT(9),
-        IWL_UCODE_TLV_CAPA_WFA_TPC_REP_IE_SUPPORT       = BIT(10),
-        IWL_UCODE_TLV_CAPA_QUIET_PERIOD_SUPPORT         = BIT(11),
-        IWL_UCODE_TLV_CAPA_DQA_SUPPORT                  = BIT(12),
-};
-/* The default calibrate table size if not specified by firmware file */
-#define IWL_DEFAULT_STANDARD_PHY_CALIBRATE_TBL_SIZE     18
-#define IWL_MAX_STANDARD_PHY_CALIBRATE_TBL_SIZE         19
-#define IWL_MAX_PHY_CALIBRATE_TBL_SIZE                  253
-/* The default max probe length if not specified by the firmware file */
-#define IWL_DEFAULT_MAX_PROBE_LENGTH    200
-/**
 * enum iwl_ucode_type
 *
 * The type of ucode.
@@ -181,11 +77,13 @@ enum iwl_ucode_tlv_capa {
 * @IWL_UCODE_REGULAR: Normal runtime ucode
 * @IWL_UCODE_INIT: Initial ucode
 * @IWL_UCODE_WOWLAN: Wake on Wireless enabled ucode
+ * @IWL_UCODE_REGULAR_USNIFFER: Normal runtime ucode when using usniffer image
 */
 enum iwl_ucode_type {
        IWL_UCODE_REGULAR,
        IWL_UCODE_INIT,
        IWL_UCODE_WOWLAN,
+        IWL_UCODE_REGULAR_USNIFFER,
        IWL_UCODE_TYPE_MAX,
 };
@@ -200,14 +98,6 @@ enum iwl_ucode_sec {
        IWL_UCODE_SECTION_DATA,
        IWL_UCODE_SECTION_INST,
 };
-/*
- * For 16.0 uCode and above, there is no differentiation between sections,
- * just an offset to the HW address.
- */
-#define IWL_UCODE_SECTION_MAX 12
-#define IWL_API_ARRAY_SIZE      1
-#define IWL_CAPABILITIES_ARRAY_SIZE     1
-#define CPU1_CPU2_SEPARATOR_SECTION     0xFFFFCCCC
 struct iwl_ucode_capabilities {
        u32 max_probe_length;
@@ -235,66 +125,6 @@ struct iwl_sf_region {
        u32 size;
 };
-/* uCode version contains 4 values: Major/Minor/API/Serial */
-#define IWL_UCODE_MAJOR(ver)    (((ver) & 0xFF000000) >> 24)
-#define IWL_UCODE_MINOR(ver)    (((ver) & 0x00FF0000) >> 16)
-#define IWL_UCODE_API(ver)      (((ver) & 0x0000FF00) >> 8)
-#define IWL_UCODE_SERIAL(ver)   ((ver) & 0x000000FF)
-/*
- * Calibration control struct.
- * Sent as part of the phy configuration command.
- * @flow_trigger: bitmap for which calibrations to perform according to
- *              flow triggers.
- * @event_trigger: bitmap for which calibrations to perform according to
- *              event triggers.
- */
-struct iwl_tlv_calib_ctrl {
-        __le32 flow_trigger;
-        __le32 event_trigger;
-} __packed;
-enum iwl_fw_phy_cfg {
-        FW_PHY_CFG_RADIO_TYPE_POS = 0,
-        FW_PHY_CFG_RADIO_TYPE = 0x3 << FW_PHY_CFG_RADIO_TYPE_POS,
-        FW_PHY_CFG_RADIO_STEP_POS = 2,
-        FW_PHY_CFG_RADIO_STEP = 0x3 << FW_PHY_CFG_RADIO_STEP_POS,
-        FW_PHY_CFG_RADIO_DASH_POS = 4,
-        FW_PHY_CFG_RADIO_DASH = 0x3 << FW_PHY_CFG_RADIO_DASH_POS,
-        FW_PHY_CFG_TX_CHAIN_POS = 16,
-        FW_PHY_CFG_TX_CHAIN = 0xf << FW_PHY_CFG_TX_CHAIN_POS,
-        FW_PHY_CFG_RX_CHAIN_POS = 20,
-        FW_PHY_CFG_RX_CHAIN = 0xf << FW_PHY_CFG_RX_CHAIN_POS,
-};
-#define IWL_UCODE_MAX_CS                1
-/**
- * struct iwl_fw_cipher_scheme - a cipher scheme supported by FW.
- * @cipher: a cipher suite selector
- * @flags: cipher scheme flags (currently reserved for a future use)
- * @hdr_len: a size of MPDU security header
- * @pn_len: a size of PN
- * @pn_off: an offset of pn from the beginning of the security header
- * @key_idx_off: an offset of key index byte in the security header
- * @key_idx_mask: a bit mask of key_idx bits
- * @key_idx_shift: bit shift needed to get key_idx
- * @mic_len: mic length in bytes
- * @hw_cipher: a HW cipher index used in host commands
- */
-struct iwl_fw_cipher_scheme {
-        __le32 cipher;
-        u8 flags;
-        u8 hdr_len;
-        u8 pn_len;
-        u8 pn_off;
-        u8 key_idx_off;
-        u8 key_idx_mask;
-        u8 key_idx_shift;
-        u8 mic_len;
-        u8 hw_cipher;
-} __packed;
 /**
 * struct iwl_fw_cscheme_list - a cipher scheme list
 * @size: a number of entries
@@ -321,6 +151,11 @@ struct iwl_fw_cscheme_list {
 * @inst_errlog_ptr: error log offfset for runtime ucode.
 * @mvm_fw: indicates this is MVM firmware
 * @cipher_scheme: optional external cipher scheme.
+ * @human_readable: human readable version
+ * @dbg_dest_tlv: points to the destination TLV for debug
+ * @dbg_conf_tlv: array of pointers to configuration TLVs for debug
+ * @dbg_conf_tlv_len: lengths of the @dbg_conf_tlv entries
+ * @dbg_dest_reg_num: num of reg_ops in %dbg_dest_tlv
 */
 struct iwl_fw {
        u32 ucode_ver;
@@ -345,6 +180,68 @@ struct iwl_fw {
        struct ieee80211_cipher_scheme cs[IWL_UCODE_MAX_CS];
        u8 human_readable[FW_VER_HUMAN_READABLE_SZ];
+        struct iwl_fw_dbg_dest_tlv *dbg_dest_tlv;
+        struct iwl_fw_dbg_conf_tlv *dbg_conf_tlv[FW_DBG_MAX];
+        size_t dbg_conf_tlv_len[FW_DBG_MAX];
+        u8 dbg_dest_reg_num;
 };
+static inline const char *get_fw_dbg_mode_string(int mode)
+{
+        switch (mode) {
+        case SMEM_MODE:
+                return "SMEM";
+        case EXTERNAL_MODE:
+                return "EXTERNAL_DRAM";
+        case MARBH_MODE:
+                return "MARBH";
+        default:
+                return "UNKNOWN";
+        }
+}
+static inline const struct iwl_fw_dbg_trigger *
+iwl_fw_dbg_conf_get_trigger(const struct iwl_fw *fw, u8 id)
+{
+        const struct iwl_fw_dbg_conf_tlv *conf_tlv = fw->dbg_conf_tlv[id];
+        u8 *ptr;
+        int i;
+        if (!conf_tlv)
+                return NULL;
+        ptr = (void *)&conf_tlv->hcmd;
+        for (i = 0; i < conf_tlv->num_of_hcmds; i++) {
+                ptr += sizeof(conf_tlv->hcmd);
+                ptr += le16_to_cpu(conf_tlv->hcmd.len);
+        }
+        return (const struct iwl_fw_dbg_trigger *)ptr;
+}
+static inline bool
+iwl_fw_dbg_conf_enabled(const struct iwl_fw *fw, u8 id)
+{
+        const struct iwl_fw_dbg_trigger *trigger =
+                iwl_fw_dbg_conf_get_trigger(fw, id);
+        if (!trigger)
+                return false;
+        return trigger->enabled;
+}
+static inline bool
+iwl_fw_dbg_conf_usniffer(const struct iwl_fw *fw, u8 id)
+{
+        const struct iwl_fw_dbg_conf_tlv *conf_tlv = fw->dbg_conf_tlv[id];
+        if (!conf_tlv)
+                return false;
+        return conf_tlv->usniffer;
+}
 #endif  /* __iwl_fw_h__ */
diff --git a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
index c302e7468559..06e02fcd6f7b 100644
--- a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
+++ b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
@@ -325,6 +325,8 @@ static void iwl_init_vht_hw_capab(const struct iwl_cfg *cfg,
 {
        int num_rx_ants = num_of_ant(rx_chains);
        int num_tx_ants = num_of_ant(tx_chains);
+        unsigned int max_ampdu_exponent = (cfg->max_vht_ampdu_exponent ?:
+                                           IEEE80211_VHT_MAX_AMPDU_1024K);
        vht_cap->vht_supported = true;
@@ -332,7 +334,8 @@ static void iwl_init_vht_hw_capab(const struct iwl_cfg *cfg,
                       IEEE80211_VHT_CAP_RXSTBC_1 |
                       IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
                       3 << IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT |
-                       7 << IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT;
+                       max_ampdu_exponent <<
+                       IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_SHIFT;
        if (cfg->ht_params->ldpc)
                vht_cap->cap |= IEEE80211_VHT_CAP_RXLDPC;
diff --git a/drivers/net/wireless/iwlwifi/iwl-op-mode.h b/drivers/net/wireless/iwlwifi/iwl-op-mode.h
index b6d666ee8359..17de6d46222a 100644
--- a/drivers/net/wireless/iwlwifi/iwl-op-mode.h
+++ b/drivers/net/wireless/iwlwifi/iwl-op-mode.h
@@ -138,7 +138,8 @@ struct iwl_cfg;
 * @nic_config: configure NIC, called before firmware is started.
 *      May sleep
 * @wimax_active: invoked when WiMax becomes active. May sleep
- * @enter_d0i3: configure the fw to enter d0i3. May sleep.
+ * @enter_d0i3: configure the fw to enter d0i3. return 1 to indicate d0i3
+ *      entrance is aborted (e.g. due to held reference). May sleep.
 * @exit_d0i3: configure the fw to exit d0i3. May sleep.
 */
 struct iwl_op_mode_ops {
diff --git a/drivers/net/wireless/iwlwifi/iwl-prph.h b/drivers/net/wireless/iwlwifi/iwl-prph.h
index 1560f4576c7d..2df51eab1348 100644
--- a/drivers/net/wireless/iwlwifi/iwl-prph.h
+++ b/drivers/net/wireless/iwlwifi/iwl-prph.h
@@ -322,6 +322,7 @@ enum secure_boot_config_reg {
        LMPM_SECURE_BOOT_CONFIG_INSPECTOR_NOT_REQ       = 0x00000002,
 };
+#define LMPM_SECURE_BOOT_CPU1_STATUS_ADDR_B0    (0xA01E30)
 #define LMPM_SECURE_BOOT_CPU1_STATUS_ADDR       (0x1E30)
 #define LMPM_SECURE_BOOT_CPU2_STATUS_ADDR       (0x1E34)
 enum secure_boot_status_reg {
@@ -333,6 +334,7 @@ enum secure_boot_status_reg {
        LMPM_SECURE_BOOT_STATUS_SUCCESS                 = 0x00000003,
 };
+#define FH_UCODE_LOAD_STATUS            (0x1AF0)
 #define CSR_UCODE_LOAD_STATUS_ADDR      (0x1E70)
 enum secure_load_status_reg {
        LMPM_CPU_UCODE_LOADING_STARTED                  = 0x00000001,
@@ -352,7 +354,7 @@ enum secure_load_status_reg {
 #define LMPM_SECURE_CPU1_HDR_MEM_SPACE          (0x420000)
 #define LMPM_SECURE_CPU2_HDR_MEM_SPACE          (0x420400)
-#define LMPM_SECURE_TIME_OUT    (100)
+#define LMPM_SECURE_TIME_OUT    (100) /* 10 micro */
 /* Rx FIFO */
 #define RXF_SIZE_ADDR                   (0xa00c88)
@@ -368,4 +370,10 @@ enum secure_load_status_reg {
 #define MON_BUFF_WRPTR                  (0xa03c44)
 #define MON_BUFF_CYCLE_CNT              (0xa03c48)
+/* FW chicken bits */
+#define LMPM_CHICK                      0xA01FF8
+enum {
+        LMPM_CHICK_EXTENDED_ADDR_SPACE = BIT(0),
+};
 #endif                          /* __iwl_prph_h__ */
diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h
index 0768f83e709d..028408a6ecba 100644
--- a/drivers/net/wireless/iwlwifi/iwl-trans.h
+++ b/drivers/net/wireless/iwlwifi/iwl-trans.h
@@ -534,6 +534,8 @@ struct iwl_trans_ops {
                              u32 value);
        void (*ref)(struct iwl_trans *trans);
        void (*unref)(struct iwl_trans *trans);
+        void (*suspend)(struct iwl_trans *trans);
+        void (*resume)(struct iwl_trans *trans);
        struct iwl_trans_dump_data *(*dump_data)(struct iwl_trans *trans);
 };
@@ -572,6 +574,9 @@ enum iwl_trans_state {
 * @rx_mpdu_cmd_hdr_size: used for tracing, amount of data before the
 *      start of the 802.11 header in the @rx_mpdu_cmd
 * @dflt_pwr_limit: default power limit fetched from the platform (ACPI)
+ * @dbg_dest_tlv: points to the destination TLV for debug
+ * @dbg_conf_tlv: array of pointers to configuration TLVs for debug
+ * @dbg_dest_reg_num: num of reg_ops in %dbg_dest_tlv
 */
 struct iwl_trans {
        const struct iwl_trans_ops *ops;
@@ -603,6 +608,10 @@ struct iwl_trans {
        u64 dflt_pwr_limit;
+        const struct iwl_fw_dbg_dest_tlv *dbg_dest_tlv;
+        const struct iwl_fw_dbg_conf_tlv *dbg_conf_tlv[FW_DBG_MAX];
+        u8 dbg_dest_reg_num;
        /* pointer to trans specific struct */
        /*Ensure that this pointer will always be aligned to sizeof pointer */
        char trans_specific[0] __aligned(sizeof(void *));
@@ -702,6 +711,18 @@ static inline void iwl_trans_unref(struct iwl_trans *trans)
                trans->ops->unref(trans);
 }
+static inline void iwl_trans_suspend(struct iwl_trans *trans)
+{
+        if (trans->ops->suspend)
+                trans->ops->suspend(trans);
+}
+static inline void iwl_trans_resume(struct iwl_trans *trans)
+{
+        if (trans->ops->resume)
+                trans->ops->resume(trans);
+}
 static inline struct iwl_trans_dump_data *
 iwl_trans_dump_data(struct iwl_trans *trans)
 {
diff --git a/drivers/net/wireless/iwlwifi/mvm/coex.c b/drivers/net/wireless/iwlwifi/mvm/coex.c
index 508c81359e41..a3bfda45d9e6 100644
--- a/drivers/net/wireless/iwlwifi/mvm/coex.c
+++ b/drivers/net/wireless/iwlwifi/mvm/coex.c
@@ -1137,6 +1137,22 @@ bool iwl_mvm_bt_coex_is_mimo_allowed(struct iwl_mvm *mvm,
        return lut_type != BT_COEX_LOOSE_LUT;
 }
+bool iwl_mvm_bt_coex_is_ant_avail(struct iwl_mvm *mvm, u8 ant)
+{
+        /* there is no other antenna, shared antenna is always available */
+        if (mvm->cfg->bt_shared_single_ant)
+                return true;
+        if (ant & mvm->cfg->non_shared_ant)
+                return true;
+        if (!(mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_BT_COEX_SPLIT))
+                return iwl_mvm_bt_coex_is_shared_ant_avail_old(mvm);
+        return le32_to_cpu(mvm->last_bt_notif.bt_activity_grading) <
+                BT_HIGH_TRAFFIC;
+}
 bool iwl_mvm_bt_coex_is_shared_ant_avail(struct iwl_mvm *mvm)
 {
        /* there is no other antenna, shared antenna is always available */
diff --git a/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c b/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c
index b571e1b0550c..b3210cfbecc8 100644
--- a/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c
+++ b/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c
@@ -612,7 +612,9 @@ int iwl_send_bt_init_conf_old(struct iwl_mvm *mvm)
                                            BT_VALID_ANT_ISOLATION_THRS |
                                            BT_VALID_TXTX_DELTA_FREQ_THRS |
                                            BT_VALID_TXRX_MAX_FREQ_0 |
-                                            BT_VALID_SYNC_TO_SCO);
+                                            BT_VALID_SYNC_TO_SCO |
+                                            BT_VALID_TTC |
+                                            BT_VALID_RRC);
        if (IWL_MVM_BT_COEX_SYNC2SCO)
                bt_cmd->flags |= cpu_to_le32(BT_COEX_SYNC2SCO);
@@ -628,6 +630,12 @@ int iwl_send_bt_init_conf_old(struct iwl_mvm *mvm)
                bt_cmd->valid_bit_msk |= cpu_to_le32(BT_VALID_MULTI_PRIO_LUT);
        }
+        if (IWL_MVM_BT_COEX_TTC)
+                bt_cmd->flags |= cpu_to_le32(BT_COEX_TTC);
+        if (IWL_MVM_BT_COEX_RRC)
+                bt_cmd->flags |= cpu_to_le32(BT_COEX_RRC);
        if (mvm->cfg->bt_shared_single_ant)
                memcpy(&bt_cmd->decision_lut, iwl_single_shared_ant,
                       sizeof(iwl_single_shared_ant));
@@ -824,6 +832,9 @@ static void iwl_mvm_bt_notif_iterator(void *_data, u8 *mac,
        if (!vif->bss_conf.assoc)
                smps_mode = IEEE80211_SMPS_AUTOMATIC;
+        if (data->notif->rrc_enabled & BIT(mvmvif->phy_ctxt->id))
+                smps_mode = IEEE80211_SMPS_AUTOMATIC;
        IWL_DEBUG_COEX(data->mvm,
                       "mac %d: bt_status %d bt_activity_grading %d smps_req %d\n",
                       mvmvif->id, data->notif->bt_status, bt_activity_grading,
@@ -1156,6 +1167,12 @@ bool iwl_mvm_bt_coex_is_mimo_allowed_old(struct iwl_mvm *mvm,
        return lut_type != BT_COEX_LOOSE_LUT;
 }
+bool iwl_mvm_bt_coex_is_ant_avail_old(struct iwl_mvm *mvm, u8 ant)
+{
+        u32 ag = le32_to_cpu(mvm->last_bt_notif_old.bt_activity_grading);
+        return ag < BT_HIGH_TRAFFIC;
+}
 bool iwl_mvm_bt_coex_is_shared_ant_avail_old(struct iwl_mvm *mvm)
 {
        u32 ag = le32_to_cpu(mvm->last_bt_notif_old.bt_activity_grading);
diff --git a/drivers/net/wireless/iwlwifi/mvm/constants.h b/drivers/net/wireless/iwlwifi/mvm/constants.h
index 5c1ea80d5e3b..3bd93476ec1c 100644
--- a/drivers/net/wireless/iwlwifi/mvm/constants.h
+++ b/drivers/net/wireless/iwlwifi/mvm/constants.h
@@ -92,8 +92,10 @@
 #define IWL_MVM_BT_COEX_SYNC2SCO                1
 #define IWL_MVM_BT_COEX_CORUNNING               0
 #define IWL_MVM_BT_COEX_MPLUT                   1
-#define IWL_MVM_BT_COEX_MPLUT_REG0              0x2e402280
+#define IWL_MVM_BT_COEX_RRC                     1
-#define IWL_MVM_BT_COEX_MPLUT_REG1              0x7711a751
+#define IWL_MVM_BT_COEX_TTC                     1
+#define IWL_MVM_BT_COEX_MPLUT_REG0              0x28412201
+#define IWL_MVM_BT_COEX_MPLUT_REG1              0x11118451
 #define IWL_MVM_BT_COEX_ANTENNA_COUPLING_THRS   30
 #define IWL_MVM_FW_MCAST_FILTER_PASS_ALL        0
 #define IWL_MVM_FW_BCAST_FILTER_PASS_ALL        0
diff --git a/drivers/net/wireless/iwlwifi/mvm/d3.c b/drivers/net/wireless/iwlwifi/mvm/d3.c
index 3bbb511b0b38..744de262373e 100644
--- a/drivers/net/wireless/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/iwlwifi/mvm/d3.c
@@ -786,32 +786,18 @@ static int iwl_mvm_switch_to_d3(struct iwl_mvm *mvm)
 }
 static int
-iwl_mvm_send_wowlan_config_cmd(struct iwl_mvm *mvm,
-                               const struct iwl_wowlan_config_cmd_v3 *cmd)
-{
-        /* start only with the v2 part of the command */
-        u16 cmd_len = sizeof(cmd->common);
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_WOWLAN_CONFIG_TID)
-                cmd_len = sizeof(*cmd);
-        return iwl_mvm_send_cmd_pdu(mvm, WOWLAN_CONFIGURATION, 0,
-                                    cmd_len, cmd);
-}
-static int
 iwl_mvm_get_wowlan_config(struct iwl_mvm *mvm,
                          struct cfg80211_wowlan *wowlan,
-                          struct iwl_wowlan_config_cmd_v3 *wowlan_config_cmd,
+                          struct iwl_wowlan_config_cmd *wowlan_config_cmd,
                          struct ieee80211_vif *vif, struct iwl_mvm_vif *mvmvif,
                          struct ieee80211_sta *ap_sta)
 {
        int ret;
        struct iwl_mvm_sta *mvm_ap_sta = (struct iwl_mvm_sta *)ap_sta->drv_priv;
-        /* TODO: wowlan_config_cmd->common.wowlan_ba_teardown_tids */
+        /* TODO: wowlan_config_cmd->wowlan_ba_teardown_tids */
-        wowlan_config_cmd->common.is_11n_connection =
+        wowlan_config_cmd->is_11n_connection =
                                        ap_sta->ht_cap.ht_supported;
        /* Query the last used seqno and set it */
@@ -819,32 +805,32 @@ iwl_mvm_get_wowlan_config(struct iwl_mvm *mvm,
        if (ret < 0)
                return ret;
-        wowlan_config_cmd->common.non_qos_seq = cpu_to_le16(ret);
+        wowlan_config_cmd->non_qos_seq = cpu_to_le16(ret);
-        iwl_mvm_set_wowlan_qos_seq(mvm_ap_sta, &wowlan_config_cmd->common);
+        iwl_mvm_set_wowlan_qos_seq(mvm_ap_sta, wowlan_config_cmd);
        if (wowlan->disconnect)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_BEACON_MISS |
                                    IWL_WOWLAN_WAKEUP_LINK_CHANGE);
        if (wowlan->magic_pkt)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_MAGIC_PACKET);
        if (wowlan->gtk_rekey_failure)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_GTK_REKEY_FAIL);
        if (wowlan->eap_identity_req)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_EAP_IDENT_REQ);
        if (wowlan->four_way_handshake)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_4WAY_HANDSHAKE);
        if (wowlan->n_patterns)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_PATTERN_MATCH);
        if (wowlan->rfkill_release)
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_RF_KILL_DEASSERT);
        if (wowlan->tcp) {
@@ -852,7 +838,7 @@ iwl_mvm_get_wowlan_config(struct iwl_mvm *mvm,
                 * Set the "link change" (really "link lost") flag as well
                 * since that implies losing the TCP connection.
                 */
-                wowlan_config_cmd->common.wakeup_filter |=
+                wowlan_config_cmd->wakeup_filter |=
                        cpu_to_le32(IWL_WOWLAN_WAKEUP_REMOTE_LINK_LOSS |
                                    IWL_WOWLAN_WAKEUP_REMOTE_SIGNATURE_TABLE |
                                    IWL_WOWLAN_WAKEUP_REMOTE_WAKEUP_PACKET |
@@ -865,7 +851,7 @@ iwl_mvm_get_wowlan_config(struct iwl_mvm *mvm,
 static int
 iwl_mvm_wowlan_config(struct iwl_mvm *mvm,
                      struct cfg80211_wowlan *wowlan,
-                      struct iwl_wowlan_config_cmd_v3 *wowlan_config_cmd,
+                      struct iwl_wowlan_config_cmd *wowlan_config_cmd,
                      struct ieee80211_vif *vif, struct iwl_mvm_vif *mvmvif,
                      struct ieee80211_sta *ap_sta)
 {
@@ -878,6 +864,10 @@ iwl_mvm_wowlan_config(struct iwl_mvm *mvm,
        };
        int ret;
+        ret = iwl_mvm_switch_to_d3(mvm);
+        if (ret)
+                return ret;
        ret = iwl_mvm_d3_reprogram(mvm, vif, ap_sta);
        if (ret)
                return ret;
@@ -943,7 +933,9 @@ iwl_mvm_wowlan_config(struct iwl_mvm *mvm,
                }
        }
-        ret = iwl_mvm_send_wowlan_config_cmd(mvm, wowlan_config_cmd);
+        ret = iwl_mvm_send_cmd_pdu(mvm, WOWLAN_CONFIGURATION, 0,
+                                   sizeof(*wowlan_config_cmd),
+                                   wowlan_config_cmd);
        if (ret)
                goto out;
@@ -962,6 +954,68 @@ out:
        return ret;
 }
+static int
+iwl_mvm_netdetect_config(struct iwl_mvm *mvm,
+                         struct cfg80211_wowlan *wowlan,
+                         struct cfg80211_sched_scan_request *nd_config,
+                         struct ieee80211_vif *vif)
+{
+        struct iwl_wowlan_config_cmd wowlan_config_cmd = {};
+        int ret;
+        ret = iwl_mvm_switch_to_d3(mvm);
+        if (ret)
+                return ret;
+        /* rfkill release can be either for wowlan or netdetect */
+        if (wowlan->rfkill_release)
+                wowlan_config_cmd.wakeup_filter |=
+                        cpu_to_le32(IWL_WOWLAN_WAKEUP_RF_KILL_DEASSERT);
+        ret = iwl_mvm_send_cmd_pdu(mvm, WOWLAN_CONFIGURATION, 0,
+                                   sizeof(wowlan_config_cmd),
+                                   &wowlan_config_cmd);
+        if (ret)
+                return ret;
+        ret = iwl_mvm_scan_offload_start(mvm, vif, nd_config, &mvm->nd_ies);
+        if (ret)
+                return ret;
+        if (WARN_ON(mvm->nd_match_sets || mvm->nd_channels))
+                return -EBUSY;
+        /* save the sched scan matchsets... */
+        if (nd_config->n_match_sets) {
+                mvm->nd_match_sets = kmemdup(nd_config->match_sets,
+                                             sizeof(*nd_config->match_sets) *
+                                             nd_config->n_match_sets,
+                                             GFP_KERNEL);
+                if (mvm->nd_match_sets)
+                        mvm->n_nd_match_sets = nd_config->n_match_sets;
+        }
+        /* ...and the sched scan channels for later reporting */
+        mvm->nd_channels = kmemdup(nd_config->channels,
+                                   sizeof(*nd_config->channels) *
+                                   nd_config->n_channels,
+                                   GFP_KERNEL);
+        if (mvm->nd_channels)
+                mvm->n_nd_channels = nd_config->n_channels;
+        return 0;
+}
+static void iwl_mvm_free_nd(struct iwl_mvm *mvm)
+{
+        kfree(mvm->nd_match_sets);
+        mvm->nd_match_sets = NULL;
+        mvm->n_nd_match_sets = 0;
+        kfree(mvm->nd_channels);
+        mvm->nd_channels = NULL;
+        mvm->n_nd_channels = 0;
+}
 static int __iwl_mvm_suspend(struct ieee80211_hw *hw,
                             struct cfg80211_wowlan *wowlan,
                             bool test)
@@ -970,7 +1024,6 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw,
        struct ieee80211_vif *vif = NULL;
        struct iwl_mvm_vif *mvmvif = NULL;
        struct ieee80211_sta *ap_sta = NULL;
-        struct iwl_wowlan_config_cmd_v3 wowlan_config_cmd = {};
        struct iwl_d3_manager_config d3_cfg_cmd_data = {
                /*
                 * Program the minimum sleep time to 10 seconds, as many
@@ -1007,8 +1060,22 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw,
        mvmvif = iwl_mvm_vif_from_mac80211(vif);
-        /* if we're associated, this is wowlan */
+        if (mvmvif->ap_sta_id == IWL_MVM_STATION_COUNT) {
-        if (mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) {
+                /* if we're not associated, this must be netdetect */
+                if (!wowlan->nd_config && !mvm->nd_config) {
+                        ret = 1;
+                        goto out_noreset;
+                }
+                ret = iwl_mvm_netdetect_config(
+                        mvm, wowlan, wowlan->nd_config ?: mvm->nd_config, vif);
+                if (ret)
+                        goto out;
+                mvm->net_detect = true;
+        } else {
+                struct iwl_wowlan_config_cmd wowlan_config_cmd = {};
                ap_sta = rcu_dereference_protected(
                        mvm->fw_id_to_mac_id[mvmvif->ap_sta_id],
                        lockdep_is_held(&mvm->mutex));
@@ -1021,27 +1088,12 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw,
                                                vif, mvmvif, ap_sta);
                if (ret)
                        goto out_noreset;
-                ret = iwl_mvm_switch_to_d3(mvm);
-                if (ret)
-                        goto out;
                ret = iwl_mvm_wowlan_config(mvm, wowlan, &wowlan_config_cmd,
                                            vif, mvmvif, ap_sta);
                if (ret)
                        goto out;
-        } else if (mvm->nd_config) {
-                ret = iwl_mvm_switch_to_d3(mvm);
-                if (ret)
-                        goto out;
-                ret = iwl_mvm_scan_offload_start(mvm, vif, mvm->nd_config,
+                mvm->net_detect = false;
-                                                 mvm->nd_ies);
-                if (ret)
-                        goto out;
-        } else {
-                ret = 1;
-                goto out_noreset;
        }
        ret = iwl_mvm_power_update_device(mvm);
@@ -1075,8 +1127,10 @@ static int __iwl_mvm_suspend(struct ieee80211_hw *hw,
        iwl_trans_d3_suspend(mvm->trans, test);
 out:
-        if (ret < 0)
+        if (ret < 0) {
                ieee80211_restart_hw(mvm->hw);
+                iwl_mvm_free_nd(mvm);
+        }
 out_noreset:
        mutex_unlock(&mvm->mutex);
@@ -1087,6 +1141,7 @@ int iwl_mvm_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
 {
        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        iwl_trans_suspend(mvm->trans);
        if (iwl_mvm_is_d0i3_supported(mvm)) {
                mutex_lock(&mvm->d0i3_suspend_mutex);
                __set_bit(D0I3_DEFER_WAKEUP, &mvm->d0i3_suspend_flags);
@@ -1465,9 +1520,8 @@ out:
        return true;
 }
-/* releases the MVM mutex */
+static struct iwl_wowlan_status *
-static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
+iwl_mvm_get_wakeup_status(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
-                                         struct ieee80211_vif *vif)
 {
        u32 base = mvm->error_event_table;
        struct error_table_start {
@@ -1479,19 +1533,15 @@ static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
                .id = WOWLAN_GET_STATUSES,
                .flags = CMD_WANT_SKB,
        };
-        struct iwl_wowlan_status_data status;
+        struct iwl_wowlan_status *status, *fw_status;
-        struct iwl_wowlan_status *fw_status;
+        int ret, len, status_size;
-        int ret, len, status_size, i;
-        bool keep;
-        struct ieee80211_sta *ap_sta;
-        struct iwl_mvm_sta *mvm_ap_sta;
        iwl_trans_read_mem_bytes(mvm->trans, base,
                                 &err_info, sizeof(err_info));
        if (err_info.valid) {
-                IWL_INFO(mvm, "error table is valid (%d)\n",
+                IWL_INFO(mvm, "error table is valid (%d) with error (%d)\n",
-                         err_info.valid);
+                         err_info.valid, err_info.error_id);
                if (err_info.error_id == RF_KILL_INDICATOR_FOR_WOWLAN) {
                        struct cfg80211_wowlan_wakeup wakeup = {
                                .rfkill_release = true,
@@ -1499,7 +1549,7 @@ static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
                        ieee80211_report_wowlan_wakeup(vif, &wakeup,
                                                       GFP_KERNEL);
                }
-                goto out_unlock;
+                return ERR_PTR(-EIO);
        }
        /* only for tracing for now */
@@ -1510,22 +1560,53 @@ static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
        ret = iwl_mvm_send_cmd(mvm, &cmd);
        if (ret) {
                IWL_ERR(mvm, "failed to query status (%d)\n", ret);
-                goto out_unlock;
+                return ERR_PTR(ret);
        }
        /* RF-kill already asserted again... */
-        if (!cmd.resp_pkt)
+        if (!cmd.resp_pkt) {
-                goto out_unlock;
+                ret = -ERFKILL;
+                goto out_free_resp;
+        }
        status_size = sizeof(*fw_status);
        len = iwl_rx_packet_payload_len(cmd.resp_pkt);
        if (len < status_size) {
                IWL_ERR(mvm, "Invalid WoWLAN status response!\n");
+                ret = -EIO;
                goto out_free_resp;
        }
-        fw_status = (void *)cmd.resp_pkt->data;
+        status = (void *)cmd.resp_pkt->data;
+        if (len != (status_size +
+                    ALIGN(le32_to_cpu(status->wake_packet_bufsize), 4))) {
+                IWL_ERR(mvm, "Invalid WoWLAN status response!\n");
+                ret = -EIO;
+                goto out_free_resp;
+        }
+        fw_status = kmemdup(status, len, GFP_KERNEL);
+out_free_resp:
+        iwl_free_resp(&cmd);
+        return ret ? ERR_PTR(ret) : fw_status;
+}
+/* releases the MVM mutex */
+static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
+                                         struct ieee80211_vif *vif)
+{
+        struct iwl_wowlan_status_data status;
+        struct iwl_wowlan_status *fw_status;
+        int i;
+        bool keep;
+        struct ieee80211_sta *ap_sta;
+        struct iwl_mvm_sta *mvm_ap_sta;
+        fw_status = iwl_mvm_get_wakeup_status(mvm, vif);
+        if (IS_ERR_OR_NULL(fw_status))
+                goto out_unlock;
        status.pattern_number = le16_to_cpu(fw_status->pattern_number);
        for (i = 0; i < 8; i++)
@@ -1538,17 +1619,12 @@ static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
                le32_to_cpu(fw_status->wake_packet_bufsize);
        status.wake_packet = fw_status->wake_packet;
-        if (len != status_size + ALIGN(status.wake_packet_bufsize, 4)) {
-                IWL_ERR(mvm, "Invalid WoWLAN status response!\n");
-                goto out_free_resp;
-        }
        /* still at hard-coded place 0 for D3 image */
        ap_sta = rcu_dereference_protected(
                        mvm->fw_id_to_mac_id[0],
                        lockdep_is_held(&mvm->mutex));
        if (IS_ERR_OR_NULL(ap_sta))
-                goto out_free_resp;
+                goto out_free;
        mvm_ap_sta = (struct iwl_mvm_sta *)ap_sta->drv_priv;
        for (i = 0; i < IWL_MAX_TID_COUNT; i++) {
@@ -1565,16 +1641,151 @@ static bool iwl_mvm_query_wakeup_reasons(struct iwl_mvm *mvm,
        keep = iwl_mvm_setup_connection_keep(mvm, vif, fw_status);
-        iwl_free_resp(&cmd);
+        kfree(fw_status);
        return keep;
- out_free_resp:
+out_free:
-        iwl_free_resp(&cmd);
+        kfree(fw_status);
- out_unlock:
+out_unlock:
        mutex_unlock(&mvm->mutex);
        return false;
 }
+struct iwl_mvm_nd_query_results {
+        u32 matched_profiles;
+        struct iwl_scan_offload_profile_match matches[IWL_SCAN_MAX_PROFILES];
+};
+static int
+iwl_mvm_netdetect_query_results(struct iwl_mvm *mvm,
+                                struct iwl_mvm_nd_query_results *results)
+{
+        struct iwl_scan_offload_profiles_query *query;
+        struct iwl_host_cmd cmd = {
+                .id = SCAN_OFFLOAD_PROFILES_QUERY_CMD,
+                .flags = CMD_WANT_SKB,
+        };
+        int ret, len;
+        ret = iwl_mvm_send_cmd(mvm, &cmd);
+        if (ret) {
+                IWL_ERR(mvm, "failed to query matched profiles (%d)\n", ret);
+                return ret;
+        }
+        /* RF-kill already asserted again... */
+        if (!cmd.resp_pkt) {
+                ret = -ERFKILL;
+                goto out_free_resp;
+        }
+        len = iwl_rx_packet_payload_len(cmd.resp_pkt);
+        if (len < sizeof(*query)) {
+                IWL_ERR(mvm, "Invalid scan offload profiles query response!\n");
+                ret = -EIO;
+                goto out_free_resp;
+        }
+        query = (void *)cmd.resp_pkt->data;
+        results->matched_profiles = le32_to_cpu(query->matched_profiles);
+        memcpy(results->matches, query->matches, sizeof(results->matches));
+out_free_resp:
+        iwl_free_resp(&cmd);
+        return ret;
+}
+static void iwl_mvm_query_netdetect_reasons(struct iwl_mvm *mvm,
+                                            struct ieee80211_vif *vif)
+{
+        struct cfg80211_wowlan_nd_info *net_detect = NULL;
+        struct cfg80211_wowlan_wakeup wakeup = {
+                .pattern_idx = -1,
+        };
+        struct cfg80211_wowlan_wakeup *wakeup_report = &wakeup;
+        struct iwl_mvm_nd_query_results query;
+        struct iwl_wowlan_status *fw_status;
+        unsigned long matched_profiles;
+        u32 reasons = 0;
+        int i, j, n_matches, ret;
+        fw_status = iwl_mvm_get_wakeup_status(mvm, vif);
+        if (!IS_ERR_OR_NULL(fw_status))
+                reasons = le32_to_cpu(fw_status->wakeup_reasons);
+        if (reasons & IWL_WOWLAN_WAKEUP_BY_RFKILL_DEASSERTED)
+                wakeup.rfkill_release = true;
+        if (reasons != IWL_WOWLAN_WAKEUP_BY_NON_WIRELESS)
+                goto out;
+        ret = iwl_mvm_netdetect_query_results(mvm, &query);
+        if (ret || !query.matched_profiles) {
+                wakeup_report = NULL;
+                goto out;
+        }
+        matched_profiles = query.matched_profiles;
+        if (mvm->n_nd_match_sets) {
+                n_matches = hweight_long(matched_profiles);
+        } else {
+                IWL_ERR(mvm, "no net detect match information available\n");
+                n_matches = 0;
+        }
+        net_detect = kzalloc(sizeof(*net_detect) +
+                             (n_matches * sizeof(net_detect->matches[0])),
+                             GFP_KERNEL);
+        if (!net_detect || !n_matches)
+                goto out_report_nd;
+        for_each_set_bit(i, &matched_profiles, mvm->n_nd_match_sets) {
+                struct iwl_scan_offload_profile_match *fw_match;
+                struct cfg80211_wowlan_nd_match *match;
+                int n_channels = 0;
+                fw_match = &query.matches[i];
+                for (j = 0; j < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN; j++)
+                        n_channels += hweight8(fw_match->matching_channels[j]);
+                match = kzalloc(sizeof(*match) +
+                                (n_channels * sizeof(*match->channels)),
+                                GFP_KERNEL);
+                if (!match)
+                        goto out_report_nd;
+                net_detect->matches[net_detect->n_matches++] = match;
+                match->ssid.ssid_len = mvm->nd_match_sets[i].ssid.ssid_len;
+                memcpy(match->ssid.ssid, mvm->nd_match_sets[i].ssid.ssid,
+                       match->ssid.ssid_len);
+                if (mvm->n_nd_channels < n_channels)
+                        continue;
+                for (j = 0; j < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8; j++)
+                        if (fw_match->matching_channels[j / 8] & (BIT(j % 8)))
+                                match->channels[match->n_channels++] =
+                                        mvm->nd_channels[j]->center_freq;
+        }
+out_report_nd:
+        wakeup.net_detect = net_detect;
+out:
+        iwl_mvm_free_nd(mvm);
+        mutex_unlock(&mvm->mutex);
+        ieee80211_report_wowlan_wakeup(vif, wakeup_report, GFP_KERNEL);
+        if (net_detect) {
+                for (i = 0; i < net_detect->n_matches; i++)
+                        kfree(net_detect->matches[i]);
+                kfree(net_detect);
+        }
+}
 static void iwl_mvm_read_d3_sram(struct iwl_mvm *mvm)
 {
 #ifdef CONFIG_IWLWIFI_DEBUGFS
@@ -1632,11 +1843,15 @@ static int __iwl_mvm_resume(struct iwl_mvm *mvm, bool test)
        /* query SRAM first in case we want event logging */
        iwl_mvm_read_d3_sram(mvm);
-        keep = iwl_mvm_query_wakeup_reasons(mvm, vif);
+        if (mvm->net_detect) {
+                iwl_mvm_query_netdetect_reasons(mvm, vif);
+        } else {
+                keep = iwl_mvm_query_wakeup_reasons(mvm, vif);
 #ifdef CONFIG_IWLWIFI_DEBUGFS
-        if (keep)
+                if (keep)
-                mvm->keep_vif = vif;
+                        mvm->keep_vif = vif;
 #endif
+        }
        /* has unlocked the mutex, so skip that */
        goto out;
@@ -1651,6 +1866,7 @@ static int __iwl_mvm_resume(struct iwl_mvm *mvm, bool test)
        /* return 1 to reconfigure the device */
        set_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status);
+        set_bit(IWL_MVM_STATUS_D3_RECONFIG, &mvm->status);
        return 1;
 }
@@ -1658,18 +1874,10 @@ int iwl_mvm_resume(struct ieee80211_hw *hw)
 {
        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
-        if (iwl_mvm_is_d0i3_supported(mvm)) {
+        iwl_trans_resume(mvm->trans);
-                bool exit_now;
-                mutex_lock(&mvm->d0i3_suspend_mutex);
+        if (iwl_mvm_is_d0i3_supported(mvm))
-                __clear_bit(D0I3_DEFER_WAKEUP, &mvm->d0i3_suspend_flags);
-                exit_now = __test_and_clear_bit(D0I3_PENDING_WAKEUP,
-                                                &mvm->d0i3_suspend_flags);
-                mutex_unlock(&mvm->d0i3_suspend_mutex);
-                if (exit_now)
-                        _iwl_mvm_exit_d0i3(mvm);
                return 0;
-        }
        return __iwl_mvm_resume(mvm, false);
 }
diff --git a/drivers/net/wireless/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/iwlwifi/mvm/debugfs.c
index 51b7116965ed..33bf915cd7ea 100644
--- a/drivers/net/wireless/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/iwlwifi/mvm/debugfs.c
@@ -936,7 +936,11 @@ iwl_dbgfs_scan_ant_rxchain_write(struct iwl_mvm *mvm, char *buf,
        if (scan_rx_ant & ~mvm->fw->valid_rx_ant)
                return -EINVAL;
-        mvm->scan_rx_ant = scan_rx_ant;
+        if (mvm->scan_rx_ant != scan_rx_ant) {
+                mvm->scan_rx_ant = scan_rx_ant;
+                if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)
+                        iwl_mvm_config_scan(mvm);
+        }
        return count;
 }
@@ -1194,14 +1198,8 @@ static ssize_t iwl_dbgfs_netdetect_write(struct iwl_mvm *mvm, char *buf,
                kfree(mvm->nd_config->match_sets);
                kfree(mvm->nd_config);
                mvm->nd_config = NULL;
-                kfree(mvm->nd_ies);
-                mvm->nd_ies = NULL;
        }
-        mvm->nd_ies = kzalloc(sizeof(*mvm->nd_ies), GFP_KERNEL);
-        if (!mvm->nd_ies)
-                return -ENOMEM;
        mvm->nd_config = kzalloc(sizeof(*mvm->nd_config) +
                                 (11 * sizeof(struct ieee80211_channel *)),
                                 GFP_KERNEL);
@@ -1258,8 +1256,6 @@ out_free:
                kfree(mvm->nd_config->match_sets);
        kfree(mvm->nd_config);
        mvm->nd_config = NULL;
-        kfree(mvm->nd_ies);
-        mvm->nd_ies = NULL;
 out:
        return ret;
 }
@@ -1343,6 +1339,7 @@ static ssize_t iwl_dbgfs_d0i3_refs_read(struct file *file,
        PRINT_MVM_REF(IWL_MVM_REF_NMI);
        PRINT_MVM_REF(IWL_MVM_REF_TM_CMD);
        PRINT_MVM_REF(IWL_MVM_REF_EXIT_WORK);
+        PRINT_MVM_REF(IWL_MVM_REF_PROTECT_CSA);
        return simple_read_from_buffer(user_buf, count, ppos, buf, pos);
 }
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-coex.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-coex.h
index 816883f9ff94..f3b11897991e 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-coex.h
+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-coex.h
@@ -84,6 +84,8 @@
 * @BT_COEX_SYNC2SCO:
 * @BT_COEX_CORUNNING:
 * @BT_COEX_MPLUT:
+ * @BT_COEX_TTC:
+ * @BT_COEX_RRC:
 *
 * The COEX_MODE must be set for each command. Even if it is not changed.
 */
@@ -100,6 +102,8 @@ enum iwl_bt_coex_flags {
        BT_COEX_SYNC2SCO                = BIT(7),
        BT_COEX_CORUNNING               = BIT(8),
        BT_COEX_MPLUT                   = BIT(9),
+        BT_COEX_TTC                     = BIT(20),
+        BT_COEX_RRC                     = BIT(21),
 };
 /*
@@ -127,6 +131,8 @@ enum iwl_bt_coex_valid_bit_msk {
        BT_VALID_TXTX_DELTA_FREQ_THRS   = BIT(16),
        BT_VALID_TXRX_MAX_FREQ_0        = BIT(17),
        BT_VALID_SYNC_TO_SCO            = BIT(18),
+        BT_VALID_TTC                    = BIT(20),
+        BT_VALID_RRC                    = BIT(21),
 };
 /**
@@ -506,7 +512,8 @@ struct iwl_bt_coex_profile_notif_old {
        u8 bt_agg_traffic_load;
        u8 bt_ci_compliance;
        u8 ttc_enabled;
-        __le16 reserved;
+        u8 rrc_enabled;
+        u8 reserved;
        __le32 primary_ch_lut;
        __le32 secondary_ch_lut;
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-d3.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-d3.h
index e74cdf2132f8..6d3bea5c59d1 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-d3.h
+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-d3.h
@@ -241,16 +241,12 @@ enum iwl_wowlan_wakeup_filters {
        IWL_WOWLAN_WAKEUP_BCN_FILTERING                 = BIT(16),
 }; /* WOWLAN_WAKEUP_FILTER_API_E_VER_4 */
-struct iwl_wowlan_config_cmd_v2 {
+struct iwl_wowlan_config_cmd {
        __le32 wakeup_filter;
        __le16 non_qos_seq;
        __le16 qos_seq[8];
        u8 wowlan_ba_teardown_tids;
        u8 is_11n_connection;
-} __packed; /* WOWLAN_CONFIG_API_S_VER_2 */
-struct iwl_wowlan_config_cmd_v3 {
-        struct iwl_wowlan_config_cmd_v2 common;
        u8 offloading_tid;
        u8 reserved[3];
 } __packed; /* WOWLAN_CONFIG_API_S_VER_3 */
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
index 2fd8ad4633e0..430020047b77 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
@@ -370,7 +370,7 @@ struct iwl_beacon_filter_cmd {
 #define IWL_BF_DEBUG_FLAG_DEFAULT 0
 #define IWL_BF_DEBUG_FLAG_D0I3 0
-#define IWL_BF_ESCAPE_TIMER_DEFAULT 50
+#define IWL_BF_ESCAPE_TIMER_DEFAULT 0
 #define IWL_BF_ESCAPE_TIMER_D0I3 0
 #define IWL_BF_ESCAPE_TIMER_MAX 1024
 #define IWL_BF_ESCAPE_TIMER_MIN 0
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api-scan.h b/drivers/net/wireless/iwlwifi/mvm/fw-api-scan.h
index 1354c68f6468..1f2acf47bfb2 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-scan.h
+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-scan.h
@@ -794,4 +794,301 @@ struct iwl_periodic_scan_complete {
        __le32 reserved;
 } __packed;
+/* UMAC Scan API */
+/**
+ * struct iwl_mvm_umac_cmd_hdr - Command header for UMAC commands
+ * @size:       size of the command (not including header)
+ * @reserved0:  for future use and alignment
+ * @ver:        API version number
+ */
+struct iwl_mvm_umac_cmd_hdr {
+        __le16 size;
+        u8 reserved0;
+        u8 ver;
+} __packed;
+#define IWL_MVM_MAX_SIMULTANEOUS_SCANS 8
+enum scan_config_flags {
+        SCAN_CONFIG_FLAG_ACTIVATE                       = BIT(0),
+        SCAN_CONFIG_FLAG_DEACTIVATE                     = BIT(1),
+        SCAN_CONFIG_FLAG_FORBID_CHUB_REQS               = BIT(2),
+        SCAN_CONFIG_FLAG_ALLOW_CHUB_REQS                = BIT(3),
+        SCAN_CONFIG_FLAG_SET_TX_CHAINS                  = BIT(8),
+        SCAN_CONFIG_FLAG_SET_RX_CHAINS                  = BIT(9),
+        SCAN_CONFIG_FLAG_SET_AUX_STA_ID                 = BIT(10),
+        SCAN_CONFIG_FLAG_SET_ALL_TIMES                  = BIT(11),
+        SCAN_CONFIG_FLAG_SET_EFFECTIVE_TIMES            = BIT(12),
+        SCAN_CONFIG_FLAG_SET_CHANNEL_FLAGS              = BIT(13),
+        SCAN_CONFIG_FLAG_SET_LEGACY_RATES               = BIT(14),
+        SCAN_CONFIG_FLAG_SET_MAC_ADDR                   = BIT(15),
+        SCAN_CONFIG_FLAG_SET_FRAGMENTED                 = BIT(16),
+        SCAN_CONFIG_FLAG_CLEAR_FRAGMENTED               = BIT(17),
+        SCAN_CONFIG_FLAG_SET_CAM_MODE                   = BIT(18),
+        SCAN_CONFIG_FLAG_CLEAR_CAM_MODE                 = BIT(19),
+        SCAN_CONFIG_FLAG_SET_PROMISC_MODE               = BIT(20),
+        SCAN_CONFIG_FLAG_CLEAR_PROMISC_MODE             = BIT(21),
+        /* Bits 26-31 are for num of channels in channel_array */
+#define SCAN_CONFIG_N_CHANNELS(n) ((n) << 26)
+};
+enum scan_config_rates {
+        /* OFDM basic rates */
+        SCAN_CONFIG_RATE_6M     = BIT(0),
+        SCAN_CONFIG_RATE_9M     = BIT(1),
+        SCAN_CONFIG_RATE_12M    = BIT(2),
+        SCAN_CONFIG_RATE_18M    = BIT(3),
+        SCAN_CONFIG_RATE_24M    = BIT(4),
+        SCAN_CONFIG_RATE_36M    = BIT(5),
+        SCAN_CONFIG_RATE_48M    = BIT(6),
+        SCAN_CONFIG_RATE_54M    = BIT(7),
+        /* CCK basic rates */
+        SCAN_CONFIG_RATE_1M     = BIT(8),
+        SCAN_CONFIG_RATE_2M     = BIT(9),
+        SCAN_CONFIG_RATE_5M     = BIT(10),
+        SCAN_CONFIG_RATE_11M    = BIT(11),
+        /* Bits 16-27 are for supported rates */
+#define SCAN_CONFIG_SUPPORTED_RATE(rate)        ((rate) << 16)
+};
+enum iwl_channel_flags {
+        IWL_CHANNEL_FLAG_EBS                            = BIT(0),
+        IWL_CHANNEL_FLAG_ACCURATE_EBS                   = BIT(1),
+        IWL_CHANNEL_FLAG_EBS_ADD                        = BIT(2),
+        IWL_CHANNEL_FLAG_PRE_SCAN_PASSIVE2ACTIVE        = BIT(3),
+};
+/**
+ * struct iwl_scan_config
+ * @hdr: umac command header
+ * @flags:                      enum scan_config_flags
+ * @tx_chains:                  valid_tx antenna - ANT_* definitions
+ * @rx_chains:                  valid_rx antenna - ANT_* definitions
+ * @legacy_rates:               default legacy rates - enum scan_config_rates
+ * @out_of_channel_time:        default max out of serving channel time
+ * @suspend_time:               default max suspend time
+ * @dwell_active:               default dwell time for active scan
+ * @dwell_passive:              default dwell time for passive scan
+ * @dwell_fragmented:           default dwell time for fragmented scan
+ * @reserved:                   for future use and alignment
+ * @mac_addr:                   default mac address to be used in probes
+ * @bcast_sta_id:               the index of the station in the fw
+ * @channel_flags:              default channel flags - enum iwl_channel_flags
+ *                              scan_config_channel_flag
+ * @channel_array:              default supported channels
+ */
+struct iwl_scan_config {
+        struct iwl_mvm_umac_cmd_hdr hdr;
+        __le32 flags;
+        __le32 tx_chains;
+        __le32 rx_chains;
+        __le32 legacy_rates;
+        __le32 out_of_channel_time;
+        __le32 suspend_time;
+        u8 dwell_active;
+        u8 dwell_passive;
+        u8 dwell_fragmented;
+        u8 reserved;
+        u8 mac_addr[ETH_ALEN];
+        u8 bcast_sta_id;
+        u8 channel_flags;
+        u8 channel_array[];
+} __packed; /* SCAN_CONFIG_DB_CMD_API_S */
+/**
+ * iwl_umac_scan_flags
+ *@IWL_UMAC_SCAN_FLAG_PREEMPTIVE: scan process triggered by this scan request
+ *      can be preempted by other scan requests with higher priority.
+ *      The low priority scan is aborted.
+ *@IWL_UMAC_SCAN_FLAG_START_NOTIF: notification will be sent to the driver
+ *      when scan starts.
+ */
+enum iwl_umac_scan_flags {
+        IWL_UMAC_SCAN_FLAG_PREEMPTIVE           = BIT(0),
+        IWL_UMAC_SCAN_FLAG_START_NOTIF          = BIT(1),
+};
+enum iwl_umac_scan_uid_offsets {
+        IWL_UMAC_SCAN_UID_TYPE_OFFSET           = 0,
+        IWL_UMAC_SCAN_UID_SEQ_OFFSET            = 8,
+};
+enum iwl_umac_scan_general_flags {
+        IWL_UMAC_SCAN_GEN_FLAGS_PERIODIC        = BIT(0),
+        IWL_UMAC_SCAN_GEN_FLAGS_OVER_BT         = BIT(1),
+        IWL_UMAC_SCAN_GEN_FLAGS_PASS_ALL        = BIT(2),
+        IWL_UMAC_SCAN_GEN_FLAGS_PASSIVE         = BIT(3),
+        IWL_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT     = BIT(4),
+        IWL_UMAC_SCAN_GEN_FLAGS_ITER_COMPLETE   = BIT(5),
+        IWL_UMAC_SCAN_GEN_FLAGS_MULTIPLE_SSID   = BIT(6),
+        IWL_UMAC_SCAN_GEN_FLAGS_FRAGMENTED      = BIT(7),
+        IWL_UMAC_SCAN_GEN_FLAGS_RRM_ENABLED     = BIT(8),
+        IWL_UMAC_SCAN_GEN_FLAGS_MATCH           = BIT(9)
+};
+/**
+ * struct iwl_scan_channel_cfg_umac
+ * @flags:              bitmap - 0-19:  directed scan to i'th ssid.
+ * @channel_num:        channel number 1-13 etc.
+ * @iter_count:         repetition count for the channel.
+ * @iter_interval:      interval between two scan interations on one channel.
+ */
+struct iwl_scan_channel_cfg_umac {
+        __le32 flags;
+        u8 channel_num;
+        u8 iter_count;
+        __le16 iter_interval;
+} __packed; /* SCAN_CHANNEL_CFG_S_VER2 */
+/**
+ * struct iwl_scan_umac_schedule
+ * @interval: interval in seconds between scan iterations
+ * @iter_count: num of scan iterations for schedule plan, 0xff for infinite loop
+ * @reserved: for alignment and future use
+ */
+struct iwl_scan_umac_schedule {
+        __le16 interval;
+        u8 iter_count;
+        u8 reserved;
+} __packed; /* SCAN_SCHED_PARAM_API_S_VER_1 */
+/**
+ * struct iwl_scan_req_umac_tail - the rest of the UMAC scan request command
+ *      parameters following channels configuration array.
+ * @schedule: two scheduling plans.
+ * @delay: delay in TUs before starting the first scan iteration
+ * @reserved: for future use and alignment
+ * @preq: probe request with IEs blocks
+ * @direct_scan: list of SSIDs for directed active scan
+ */
+struct iwl_scan_req_umac_tail {
+        /* SCAN_PERIODIC_PARAMS_API_S_VER_1 */
+        struct iwl_scan_umac_schedule schedule[2];
+        __le16 delay;
+        __le16 reserved;
+        /* SCAN_PROBE_PARAMS_API_S_VER_1 */
+        struct iwl_scan_probe_req preq;
+        struct iwl_ssid_ie direct_scan[PROBE_OPTION_MAX];
+} __packed;
+/**
+ * struct iwl_scan_req_umac
+ * @hdr: umac command header
+ * @flags: &enum iwl_umac_scan_flags
+ * @uid: scan id, &enum iwl_umac_scan_uid_offsets
+ * @ooc_priority: out of channel priority - &enum iwl_scan_priority
+ * @general_flags: &enum iwl_umac_scan_general_flags
+ * @reserved1: for future use and alignment
+ * @active_dwell: dwell time for active scan
+ * @passive_dwell: dwell time for passive scan
+ * @fragmented_dwell: dwell time for fragmented passive scan
+ * @max_out_time: max out of serving channel time
+ * @suspend_time: max suspend time
+ * @scan_priority: scan internal prioritization &enum iwl_scan_priority
+ * @channel_flags: &enum iwl_scan_channel_flags
+ * @n_channels: num of channels in scan request
+ * @reserved2: for future use and alignment
+ * @data: &struct iwl_scan_channel_cfg_umac and
+ *      &struct iwl_scan_req_umac_tail
+ */
+struct iwl_scan_req_umac {
+        struct iwl_mvm_umac_cmd_hdr hdr;
+        __le32 flags;
+        __le32 uid;
+        __le32 ooc_priority;
+        /* SCAN_GENERAL_PARAMS_API_S_VER_1 */
+        __le32 general_flags;
+        u8 reserved1;
+        u8 active_dwell;
+        u8 passive_dwell;
+        u8 fragmented_dwell;
+        __le32 max_out_time;
+        __le32 suspend_time;
+        __le32 scan_priority;
+        /* SCAN_CHANNEL_PARAMS_API_S_VER_1 */
+        u8 channel_flags;
+        u8 n_channels;
+        __le16 reserved2;
+        u8 data[];
+} __packed; /* SCAN_REQUEST_CMD_UMAC_API_S_VER_1 */
+/**
+ * struct iwl_umac_scan_abort
+ * @hdr: umac command header
+ * @uid: scan id, &enum iwl_umac_scan_uid_offsets
+ * @flags: reserved
+ */
+struct iwl_umac_scan_abort {
+        struct iwl_mvm_umac_cmd_hdr hdr;
+        __le32 uid;
+        __le32 flags;
+} __packed; /* SCAN_ABORT_CMD_UMAC_API_S_VER_1 */
+/**
+ * struct iwl_umac_scan_complete
+ * @uid: scan id, &enum iwl_umac_scan_uid_offsets
+ * @last_schedule: last scheduling line
+ * @last_iter:  last scan iteration number
+ * @scan status: &enum iwl_scan_offload_complete_status
+ * @ebs_status: &enum iwl_scan_ebs_status
+ * @time_from_last_iter: time elapsed from last iteration
+ * @reserved: for future use
+ */
+struct iwl_umac_scan_complete {
+        __le32 uid;
+        u8 last_schedule;
+        u8 last_iter;
+        u8 status;
+        u8 ebs_status;
+        __le32 time_from_last_iter;
+        __le32 reserved;
+} __packed; /* SCAN_COMPLETE_NTF_UMAC_API_S_VER_1 */
+#define SCAN_OFFLOAD_MATCHING_CHANNELS_LEN 5
+/**
+ * struct iwl_scan_offload_profile_match - match information
+ * @bssid: matched bssid
+ * @channel: channel where the match occurred
+ * @energy:
+ * @matching_feature:
+ * @matching_channels: bitmap of channels that matched, referencing
+ *      the channels passed in tue scan offload request
+ */
+struct iwl_scan_offload_profile_match {
+        u8 bssid[ETH_ALEN];
+        __le16 reserved;
+        u8 channel;
+        u8 energy;
+        u8 matching_feature;
+        u8 matching_channels[SCAN_OFFLOAD_MATCHING_CHANNELS_LEN];
+} __packed; /* SCAN_OFFLOAD_PROFILE_MATCH_RESULTS_S_VER_1 */
+/**
+ * struct iwl_scan_offload_profiles_query - match results query response
+ * @matched_profiles: bitmap of matched profiles, referencing the
+ *      matches passed in the scan offload request
+ * @last_scan_age: age of the last offloaded scan
+ * @n_scans_done: number of offloaded scans done
+ * @gp2_d0u: GP2 when D0U occurred
+ * @gp2_invoked: GP2 when scan offload was invoked
+ * @resume_while_scanning: not used
+ * @self_recovery: obsolete
+ * @reserved: reserved
+ * @matches: array of match information, one for each match
+ */
+struct iwl_scan_offload_profiles_query {
+        __le32 matched_profiles;
+        __le32 last_scan_age;
+        __le32 n_scans_done;
+        __le32 gp2_d0u;
+        __le32 gp2_invoked;
+        u8 resume_while_scanning;
+        u8 self_recovery;
+        __le16 reserved;
+        struct iwl_scan_offload_profile_match matches[IWL_SCAN_MAX_PROFILES];
+} __packed; /* SCAN_OFFLOAD_PROFILES_QUERY_RSP_S_VER_2 */
 #endif
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw-api.h b/drivers/net/wireless/iwlwifi/mvm/fw-api.h
index c62575d86bcd..88af6dd2ceaa 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw-api.h
+++ b/drivers/net/wireless/iwlwifi/mvm/fw-api.h
@@ -106,6 +106,12 @@ enum {
        DBG_CFG = 0x9,
        ANTENNA_COUPLING_NOTIFICATION = 0xa,
+        /* UMAC scan commands */
+        SCAN_CFG_CMD = 0xc,
+        SCAN_REQ_UMAC = 0xd,
+        SCAN_ABORT_UMAC = 0xe,
+        SCAN_COMPLETE_UMAC = 0xf,
        /* station table */
        ADD_STA_KEY = 0x17,
        ADD_STA = 0x18,
@@ -122,6 +128,11 @@ enum {
        /* global key */
        WEP_KEY = 0x20,
+        /* TDLS */
+        TDLS_CHANNEL_SWITCH_CMD = 0x27,
+        TDLS_CHANNEL_SWITCH_NOTIFICATION = 0xaa,
+        TDLS_CONFIG_CMD = 0xa7,
        /* MAC and Binding commands */
        MAC_CONTEXT_CMD = 0x28,
        TIME_EVENT_CMD = 0x29, /* both CMD and response */
@@ -190,6 +201,8 @@ enum {
        /* Power - new power table command */
        MAC_PM_POWER_TABLE = 0xa9,
+        MFUART_LOAD_NOTIFICATION = 0xb1,
        REPLY_RX_PHY_CMD = 0xc0,
        REPLY_RX_MPDU_CMD = 0xc1,
        BA_NOTIF = 0xc5,
@@ -236,11 +249,9 @@ enum {
        WOWLAN_TX_POWER_PER_DB = 0xe6,
        /* and for NetDetect */
-        NET_DETECT_CONFIG_CMD = 0x54,
+        SCAN_OFFLOAD_PROFILES_QUERY_CMD = 0x56,
-        NET_DETECT_PROFILES_QUERY_CMD = 0x56,
+        SCAN_OFFLOAD_HOTSPOTS_CONFIG_CMD = 0x58,
-        NET_DETECT_PROFILES_CMD = 0x57,
+        SCAN_OFFLOAD_HOTSPOTS_QUERY_CMD = 0x59,
-        NET_DETECT_HOTSPOTS_CMD = 0x58,
-        NET_DETECT_HOTSPOTS_QUERY_CMD = 0x59,
        REPLY_MAX = 0xff,
 };
@@ -1201,6 +1212,21 @@ struct iwl_missed_beacons_notif {
 } __packed; /* MISSED_BEACON_NTFY_API_S_VER_3 */
 /**
+ * struct iwl_mfuart_load_notif - mfuart image version & status
+ * ( MFUART_LOAD_NOTIFICATION = 0xb1 )
+ * @installed_ver: installed image version
+ * @external_ver: external image version
+ * @status: MFUART loading status
+ * @duration: MFUART loading time
+*/
+struct iwl_mfuart_load_notif {
+        __le32 installed_ver;
+        __le32 external_ver;
+        __le32 status;
+        __le32 duration;
+} __packed; /*MFU_LOADER_NTFY_API_S_VER_1*/
+/**
 * struct iwl_set_calib_default_cmd - set default value for calibration.
 * ( SET_CALIB_DEFAULT_CMD = 0x8e )
 * @calib_index: the calibration to set value for
@@ -1589,7 +1615,7 @@ enum iwl_sf_scenario {
 #define SF_NUM_TIMEOUT_TYPES 2          /* Aging timer and Idle timer */
 /* smart FIFO default values */
-#define SF_W_MARK_SISO 4096
+#define SF_W_MARK_SISO 6144
 #define SF_W_MARK_MIMO2 8192
 #define SF_W_MARK_MIMO3 6144
 #define SF_W_MARK_LEGACY 4096
@@ -1711,4 +1737,145 @@ struct iwl_scd_txq_cfg_cmd {
        u8 flags;
 } __packed;
+/***********************************
+ * TDLS API
+ ***********************************/
+/* Type of TDLS request */
+enum iwl_tdls_channel_switch_type {
+        TDLS_SEND_CHAN_SW_REQ = 0,
+        TDLS_SEND_CHAN_SW_RESP_AND_MOVE_CH,
+        TDLS_MOVE_CH,
+}; /* TDLS_STA_CHANNEL_SWITCH_CMD_TYPE_API_E_VER_1 */
+/**
+ * Switch timing sub-element in a TDLS channel-switch command
+ * @frame_timestamp: GP2 timestamp of channel-switch request/response packet
+ *      received from peer
+ * @max_offchan_duration: What amount of microseconds out of a DTIM is given
+ *      to the TDLS off-channel communication. For instance if the DTIM is
+ *      200TU and the TDLS peer is to be given 25% of the time, the value
+ *      given will be 50TU, or 50 * 1024 if translated into microseconds.
+ * @switch_time: switch time the peer sent in its channel switch timing IE
+ * @switch_timout: switch timeout the peer sent in its channel switch timing IE
+ */
+struct iwl_tdls_channel_switch_timing {
+        __le32 frame_timestamp; /* GP2 time of peer packet Rx */
+        __le32 max_offchan_duration; /* given in micro-seconds */
+        __le32 switch_time; /* given in micro-seconds */
+        __le32 switch_timeout; /* given in micro-seconds */
+} __packed; /* TDLS_STA_CHANNEL_SWITCH_TIMING_DATA_API_S_VER_1 */
+#define IWL_TDLS_CH_SW_FRAME_MAX_SIZE 200
+/**
+ * TDLS channel switch frame template
+ *
+ * A template representing a TDLS channel-switch request or response frame
+ *
+ * @switch_time_offset: offset to the channel switch timing IE in the template
+ * @tx_cmd: Tx parameters for the frame
+ * @data: frame data
+ */
+struct iwl_tdls_channel_switch_frame {
+        __le32 switch_time_offset;
+        struct iwl_tx_cmd tx_cmd;
+        u8 data[IWL_TDLS_CH_SW_FRAME_MAX_SIZE];
+} __packed; /* TDLS_STA_CHANNEL_SWITCH_FRAME_API_S_VER_1 */
+/**
+ * TDLS channel switch command
+ *
+ * The command is sent to initiate a channel switch and also in response to
+ * incoming TDLS channel-switch request/response packets from remote peers.
+ *
+ * @switch_type: see &enum iwl_tdls_channel_switch_type
+ * @peer_sta_id: station id of TDLS peer
+ * @ci: channel we switch to
+ * @timing: timing related data for command
+ * @frame: channel-switch request/response template, depending to switch_type
+ */
+struct iwl_tdls_channel_switch_cmd {
+        u8 switch_type;
+        __le32 peer_sta_id;
+        struct iwl_fw_channel_info ci;
+        struct iwl_tdls_channel_switch_timing timing;
+        struct iwl_tdls_channel_switch_frame frame;
+} __packed; /* TDLS_STA_CHANNEL_SWITCH_CMD_API_S_VER_1 */
+/**
+ * TDLS channel switch start notification
+ *
+ * @status: non-zero on success
+ * @offchannel_duration: duration given in microseconds
+ * @sta_id: peer currently performing the channel-switch with
+ */
+struct iwl_tdls_channel_switch_notif {
+        __le32 status;
+        __le32 offchannel_duration;
+        __le32 sta_id;
+} __packed; /* TDLS_STA_CHANNEL_SWITCH_NTFY_API_S_VER_1 */
+/**
+ * TDLS station info
+ *
+ * @sta_id: station id of the TDLS peer
+ * @tx_to_peer_tid: TID reserved vs. the peer for FW based Tx
+ * @tx_to_peer_ssn: initial SSN the FW should use for Tx on its TID vs the peer
+ * @is_initiator: 1 if the peer is the TDLS link initiator, 0 otherwise
+ */
+struct iwl_tdls_sta_info {
+        u8 sta_id;
+        u8 tx_to_peer_tid;
+        __le16 tx_to_peer_ssn;
+        __le32 is_initiator;
+} __packed; /* TDLS_STA_INFO_VER_1 */
+/**
+ * TDLS basic config command
+ *
+ * @id_and_color: MAC id and color being configured
+ * @tdls_peer_count: amount of currently connected TDLS peers
+ * @tx_to_ap_tid: TID reverved vs. the AP for FW based Tx
+ * @tx_to_ap_ssn: initial SSN the FW should use for Tx on its TID vs. the AP
+ * @sta_info: per-station info. Only the first tdls_peer_count entries are set
+ * @pti_req_data_offset: offset of network-level data for the PTI template
+ * @pti_req_tx_cmd: Tx parameters for PTI request template
+ * @pti_req_template: PTI request template data
+ */
+struct iwl_tdls_config_cmd {
+        __le32 id_and_color; /* mac id and color */
+        u8 tdls_peer_count;
+        u8 tx_to_ap_tid;
+        __le16 tx_to_ap_ssn;
+        struct iwl_tdls_sta_info sta_info[IWL_MVM_TDLS_STA_COUNT];
+        __le32 pti_req_data_offset;
+        struct iwl_tx_cmd pti_req_tx_cmd;
+        u8 pti_req_template[0];
+} __packed; /* TDLS_CONFIG_CMD_API_S_VER_1 */
+/**
+ * TDLS per-station config information from FW
+ *
+ * @sta_id: station id of the TDLS peer
+ * @tx_to_peer_last_seq: last sequence number used by FW during FW-based Tx to
+ *      the peer
+ */
+struct iwl_tdls_config_sta_info_res {
+        __le16 sta_id;
+        __le16 tx_to_peer_last_seq;
+} __packed; /* TDLS_STA_INFO_RSP_VER_1 */
+/**
+ * TDLS config information from FW
+ *
+ * @tx_to_ap_last_seq: last sequence number used by FW during FW-based Tx to AP
+ * @sta_info: per-station TDLS config information
+ */
+struct iwl_tdls_config_res {
+        __le32 tx_to_ap_last_seq;
+        struct iwl_tdls_config_sta_info_res sta_info[IWL_MVM_TDLS_STA_COUNT];
+} __packed; /* TDLS_CONFIG_RSP_API_S_VER_1 */
 #endif /* __fw_api_h__ */
diff --git a/drivers/net/wireless/iwlwifi/mvm/fw.c b/drivers/net/wireless/iwlwifi/mvm/fw.c
index e0d9f19650b0..d0fa6e9ed590 100644
--- a/drivers/net/wireless/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/iwlwifi/mvm/fw.c
@@ -186,7 +186,12 @@ static int iwl_mvm_load_ucode_wait_alive(struct iwl_mvm *mvm,
        static const u8 alive_cmd[] = { MVM_ALIVE };
        struct iwl_sf_region st_fwrd_space;
-        fw = iwl_get_ucode_image(mvm, ucode_type);
+        if (ucode_type == IWL_UCODE_REGULAR &&
+            iwl_fw_dbg_conf_usniffer(mvm->fw, FW_DBG_CUSTOM) &&
+            iwl_fw_dbg_conf_enabled(mvm->fw, FW_DBG_CUSTOM))
+                fw = iwl_get_ucode_image(mvm, IWL_UCODE_REGULAR_USNIFFER);
+        else
+                fw = iwl_get_ucode_image(mvm, ucode_type);
        if (WARN_ON(!fw))
                return -EINVAL;
        mvm->cur_ucode = ucode_type;
@@ -227,6 +232,10 @@ static int iwl_mvm_load_ucode_wait_alive(struct iwl_mvm *mvm,
        st_fwrd_space.addr = mvm->sf_space.addr;
        st_fwrd_space.size = mvm->sf_space.size;
        ret = iwl_trans_update_sf(mvm->trans, &st_fwrd_space);
+        if (ret) {
+                IWL_ERR(mvm, "Failed to update SF size. ret %d\n", ret);
+                return ret;
+        }
        iwl_trans_fw_alive(mvm->trans, alive_data.scd_base_addr);
@@ -284,7 +293,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
        lockdep_assert_held(&mvm->mutex);
-        if (WARN_ON_ONCE(mvm->init_ucode_complete))
+        if (WARN_ON_ONCE(mvm->init_ucode_complete || mvm->calibrating))
                return 0;
        iwl_init_notification_wait(&mvm->notif_wait,
@@ -334,6 +343,8 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
                goto out;
        }
+        mvm->calibrating = true;
        /* Send TX valid antennas before triggering calibrations */
        ret = iwl_send_tx_ant_cfg(mvm, mvm->fw->valid_tx_ant);
        if (ret)
@@ -358,11 +369,17 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm, bool read_nvm)
                        MVM_UCODE_CALIB_TIMEOUT);
        if (!ret)
                mvm->init_ucode_complete = true;
+        if (ret && iwl_mvm_is_radio_killed(mvm)) {
+                IWL_DEBUG_RF_KILL(mvm, "RFKILL while calibrating.\n");
+                ret = 1;
+        }
        goto out;
 error:
        iwl_remove_notification(&mvm->notif_wait, &calib_wait);
 out:
+        mvm->calibrating = false;
        if (iwlmvm_mod_params.init_dbg && !mvm->nvm_data) {
                /* we want to debug INIT and we have no NVM - fake */
                mvm->nvm_data = kzalloc(sizeof(struct iwl_nvm_data) +
@@ -382,6 +399,42 @@ out:
        return ret;
 }
+static int iwl_mvm_start_fw_dbg_conf(struct iwl_mvm *mvm,
+                                     enum iwl_fw_dbg_conf conf_id)
+{
+        u8 *ptr;
+        int ret;
+        int i;
+        if (WARN_ONCE(conf_id >= ARRAY_SIZE(mvm->fw->dbg_conf_tlv),
+                      "Invalid configuration %d\n", conf_id))
+                return -EINVAL;
+        if (!mvm->fw->dbg_conf_tlv[conf_id])
+                return -EINVAL;
+        if (mvm->fw_dbg_conf != FW_DBG_INVALID)
+                IWL_WARN(mvm, "FW already configured (%d) - re-configuring\n",
+                         mvm->fw_dbg_conf);
+        /* Send all HCMDs for configuring the FW debug */
+        ptr = (void *)&mvm->fw->dbg_conf_tlv[conf_id]->hcmd;
+        for (i = 0; i < mvm->fw->dbg_conf_tlv[conf_id]->num_of_hcmds; i++) {
+                struct iwl_fw_dbg_conf_hcmd *cmd = (void *)ptr;
+                ret = iwl_mvm_send_cmd_pdu(mvm, cmd->id, 0,
+                                           le16_to_cpu(cmd->len), cmd->data);
+                if (ret)
+                        return ret;
+                ptr += sizeof(*cmd);
+                ptr += le16_to_cpu(cmd->len);
+        }
+        mvm->fw_dbg_conf = conf_id;
+        return ret;
+}
 int iwl_mvm_up(struct iwl_mvm *mvm)
 {
        int ret, i;
@@ -433,6 +486,9 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
        if (ret)
                IWL_ERR(mvm, "Failed to initialize Smart Fifo\n");
+        mvm->fw_dbg_conf = FW_DBG_INVALID;
+        iwl_mvm_start_fw_dbg_conf(mvm, FW_DBG_CUSTOM);
        ret = iwl_send_tx_ant_cfg(mvm, mvm->fw->valid_tx_ant);
        if (ret)
                goto error;
@@ -454,6 +510,8 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
        for (i = 0; i < IWL_MVM_STATION_COUNT; i++)
                RCU_INIT_POINTER(mvm->fw_id_to_mac_id[i], NULL);
+        mvm->tdls_cs.peer.sta_id = IWL_MVM_STATION_COUNT;
        /* reset quota debouncing buffer - 0xff will yield invalid data */
        memset(&mvm->last_quota_cmd, 0xff, sizeof(mvm->last_quota_cmd));
@@ -493,6 +551,12 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
        if (ret)
                goto error;
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN) {
+                ret = iwl_mvm_config_scan(mvm);
+                if (ret)
+                        goto error;
+        }
        /* allow FW/transport low power modes if not during restart */
        if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status))
                iwl_mvm_unref(mvm, IWL_MVM_REF_UCODE_DOWN);
@@ -579,3 +643,19 @@ int iwl_mvm_rx_radio_ver(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
                       le32_to_cpu(radio_version->radio_dash));
        return 0;
 }
+int iwl_mvm_rx_mfuart_notif(struct iwl_mvm *mvm,
+                            struct iwl_rx_cmd_buffer *rxb,
+                            struct iwl_device_cmd *cmd)
+{
+        struct iwl_rx_packet *pkt = rxb_addr(rxb);
+        struct iwl_mfuart_load_notif *mfuart_notif = (void *)pkt->data;
+        IWL_DEBUG_INFO(mvm,
+                       "MFUART: installed ver: 0x%08x, external ver: 0x%08x, status: 0x%08x, duration: 0x%08x\n",
+                       le32_to_cpu(mfuart_notif->installed_ver),
+                       le32_to_cpu(mfuart_notif->external_ver),
+                       le32_to_cpu(mfuart_notif->status),
+                       le32_to_cpu(mfuart_notif->duration));
+        return 0;
+}
diff --git a/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
index b8ab4a108720..f6d86ccce6a8 100644
--- a/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac-ctxt.c
@@ -83,11 +83,15 @@ struct iwl_mvm_mac_iface_iterator_data {
        struct ieee80211_vif *vif;
        unsigned long available_mac_ids[BITS_TO_LONGS(NUM_MAC_INDEX_DRIVER)];
        unsigned long available_tsf_ids[BITS_TO_LONGS(NUM_TSF_IDS)];
-        u32 used_hw_queues;
        enum iwl_tsf_id preferred_tsf;
        bool found_vif;
 };
+struct iwl_mvm_hw_queues_iface_iterator_data {
+        struct ieee80211_vif *exclude_vif;
+        unsigned long used_hw_queues;
+};
 static void iwl_mvm_mac_tsf_id_iter(void *_data, u8 *mac,
                                    struct ieee80211_vif *vif)
 {
@@ -213,6 +217,54 @@ u32 iwl_mvm_mac_get_queues_mask(struct ieee80211_vif *vif)
        return qmask;
 }
+static void iwl_mvm_iface_hw_queues_iter(void *_data, u8 *mac,
+                                         struct ieee80211_vif *vif)
+{
+        struct iwl_mvm_hw_queues_iface_iterator_data *data = _data;
+        /* exclude the given vif */
+        if (vif == data->exclude_vif)
+                return;
+        data->used_hw_queues |= iwl_mvm_mac_get_queues_mask(vif);
+}
+static void iwl_mvm_mac_sta_hw_queues_iter(void *_data,
+                                           struct ieee80211_sta *sta)
+{
+        struct iwl_mvm_hw_queues_iface_iterator_data *data = _data;
+        struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        /* Mark the queues used by the sta */
+        data->used_hw_queues |= mvmsta->tfd_queue_msk;
+}
+unsigned long iwl_mvm_get_used_hw_queues(struct iwl_mvm *mvm,
+                                         struct ieee80211_vif *exclude_vif)
+{
+        struct iwl_mvm_hw_queues_iface_iterator_data data = {
+                .exclude_vif = exclude_vif,
+                .used_hw_queues =
+                        BIT(IWL_MVM_OFFCHANNEL_QUEUE) |
+                        BIT(mvm->aux_queue) |
+                        BIT(IWL_MVM_CMD_QUEUE),
+        };
+        lockdep_assert_held(&mvm->mutex);
+        /* mark all VIF used hw queues */
+        ieee80211_iterate_active_interfaces_atomic(
+                mvm->hw, IEEE80211_IFACE_ITER_RESUME_ALL,
+                iwl_mvm_iface_hw_queues_iter, &data);
+        /* don't assign the same hw queues as TDLS stations */
+        ieee80211_iterate_stations_atomic(mvm->hw,
+                                          iwl_mvm_mac_sta_hw_queues_iter,
+                                          &data);
+        return data.used_hw_queues;
+}
 static void iwl_mvm_mac_iface_iterator(void *_data, u8 *mac,
                                       struct ieee80211_vif *vif)
 {
@@ -225,9 +277,6 @@ static void iwl_mvm_mac_iface_iterator(void *_data, u8 *mac,
                return;
        }
-        /* Mark the queues used by the vif */
-        data->used_hw_queues |= iwl_mvm_mac_get_queues_mask(vif);
        /* Mark MAC IDs as used by clearing the available bit, and
         * (below) mark TSFs as used if their existing use is not
         * compatible with the new interface type.
@@ -274,10 +323,6 @@ static int iwl_mvm_mac_ctxt_allocate_resources(struct iwl_mvm *mvm,
                .available_tsf_ids = { (1 << NUM_TSF_IDS) - 1 },
                /* no preference yet */
                .preferred_tsf = NUM_TSF_IDS,
-                .used_hw_queues =
-                        BIT(IWL_MVM_OFFCHANNEL_QUEUE) |
-                        BIT(mvm->aux_queue) |
-                        BIT(IWL_MVM_CMD_QUEUE),
                .found_vif = false,
        };
        u32 ac;
@@ -316,6 +361,8 @@ static int iwl_mvm_mac_ctxt_allocate_resources(struct iwl_mvm *mvm,
                mvm->hw, IEEE80211_IFACE_ITER_RESUME_ALL,
                iwl_mvm_mac_iface_iterator, &data);
+        used_hw_queues = iwl_mvm_get_used_hw_queues(mvm, vif);
        /*
         * In the case we're getting here during resume, it's similar to
         * firmware restart, and with RESUME_ALL the iterator will find
@@ -365,8 +412,6 @@ static int iwl_mvm_mac_ctxt_allocate_resources(struct iwl_mvm *mvm,
                return 0;
        }
-        used_hw_queues = data.used_hw_queues;
        /* Find available queues, and allocate them to the ACs */
        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                u8 queue = find_first_zero_bit(&used_hw_queues,
@@ -1218,17 +1263,25 @@ int iwl_mvm_mac_ctxt_remove(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
 }
 static void iwl_mvm_csa_count_down(struct iwl_mvm *mvm,
-                                   struct ieee80211_vif *csa_vif, u32 gp2)
+                                   struct ieee80211_vif *csa_vif, u32 gp2,
+                                   bool tx_success)
 {
        struct iwl_mvm_vif *mvmvif =
                        iwl_mvm_vif_from_mac80211(csa_vif);
+        /* Don't start to countdown from a failed beacon */
+        if (!tx_success && !mvmvif->csa_countdown)
+                return;
+        mvmvif->csa_countdown = true;
        if (!ieee80211_csa_is_complete(csa_vif)) {
                int c = ieee80211_csa_update_counter(csa_vif);
                iwl_mvm_mac_ctxt_beacon_changed(mvm, csa_vif);
                if (csa_vif->p2p &&
-                    !iwl_mvm_te_scheduled(&mvmvif->time_event_data) && gp2) {
+                    !iwl_mvm_te_scheduled(&mvmvif->time_event_data) && gp2 &&
+                    tx_success) {
                        u32 rel_time = (c + 1) *
                                       csa_vif->bss_conf.beacon_int -
                                       IWL_MVM_CHANNEL_SWITCH_TIME_GO;
@@ -1251,38 +1304,30 @@ int iwl_mvm_rx_beacon_notif(struct iwl_mvm *mvm,
                            struct iwl_device_cmd *cmd)
 {
        struct iwl_rx_packet *pkt = rxb_addr(rxb);
+        struct iwl_extended_beacon_notif *beacon = (void *)pkt->data;
        struct iwl_mvm_tx_resp *beacon_notify_hdr;
        struct ieee80211_vif *csa_vif;
        struct ieee80211_vif *tx_blocked_vif;
-        u64 tsf;
+        u16 status;
        lockdep_assert_held(&mvm->mutex);
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_CAPA_EXTENDED_BEACON) {
+        beacon_notify_hdr = &beacon->beacon_notify_hdr;
-                struct iwl_extended_beacon_notif *beacon = (void *)pkt->data;
+        mvm->ap_last_beacon_gp2 = le32_to_cpu(beacon->gp2);
-                beacon_notify_hdr = &beacon->beacon_notify_hdr;
-                tsf = le64_to_cpu(beacon->tsf);
-                mvm->ap_last_beacon_gp2 = le32_to_cpu(beacon->gp2);
-        } else {
-                struct iwl_beacon_notif *beacon = (void *)pkt->data;
-                beacon_notify_hdr = &beacon->beacon_notify_hdr;
-                tsf = le64_to_cpu(beacon->tsf);
-        }
+        status = le16_to_cpu(beacon_notify_hdr->status.status) & TX_STATUS_MSK;
        IWL_DEBUG_RX(mvm,
                     "beacon status %#x retries:%d tsf:0x%16llX gp2:0x%X rate:%d\n",
-                     le16_to_cpu(beacon_notify_hdr->status.status) &
+                     status, beacon_notify_hdr->failure_frame,
-                                                                TX_STATUS_MSK,
+                     le64_to_cpu(beacon->tsf),
-                     beacon_notify_hdr->failure_frame, tsf,
                     mvm->ap_last_beacon_gp2,
                     le32_to_cpu(beacon_notify_hdr->initial_rate));
        csa_vif = rcu_dereference_protected(mvm->csa_vif,
                                            lockdep_is_held(&mvm->mutex));
        if (unlikely(csa_vif && csa_vif->csa_active))
-                iwl_mvm_csa_count_down(mvm, csa_vif, mvm->ap_last_beacon_gp2);
+                iwl_mvm_csa_count_down(mvm, csa_vif, mvm->ap_last_beacon_gp2,
+                                       (status == TX_STATUS_SUCCESS));
        tx_blocked_vif = rcu_dereference_protected(mvm->csa_tx_blocked_vif,
                                                lockdep_is_held(&mvm->mutex));
diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
index 3276b31898da..31a5b3f4266c 100644
--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -254,6 +254,26 @@ static void iwl_mvm_unref_all_except(struct iwl_mvm *mvm,
        spin_unlock_bh(&mvm->refs_lock);
 }
+bool iwl_mvm_ref_taken(struct iwl_mvm *mvm)
+{
+        int i;
+        bool taken = false;
+        if (!iwl_mvm_is_d0i3_supported(mvm))
+                return true;
+        spin_lock_bh(&mvm->refs_lock);
+        for (i = 0; i < IWL_MVM_REF_COUNT; i++) {
+                if (mvm->refs[i]) {
+                        taken = true;
+                        break;
+                }
+        }
+        spin_unlock_bh(&mvm->refs_lock);
+        return taken;
+}
 int iwl_mvm_ref_sync(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type)
 {
        iwl_mvm_ref(mvm, ref_type);
@@ -303,7 +323,8 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
        hw->offchannel_tx_hw_queue = IWL_MVM_OFFCHANNEL_QUEUE;
        hw->radiotap_mcs_details |= IEEE80211_RADIOTAP_MCS_HAVE_FEC |
                                    IEEE80211_RADIOTAP_MCS_HAVE_STBC;
-        hw->radiotap_vht_details |= IEEE80211_RADIOTAP_VHT_KNOWN_STBC;
+        hw->radiotap_vht_details |= IEEE80211_RADIOTAP_VHT_KNOWN_STBC |
+                IEEE80211_RADIOTAP_VHT_KNOWN_BEAMFORMED;
        hw->rate_control_algorithm = "iwl-mvm-rs";
        /*
@@ -316,15 +337,19 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
                hw->flags |= IEEE80211_HW_MFP_CAPABLE;
        if (mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_UAPSD_SUPPORT &&
-            IWL_UCODE_API(mvm->fw->ucode_ver) >= 9 &&
            !iwlwifi_mod_params.uapsd_disable) {
                hw->flags |= IEEE80211_HW_SUPPORTS_UAPSD;
                hw->uapsd_queues = IWL_MVM_UAPSD_QUEUES;
                hw->uapsd_max_sp_len = IWL_UAPSD_MAX_SP;
        }
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
+        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN ||
+            mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN) {
                hw->flags |= IEEE80211_SINGLE_HW_SCAN_ON_ALL_BANDS;
+                hw->wiphy->features |=
+                        NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR |
+                        NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
+        }
        hw->sta_data_size = sizeof(struct iwl_mvm_sta);
        hw->vif_data_size = sizeof(struct iwl_mvm_vif);
@@ -344,8 +369,7 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
        if (mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_GO_UAPSD)
                hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_CSA_FLOW)
+        hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
-                hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
        hw->wiphy->iface_combinations = iwl_mvm_iface_combinations;
        hw->wiphy->n_iface_combinations =
@@ -403,7 +427,8 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
                               NL80211_FEATURE_LOW_PRIORITY_SCAN |
                               NL80211_FEATURE_P2P_GO_OPPPS |
                               NL80211_FEATURE_DYNAMIC_SMPS |
-                               NL80211_FEATURE_STATIC_SMPS;
+                               NL80211_FEATURE_STATIC_SMPS |
+                               NL80211_FEATURE_SUPPORTS_WMM_ADMISSION;
        if (mvm->fw->ucode_capa.capa[0] &
            IWL_UCODE_TLV_CAPA_TXPOWER_INSERTION_SUPPORT)
@@ -441,7 +466,8 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
                mvm->wowlan.flags = WIPHY_WOWLAN_MAGIC_PKT |
                                    WIPHY_WOWLAN_DISCONNECT |
                                    WIPHY_WOWLAN_EAP_IDENTITY_REQ |
-                                    WIPHY_WOWLAN_RFKILL_RELEASE;
+                                    WIPHY_WOWLAN_RFKILL_RELEASE |
+                                    WIPHY_WOWLAN_NET_DETECT;
                if (!iwlwifi_mod_params.sw_crypto)
                        mvm->wowlan.flags |= WIPHY_WOWLAN_SUPPORTS_GTK_REKEY |
                                             WIPHY_WOWLAN_GTK_REKEY_FAILURE |
@@ -450,6 +476,7 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
                mvm->wowlan.n_patterns = IWL_WOWLAN_MAX_PATTERNS;
                mvm->wowlan.pattern_min_len = IWL_WOWLAN_MIN_PATTERN_LEN;
                mvm->wowlan.pattern_max_len = IWL_WOWLAN_MAX_PATTERN_LEN;
+                mvm->wowlan.max_nd_match_sets = IWL_SCAN_MAX_PROFILES;
                mvm->wowlan.tcp = &iwl_mvm_wowlan_tcp_support;
                hw->wiphy->wowlan = &mvm->wowlan;
        }
@@ -464,6 +491,17 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
        if (ret)
                return ret;
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_TDLS_SUPPORT) {
+                IWL_DEBUG_TDLS(mvm, "TDLS supported\n");
+                hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_TDLS;
+        }
+        if (mvm->fw->ucode_capa.capa[0] &
+            IWL_UCODE_TLV_CAPA_TDLS_CHANNEL_SWITCH) {
+                IWL_DEBUG_TDLS(mvm, "TDLS channel switch supported\n");
+                hw->wiphy->features |= NL80211_FEATURE_TDLS_CHANNEL_SWITCH;
+        }
        ret = ieee80211_register_hw(mvm->hw);
        if (ret)
                iwl_mvm_leds_exit(mvm);
@@ -819,12 +857,18 @@ void iwl_mvm_fw_error_dump(struct iwl_mvm *mvm)
 static void iwl_mvm_restart_cleanup(struct iwl_mvm *mvm)
 {
-        iwl_mvm_fw_error_dump(mvm);
+        /* clear the D3 reconfig, we only need it to avoid dumping a
+         * firmware coredump on reconfiguration, we shouldn't do that
+         * on D3->D0 transition
+         */
+        if (!test_and_clear_bit(IWL_MVM_STATUS_D3_RECONFIG, &mvm->status))
+                iwl_mvm_fw_error_dump(mvm);
        iwl_trans_stop_device(mvm->trans);
        mvm->scan_status = IWL_MVM_SCAN_NONE;
        mvm->ps_disabled = false;
+        mvm->calibrating = false;
        /* just in case one was running */
        ieee80211_remain_on_channel_expired(mvm->hw);
@@ -839,6 +883,7 @@ static void iwl_mvm_restart_cleanup(struct iwl_mvm *mvm)
        iwl_mvm_reset_phy_ctxts(mvm);
        memset(mvm->fw_key_table, 0, sizeof(mvm->fw_key_table));
        memset(mvm->sta_drained, 0, sizeof(mvm->sta_drained));
+        memset(mvm->tfd_drained, 0, sizeof(mvm->tfd_drained));
        memset(&mvm->last_bt_notif, 0, sizeof(mvm->last_bt_notif));
        memset(&mvm->last_bt_notif_old, 0, sizeof(mvm->last_bt_notif_old));
        memset(&mvm->last_bt_ci_cmd, 0, sizeof(mvm->last_bt_ci_cmd));
@@ -895,9 +940,8 @@ static int iwl_mvm_mac_start(struct ieee80211_hw *hw)
        return ret;
 }
-static void iwl_mvm_mac_restart_complete(struct ieee80211_hw *hw)
+static void iwl_mvm_restart_complete(struct iwl_mvm *mvm)
 {
-        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
        int ret;
        mutex_lock(&mvm->mutex);
@@ -912,9 +956,50 @@ static void iwl_mvm_mac_restart_complete(struct ieee80211_hw *hw)
        /* allow transport/FW low power modes */
        iwl_mvm_unref(mvm, IWL_MVM_REF_UCODE_DOWN);
+        /*
+         * If we have TDLS peers, remove them. We don't know the last seqno/PN
+         * of packets the FW sent out, so we must reconnect.
+         */
+        iwl_mvm_teardown_tdls_peers(mvm);
        mutex_unlock(&mvm->mutex);
 }
+static void iwl_mvm_resume_complete(struct iwl_mvm *mvm)
+{
+        bool exit_now;
+        if (!iwl_mvm_is_d0i3_supported(mvm))
+                return;
+        mutex_lock(&mvm->d0i3_suspend_mutex);
+        __clear_bit(D0I3_DEFER_WAKEUP, &mvm->d0i3_suspend_flags);
+        exit_now = __test_and_clear_bit(D0I3_PENDING_WAKEUP,
+                                        &mvm->d0i3_suspend_flags);
+        mutex_unlock(&mvm->d0i3_suspend_mutex);
+        if (exit_now) {
+                IWL_DEBUG_RPM(mvm, "Run deferred d0i3 exit\n");
+                _iwl_mvm_exit_d0i3(mvm);
+        }
+}
+static void
+iwl_mvm_mac_reconfig_complete(struct ieee80211_hw *hw,
+                              enum ieee80211_reconfig_type reconfig_type)
+{
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        switch (reconfig_type) {
+        case IEEE80211_RECONFIG_TYPE_RESTART:
+                iwl_mvm_restart_complete(mvm);
+                break;
+        case IEEE80211_RECONFIG_TYPE_SUSPEND:
+                iwl_mvm_resume_complete(mvm);
+                break;
+        }
+}
 void __iwl_mvm_mac_stop(struct iwl_mvm *mvm)
 {
        lockdep_assert_held(&mvm->mutex);
@@ -1874,9 +1959,11 @@ static int iwl_mvm_mac_hw_scan(struct ieee80211_hw *hw,
            req->n_channels > mvm->fw->ucode_capa.n_scan_channels)
                return -EINVAL;
-        ret = iwl_mvm_cancel_scan_wait_notif(mvm, IWL_MVM_SCAN_SCHED);
+        if (!(mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)) {
-        if (ret)
+                ret = iwl_mvm_cancel_scan_wait_notif(mvm, IWL_MVM_SCAN_SCHED);
-                return ret;
+                if (ret)
+                        return ret;
+        }
        mutex_lock(&mvm->mutex);
@@ -1887,7 +1974,9 @@ static int iwl_mvm_mac_hw_scan(struct ieee80211_hw *hw,
        iwl_mvm_ref(mvm, IWL_MVM_REF_SCAN);
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)
+                ret = iwl_mvm_scan_umac(mvm, vif, hw_req);
+        else if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
                ret = iwl_mvm_unified_scan_lmac(mvm, vif, hw_req);
        else
                ret = iwl_mvm_scan_request(mvm, vif, req);
@@ -2104,6 +2193,15 @@ static int iwl_mvm_mac_sta_state(struct ieee80211_hw *hw,
 out_unlock:
        mutex_unlock(&mvm->mutex);
+        if (sta->tdls && ret == 0) {
+                if (old_state == IEEE80211_STA_NOTEXIST &&
+                    new_state == IEEE80211_STA_NONE)
+                        ieee80211_reserve_tid(sta, IWL_MVM_TDLS_FW_TID);
+                else if (old_state == IEEE80211_STA_NONE &&
+                         new_state == IEEE80211_STA_NOTEXIST)
+                        ieee80211_unreserve_tid(sta, IWL_MVM_TDLS_FW_TID);
+        }
        return ret;
 }
@@ -2186,9 +2284,11 @@ static int iwl_mvm_mac_sched_scan_start(struct ieee80211_hw *hw,
        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
        int ret;
-        ret = iwl_mvm_cancel_scan_wait_notif(mvm, IWL_MVM_SCAN_OS);
+        if (!(mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)) {
-        if (ret)
+                ret = iwl_mvm_cancel_scan_wait_notif(mvm, IWL_MVM_SCAN_OS);
-                return ret;
+                if (ret)
+                        return ret;
+        }
        mutex_lock(&mvm->mutex);
@@ -2208,11 +2308,10 @@ static int iwl_mvm_mac_sched_scan_start(struct ieee80211_hw *hw,
                goto out;
        }
-        mvm->scan_status = IWL_MVM_SCAN_SCHED;
        ret = iwl_mvm_scan_offload_start(mvm, vif, req, ies);
        if (ret)
                mvm->scan_status = IWL_MVM_SCAN_NONE;
 out:
        mutex_unlock(&mvm->mutex);
        return ret;
@@ -2230,6 +2329,7 @@ static int iwl_mvm_mac_sched_scan_stop(struct ieee80211_hw *hw,
        iwl_mvm_wait_for_async_handlers(mvm);
        return ret;
 }
 static int iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
@@ -2258,12 +2358,16 @@ static int iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
                break;
        case WLAN_CIPHER_SUITE_WEP40:
        case WLAN_CIPHER_SUITE_WEP104:
-                /*
+                /* For non-client mode, only use WEP keys for TX as we probably
-                 * Support for TX only, at least for now, so accept
+                 * don't have a station yet anyway and would then have to keep
-                 * the key and do nothing else. Then mac80211 will
+                 * track of the keys, linking them to each of the clients/peers
-                 * pass it for TX but we don't have to use it for RX.
+                 * as they appear. For now, don't do that, for performance WEP
+                 * offload doesn't really matter much, but we need it for some
+                 * other offload features in client mode.
                 */
-                return 0;
+                if (vif->type != NL80211_IFTYPE_STATION)
+                        return 0;
+                break;
        default:
                /* currently FW supports only one optional cipher scheme */
                if (hw->n_cipher_schemes &&
@@ -2471,9 +2575,15 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw,
        switch (vif->type) {
        case NL80211_IFTYPE_STATION:
-                /* Use aux roc framework (HS20) */
+                if (mvm->fw->ucode_capa.capa[0] &
-                ret = iwl_mvm_send_aux_roc_cmd(mvm, channel,
+                    IWL_UCODE_TLV_CAPA_HOTSPOT_SUPPORT) {
-                                               vif, duration);
+                        /* Use aux roc framework (HS20) */
+                        ret = iwl_mvm_send_aux_roc_cmd(mvm, channel,
+                                                       vif, duration);
+                        goto out_unlock;
+                }
+                IWL_ERR(mvm, "hotspot not supported\n");
+                ret = -EINVAL;
                goto out_unlock;
        case NL80211_IFTYPE_P2P_DEVICE:
                /* handle below */
@@ -2580,7 +2690,7 @@ static int iwl_mvm_cancel_roc(struct ieee80211_hw *hw)
        IWL_DEBUG_MAC80211(mvm, "enter\n");
        mutex_lock(&mvm->mutex);
-        iwl_mvm_stop_p2p_roc(mvm);
+        iwl_mvm_stop_roc(mvm);
        mutex_unlock(&mvm->mutex);
        IWL_DEBUG_MAC80211(mvm, "leave\n");
@@ -2693,8 +2803,8 @@ static int __iwl_mvm_assign_vif_chanctx(struct iwl_mvm *mvm,
        switch (vif->type) {
        case NL80211_IFTYPE_AP:
-                /* Unless it's a CSA flow we have nothing to do here */
+                /* only needed if we're switching chanctx (i.e. during CSA) */
-                if (vif->csa_active) {
+                if (switching_chanctx) {
                        mvmvif->ap_ibss_active = true;
                        break;
                }
@@ -2738,23 +2848,32 @@ static int __iwl_mvm_assign_vif_chanctx(struct iwl_mvm *mvm,
        }
        /* Handle binding during CSA */
-        if ((vif->type == NL80211_IFTYPE_AP) ||
+        if (vif->type == NL80211_IFTYPE_AP) {
-            (switching_chanctx && (vif->type == NL80211_IFTYPE_STATION))) {
                iwl_mvm_update_quotas(mvm, NULL);
                iwl_mvm_mac_ctxt_changed(mvm, vif, false, NULL);
        }
-        if (vif->csa_active && vif->type == NL80211_IFTYPE_STATION) {
+        if (switching_chanctx && vif->type == NL80211_IFTYPE_STATION) {
-                struct iwl_mvm_sta *mvmsta;
+                u32 duration = 2 * vif->bss_conf.beacon_int;
-                mvmsta = iwl_mvm_sta_from_staid_protected(mvm,
+                /* iwl_mvm_protect_session() reads directly from the
-                                                          mvmvif->ap_sta_id);
+                 * device (the system time), so make sure it is
+                 * available.
+                 */
+                ret = iwl_mvm_ref_sync(mvm, IWL_MVM_REF_PROTECT_CSA);
+                if (ret)
+                        goto out_remove_binding;
-                if (WARN_ON(!mvmsta))
+                /* Protect the session to make sure we hear the first
-                        goto out;
+                 * beacon on the new channel.
+                 */
+                iwl_mvm_protect_session(mvm, vif, duration, duration,
+                                        vif->bss_conf.beacon_int / 2,
+                                        true);
-                /* TODO: only re-enable after the first beacon */
+                iwl_mvm_unref(mvm, IWL_MVM_REF_PROTECT_CSA);
-                iwl_mvm_sta_modify_disable_tx(mvm, mvmsta, false);
+                iwl_mvm_update_quotas(mvm, NULL);
        }
        goto out;
@@ -2788,7 +2907,6 @@ static void __iwl_mvm_unassign_vif_chanctx(struct iwl_mvm *mvm,
 {
        struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
        struct ieee80211_vif *disabled_vif = NULL;
-        struct iwl_mvm_sta *mvmsta;
        lockdep_assert_held(&mvm->mutex);
@@ -2803,9 +2921,11 @@ static void __iwl_mvm_unassign_vif_chanctx(struct iwl_mvm *mvm,
                break;
        case NL80211_IFTYPE_AP:
                /* This part is triggered only during CSA */
-                if (!vif->csa_active || !mvmvif->ap_ibss_active)
+                if (!switching_chanctx || !mvmvif->ap_ibss_active)
                        goto out;
+                mvmvif->csa_countdown = false;
                /* Set CS bit on all the stations */
                iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, true);
@@ -2820,12 +2940,6 @@ static void __iwl_mvm_unassign_vif_chanctx(struct iwl_mvm *mvm,
                disabled_vif = vif;
-                mvmsta = iwl_mvm_sta_from_staid_protected(mvm,
-                                                          mvmvif->ap_sta_id);
-                if (!WARN_ON(!mvmsta))
-                        iwl_mvm_sta_modify_disable_tx(mvm, mvmsta, true);
                iwl_mvm_mac_ctxt_changed(mvm, vif, true, NULL);
                break;
        default:
@@ -2851,18 +2965,12 @@ static void iwl_mvm_unassign_vif_chanctx(struct ieee80211_hw *hw,
        mutex_unlock(&mvm->mutex);
 }
-static int iwl_mvm_switch_vif_chanctx(struct ieee80211_hw *hw,
+static int
-                                      struct ieee80211_vif_chanctx_switch *vifs,
+iwl_mvm_switch_vif_chanctx_swap(struct iwl_mvm *mvm,
-                                      int n_vifs,
+                                struct ieee80211_vif_chanctx_switch *vifs)
-                                      enum ieee80211_chanctx_switch_mode mode)
 {
-        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
        int ret;
-        /* we only support SWAP_CONTEXTS and with a single-vif right now */
-        if (mode != CHANCTX_SWMODE_SWAP_CONTEXTS || n_vifs > 1)
-                return -EOPNOTSUPP;
        mutex_lock(&mvm->mutex);
        __iwl_mvm_unassign_vif_chanctx(mvm, vifs[0].vif, vifs[0].old_ctx, true);
        __iwl_mvm_remove_chanctx(mvm, vifs[0].old_ctx);
@@ -2891,15 +2999,51 @@ out_remove:
        __iwl_mvm_remove_chanctx(mvm, vifs[0].new_ctx);
 out_reassign:
-        ret = __iwl_mvm_add_chanctx(mvm, vifs[0].old_ctx);
+        if (__iwl_mvm_add_chanctx(mvm, vifs[0].old_ctx)) {
-        if (ret) {
                IWL_ERR(mvm, "failed to add old_ctx back after failure.\n");
                goto out_restart;
        }
-        ret = __iwl_mvm_assign_vif_chanctx(mvm, vifs[0].vif, vifs[0].old_ctx,
+        if (__iwl_mvm_assign_vif_chanctx(mvm, vifs[0].vif, vifs[0].old_ctx,
+                                         true)) {
+                IWL_ERR(mvm, "failed to reassign old_ctx after failure.\n");
+                goto out_restart;
+        }
+        goto out;
+out_restart:
+        /* things keep failing, better restart the hw */
+        iwl_mvm_nic_restart(mvm, false);
+out:
+        mutex_unlock(&mvm->mutex);
+        return ret;
+}
+static int
+iwl_mvm_switch_vif_chanctx_reassign(struct iwl_mvm *mvm,
+                                    struct ieee80211_vif_chanctx_switch *vifs)
+{
+        int ret;
+        mutex_lock(&mvm->mutex);
+        __iwl_mvm_unassign_vif_chanctx(mvm, vifs[0].vif, vifs[0].old_ctx, true);
+        ret = __iwl_mvm_assign_vif_chanctx(mvm, vifs[0].vif, vifs[0].new_ctx,
                                           true);
        if (ret) {
+                IWL_ERR(mvm,
+                        "failed to assign new_ctx during channel switch\n");
+                goto out_reassign;
+        }
+        goto out;
+out_reassign:
+        if (__iwl_mvm_assign_vif_chanctx(mvm, vifs[0].vif, vifs[0].old_ctx,
+                                         true)) {
                IWL_ERR(mvm, "failed to reassign old_ctx after failure.\n");
                goto out_restart;
        }
@@ -2912,6 +3056,34 @@ out_restart:
 out:
        mutex_unlock(&mvm->mutex);
+        return ret;
+}
+static int iwl_mvm_switch_vif_chanctx(struct ieee80211_hw *hw,
+                                      struct ieee80211_vif_chanctx_switch *vifs,
+                                      int n_vifs,
+                                      enum ieee80211_chanctx_switch_mode mode)
+{
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        int ret;
+        /* we only support a single-vif right now */
+        if (n_vifs > 1)
+                return -EOPNOTSUPP;
+        switch (mode) {
+        case CHANCTX_SWMODE_SWAP_CONTEXTS:
+                ret = iwl_mvm_switch_vif_chanctx_swap(mvm, vifs);
+                break;
+        case CHANCTX_SWMODE_REASSIGN_VIF:
+                ret = iwl_mvm_switch_vif_chanctx_reassign(mvm, vifs);
+                break;
+        default:
+                ret = -EOPNOTSUPP;
+                break;
+        }
        return ret;
 }
@@ -2997,27 +3169,134 @@ static int iwl_mvm_mac_testmode_cmd(struct ieee80211_hw *hw,
 }
 #endif
-static void iwl_mvm_channel_switch_beacon(struct ieee80211_hw *hw,
+static void iwl_mvm_channel_switch(struct ieee80211_hw *hw,
-                                          struct ieee80211_vif *vif,
+                                   struct ieee80211_vif *vif,
-                                          struct cfg80211_chan_def *chandef)
+                                   struct ieee80211_channel_switch *chsw)
+{
+        /* By implementing this operation, we prevent mac80211 from
+         * starting its own channel switch timer, so that we can call
+         * ieee80211_chswitch_done() ourselves at the right time
+         * (which is when the absence time event starts).
+         */
+        IWL_DEBUG_MAC80211(IWL_MAC80211_GET_MVM(hw),
+                           "dummy channel switch op\n");
+}
+static int iwl_mvm_pre_channel_switch(struct ieee80211_hw *hw,
+                                      struct ieee80211_vif *vif,
+                                      struct ieee80211_channel_switch *chsw)
 {
        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
        struct ieee80211_vif *csa_vif;
+        struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+        u32 apply_time;
+        int ret;
        mutex_lock(&mvm->mutex);
-        csa_vif = rcu_dereference_protected(mvm->csa_vif,
+        IWL_DEBUG_MAC80211(mvm, "pre CSA to freq %d\n",
-                                            lockdep_is_held(&mvm->mutex));
+                           chsw->chandef.center_freq1);
-        if (WARN(csa_vif && csa_vif->csa_active,
-                 "Another CSA is already in progress"))
+        switch (vif->type) {
+        case NL80211_IFTYPE_AP:
+                csa_vif =
+                        rcu_dereference_protected(mvm->csa_vif,
+                                                  lockdep_is_held(&mvm->mutex));
+                if (WARN_ONCE(csa_vif && csa_vif->csa_active,
+                              "Another CSA is already in progress")) {
+                        ret = -EBUSY;
+                        goto out_unlock;
+                }
+                rcu_assign_pointer(mvm->csa_vif, vif);
+                if (WARN_ONCE(mvmvif->csa_countdown,
+                              "Previous CSA countdown didn't complete")) {
+                        ret = -EBUSY;
+                        goto out_unlock;
+                }
+                break;
+        case NL80211_IFTYPE_STATION:
+                /* Schedule the time event to a bit before beacon 1,
+                 * to make sure we're in the new channel when the
+                 * GO/AP arrives.
+                 */
+                apply_time = chsw->device_timestamp +
+                        ((vif->bss_conf.beacon_int * (chsw->count - 1) -
+                          IWL_MVM_CHANNEL_SWITCH_TIME_CLIENT) * 1024);
+                if (chsw->block_tx)
+                        iwl_mvm_csa_client_absent(mvm, vif);
+                iwl_mvm_schedule_csa_period(mvm, vif, vif->bss_conf.beacon_int,
+                                            apply_time);
+                if (mvmvif->bf_data.bf_enabled) {
+                        ret = iwl_mvm_disable_beacon_filter(mvm, vif, 0);
+                        if (ret)
+                                goto out_unlock;
+                }
+                break;
+        default:
+                break;
+        }
+        mvmvif->ps_disabled = true;
+        ret = iwl_mvm_power_update_ps(mvm);
+        if (ret)
                goto out_unlock;
-        IWL_DEBUG_MAC80211(mvm, "CSA started to freq %d\n",
+        /* we won't be on this channel any longer */
-                           chandef->center_freq1);
+        iwl_mvm_teardown_tdls_peers(mvm);
-        rcu_assign_pointer(mvm->csa_vif, vif);
+out_unlock:
+        mutex_unlock(&mvm->mutex);
+        return ret;
+}
+static int iwl_mvm_post_channel_switch(struct ieee80211_hw *hw,
+                                       struct ieee80211_vif *vif)
+{
+        struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        int ret;
+        mutex_lock(&mvm->mutex);
+        if (vif->type == NL80211_IFTYPE_STATION) {
+                struct iwl_mvm_sta *mvmsta;
+                mvmsta = iwl_mvm_sta_from_staid_protected(mvm,
+                                                          mvmvif->ap_sta_id);
+                if (WARN_ON(!mvmsta)) {
+                        ret = -EIO;
+                        goto out_unlock;
+                }
+                iwl_mvm_sta_modify_disable_tx(mvm, mvmsta, false);
+                iwl_mvm_mac_ctxt_changed(mvm, vif, false, NULL);
+                ret = iwl_mvm_enable_beacon_filter(mvm, vif, 0);
+                if (ret)
+                        goto out_unlock;
+                iwl_mvm_stop_session_protection(mvm, vif);
+        }
+        mvmvif->ps_disabled = false;
+        ret = iwl_mvm_power_update_ps(mvm);
 out_unlock:
        mutex_unlock(&mvm->mutex);
+        return ret;
 }
 static void iwl_mvm_mac_flush(struct ieee80211_hw *hw,
@@ -3026,31 +3305,44 @@ static void iwl_mvm_mac_flush(struct ieee80211_hw *hw,
        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
        struct iwl_mvm_vif *mvmvif;
        struct iwl_mvm_sta *mvmsta;
+        struct ieee80211_sta *sta;
+        int i;
+        u32 msk = 0;
        if (!vif || vif->type != NL80211_IFTYPE_STATION)
                return;
        mutex_lock(&mvm->mutex);
        mvmvif = iwl_mvm_vif_from_mac80211(vif);
-        mvmsta = iwl_mvm_sta_from_staid_protected(mvm, mvmvif->ap_sta_id);
-        if (WARN_ON_ONCE(!mvmsta)) {
+        /* flush the AP-station and all TDLS peers */
-                mutex_unlock(&mvm->mutex);
+        for (i = 0; i < IWL_MVM_STATION_COUNT; i++) {
-                return;
+                sta = rcu_dereference_protected(mvm->fw_id_to_mac_id[i],
+                                                lockdep_is_held(&mvm->mutex));
+                if (IS_ERR_OR_NULL(sta))
+                        continue;
+                mvmsta = iwl_mvm_sta_from_mac80211(sta);
+                if (mvmsta->vif != vif)
+                        continue;
+                /* make sure only TDLS peers or the AP are flushed */
+                WARN_ON(i != mvmvif->ap_sta_id && !sta->tdls);
+                msk |= mvmsta->tfd_queue_msk;
        }
        if (drop) {
-                if (iwl_mvm_flush_tx_path(mvm, mvmsta->tfd_queue_msk, true))
+                if (iwl_mvm_flush_tx_path(mvm, msk, true))
                        IWL_ERR(mvm, "flush request fail\n");
                mutex_unlock(&mvm->mutex);
        } else {
-                u32 tfd_queue_msk = mvmsta->tfd_queue_msk;
                mutex_unlock(&mvm->mutex);
                /* this can take a while, and we may need/want other operations
                 * to succeed while doing this, so do it without the mutex held
                 */
-                iwl_trans_wait_tx_queue_empty(mvm->trans, tfd_queue_msk);
+                iwl_trans_wait_tx_queue_empty(mvm->trans, msk);
        }
 }
@@ -3058,7 +3350,7 @@ const struct ieee80211_ops iwl_mvm_hw_ops = {
        .tx = iwl_mvm_mac_tx,
        .ampdu_action = iwl_mvm_mac_ampdu_action,
        .start = iwl_mvm_mac_start,
-        .restart_complete = iwl_mvm_mac_restart_complete,
+        .reconfig_complete = iwl_mvm_mac_reconfig_complete,
        .stop = iwl_mvm_mac_stop,
        .add_interface = iwl_mvm_mac_add_interface,
        .remove_interface = iwl_mvm_mac_remove_interface,
@@ -3099,7 +3391,13 @@ const struct ieee80211_ops iwl_mvm_hw_ops = {
        .set_tim = iwl_mvm_set_tim,
-        .channel_switch_beacon = iwl_mvm_channel_switch_beacon,
+        .channel_switch = iwl_mvm_channel_switch,
+        .pre_channel_switch = iwl_mvm_pre_channel_switch,
+        .post_channel_switch = iwl_mvm_post_channel_switch,
+        .tdls_channel_switch = iwl_mvm_tdls_channel_switch,
+        .tdls_cancel_channel_switch = iwl_mvm_tdls_cancel_channel_switch,
+        .tdls_recv_channel_switch = iwl_mvm_tdls_recv_channel_switch,
        CFG80211_TESTMODE_CMD(iwl_mvm_mac_testmode_cmd)
diff --git a/drivers/net/wireless/iwlwifi/mvm/mvm.h b/drivers/net/wireless/iwlwifi/mvm/mvm.h
index 256765accbc6..d24660fb4ef2 100644
--- a/drivers/net/wireless/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h
@@ -87,12 +87,18 @@
 /* A TimeUnit is 1024 microsecond */
 #define MSEC_TO_TU(_msec)       (_msec*1000/1024)
-/* This value represents the number of TUs before CSA "beacon 0" TBTT
+/* For GO, this value represents the number of TUs before CSA "beacon
- * when the CSA time-event needs to be scheduled to start.  It must be
+ * 0" TBTT when the CSA time-event needs to be scheduled to start.  It
- * big enough to ensure that we switch in time.
+ * must be big enough to ensure that we switch in time.
 */
 #define IWL_MVM_CHANNEL_SWITCH_TIME_GO          40
+/* For client, this value represents the number of TUs before CSA
+ * "beacon 1" TBTT, instead.  This is because we don't know when the
+ * GO/AP will be in the new channel, so we switch early enough.
+ */
+#define IWL_MVM_CHANNEL_SWITCH_TIME_CLIENT      10
 /*
 * This value (in TUs) is used to fine tune the CSA NoA end time which should
 * be just before "beacon 0" TBTT.
@@ -269,6 +275,7 @@ enum iwl_mvm_ref_type {
        IWL_MVM_REF_NMI,
        IWL_MVM_REF_TM_CMD,
        IWL_MVM_REF_EXIT_WORK,
+        IWL_MVM_REF_PROTECT_CSA,
        /* update debugfs.c when changing this */
@@ -288,7 +295,6 @@ enum iwl_bt_force_ant_mode {
 * struct iwl_mvm_vif_bf_data - beacon filtering related data
 * @bf_enabled: indicates if beacon filtering is enabled
 * @ba_enabled: indicated if beacon abort is enabled
-* @last_beacon_signal: last beacon rssi signal in dbm
 * @ave_beacon_signal: average beacon signal
 * @last_cqm_event: rssi of the last cqm event
 * @bt_coex_min_thold: minimum threshold for BT coex
@@ -399,6 +405,9 @@ struct iwl_mvm_vif {
        /* FW identified misbehaving AP */
        u8 uapsd_misbehaving_bssid[ETH_ALEN];
+        /* Indicates that CSA countdown may be started */
+        bool csa_countdown;
 };
 static inline struct iwl_mvm_vif *
@@ -519,6 +528,13 @@ enum {
 #define IWL_MVM_DEBUG_SET_TEMPERATURE_MIN -100
 #define IWL_MVM_DEBUG_SET_TEMPERATURE_MAX 200
+enum iwl_mvm_tdls_cs_state {
+        IWL_MVM_TDLS_SW_IDLE = 0,
+        IWL_MVM_TDLS_SW_REQ_SENT,
+        IWL_MVM_TDLS_SW_REQ_RCVD,
+        IWL_MVM_TDLS_SW_ACTIVE,
+};
 struct iwl_mvm {
        /* for logger access */
        struct device *dev;
@@ -548,6 +564,7 @@ struct iwl_mvm {
        enum iwl_ucode_type cur_ucode;
        bool ucode_loaded;
        bool init_ucode_complete;
+        bool calibrating;
        u32 error_event_table;
        u32 log_event_table;
        u32 umac_error_event_table;
@@ -577,6 +594,7 @@ struct iwl_mvm {
        struct work_struct sta_drained_wk;
        unsigned long sta_drained[BITS_TO_LONGS(IWL_MVM_STATION_COUNT)];
        atomic_t pending_frames[IWL_MVM_STATION_COUNT];
+        u32 tfd_drained[IWL_MVM_STATION_COUNT];
        u8 rx_ba_sessions;
        /* configured by mac80211 */
@@ -587,6 +605,10 @@ struct iwl_mvm {
        void *scan_cmd;
        struct iwl_mcast_filter_cmd *mcast_filter_cmd;
+        /* UMAC scan tracking */
+        u32 scan_uid[IWL_MVM_MAX_SIMULTANEOUS_SCANS];
+        u8 scan_seq_num, sched_scan_seq_num;
        /* rx chain antennas set through debugfs for the scan command */
        u8 scan_rx_ant;
@@ -648,6 +670,7 @@ struct iwl_mvm {
        /* -1 for always, 0 for never, >0 for that many times */
        s8 restart_fw;
        struct work_struct fw_error_dump_wk;
+        enum iwl_fw_dbg_conf fw_dbg_conf;
 #ifdef CONFIG_IWLWIFI_LEDS
        struct led_classdev led;
@@ -661,7 +684,12 @@ struct iwl_mvm {
        /* sched scan settings for net detect */
        struct cfg80211_sched_scan_request *nd_config;
-        struct ieee80211_scan_ies *nd_ies;
+        struct ieee80211_scan_ies nd_ies;
+        struct cfg80211_match_set *nd_match_sets;
+        int n_nd_match_sets;
+        struct ieee80211_channel **nd_channels;
+        int n_nd_channels;
+        bool net_detect;
 #ifdef CONFIG_IWLWIFI_DEBUGFS
        u32 d3_wake_sysassert; /* must be u32 for debugfs_create_bool */
        bool d3_test_active;
@@ -734,6 +762,28 @@ struct iwl_mvm {
        u32 ap_last_beacon_gp2;
        u8 low_latency_agg_frame_limit;
+        /* TDLS channel switch data */
+        struct {
+                struct delayed_work dwork;
+                enum iwl_mvm_tdls_cs_state state;
+                /*
+                 * Current cs sta - might be different from periodic cs peer
+                 * station. Value is meaningless when the cs-state is idle.
+                 */
+                u8 cur_sta_id;
+                /* TDLS periodic channel-switch peer */
+                struct {
+                        u8 sta_id;
+                        u8 op_class;
+                        bool initiator; /* are we the link initiator */
+                        struct cfg80211_chan_def chandef;
+                        struct sk_buff *skb; /* ch sw template */
+                        u32 ch_sw_tm_ie;
+                } peer;
+        } tdls_cs;
 };
 /* Extract MVM priv from op_mode and _hw */
@@ -750,6 +800,7 @@ enum iwl_mvm_status {
        IWL_MVM_STATUS_IN_HW_RESTART,
        IWL_MVM_STATUS_IN_D0I3,
        IWL_MVM_STATUS_ROC_AUX_RUNNING,
+        IWL_MVM_STATUS_D3_RECONFIG,
 };
 static inline bool iwl_mvm_is_radio_killed(struct iwl_mvm *mvm)
@@ -758,6 +809,26 @@ static inline bool iwl_mvm_is_radio_killed(struct iwl_mvm *mvm)
               test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status);
 }
+/* Must be called with rcu_read_lock() held and it can only be
+ * released when mvmsta is not needed anymore.
+ */
+static inline struct iwl_mvm_sta *
+iwl_mvm_sta_from_staid_rcu(struct iwl_mvm *mvm, u8 sta_id)
+{
+        struct ieee80211_sta *sta;
+        if (sta_id >= ARRAY_SIZE(mvm->fw_id_to_mac_id))
+                return NULL;
+        sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]);
+        /* This can happen if the station has been removed right now */
+        if (IS_ERR_OR_NULL(sta))
+                return NULL;
+        return iwl_mvm_sta_from_mac80211(sta);
+}
 static inline struct iwl_mvm_sta *
 iwl_mvm_sta_from_staid_protected(struct iwl_mvm *mvm, u8 sta_id)
 {
@@ -831,6 +902,16 @@ int __must_check iwl_mvm_send_cmd_pdu_status(struct iwl_mvm *mvm, u8 id,
 int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
                   struct ieee80211_sta *sta);
 int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb);
+void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
+                        struct iwl_tx_cmd *tx_cmd,
+                        struct ieee80211_tx_info *info, u8 sta_id);
+void iwl_mvm_set_tx_cmd_crypto(struct iwl_mvm *mvm,
+                               struct ieee80211_tx_info *info,
+                               struct iwl_tx_cmd *tx_cmd,
+                               struct sk_buff *skb_frag);
+void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm, struct iwl_tx_cmd *tx_cmd,
+                            struct ieee80211_tx_info *info,
+                            struct ieee80211_sta *sta, __le16 fc);
 #ifdef CONFIG_IWLWIFI_DEBUG
 const char *iwl_mvm_get_tx_fail_reason(u32 status);
 #else
@@ -887,6 +968,8 @@ int iwl_mvm_rx_card_state_notif(struct iwl_mvm *mvm,
                                struct iwl_device_cmd *cmd);
 int iwl_mvm_rx_radio_ver(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
                         struct iwl_device_cmd *cmd);
+int iwl_mvm_rx_mfuart_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
+                            struct iwl_device_cmd *cmd);
 /* MVM PHY */
 int iwl_mvm_phy_ctxt_add(struct iwl_mvm *mvm, struct iwl_mvm_phy_ctxt *ctxt,
@@ -900,6 +983,8 @@ void iwl_mvm_phy_ctxt_ref(struct iwl_mvm *mvm,
 void iwl_mvm_phy_ctxt_unref(struct iwl_mvm *mvm,
                            struct iwl_mvm_phy_ctxt *ctxt);
 int iwl_mvm_phy_ctx_count(struct iwl_mvm *mvm);
+u8 iwl_mvm_get_channel_width(struct cfg80211_chan_def *chandef);
+u8 iwl_mvm_get_ctrl_pos(struct cfg80211_chan_def *chandef);
 /* MAC (virtual interface) programming */
 int iwl_mvm_mac_ctxt_init(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
@@ -919,6 +1004,8 @@ int iwl_mvm_rx_missed_beacons_notif(struct iwl_mvm *mvm,
                                    struct iwl_device_cmd *cmd);
 void iwl_mvm_mac_ctxt_recalc_tsf_id(struct iwl_mvm *mvm,
                                    struct ieee80211_vif *vif);
+unsigned long iwl_mvm_get_used_hw_queues(struct iwl_mvm *mvm,
+                                         struct ieee80211_vif *exclude_vif);
 /* Bindings */
 int iwl_mvm_binding_add_vif(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
@@ -929,6 +1016,7 @@ int iwl_mvm_update_quotas(struct iwl_mvm *mvm,
                          struct ieee80211_vif *disabled_vif);
 /* Scanning */
+int iwl_mvm_scan_size(struct iwl_mvm *mvm);
 int iwl_mvm_scan_request(struct iwl_mvm *mvm,
                         struct ieee80211_vif *vif,
                         struct cfg80211_scan_request *req);
@@ -969,6 +1057,17 @@ int iwl_mvm_unified_sched_scan_lmac(struct iwl_mvm *mvm,
                                    struct cfg80211_sched_scan_request *req,
                                    struct ieee80211_scan_ies *ies);
+/* UMAC scan */
+int iwl_mvm_config_scan(struct iwl_mvm *mvm);
+int iwl_mvm_scan_umac(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+                      struct ieee80211_scan_request *req);
+int iwl_mvm_sched_scan_umac(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+                            struct cfg80211_sched_scan_request *req,
+                            struct ieee80211_scan_ies *ies);
+int iwl_mvm_rx_umac_scan_complete_notif(struct iwl_mvm *mvm,
+                                        struct iwl_rx_cmd_buffer *rxb,
+                                        struct iwl_device_cmd *cmd);
 /* MVM debugfs */
 #ifdef CONFIG_IWLWIFI_DEBUGFS
 int iwl_mvm_dbgfs_register(struct iwl_mvm *mvm, struct dentry *dbgfs_dir);
@@ -1048,7 +1147,7 @@ iwl_mvm_set_last_nonqos_seq(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
 }
 #endif
 void iwl_mvm_set_wowlan_qos_seq(struct iwl_mvm_sta *mvm_ap_sta,
-                                struct iwl_wowlan_config_cmd_v2 *cmd);
+                                struct iwl_wowlan_config_cmd *cmd);
 int iwl_mvm_send_proto_offload(struct iwl_mvm *mvm,
                               struct ieee80211_vif *vif,
                               bool disable_offloading,
@@ -1058,6 +1157,7 @@ int iwl_mvm_send_proto_offload(struct iwl_mvm *mvm,
 void iwl_mvm_ref(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type);
 void iwl_mvm_unref(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type);
 int iwl_mvm_ref_sync(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type);
+bool iwl_mvm_ref_taken(struct iwl_mvm *mvm);
 void iwl_mvm_d0i3_enable_tx(struct iwl_mvm *mvm, __le16 *qos_seq);
 int _iwl_mvm_exit_d0i3(struct iwl_mvm *mvm);
@@ -1073,12 +1173,14 @@ u16 iwl_mvm_coex_agg_time_limit(struct iwl_mvm *mvm,
                                struct ieee80211_sta *sta);
 bool iwl_mvm_bt_coex_is_mimo_allowed(struct iwl_mvm *mvm,
                                     struct ieee80211_sta *sta);
+bool iwl_mvm_bt_coex_is_ant_avail(struct iwl_mvm *mvm, u8 ant);
 bool iwl_mvm_bt_coex_is_shared_ant_avail(struct iwl_mvm *mvm);
 bool iwl_mvm_bt_coex_is_tpc_allowed(struct iwl_mvm *mvm,
                                    enum ieee80211_band band);
 u8 iwl_mvm_bt_coex_tx_prio(struct iwl_mvm *mvm, struct ieee80211_hdr *hdr,
                           struct ieee80211_tx_info *info, u8 ac);
+bool iwl_mvm_bt_coex_is_ant_avail_old(struct iwl_mvm *mvm, u8 ant);
 bool iwl_mvm_bt_coex_is_shared_ant_avail_old(struct iwl_mvm *mvm);
 void iwl_mvm_bt_coex_vif_change_old(struct iwl_mvm *mvm);
 int iwl_send_bt_init_conf_old(struct iwl_mvm *mvm);
@@ -1194,6 +1296,10 @@ bool iwl_mvm_is_idle(struct iwl_mvm *mvm);
 /* Thermal management and CT-kill */
 void iwl_mvm_tt_tx_backoff(struct iwl_mvm *mvm, u32 backoff);
+void iwl_mvm_tt_temp_changed(struct iwl_mvm *mvm, u32 temp);
+int iwl_mvm_temp_notif(struct iwl_mvm *mvm,
+                       struct iwl_rx_cmd_buffer *rxb,
+                       struct iwl_device_cmd *cmd);
 void iwl_mvm_tt_handler(struct iwl_mvm *mvm);
 void iwl_mvm_tt_initialize(struct iwl_mvm *mvm, u32 min_backoff);
 void iwl_mvm_tt_exit(struct iwl_mvm *mvm);
@@ -1205,12 +1311,33 @@ int iwl_mvm_sf_update(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                      bool added_vif);
 /* TDLS */
+/*
+ * We use TID 4 (VI) as a FW-used-only TID when TDLS connections are present.
+ * This TID is marked as used vs the AP and all connected TDLS peers.
+ */
+#define IWL_MVM_TDLS_FW_TID 4
 int iwl_mvm_tdls_sta_count(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
 void iwl_mvm_teardown_tdls_peers(struct iwl_mvm *mvm);
 void iwl_mvm_recalc_tdls_state(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                               bool sta_added);
 void iwl_mvm_mac_mgd_protect_tdls_discover(struct ieee80211_hw *hw,
                                           struct ieee80211_vif *vif);
+int iwl_mvm_tdls_channel_switch(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif,
+                                struct ieee80211_sta *sta, u8 oper_class,
+                                struct cfg80211_chan_def *chandef,
+                                struct sk_buff *tmpl_skb, u32 ch_sw_tm_ie);
+void iwl_mvm_tdls_recv_channel_switch(struct ieee80211_hw *hw,
+                                      struct ieee80211_vif *vif,
+                                      struct ieee80211_tdls_ch_sw_params *params);
+void iwl_mvm_tdls_cancel_channel_switch(struct ieee80211_hw *hw,
+                                        struct ieee80211_vif *vif,
+                                        struct ieee80211_sta *sta);
+int iwl_mvm_rx_tdls_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
+                          struct iwl_device_cmd *cmd);
+void iwl_mvm_tdls_ch_switch_work(struct work_struct *work);
 struct ieee80211_vif *iwl_mvm_get_bss_vif(struct iwl_mvm *mvm);
diff --git a/drivers/net/wireless/iwlwifi/mvm/nvm.c b/drivers/net/wireless/iwlwifi/mvm/nvm.c
index af074563e770..d55fd8e3654c 100644
--- a/drivers/net/wireless/iwlwifi/mvm/nvm.c
+++ b/drivers/net/wireless/iwlwifi/mvm/nvm.c
@@ -339,11 +339,15 @@ static int iwl_mvm_read_external_nvm(struct iwl_mvm *mvm)
        } *file_sec;
        const u8 *eof, *temp;
        int max_section_size;
+        const __le32 *dword_buff;
 #define NVM_WORD1_LEN(x) (8 * (x & 0x03FF))
 #define NVM_WORD2_ID(x) (x >> 12)
 #define NVM_WORD2_LEN_FAMILY_8000(x) (2 * ((x & 0xFF) << 8 | x >> 8))
 #define NVM_WORD1_ID_FAMILY_8000(x) (x >> 4)
+#define NVM_HEADER_0    (0x2A504C54)
+#define NVM_HEADER_1    (0x4E564D2A)
+#define NVM_HEADER_SIZE (4 * sizeof(u32))
        IWL_DEBUG_EEPROM(mvm->trans->dev, "Read from external NVM\n");
@@ -372,12 +376,6 @@ static int iwl_mvm_read_external_nvm(struct iwl_mvm *mvm)
        IWL_INFO(mvm, "Loaded NVM file %s (%zu bytes)\n",
                 mvm->nvm_file_name, fw_entry->size);
-        if (fw_entry->size < sizeof(*file_sec)) {
-                IWL_ERR(mvm, "NVM file too small\n");
-                ret = -EINVAL;
-                goto out;
-        }
        if (fw_entry->size > MAX_NVM_FILE_LEN) {
                IWL_ERR(mvm, "NVM file too large\n");
                ret = -EINVAL;
@@ -385,8 +383,25 @@ static int iwl_mvm_read_external_nvm(struct iwl_mvm *mvm)
        }
        eof = fw_entry->data + fw_entry->size;
+        dword_buff = (__le32 *)fw_entry->data;
-        file_sec = (void *)fw_entry->data;
+        /* some NVM file will contain a header.
+         * The header is identified by 2 dwords header as follow:
+         * dword[0] = 0x2A504C54
+         * dword[1] = 0x4E564D2A
+         *
+         * This header must be skipped when providing the NVM data to the FW.
+         */
+        if (fw_entry->size > NVM_HEADER_SIZE &&
+            dword_buff[0] == cpu_to_le32(NVM_HEADER_0) &&
+            dword_buff[1] == cpu_to_le32(NVM_HEADER_1)) {
+                file_sec = (void *)(fw_entry->data + NVM_HEADER_SIZE);
+                IWL_INFO(mvm, "NVM Version %08X\n", le32_to_cpu(dword_buff[2]));
+                IWL_INFO(mvm, "NVM Manufacturing date %08X\n",
+                         le32_to_cpu(dword_buff[3]));
+        } else {
+                file_sec = (void *)fw_entry->data;
+        }
        while (true) {
                if (file_sec->data > eof) {
diff --git a/drivers/net/wireless/iwlwifi/mvm/offloading.c b/drivers/net/wireless/iwlwifi/mvm/offloading.c
index adcbf4c8edd8..68b0169c8892 100644
--- a/drivers/net/wireless/iwlwifi/mvm/offloading.c
+++ b/drivers/net/wireless/iwlwifi/mvm/offloading.c
@@ -67,7 +67,7 @@
 #include "mvm.h"
 void iwl_mvm_set_wowlan_qos_seq(struct iwl_mvm_sta *mvm_ap_sta,
-                                struct iwl_wowlan_config_cmd_v2 *cmd)
+                                struct iwl_wowlan_config_cmd *cmd)
 {
        int i;
diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c
index bd52ecfabedb..97dfba50c682 100644
--- a/drivers/net/wireless/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/iwlwifi/mvm/ops.c
@@ -244,6 +244,8 @@ static const struct iwl_rx_handlers iwl_mvm_rx_handlers[] = {
                   iwl_mvm_rx_scan_offload_complete_notif, true),
        RX_HANDLER(MATCH_FOUND_NOTIFICATION, iwl_mvm_rx_scan_offload_results,
                   false),
+        RX_HANDLER(SCAN_COMPLETE_UMAC, iwl_mvm_rx_umac_scan_complete_notif,
+                   true),
        RX_HANDLER(RADIO_VERSION_NOTIFICATION, iwl_mvm_rx_radio_ver, false),
        RX_HANDLER(CARD_STATE_NOTIFICATION, iwl_mvm_rx_card_state_notif, false),
@@ -254,6 +256,12 @@ static const struct iwl_rx_handlers iwl_mvm_rx_handlers[] = {
        RX_HANDLER(REPLY_ERROR, iwl_mvm_rx_fw_error, false),
        RX_HANDLER(PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION,
                   iwl_mvm_power_uapsd_misbehaving_ap_notif, false),
+        RX_HANDLER(DTS_MEASUREMENT_NOTIFICATION, iwl_mvm_temp_notif, true),
+        RX_HANDLER(TDLS_CHANNEL_SWITCH_NOTIFICATION, iwl_mvm_rx_tdls_notif,
+                   true),
+        RX_HANDLER(MFUART_LOAD_NOTIFICATION, iwl_mvm_rx_mfuart_notif, false),
 };
 #undef RX_HANDLER
 #define CMD(x) [x] = #x
@@ -317,11 +325,9 @@ static const char *const iwl_mvm_cmd_strings[REPLY_MAX] = {
        CMD(WOWLAN_KEK_KCK_MATERIAL),
        CMD(WOWLAN_GET_STATUSES),
        CMD(WOWLAN_TX_POWER_PER_DB),
-        CMD(NET_DETECT_CONFIG_CMD),
+        CMD(SCAN_OFFLOAD_PROFILES_QUERY_CMD),
-        CMD(NET_DETECT_PROFILES_QUERY_CMD),
+        CMD(SCAN_OFFLOAD_HOTSPOTS_CONFIG_CMD),
-        CMD(NET_DETECT_PROFILES_CMD),
+        CMD(SCAN_OFFLOAD_HOTSPOTS_QUERY_CMD),
-        CMD(NET_DETECT_HOTSPOTS_CMD),
-        CMD(NET_DETECT_HOTSPOTS_QUERY_CMD),
        CMD(CARD_STATE_NOTIFICATION),
        CMD(MISSED_BEACONS_NOTIFICATION),
        CMD(BT_COEX_PRIO_TABLE),
@@ -344,6 +350,13 @@ static const char *const iwl_mvm_cmd_strings[REPLY_MAX] = {
        CMD(PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION),
        CMD(ANTENNA_COUPLING_NOTIFICATION),
        CMD(SCD_QUEUE_CFG),
+        CMD(SCAN_CFG_CMD),
+        CMD(SCAN_REQ_UMAC),
+        CMD(SCAN_ABORT_UMAC),
+        CMD(SCAN_COMPLETE_UMAC),
+        CMD(TDLS_CHANNEL_SWITCH_CMD),
+        CMD(TDLS_CHANNEL_SWITCH_NOTIFICATION),
+        CMD(TDLS_CONFIG_CMD),
 };
 #undef CMD
@@ -427,6 +440,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
        }
        mvm->sf_state = SF_UNINIT;
        mvm->low_latency_agg_frame_limit = 6;
+        mvm->cur_ucode = IWL_UCODE_INIT;
        mutex_init(&mvm->mutex);
        mutex_init(&mvm->d0i3_suspend_mutex);
@@ -441,6 +455,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
        INIT_WORK(&mvm->sta_drained_wk, iwl_mvm_sta_drained_wk);
        INIT_WORK(&mvm->d0i3_exit_work, iwl_mvm_d0i3_exit_work);
        INIT_WORK(&mvm->fw_error_dump_wk, iwl_mvm_fw_error_dump_wk);
+        INIT_DELAYED_WORK(&mvm->tdls_cs.dwork, iwl_mvm_tdls_ch_switch_work);
        spin_lock_init(&mvm->d0i3_tx_lock);
        spin_lock_init(&mvm->refs_lock);
@@ -481,6 +496,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
        trans->rx_mpdu_cmd = REPLY_RX_MPDU_CMD;
        trans->rx_mpdu_cmd_hdr_size = sizeof(struct iwl_rx_mpdu_res_start);
+        trans->dbg_dest_tlv = mvm->fw->dbg_dest_tlv;
+        trans->dbg_dest_reg_num = mvm->fw->dbg_dest_reg_num;
+        memcpy(trans->dbg_conf_tlv, mvm->fw->dbg_conf_tlv,
+               sizeof(trans->dbg_conf_tlv));
        /* set up notification wait support */
        iwl_notification_wait_init(&mvm->notif_wait);
@@ -524,7 +543,8 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
                mutex_lock(&mvm->mutex);
                err = iwl_run_init_mvm_ucode(mvm, true);
-                iwl_trans_stop_device(trans);
+                if (!err || !iwlmvm_mod_params.init_dbg)
+                        iwl_trans_stop_device(trans);
                mutex_unlock(&mvm->mutex);
                /* returns 0 if successful, 1 if success but in rfkill */
                if (err < 0 && !iwlmvm_mod_params.init_dbg) {
@@ -533,16 +553,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
                }
        }
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
+        scan_size = iwl_mvm_scan_size(mvm);
-                scan_size = sizeof(struct iwl_scan_req_unified_lmac) +
-                        sizeof(struct iwl_scan_channel_cfg_lmac) *
-                                mvm->fw->ucode_capa.n_scan_channels +
-                        sizeof(struct iwl_scan_probe_req);
-        else
-                scan_size = sizeof(struct iwl_scan_cmd) +
-                        mvm->fw->ucode_capa.max_probe_length +
-                        mvm->fw->ucode_capa.n_scan_channels *
-                                sizeof(struct iwl_scan_channel);
        mvm->scan_cmd = kmalloc(scan_size, GFP_KERNEL);
        if (!mvm->scan_cmd)
@@ -596,8 +607,6 @@ static void iwl_op_mode_mvm_stop(struct iwl_op_mode *op_mode)
                kfree(mvm->nd_config->match_sets);
                kfree(mvm->nd_config);
                mvm->nd_config = NULL;
-                kfree(mvm->nd_ies);
-                mvm->nd_ies = NULL;
        }
 #endif
@@ -757,6 +766,7 @@ void iwl_mvm_set_hw_ctkill_state(struct iwl_mvm *mvm, bool state)
 static bool iwl_mvm_set_hw_rfkill_state(struct iwl_op_mode *op_mode, bool state)
 {
        struct iwl_mvm *mvm = IWL_OP_MODE_GET_MVM(op_mode);
+        bool calibrating = ACCESS_ONCE(mvm->calibrating);
        if (state)
                set_bit(IWL_MVM_STATUS_HW_RFKILL, &mvm->status);
@@ -765,7 +775,15 @@ static bool iwl_mvm_set_hw_rfkill_state(struct iwl_op_mode *op_mode, bool state)
        wiphy_rfkill_set_hw_state(mvm->hw->wiphy, iwl_mvm_is_radio_killed(mvm));
-        return state && mvm->cur_ucode != IWL_UCODE_INIT;
+        /* iwl_run_init_mvm_ucode is waiting for results, abort it */
+        if (calibrating)
+                iwl_abort_notification_waits(&mvm->notif_wait);
+        /*
+         * Stop the device if we run OPERATIONAL firmware or if we are in the
+         * middle of the calibrations.
+         */
+        return state && (mvm->cur_ucode != IWL_UCODE_INIT || calibrating);
 }
 static void iwl_mvm_free_skb(struct iwl_op_mode *op_mode, struct sk_buff *skb)
@@ -986,7 +1004,7 @@ static void iwl_mvm_enter_d0i3_iterator(void *_data, u8 *mac,
 }
 static void iwl_mvm_set_wowlan_data(struct iwl_mvm *mvm,
-                                    struct iwl_wowlan_config_cmd_v3 *cmd,
+                                    struct iwl_wowlan_config_cmd *cmd,
                                    struct iwl_d0i3_iter_data *iter_data)
 {
        struct ieee80211_sta *ap_sta;
@@ -1002,14 +1020,14 @@ static void iwl_mvm_set_wowlan_data(struct iwl_mvm *mvm,
                goto out;
        mvm_ap_sta = iwl_mvm_sta_from_mac80211(ap_sta);
-        cmd->common.is_11n_connection = ap_sta->ht_cap.ht_supported;
+        cmd->is_11n_connection = ap_sta->ht_cap.ht_supported;
        cmd->offloading_tid = iter_data->offloading_tid;
        /*
         * The d0i3 uCode takes care of the nonqos counters,
         * so configure only the qos seq ones.
         */
-        iwl_mvm_set_wowlan_qos_seq(mvm_ap_sta, &cmd->common);
+        iwl_mvm_set_wowlan_qos_seq(mvm_ap_sta, cmd);
 out:
        rcu_read_unlock();
 }
@@ -1021,14 +1039,11 @@ static int iwl_mvm_enter_d0i3(struct iwl_op_mode *op_mode)
        struct iwl_d0i3_iter_data d0i3_iter_data = {
                .mvm = mvm,
        };
-        struct iwl_wowlan_config_cmd_v3 wowlan_config_cmd = {
+        struct iwl_wowlan_config_cmd wowlan_config_cmd = {
-                .common = {
+                .wakeup_filter = cpu_to_le32(IWL_WOWLAN_WAKEUP_RX_FRAME |
-                        .wakeup_filter =
+                                             IWL_WOWLAN_WAKEUP_BEACON_MISS |
-                                cpu_to_le32(IWL_WOWLAN_WAKEUP_RX_FRAME |
+                                             IWL_WOWLAN_WAKEUP_LINK_CHANGE |
-                                            IWL_WOWLAN_WAKEUP_BEACON_MISS |
+                                             IWL_WOWLAN_WAKEUP_BCN_FILTERING),
-                                            IWL_WOWLAN_WAKEUP_LINK_CHANGE |
-                                            IWL_WOWLAN_WAKEUP_BCN_FILTERING),
-                },
        };
        struct iwl_d3_manager_config d3_cfg_cmd = {
                .min_sleep_time = cpu_to_le32(1000),
@@ -1040,6 +1055,19 @@ static int iwl_mvm_enter_d0i3(struct iwl_op_mode *op_mode)
        set_bit(IWL_MVM_STATUS_IN_D0I3, &mvm->status);
        synchronize_net();
+        /*
+         * iwl_mvm_ref_sync takes a reference before checking the flag.
+         * so by checking there is no held reference we prevent a state
+         * in which iwl_mvm_ref_sync continues successfully while we
+         * configure the firmware to enter d0i3
+         */
+        if (iwl_mvm_ref_taken(mvm)) {
+                IWL_DEBUG_RPM(mvm->trans, "abort d0i3 due to taken ref\n");
+                clear_bit(IWL_MVM_STATUS_IN_D0I3, &mvm->status);
+                wake_up(&mvm->d0i3_exit_waitq);
+                return 1;
+        }
        ieee80211_iterate_active_interfaces_atomic(mvm->hw,
                                                   IEEE80211_IFACE_ITER_NORMAL,
                                                   iwl_mvm_enter_d0i3_iterator,
diff --git a/drivers/net/wireless/iwlwifi/mvm/phy-ctxt.c b/drivers/net/wireless/iwlwifi/mvm/phy-ctxt.c
index 12283b55ee84..1c0d4a45c1a8 100644
--- a/drivers/net/wireless/iwlwifi/mvm/phy-ctxt.c
+++ b/drivers/net/wireless/iwlwifi/mvm/phy-ctxt.c
@@ -68,7 +68,7 @@
 #include "mvm.h"
 /* Maps the driver specific channel width definition to the the fw values */
-static inline u8 iwl_mvm_get_channel_width(struct cfg80211_chan_def *chandef)
+u8 iwl_mvm_get_channel_width(struct cfg80211_chan_def *chandef)
 {
        switch (chandef->width) {
        case NL80211_CHAN_WIDTH_20_NOHT:
@@ -90,7 +90,7 @@ static inline u8 iwl_mvm_get_channel_width(struct cfg80211_chan_def *chandef)
 * Maps the driver specific control channel position (relative to the center
 * freq) definitions to the the fw values
 */
-static inline u8 iwl_mvm_get_ctrl_pos(struct cfg80211_chan_def *chandef)
+u8 iwl_mvm_get_ctrl_pos(struct cfg80211_chan_def *chandef)
 {
        switch (chandef->chan->center_freq - chandef->center_freq1) {
        case -70:
diff --git a/drivers/net/wireless/iwlwifi/mvm/power.c b/drivers/net/wireless/iwlwifi/mvm/power.c
index 5b85b0cc7a2a..2620dd0c45f9 100644
--- a/drivers/net/wireless/iwlwifi/mvm/power.c
+++ b/drivers/net/wireless/iwlwifi/mvm/power.c
@@ -286,6 +286,27 @@ static bool iwl_mvm_power_allow_uapsd(struct iwl_mvm *mvm,
        return true;
 }
+static int iwl_mvm_power_get_skip_over_dtim(int dtimper, int bi)
+{
+        int numerator;
+        int dtim_interval = dtimper * bi;
+        if (WARN_ON(!dtim_interval))
+                return 0;
+        if (dtimper == 1) {
+                if (bi > 100)
+                        numerator = 408;
+                else
+                        numerator = 510;
+        } else if (dtimper < 10) {
+                numerator = 612;
+        } else {
+                return 0;
+        }
+        return max(1, (numerator / dtim_interval));
+}
 static bool iwl_mvm_power_is_radar(struct ieee80211_vif *vif)
 {
        struct ieee80211_chanctx_conf *chanctx_conf;
@@ -308,7 +329,7 @@ static void iwl_mvm_power_build_cmd(struct iwl_mvm *mvm,
                                    struct ieee80211_vif *vif,
                                    struct iwl_mac_power_cmd *cmd)
 {
-        int dtimper, dtimper_msec;
+        int dtimper, bi;
        int keep_alive;
        bool radar_detect = false;
        struct iwl_mvm_vif *mvmvif __maybe_unused =
@@ -317,6 +338,7 @@ static void iwl_mvm_power_build_cmd(struct iwl_mvm *mvm,
        cmd->id_and_color = cpu_to_le32(FW_CMD_ID_AND_COLOR(mvmvif->id,
                                                            mvmvif->color));
        dtimper = vif->bss_conf.dtim_period;
+        bi = vif->bss_conf.beacon_int;
        /*
         * Regardless of power management state the driver must set
@@ -324,10 +346,9 @@ static void iwl_mvm_power_build_cmd(struct iwl_mvm *mvm,
         * immediately after association. Check that keep alive period
         * is at least 3 * DTIM
         */
-        dtimper_msec = dtimper * vif->bss_conf.beacon_int;
+        keep_alive = DIV_ROUND_UP(ieee80211_tu_to_usec(3 * dtimper * bi),
-        keep_alive = max_t(int, 3 * dtimper_msec,
+                                  USEC_PER_SEC);
-                           MSEC_PER_SEC * POWER_KEEP_ALIVE_PERIOD_SEC);
+        keep_alive = max(keep_alive, POWER_KEEP_ALIVE_PERIOD_SEC);
-        keep_alive = DIV_ROUND_UP(keep_alive, MSEC_PER_SEC);
        cmd->keep_alive_seconds = cpu_to_le16(keep_alive);
        if (mvm->ps_disabled)
@@ -352,11 +373,14 @@ static void iwl_mvm_power_build_cmd(struct iwl_mvm *mvm,
        radar_detect = iwl_mvm_power_is_radar(vif);
        /* Check skip over DTIM conditions */
-        if (!radar_detect && (dtimper <= 10) &&
+        if (!radar_detect && (dtimper < 10) &&
            (iwlmvm_mod_params.power_scheme == IWL_POWER_SCHEME_LP ||
             mvm->cur_ucode == IWL_UCODE_WOWLAN)) {
-                cmd->flags |= cpu_to_le16(POWER_FLAGS_SKIP_OVER_DTIM_MSK);
+                cmd->skip_dtim_periods =
-                cmd->skip_dtim_periods = 3;
+                        iwl_mvm_power_get_skip_over_dtim(dtimper, bi);
+                if (cmd->skip_dtim_periods)
+                        cmd->flags |=
+                                cpu_to_le16(POWER_FLAGS_SKIP_OVER_DTIM_MSK);
        }
        if (mvm->cur_ucode != IWL_UCODE_WOWLAN) {
diff --git a/drivers/net/wireless/iwlwifi/mvm/rs.c b/drivers/net/wireless/iwlwifi/mvm/rs.c
index ce884847cc8a..30ceb67ed7a7 100644
--- a/drivers/net/wireless/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/iwlwifi/mvm/rs.c
@@ -158,6 +158,12 @@ struct rs_tx_column {
        allow_column_func_t checks[MAX_COLUMN_CHECKS];
 };
+static bool rs_ant_allow(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+                         struct iwl_scale_tbl_info *tbl)
+{
+        return iwl_mvm_bt_coex_is_ant_avail(mvm, tbl->rate.ant);
+}
 static bool rs_mimo_allow(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
                          struct iwl_scale_tbl_info *tbl)
 {
@@ -218,6 +224,9 @@ static const struct rs_tx_column rs_tx_columns[] = {
                        RS_COLUMN_INVALID,
                        RS_COLUMN_INVALID,
                },
+                .checks = {
+                        rs_ant_allow,
+                },
        },
        [RS_COLUMN_LEGACY_ANT_B] = {
                .mode = RS_LEGACY,
@@ -231,6 +240,9 @@ static const struct rs_tx_column rs_tx_columns[] = {
                        RS_COLUMN_INVALID,
                        RS_COLUMN_INVALID,
                },
+                .checks = {
+                        rs_ant_allow,
+                },
        },
        [RS_COLUMN_SISO_ANT_A] = {
                .mode = RS_SISO,
@@ -246,6 +258,7 @@ static const struct rs_tx_column rs_tx_columns[] = {
                },
                .checks = {
                        rs_siso_allow,
+                        rs_ant_allow,
                },
        },
        [RS_COLUMN_SISO_ANT_B] = {
@@ -262,6 +275,7 @@ static const struct rs_tx_column rs_tx_columns[] = {
                },
                .checks = {
                        rs_siso_allow,
+                        rs_ant_allow,
                },
        },
        [RS_COLUMN_SISO_ANT_A_SGI] = {
@@ -279,6 +293,7 @@ static const struct rs_tx_column rs_tx_columns[] = {
                },
                .checks = {
                        rs_siso_allow,
+                        rs_ant_allow,
                        rs_sgi_allow,
                },
        },
@@ -297,6 +312,7 @@ static const struct rs_tx_column rs_tx_columns[] = {
                },
                .checks = {
                        rs_siso_allow,
+                        rs_ant_allow,
                        rs_sgi_allow,
                },
        },
@@ -506,7 +522,7 @@ static inline void rs_dump_rate(struct iwl_mvm *mvm, const struct rs_rate *rate,
                                const char *prefix)
 {
        IWL_DEBUG_RATE(mvm,
-                       "%s: (%s: %d) ANT: %s BW: %d SGI: %d LDPC: %d STBC %d\n",
+                       "%s: (%s: %d) ANT: %s BW: %d SGI: %d LDPC: %d STBC: %d\n",
                       prefix, rs_pretty_lq_type(rate->type),
                       rate->index, rs_pretty_ant(rate->ant),
                       rate->bw, rate->sgi, rate->ldpc, rate->stbc);
@@ -816,7 +832,7 @@ static int rs_rate_from_ucode_rate(const u32 ucode_rate,
                if (nss == 1) {
                        rate->type = LQ_VHT_SISO;
-                        WARN_ON_ONCE(num_of_ant != 1);
+                        WARN_ON_ONCE(!rate->stbc && num_of_ant != 1);
                } else if (nss == 2) {
                        rate->type = LQ_VHT_MIMO2;
                        WARN_ON_ONCE(num_of_ant != 2);
@@ -1110,10 +1126,11 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
        if (time_after(jiffies,
                       (unsigned long)(lq_sta->last_tx + RS_IDLE_TIMEOUT))) {
-                int tid;
+                int t;
                IWL_DEBUG_RATE(mvm, "Tx idle for too long. reinit rs\n");
-                for (tid = 0; tid < IWL_MAX_TID_COUNT; tid++)
+                for (t = 0; t < IWL_MAX_TID_COUNT; t++)
-                        ieee80211_stop_tx_ba_session(sta, tid);
+                        ieee80211_stop_tx_ba_session(sta, t);
                iwl_mvm_rs_rate_init(mvm, sta, info->band, false);
                return;
@@ -1154,16 +1171,15 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
                /* Rate did match, so reset the missed_rate_counter */
                lq_sta->missed_rate_counter = 0;
-        /* Figure out if rate scale algorithm is in active or search table */
+        if (!lq_sta->search_better_tbl) {
-        if (rs_rate_match(&rate,
-                          &(lq_sta->lq_info[lq_sta->active_tbl].rate))) {
                curr_tbl = &(lq_sta->lq_info[lq_sta->active_tbl]);
                other_tbl = &(lq_sta->lq_info[1 - lq_sta->active_tbl]);
-        } else if (rs_rate_match(&rate,
+        } else {
-                         &lq_sta->lq_info[1 - lq_sta->active_tbl].rate)) {
                curr_tbl = &(lq_sta->lq_info[1 - lq_sta->active_tbl]);
                other_tbl = &(lq_sta->lq_info[lq_sta->active_tbl]);
-        } else {
+        }
+        if (WARN_ON_ONCE(!rs_rate_match(&rate, &curr_tbl->rate))) {
                IWL_DEBUG_RATE(mvm,
                               "Neither active nor search matches tx rate\n");
                tmp_tbl = &(lq_sta->lq_info[lq_sta->active_tbl]);
@@ -1188,6 +1204,13 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
         * first index into rate scale table.
         */
        if (info->flags & IEEE80211_TX_STAT_AMPDU) {
+                /* ampdu_ack_len = 0 marks no BA was received. In this case
+                 * treat it as a single frame loss as we don't want the success
+                 * ratio to dip too quickly because a BA wasn't received
+                 */
+                if (info->status.ampdu_ack_len == 0)
+                        info->status.ampdu_len = 1;
                ucode_rate = le32_to_cpu(table->rs_table[0]);
                rs_rate_from_ucode_rate(ucode_rate, info->band, &rate);
                rs_collect_tx_data(lq_sta, curr_tbl, rate.index,
diff --git a/drivers/net/wireless/iwlwifi/mvm/rx.c b/drivers/net/wireless/iwlwifi/mvm/rx.c
index 3cf40f3f58ec..94b6e7297a1e 100644
--- a/drivers/net/wireless/iwlwifi/mvm/rx.c
+++ b/drivers/net/wireless/iwlwifi/mvm/rx.c
@@ -96,27 +96,27 @@ int iwl_mvm_rx_rx_phy_cmd(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
 * Adds the rxb to a new skb and give it to mac80211
 */
 static void iwl_mvm_pass_packet_to_mac80211(struct iwl_mvm *mvm,
+                                            struct sk_buff *skb,
                                            struct ieee80211_hdr *hdr, u16 len,
-                                            u32 ampdu_status,
+                                            u32 ampdu_status, u8 crypt_len,
-                                            struct iwl_rx_cmd_buffer *rxb,
+                                            struct iwl_rx_cmd_buffer *rxb)
-                                            struct ieee80211_rx_status *stats)
 {
-        struct sk_buff *skb;
        unsigned int hdrlen, fraglen;
-        /* Dont use dev_alloc_skb(), we'll have enough headroom once
-         * ieee80211_hdr pulled.
-         */
-        skb = alloc_skb(128, GFP_ATOMIC);
-        if (!skb) {
-                IWL_ERR(mvm, "alloc_skb failed\n");
-                return;
-        }
        /* If frame is small enough to fit in skb->head, pull it completely.
-         * If not, only pull ieee80211_hdr so that splice() or TCP coalesce
+         * If not, only pull ieee80211_hdr (including crypto if present, and
-         * are more efficient.
+         * an additional 8 bytes for SNAP/ethertype, see below) so that
+         * splice() or TCP coalesce are more efficient.
+         *
+         * Since, in addition, ieee80211_data_to_8023() always pull in at
+         * least 8 bytes (possibly more for mesh) we can do the same here
+         * to save the cost of doing it later. That still doesn't pull in
+         * the actual IP header since the typical case has a SNAP header.
+         * If the latter changes (there are efforts in the standards group
+         * to do so) we should revisit this and ieee80211_data_to_8023().
         */
-        hdrlen = (len <= skb_tailroom(skb)) ? len : sizeof(*hdr);
+        hdrlen = (len <= skb_tailroom(skb)) ? len :
+                                              sizeof(*hdr) + crypt_len + 8;
        memcpy(skb_put(skb, hdrlen), hdr, hdrlen);
        fraglen = len - hdrlen;
@@ -129,8 +129,6 @@ static void iwl_mvm_pass_packet_to_mac80211(struct iwl_mvm *mvm,
                                fraglen, rxb->truesize);
        }
-        memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats));
        ieee80211_rx(mvm->hw, skb);
 }
@@ -185,7 +183,8 @@ static void iwl_mvm_get_signal_strength(struct iwl_mvm *mvm,
 static u32 iwl_mvm_set_mac80211_rx_flag(struct iwl_mvm *mvm,
                                        struct ieee80211_hdr *hdr,
                                        struct ieee80211_rx_status *stats,
-                                        u32 rx_pkt_status)
+                                        u32 rx_pkt_status,
+                                        u8 *crypt_len)
 {
        if (!ieee80211_has_protected(hdr->frame_control) ||
            (rx_pkt_status & RX_MPDU_RES_STATUS_SEC_ENC_MSK) ==
@@ -205,12 +204,14 @@ static u32 iwl_mvm_set_mac80211_rx_flag(struct iwl_mvm *mvm,
                stats->flag |= RX_FLAG_DECRYPTED;
                IWL_DEBUG_WEP(mvm, "hw decrypted CCMP successfully\n");
+                *crypt_len = IEEE80211_CCMP_HDR_LEN;
                return 0;
        case RX_MPDU_RES_STATUS_SEC_TKIP_ENC:
                /* Don't drop the frame and decrypt it in SW */
                if (!(rx_pkt_status & RX_MPDU_RES_STATUS_TTAK_OK))
                        return 0;
+                *crypt_len = IEEE80211_TKIP_IV_LEN;
                /* fall through if TTAK OK */
        case RX_MPDU_RES_STATUS_SEC_WEP_ENC:
@@ -218,6 +219,9 @@ static u32 iwl_mvm_set_mac80211_rx_flag(struct iwl_mvm *mvm,
                        return -1;
                stats->flag |= RX_FLAG_DECRYPTED;
+                if ((rx_pkt_status & RX_MPDU_RES_STATUS_SEC_ENC_MSK) ==
+                                RX_MPDU_RES_STATUS_SEC_WEP_ENC)
+                        *crypt_len = IEEE80211_WEP_IV_LEN;
                return 0;
        case RX_MPDU_RES_STATUS_SEC_EXT_ENC:
@@ -242,15 +246,17 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
                       struct iwl_device_cmd *cmd)
 {
        struct ieee80211_hdr *hdr;
-        struct ieee80211_rx_status rx_status = {};
+        struct ieee80211_rx_status *rx_status;
        struct iwl_rx_packet *pkt = rxb_addr(rxb);
        struct iwl_rx_phy_info *phy_info;
        struct iwl_rx_mpdu_res_start *rx_res;
        struct ieee80211_sta *sta;
+        struct sk_buff *skb;
        u32 len;
        u32 ampdu_status;
        u32 rate_n_flags;
        u32 rx_pkt_status;
+        u8 crypt_len = 0;
        phy_info = &mvm->last_phy_info;
        rx_res = (struct iwl_rx_mpdu_res_start *)pkt->data;
@@ -259,20 +265,32 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
        rx_pkt_status = le32_to_cpup((__le32 *)
                (pkt->data + sizeof(*rx_res) + len));
-        memset(&rx_status, 0, sizeof(rx_status));
+        /* Dont use dev_alloc_skb(), we'll have enough headroom once
+         * ieee80211_hdr pulled.
+         */
+        skb = alloc_skb(128, GFP_ATOMIC);
+        if (!skb) {
+                IWL_ERR(mvm, "alloc_skb failed\n");
+                return 0;
+        }
+        rx_status = IEEE80211_SKB_RXCB(skb);
        /*
         * drop the packet if it has failed being decrypted by HW
         */
-        if (iwl_mvm_set_mac80211_rx_flag(mvm, hdr, &rx_status, rx_pkt_status)) {
+        if (iwl_mvm_set_mac80211_rx_flag(mvm, hdr, rx_status, rx_pkt_status,
+                                         &crypt_len)) {
                IWL_DEBUG_DROP(mvm, "Bad decryption results 0x%08x\n",
                               rx_pkt_status);
+                kfree_skb(skb);
                return 0;
        }
        if ((unlikely(phy_info->cfg_phy_cnt > 20))) {
                IWL_DEBUG_DROP(mvm, "dsp size out of range [0,20]: %d\n",
                               phy_info->cfg_phy_cnt);
+                kfree_skb(skb);
                return 0;
        }
@@ -283,31 +301,31 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
        if (!(rx_pkt_status & RX_MPDU_RES_STATUS_CRC_OK) ||
            !(rx_pkt_status & RX_MPDU_RES_STATUS_OVERRUN_OK)) {
                IWL_DEBUG_RX(mvm, "Bad CRC or FIFO: 0x%08X.\n", rx_pkt_status);
-                rx_status.flag |= RX_FLAG_FAILED_FCS_CRC;
+                rx_status->flag |= RX_FLAG_FAILED_FCS_CRC;
        }
        /* This will be used in several places later */
        rate_n_flags = le32_to_cpu(phy_info->rate_n_flags);
        /* rx_status carries information about the packet to mac80211 */
-        rx_status.mactime = le64_to_cpu(phy_info->timestamp);
+        rx_status->mactime = le64_to_cpu(phy_info->timestamp);
-        rx_status.device_timestamp = le32_to_cpu(phy_info->system_timestamp);
+        rx_status->device_timestamp = le32_to_cpu(phy_info->system_timestamp);
-        rx_status.band =
+        rx_status->band =
                (phy_info->phy_flags & cpu_to_le16(RX_RES_PHY_FLAGS_BAND_24)) ?
                                IEEE80211_BAND_2GHZ : IEEE80211_BAND_5GHZ;
-        rx_status.freq =
+        rx_status->freq =
                ieee80211_channel_to_frequency(le16_to_cpu(phy_info->channel),
-                                               rx_status.band);
+                                               rx_status->band);
        /*
         * TSF as indicated by the fw is at INA time, but mac80211 expects the
         * TSF at the beginning of the MPDU.
         */
-        /*rx_status.flag |= RX_FLAG_MACTIME_MPDU;*/
+        /*rx_status->flag |= RX_FLAG_MACTIME_MPDU;*/
-        iwl_mvm_get_signal_strength(mvm, phy_info, &rx_status);
+        iwl_mvm_get_signal_strength(mvm, phy_info, rx_status);
-        IWL_DEBUG_STATS_LIMIT(mvm, "Rssi %d, TSF %llu\n", rx_status.signal,
+        IWL_DEBUG_STATS_LIMIT(mvm, "Rssi %d, TSF %llu\n", rx_status->signal,
-                              (unsigned long long)rx_status.mactime);
+                              (unsigned long long)rx_status->mactime);
        rcu_read_lock();
        /*
@@ -326,15 +344,14 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
        if (sta) {
                struct iwl_mvm_sta *mvmsta;
                mvmsta = iwl_mvm_sta_from_mac80211(sta);
-                rs_update_last_rssi(mvm, &mvmsta->lq_sta,
+                rs_update_last_rssi(mvm, &mvmsta->lq_sta, rx_status);
-                                    &rx_status);
        }
        rcu_read_unlock();
        /* set the preamble flag if appropriate */
        if (phy_info->phy_flags & cpu_to_le16(RX_RES_PHY_FLAGS_SHORT_PREAMBLE))
-                rx_status.flag |= RX_FLAG_SHORTPRE;
+                rx_status->flag |= RX_FLAG_SHORTPRE;
        if (phy_info->phy_flags & cpu_to_le16(RX_RES_PHY_FLAGS_AGG)) {
                /*
@@ -342,8 +359,8 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
                 * together since we get a single PHY response
                 * from the firmware for all of them
                 */
-                rx_status.flag |= RX_FLAG_AMPDU_DETAILS;
+                rx_status->flag |= RX_FLAG_AMPDU_DETAILS;
-                rx_status.ampdu_reference = mvm->ampdu_ref;
+                rx_status->ampdu_reference = mvm->ampdu_ref;
        }
        /* Set up the HT phy flags */
@@ -351,50 +368,50 @@ int iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
        case RATE_MCS_CHAN_WIDTH_20:
                break;
        case RATE_MCS_CHAN_WIDTH_40:
-                rx_status.flag |= RX_FLAG_40MHZ;
+                rx_status->flag |= RX_FLAG_40MHZ;
                break;
        case RATE_MCS_CHAN_WIDTH_80:
-                rx_status.vht_flag |= RX_VHT_FLAG_80MHZ;
+                rx_status->vht_flag |= RX_VHT_FLAG_80MHZ;
                break;
        case RATE_MCS_CHAN_WIDTH_160:
-                rx_status.vht_flag |= RX_VHT_FLAG_160MHZ;
+                rx_status->vht_flag |= RX_VHT_FLAG_160MHZ;
                break;
        }
        if (rate_n_flags & RATE_MCS_SGI_MSK)
-                rx_status.flag |= RX_FLAG_SHORT_GI;
+                rx_status->flag |= RX_FLAG_SHORT_GI;
        if (rate_n_flags & RATE_HT_MCS_GF_MSK)
-                rx_status.flag |= RX_FLAG_HT_GF;
+                rx_status->flag |= RX_FLAG_HT_GF;
        if (rate_n_flags & RATE_MCS_LDPC_MSK)
-                rx_status.flag |= RX_FLAG_LDPC;
+                rx_status->flag |= RX_FLAG_LDPC;
        if (rate_n_flags & RATE_MCS_HT_MSK) {
                u8 stbc = (rate_n_flags & RATE_MCS_HT_STBC_MSK) >>
                                RATE_MCS_STBC_POS;
-                rx_status.flag |= RX_FLAG_HT;
+                rx_status->flag |= RX_FLAG_HT;
-                rx_status.rate_idx = rate_n_flags & RATE_HT_MCS_INDEX_MSK;
+                rx_status->rate_idx = rate_n_flags & RATE_HT_MCS_INDEX_MSK;
-                rx_status.flag |= stbc << RX_FLAG_STBC_SHIFT;
+                rx_status->flag |= stbc << RX_FLAG_STBC_SHIFT;
        } else if (rate_n_flags & RATE_MCS_VHT_MSK) {
                u8 stbc = (rate_n_flags & RATE_MCS_VHT_STBC_MSK) >>
                                RATE_MCS_STBC_POS;
-                rx_status.vht_nss =
+                rx_status->vht_nss =
                        ((rate_n_flags & RATE_VHT_MCS_NSS_MSK) >>
                                                RATE_VHT_MCS_NSS_POS) + 1;
-                rx_status.rate_idx = rate_n_flags & RATE_VHT_MCS_RATE_CODE_MSK;
+                rx_status->rate_idx = rate_n_flags & RATE_VHT_MCS_RATE_CODE_MSK;
-                rx_status.flag |= RX_FLAG_VHT;
+                rx_status->flag |= RX_FLAG_VHT;
-                rx_status.flag |= stbc << RX_FLAG_STBC_SHIFT;
+                rx_status->flag |= stbc << RX_FLAG_STBC_SHIFT;
                if (rate_n_flags & RATE_MCS_BF_MSK)
-                        rx_status.vht_flag |= RX_VHT_FLAG_BF;
+                        rx_status->vht_flag |= RX_VHT_FLAG_BF;
        } else {
-                rx_status.rate_idx =
+                rx_status->rate_idx =
                        iwl_mvm_legacy_rate_to_mac80211_idx(rate_n_flags,
-                                                            rx_status.band);
+                                                            rx_status->band);
        }
 #ifdef CONFIG_IWLWIFI_DEBUGFS
        iwl_mvm_update_frame_stats(mvm, &mvm->drv_rx_stats, rate_n_flags,
-                                   rx_status.flag & RX_FLAG_AMPDU_DETAILS);
+                                   rx_status->flag & RX_FLAG_AMPDU_DETAILS);
 #endif
-        iwl_mvm_pass_packet_to_mac80211(mvm, hdr, len, ampdu_status,
+        iwl_mvm_pass_packet_to_mac80211(mvm, skb, hdr, len, ampdu_status,
-                                        rxb, &rx_status);
+                                        crypt_len, rxb);
        return 0;
 }
@@ -500,29 +517,8 @@ int iwl_mvm_rx_statistics(struct iwl_mvm *mvm,
                .mvm = mvm,
        };
-        /*
+        iwl_mvm_tt_temp_changed(mvm, le32_to_cpu(common->temperature));
-         * set temperature debug enabled - ignore FW temperature updates
-         * and use the user set temperature.
-         */
-        if (mvm->temperature_test) {
-                if (mvm->temperature < le32_to_cpu(common->temperature))
-                        IWL_DEBUG_TEMP(mvm,
-                                       "Ignoring FW temperature update that is greater than the debug set temperature (debug temp = %d, fw temp = %d)\n",
-                                       mvm->temperature,
-                                       le32_to_cpu(common->temperature));
-                /*
-                 * skip iwl_mvm_tt_handler since we are in
-                 * temperature debug mode and we are ignoring
-                 * the new temperature value
-                 */
-                goto update;
-        }
-        if (mvm->temperature != le32_to_cpu(common->temperature)) {
-                mvm->temperature = le32_to_cpu(common->temperature);
-                iwl_mvm_tt_handler(mvm);
-        }
-update:
        iwl_mvm_update_rx_statistics(mvm, stats);
        ieee80211_iterate_active_interfaces(mvm->hw,
diff --git a/drivers/net/wireless/iwlwifi/mvm/scan.c b/drivers/net/wireless/iwlwifi/mvm/scan.c
index 5cd59a43e1da..e5294d01181e 100644
--- a/drivers/net/wireless/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
@@ -83,15 +83,29 @@ struct iwl_mvm_scan_params {
        } dwell[IEEE80211_NUM_BANDS];
 };
+enum iwl_umac_scan_uid_type {
+        IWL_UMAC_SCAN_UID_REG_SCAN      = BIT(0),
+        IWL_UMAC_SCAN_UID_SCHED_SCAN    = BIT(1),
+        IWL_UMAC_SCAN_UID_ALL           = IWL_UMAC_SCAN_UID_REG_SCAN |
+                                          IWL_UMAC_SCAN_UID_SCHED_SCAN,
+};
+static int iwl_umac_scan_stop(struct iwl_mvm *mvm,
+                              enum iwl_umac_scan_uid_type type, bool notify);
+static u8 iwl_mvm_scan_rx_ant(struct iwl_mvm *mvm)
+{
+        if (mvm->scan_rx_ant != ANT_NONE)
+                return mvm->scan_rx_ant;
+        return mvm->fw->valid_rx_ant;
+}
 static inline __le16 iwl_mvm_scan_rx_chain(struct iwl_mvm *mvm)
 {
        u16 rx_chain;
        u8 rx_ant;
-        if (mvm->scan_rx_ant != ANT_NONE)
+        rx_ant = iwl_mvm_scan_rx_ant(mvm);
-                rx_ant = mvm->scan_rx_ant;
-        else
-                rx_ant = mvm->fw->valid_rx_ant;
        rx_chain = rx_ant << PHY_RX_CHAIN_VALID_POS;
        rx_chain |= rx_ant << PHY_RX_CHAIN_FORCE_MIMO_SEL_POS;
        rx_chain |= rx_ant << PHY_RX_CHAIN_FORCE_SEL_POS;
@@ -366,6 +380,10 @@ static int iwl_mvm_max_scan_ie_fw_cmd_room(struct iwl_mvm *mvm,
            !is_sched_scan)
                max_probe_len -= 32;
+        /* DS parameter set element is added on 2.4GHZ band if required */
+        if (iwl_mvm_rrm_scan_needed(mvm))
+                max_probe_len -= 3;
        return max_probe_len;
 }
@@ -537,23 +555,17 @@ int iwl_mvm_rx_scan_offload_results(struct iwl_mvm *mvm,
                                    struct iwl_device_cmd *cmd)
 {
        struct iwl_rx_packet *pkt = rxb_addr(rxb);
-        u8 client_bitmap = 0;
-        if (!(mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)) {
+        if (!(mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN) &&
+            !(mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)) {
                struct iwl_sched_scan_results *notif = (void *)pkt->data;
-                client_bitmap = notif->client_bitmap;
+                if (!(notif->client_bitmap & SCAN_CLIENT_SCHED_SCAN))
+                        return 0;
        }
-        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN ||
+        IWL_DEBUG_SCAN(mvm, "Scheduled scan results\n");
-            client_bitmap & SCAN_CLIENT_SCHED_SCAN) {
+        ieee80211_sched_scan_results(mvm->hw);
-                if (mvm->scan_status == IWL_MVM_SCAN_SCHED) {
-                        IWL_DEBUG_SCAN(mvm, "Scheduled scan results\n");
-                        ieee80211_sched_scan_results(mvm->hw);
-                } else {
-                        IWL_DEBUG_SCAN(mvm, "Scan results\n");
-                }
-        }
        return 0;
 }
@@ -603,16 +615,6 @@ static int iwl_mvm_cancel_regular_scan(struct iwl_mvm *mvm)
                                               SCAN_COMPLETE_NOTIFICATION };
        int ret;
-        if (mvm->scan_status == IWL_MVM_SCAN_NONE)
-                return 0;
-        if (iwl_mvm_is_radio_killed(mvm)) {
-                ieee80211_scan_completed(mvm->hw, true);
-                iwl_mvm_unref(mvm, IWL_MVM_REF_SCAN);
-                mvm->scan_status = IWL_MVM_SCAN_NONE;
-                return 0;
-        }
        iwl_init_notification_wait(&mvm->notif_wait, &wait_scan_abort,
                                   scan_abort_notif,
                                   ARRAY_SIZE(scan_abort_notif),
@@ -975,6 +977,20 @@ free_blacklist:
        return ret;
 }
+static bool iwl_mvm_scan_pass_all(struct iwl_mvm *mvm,
+                                  struct cfg80211_sched_scan_request *req)
+{
+        if (req->n_match_sets && req->match_sets[0].ssid.ssid_len) {
+                IWL_DEBUG_SCAN(mvm,
+                               "Sending scheduled scan with filtering, n_match_sets %d\n",
+                               req->n_match_sets);
+                return false;
+        }
+        IWL_DEBUG_SCAN(mvm, "Sending Scheduled scan without filtering\n");
+        return true;
+}
 int iwl_mvm_sched_scan_start(struct iwl_mvm *mvm,
                             struct cfg80211_sched_scan_request *req)
 {
@@ -990,15 +1006,8 @@ int iwl_mvm_sched_scan_start(struct iwl_mvm *mvm,
                .schedule_line[1].full_scan_mul = IWL_FULL_SCAN_MULTIPLIER,
        };
-        if (req->n_match_sets && req->match_sets[0].ssid.ssid_len) {
+        if (iwl_mvm_scan_pass_all(mvm, req))
-                IWL_DEBUG_SCAN(mvm,
-                               "Sending scheduled scan with filtering, filter len %d\n",
-                               req->n_match_sets);
-        } else {
-                IWL_DEBUG_SCAN(mvm,
-                               "Sending Scheduled scan without filtering\n");
                scan_req.flags |= cpu_to_le16(IWL_SCAN_OFFLOAD_FLAG_PASS_ALL);
-        }
        if (mvm->last_ebs_successful &&
            mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_EBS_SUPPORT)
@@ -1016,12 +1025,19 @@ int iwl_mvm_scan_offload_start(struct iwl_mvm *mvm,
 {
        int ret;
-        if ((mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)) {
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN) {
+                ret = iwl_mvm_config_sched_scan_profiles(mvm, req);
+                if (ret)
+                        return ret;
+                ret = iwl_mvm_sched_scan_umac(mvm, vif, req, ies);
+        } else if ((mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)) {
+                mvm->scan_status = IWL_MVM_SCAN_SCHED;
                ret = iwl_mvm_config_sched_scan_profiles(mvm, req);
                if (ret)
                        return ret;
                ret = iwl_mvm_unified_sched_scan_lmac(mvm, vif, req, ies);
        } else {
+                mvm->scan_status = IWL_MVM_SCAN_SCHED;
                ret = iwl_mvm_config_sched_scan(mvm, vif, req, ies);
                if (ret)
                        return ret;
@@ -1078,6 +1094,10 @@ int iwl_mvm_scan_offload_stop(struct iwl_mvm *mvm, bool notify)
        lockdep_assert_held(&mvm->mutex);
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)
+                return iwl_umac_scan_stop(mvm, IWL_UMAC_SCAN_UID_SCHED_SCAN,
+                                          notify);
        if (mvm->scan_status != IWL_MVM_SCAN_SCHED &&
            (!(mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN) ||
             mvm->scan_status != IWL_MVM_SCAN_OS)) {
@@ -1165,20 +1185,64 @@ iwl_mvm_lmac_scan_cfg_channels(struct iwl_mvm *mvm,
        }
 }
+static u8 *iwl_mvm_copy_and_insert_ds_elem(struct iwl_mvm *mvm, const u8 *ies,
+                                           size_t len, u8 *const pos)
+{
+        static const u8 before_ds_params[] = {
+                        WLAN_EID_SSID,
+                        WLAN_EID_SUPP_RATES,
+                        WLAN_EID_REQUEST,
+                        WLAN_EID_EXT_SUPP_RATES,
+        };
+        size_t offs;
+        u8 *newpos = pos;
+        if (!iwl_mvm_rrm_scan_needed(mvm)) {
+                memcpy(newpos, ies, len);
+                return newpos + len;
+        }
+        offs = ieee80211_ie_split(ies, len,
+                                  before_ds_params,
+                                  ARRAY_SIZE(before_ds_params),
+                                  0);
+        memcpy(newpos, ies, offs);
+        newpos += offs;
+        /* Add a placeholder for DS Parameter Set element */
+        *newpos++ = WLAN_EID_DS_PARAMS;
+        *newpos++ = 1;
+        *newpos++ = 0;
+        memcpy(newpos, ies + offs, len - offs);
+        newpos += len - offs;
+        return newpos;
+}
 static void
 iwl_mvm_build_unified_scan_probe(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                                 struct ieee80211_scan_ies *ies,
-                                 struct iwl_scan_req_unified_lmac *cmd)
+                                 struct iwl_scan_probe_req *preq,
+                                 const u8 *mac_addr, const u8 *mac_addr_mask)
 {
-        struct iwl_scan_probe_req *preq = (void *)(cmd->data +
-                sizeof(struct iwl_scan_channel_cfg_lmac) *
-                        mvm->fw->ucode_capa.n_scan_channels);
        struct ieee80211_mgmt *frame = (struct ieee80211_mgmt *)preq->buf;
-        u8 *pos;
+        u8 *pos, *newpos;
+        /*
+         * Unfortunately, right now the offload scan doesn't support randomising
+         * within the firmware, so until the firmware API is ready we implement
+         * it in the driver. This means that the scan iterations won't really be
+         * random, only when it's restarted, but at least that helps a bit.
+         */
+        if (mac_addr)
+                get_random_mask_addr(frame->sa, mac_addr, mac_addr_mask);
+        else
+                memcpy(frame->sa, vif->addr, ETH_ALEN);
        frame->frame_control = cpu_to_le16(IEEE80211_STYPE_PROBE_REQ);
        eth_broadcast_addr(frame->da);
-        memcpy(frame->sa, vif->addr, ETH_ALEN);
        eth_broadcast_addr(frame->bssid);
        frame->seq_ctrl = 0;
@@ -1189,11 +1253,14 @@ iwl_mvm_build_unified_scan_probe(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
        preq->mac_header.offset = 0;
        preq->mac_header.len = cpu_to_le16(24 + 2);
-        memcpy(pos, ies->ies[IEEE80211_BAND_2GHZ],
+        /* Insert ds parameter set element on 2.4 GHz band */
-               ies->len[IEEE80211_BAND_2GHZ]);
+        newpos = iwl_mvm_copy_and_insert_ds_elem(mvm,
+                                                 ies->ies[IEEE80211_BAND_2GHZ],
+                                                 ies->len[IEEE80211_BAND_2GHZ],
+                                                 pos);
        preq->band_data[0].offset = cpu_to_le16(pos - preq->buf);
-        preq->band_data[0].len = cpu_to_le16(ies->len[IEEE80211_BAND_2GHZ]);
+        preq->band_data[0].len = cpu_to_le16(newpos - pos);
-        pos += ies->len[IEEE80211_BAND_2GHZ];
+        pos = newpos;
        memcpy(pos, ies->ies[IEEE80211_BAND_5GHZ],
               ies->len[IEEE80211_BAND_5GHZ]);
@@ -1254,9 +1321,10 @@ int iwl_mvm_unified_scan_lmac(struct iwl_mvm *mvm,
                .dataflags = { IWL_HCMD_DFL_NOCOPY, },
        };
        struct iwl_scan_req_unified_lmac *cmd = mvm->scan_cmd;
+        struct iwl_scan_probe_req *preq;
        struct iwl_mvm_scan_params params = {};
        u32 flags;
-        int ssid_bitmap = 0;
+        u32 ssid_bitmap = 0;
        int ret, i;
        lockdep_assert_held(&mvm->mutex);
@@ -1315,7 +1383,13 @@ int iwl_mvm_unified_scan_lmac(struct iwl_mvm *mvm,
                                       req->req.n_channels, ssid_bitmap,
                                       cmd);
-        iwl_mvm_build_unified_scan_probe(mvm, vif, &req->ies, cmd);
+        preq = (void *)(cmd->data + sizeof(struct iwl_scan_channel_cfg_lmac) *
+                        mvm->fw->ucode_capa.n_scan_channels);
+        iwl_mvm_build_unified_scan_probe(mvm, vif, &req->ies, preq,
+                req->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR ?
+                        req->req.mac_addr : NULL,
+                req->req.mac_addr_mask);
        ret = iwl_mvm_send_cmd(mvm, &hcmd);
        if (!ret) {
@@ -1348,6 +1422,7 @@ int iwl_mvm_unified_sched_scan_lmac(struct iwl_mvm *mvm,
                .dataflags = { IWL_HCMD_DFL_NOCOPY, },
        };
        struct iwl_scan_req_unified_lmac *cmd = mvm->scan_cmd;
+        struct iwl_scan_probe_req *preq;
        struct iwl_mvm_scan_params params = {};
        int ret;
        u32 flags = 0, ssid_bitmap = 0;
@@ -1371,15 +1446,8 @@ int iwl_mvm_unified_sched_scan_lmac(struct iwl_mvm *mvm,
        cmd->n_channels = (u8)req->n_channels;
-        if (req->n_match_sets && req->match_sets[0].ssid.ssid_len) {
+        if (iwl_mvm_scan_pass_all(mvm, req))
-                IWL_DEBUG_SCAN(mvm,
-                               "Sending scheduled scan with filtering, n_match_sets %d\n",
-                               req->n_match_sets);
-        } else {
-                IWL_DEBUG_SCAN(mvm,
-                               "Sending Scheduled scan without filtering\n");
                flags |= IWL_MVM_LMAC_SCAN_FLAG_PASS_ALL;
-        }
        if (req->n_ssids == 1 && req->ssids[0].ssid_len != 0)
                flags |= IWL_MVM_LMAC_SCAN_FLAG_PRE_CONNECTION;
@@ -1409,7 +1477,13 @@ int iwl_mvm_unified_sched_scan_lmac(struct iwl_mvm *mvm,
        iwl_mvm_lmac_scan_cfg_channels(mvm, req->channels, req->n_channels,
                                       ssid_bitmap, cmd);
-        iwl_mvm_build_unified_scan_probe(mvm, vif, ies, cmd);
+        preq = (void *)(cmd->data + sizeof(struct iwl_scan_channel_cfg_lmac) *
+                        mvm->fw->ucode_capa.n_scan_channels);
+        iwl_mvm_build_unified_scan_probe(mvm, vif, ies, preq,
+                req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR ?
+                        req->mac_addr : NULL,
+                req->mac_addr_mask);
        ret = iwl_mvm_send_cmd(mvm, &hcmd);
        if (!ret) {
@@ -1431,7 +1505,594 @@ int iwl_mvm_unified_sched_scan_lmac(struct iwl_mvm *mvm,
 int iwl_mvm_cancel_scan(struct iwl_mvm *mvm)
 {
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)
+                return iwl_umac_scan_stop(mvm, IWL_UMAC_SCAN_UID_REG_SCAN,
+                                          true);
+        if (mvm->scan_status == IWL_MVM_SCAN_NONE)
+                return 0;
+        if (iwl_mvm_is_radio_killed(mvm)) {
+                ieee80211_scan_completed(mvm->hw, true);
+                iwl_mvm_unref(mvm, IWL_MVM_REF_SCAN);
+                mvm->scan_status = IWL_MVM_SCAN_NONE;
+                return 0;
+        }
        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
                return iwl_mvm_scan_offload_stop(mvm, true);
        return iwl_mvm_cancel_regular_scan(mvm);
 }
+/* UMAC scan API */
+struct iwl_umac_scan_done {
+        struct iwl_mvm *mvm;
+        enum iwl_umac_scan_uid_type type;
+};
+static int rate_to_scan_rate_flag(unsigned int rate)
+{
+        static const int rate_to_scan_rate[IWL_RATE_COUNT] = {
+                [IWL_RATE_1M_INDEX]     = SCAN_CONFIG_RATE_1M,
+                [IWL_RATE_2M_INDEX]     = SCAN_CONFIG_RATE_2M,
+                [IWL_RATE_5M_INDEX]     = SCAN_CONFIG_RATE_5M,
+                [IWL_RATE_11M_INDEX]    = SCAN_CONFIG_RATE_11M,
+                [IWL_RATE_6M_INDEX]     = SCAN_CONFIG_RATE_6M,
+                [IWL_RATE_9M_INDEX]     = SCAN_CONFIG_RATE_9M,
+                [IWL_RATE_12M_INDEX]    = SCAN_CONFIG_RATE_12M,
+                [IWL_RATE_18M_INDEX]    = SCAN_CONFIG_RATE_18M,
+                [IWL_RATE_24M_INDEX]    = SCAN_CONFIG_RATE_24M,
+                [IWL_RATE_36M_INDEX]    = SCAN_CONFIG_RATE_36M,
+                [IWL_RATE_48M_INDEX]    = SCAN_CONFIG_RATE_48M,
+                [IWL_RATE_54M_INDEX]    = SCAN_CONFIG_RATE_54M,
+        };
+        return rate_to_scan_rate[rate];
+}
+static __le32 iwl_mvm_scan_config_rates(struct iwl_mvm *mvm)
+{
+        struct ieee80211_supported_band *band;
+        unsigned int rates = 0;
+        int i;
+        band = &mvm->nvm_data->bands[IEEE80211_BAND_2GHZ];
+        for (i = 0; i < band->n_bitrates; i++)
+                rates |= rate_to_scan_rate_flag(band->bitrates[i].hw_value);
+        band = &mvm->nvm_data->bands[IEEE80211_BAND_5GHZ];
+        for (i = 0; i < band->n_bitrates; i++)
+                rates |= rate_to_scan_rate_flag(band->bitrates[i].hw_value);
+        /* Set both basic rates and supported rates */
+        rates |= SCAN_CONFIG_SUPPORTED_RATE(rates);
+        return cpu_to_le32(rates);
+}
+int iwl_mvm_config_scan(struct iwl_mvm *mvm)
+{
+        struct iwl_scan_config *scan_config;
+        struct ieee80211_supported_band *band;
+        int num_channels =
+                mvm->nvm_data->bands[IEEE80211_BAND_2GHZ].n_channels +
+                mvm->nvm_data->bands[IEEE80211_BAND_5GHZ].n_channels;
+        int ret, i, j = 0, cmd_size, data_size;
+        struct iwl_host_cmd cmd = {
+                .id = SCAN_CFG_CMD,
+        };
+        if (WARN_ON(num_channels > mvm->fw->ucode_capa.n_scan_channels))
+                return -ENOBUFS;
+        cmd_size = sizeof(*scan_config) + mvm->fw->ucode_capa.n_scan_channels;
+        scan_config = kzalloc(cmd_size, GFP_KERNEL);
+        if (!scan_config)
+                return -ENOMEM;
+        data_size = cmd_size - sizeof(struct iwl_mvm_umac_cmd_hdr);
+        scan_config->hdr.size = cpu_to_le16(data_size);
+        scan_config->flags = cpu_to_le32(SCAN_CONFIG_FLAG_ACTIVATE |
+                                         SCAN_CONFIG_FLAG_ALLOW_CHUB_REQS |
+                                         SCAN_CONFIG_FLAG_SET_TX_CHAINS |
+                                         SCAN_CONFIG_FLAG_SET_RX_CHAINS |
+                                         SCAN_CONFIG_FLAG_SET_ALL_TIMES |
+                                         SCAN_CONFIG_FLAG_SET_LEGACY_RATES |
+                                         SCAN_CONFIG_FLAG_SET_MAC_ADDR |
+                                         SCAN_CONFIG_FLAG_SET_CHANNEL_FLAGS|
+                                         SCAN_CONFIG_N_CHANNELS(num_channels));
+        scan_config->tx_chains = cpu_to_le32(mvm->fw->valid_tx_ant);
+        scan_config->rx_chains = cpu_to_le32(iwl_mvm_scan_rx_ant(mvm));
+        scan_config->legacy_rates = iwl_mvm_scan_config_rates(mvm);
+        scan_config->out_of_channel_time = cpu_to_le32(170);
+        scan_config->suspend_time = cpu_to_le32(30);
+        scan_config->dwell_active = 20;
+        scan_config->dwell_passive = 110;
+        scan_config->dwell_fragmented = 20;
+        memcpy(&scan_config->mac_addr, &mvm->addresses[0].addr, ETH_ALEN);
+        scan_config->bcast_sta_id = mvm->aux_sta.sta_id;
+        scan_config->channel_flags = IWL_CHANNEL_FLAG_EBS |
+                                     IWL_CHANNEL_FLAG_ACCURATE_EBS |
+                                     IWL_CHANNEL_FLAG_EBS_ADD |
+                                     IWL_CHANNEL_FLAG_PRE_SCAN_PASSIVE2ACTIVE;
+        band = &mvm->nvm_data->bands[IEEE80211_BAND_2GHZ];
+        for (i = 0; i < band->n_channels; i++, j++)
+                scan_config->channel_array[j] = band->channels[i].center_freq;
+        band = &mvm->nvm_data->bands[IEEE80211_BAND_5GHZ];
+        for (i = 0; i < band->n_channels; i++, j++)
+                scan_config->channel_array[j] = band->channels[i].center_freq;
+        cmd.data[0] = scan_config;
+        cmd.len[0] = cmd_size;
+        cmd.dataflags[0] = IWL_HCMD_DFL_NOCOPY;
+        IWL_DEBUG_SCAN(mvm, "Sending UMAC scan config\n");
+        ret = iwl_mvm_send_cmd(mvm, &cmd);
+        kfree(scan_config);
+        return ret;
+}
+static int iwl_mvm_find_scan_uid(struct iwl_mvm *mvm, u32 uid)
+{
+        int i;
+        for (i = 0; i < IWL_MVM_MAX_SIMULTANEOUS_SCANS; i++)
+                if (mvm->scan_uid[i] == uid)
+                        return i;
+        return i;
+}
+static int iwl_mvm_find_free_scan_uid(struct iwl_mvm *mvm)
+{
+        return iwl_mvm_find_scan_uid(mvm, 0);
+}
+static bool iwl_mvm_find_scan_type(struct iwl_mvm *mvm,
+                                   enum iwl_umac_scan_uid_type type)
+{
+        int i;
+        for (i = 0; i < IWL_MVM_MAX_SIMULTANEOUS_SCANS; i++)
+                if (mvm->scan_uid[i] & type)
+                        return true;
+        return false;
+}
+static u32 iwl_generate_scan_uid(struct iwl_mvm *mvm,
+                                 enum iwl_umac_scan_uid_type type)
+{
+        u32 uid;
+        /* make sure exactly one bit is on in scan type */
+        WARN_ON(hweight8(type) != 1);
+        /*
+         * Make sure scan uids are unique. If one scan lasts long time while
+         * others are completing frequently, the seq number will wrap up and
+         * we may have more than one scan with the same uid.
+         */
+        do {
+                uid = type | (mvm->scan_seq_num <<
+                              IWL_UMAC_SCAN_UID_SEQ_OFFSET);
+                mvm->scan_seq_num++;
+        } while (iwl_mvm_find_scan_uid(mvm, uid) <
+                 IWL_MVM_MAX_SIMULTANEOUS_SCANS);
+        IWL_DEBUG_SCAN(mvm, "Generated scan UID %u\n", uid);
+        return uid;
+}
+static void
+iwl_mvm_build_generic_umac_scan_cmd(struct iwl_mvm *mvm,
+                                    struct iwl_scan_req_umac *cmd,
+                                    struct iwl_mvm_scan_params *params)
+{
+        memset(cmd, 0, ksize(cmd));
+        cmd->hdr.size = cpu_to_le16(iwl_mvm_scan_size(mvm) -
+                                    sizeof(struct iwl_mvm_umac_cmd_hdr));
+        cmd->active_dwell = params->dwell[IEEE80211_BAND_2GHZ].active;
+        cmd->passive_dwell = params->dwell[IEEE80211_BAND_2GHZ].passive;
+        if (params->passive_fragmented)
+                cmd->fragmented_dwell =
+                                params->dwell[IEEE80211_BAND_2GHZ].passive;
+        cmd->max_out_time = cpu_to_le32(params->max_out_time);
+        cmd->suspend_time = cpu_to_le32(params->suspend_time);
+        cmd->scan_priority = cpu_to_le32(IWL_SCAN_PRIORITY_HIGH);
+}
+static void
+iwl_mvm_umac_scan_cfg_channels(struct iwl_mvm *mvm,
+                               struct ieee80211_channel **channels,
+                               int n_channels, u32 ssid_bitmap,
+                               struct iwl_scan_req_umac *cmd)
+{
+        struct iwl_scan_channel_cfg_umac *channel_cfg = (void *)&cmd->data;
+        int i;
+        for (i = 0; i < n_channels; i++) {
+                channel_cfg[i].flags = cpu_to_le32(ssid_bitmap);
+                channel_cfg[i].channel_num = channels[i]->hw_value;
+                channel_cfg[i].iter_count = 1;
+                channel_cfg[i].iter_interval = 0;
+        }
+}
+static u32 iwl_mvm_scan_umac_common_flags(struct iwl_mvm *mvm, int n_ssids,
+                                          struct cfg80211_ssid *ssids,
+                                          int fragmented)
+{
+        int flags = 0;
+        if (n_ssids == 0)
+                flags = IWL_UMAC_SCAN_GEN_FLAGS_PASSIVE;
+        if (n_ssids == 1 && ssids[0].ssid_len != 0)
+                flags |= IWL_UMAC_SCAN_GEN_FLAGS_PRE_CONNECT;
+        if (fragmented)
+                flags |= IWL_UMAC_SCAN_GEN_FLAGS_FRAGMENTED;
+        if (iwl_mvm_rrm_scan_needed(mvm))
+                flags |= IWL_UMAC_SCAN_GEN_FLAGS_RRM_ENABLED;
+        return flags;
+}
+int iwl_mvm_scan_umac(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+                      struct ieee80211_scan_request *req)
+{
+        struct iwl_host_cmd hcmd = {
+                .id = SCAN_REQ_UMAC,
+                .len = { iwl_mvm_scan_size(mvm), },
+                .data = { mvm->scan_cmd, },
+                .dataflags = { IWL_HCMD_DFL_NOCOPY, },
+        };
+        struct iwl_scan_req_umac *cmd = mvm->scan_cmd;
+        struct iwl_scan_req_umac_tail *sec_part = (void *)&cmd->data +
+                sizeof(struct iwl_scan_channel_cfg_umac) *
+                        mvm->fw->ucode_capa.n_scan_channels;
+        struct iwl_mvm_scan_params params = {};
+        u32 uid, flags;
+        u32 ssid_bitmap = 0;
+        int ret, i, uid_idx;
+        lockdep_assert_held(&mvm->mutex);
+        uid_idx = iwl_mvm_find_free_scan_uid(mvm);
+        if (uid_idx >= IWL_MVM_MAX_SIMULTANEOUS_SCANS)
+                return -EBUSY;
+        /* we should have failed registration if scan_cmd was NULL */
+        if (WARN_ON(mvm->scan_cmd == NULL))
+                return -ENOMEM;
+        if (WARN_ON(req->req.n_ssids > PROBE_OPTION_MAX ||
+                    req->ies.common_ie_len +
+                    req->ies.len[NL80211_BAND_2GHZ] +
+                    req->ies.len[NL80211_BAND_5GHZ] + 24 + 2 >
+                    SCAN_OFFLOAD_PROBE_REQ_SIZE || req->req.n_channels >
+                    mvm->fw->ucode_capa.n_scan_channels))
+                return -ENOBUFS;
+        iwl_mvm_scan_calc_params(mvm, vif, req->req.n_ssids, req->req.flags,
+                                 &params);
+        iwl_mvm_build_generic_umac_scan_cmd(mvm, cmd, &params);
+        uid = iwl_generate_scan_uid(mvm, IWL_UMAC_SCAN_UID_REG_SCAN);
+        mvm->scan_uid[uid_idx] = uid;
+        cmd->uid = cpu_to_le32(uid);
+        cmd->ooc_priority = cpu_to_le32(IWL_SCAN_PRIORITY_HIGH);
+        flags = iwl_mvm_scan_umac_common_flags(mvm, req->req.n_ssids,
+                                               req->req.ssids,
+                                               params.passive_fragmented);
+        flags |= IWL_UMAC_SCAN_GEN_FLAGS_PASS_ALL;
+        cmd->general_flags = cpu_to_le32(flags);
+        cmd->n_channels = req->req.n_channels;
+        for (i = 0; i < req->req.n_ssids; i++)
+                ssid_bitmap |= BIT(i);
+        iwl_mvm_umac_scan_cfg_channels(mvm, req->req.channels,
+                                       req->req.n_channels, ssid_bitmap, cmd);
+        sec_part->schedule[0].iter_count = 1;
+        sec_part->delay = 0;
+        iwl_mvm_build_unified_scan_probe(mvm, vif, &req->ies, &sec_part->preq,
+                req->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR ?
+                        req->req.mac_addr : NULL,
+                req->req.mac_addr_mask);
+        iwl_mvm_scan_fill_ssids(sec_part->direct_scan, req->req.ssids,
+                                req->req.n_ssids, 0);
+        ret = iwl_mvm_send_cmd(mvm, &hcmd);
+        if (!ret) {
+                IWL_DEBUG_SCAN(mvm,
+                               "Scan request was sent successfully\n");
+        } else {
+                /*
+                 * If the scan failed, it usually means that the FW was unable
+                 * to allocate the time events. Warn on it, but maybe we
+                 * should try to send the command again with different params.
+                 */
+                IWL_ERR(mvm, "Scan failed! ret %d\n", ret);
+        }
+        return ret;
+}
+int iwl_mvm_sched_scan_umac(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+                            struct cfg80211_sched_scan_request *req,
+                            struct ieee80211_scan_ies *ies)
+{
+        struct iwl_host_cmd hcmd = {
+                .id = SCAN_REQ_UMAC,
+                .len = { iwl_mvm_scan_size(mvm), },
+                .data = { mvm->scan_cmd, },
+                .dataflags = { IWL_HCMD_DFL_NOCOPY, },
+        };
+        struct iwl_scan_req_umac *cmd = mvm->scan_cmd;
+        struct iwl_scan_req_umac_tail *sec_part = (void *)&cmd->data +
+                sizeof(struct iwl_scan_channel_cfg_umac) *
+                        mvm->fw->ucode_capa.n_scan_channels;
+        struct iwl_mvm_scan_params params = {};
+        u32 uid, flags;
+        u32 ssid_bitmap = 0;
+        int ret, uid_idx;
+        lockdep_assert_held(&mvm->mutex);
+        uid_idx = iwl_mvm_find_free_scan_uid(mvm);
+        if (uid_idx >= IWL_MVM_MAX_SIMULTANEOUS_SCANS)
+                return -EBUSY;
+        /* we should have failed registration if scan_cmd was NULL */
+        if (WARN_ON(mvm->scan_cmd == NULL))
+                return -ENOMEM;
+        if (WARN_ON(req->n_ssids > PROBE_OPTION_MAX ||
+                    ies->common_ie_len + ies->len[NL80211_BAND_2GHZ] +
+                    ies->len[NL80211_BAND_5GHZ] + 24 + 2 >
+                    SCAN_OFFLOAD_PROBE_REQ_SIZE || req->n_channels >
+                    mvm->fw->ucode_capa.n_scan_channels))
+                return -ENOBUFS;
+        iwl_mvm_scan_calc_params(mvm, vif, req->n_ssids, req->flags,
+                                         &params);
+        iwl_mvm_build_generic_umac_scan_cmd(mvm, cmd, &params);
+        cmd->flags = cpu_to_le32(IWL_UMAC_SCAN_FLAG_PREEMPTIVE);
+        uid = iwl_generate_scan_uid(mvm, IWL_UMAC_SCAN_UID_SCHED_SCAN);
+        mvm->scan_uid[uid_idx] = uid;
+        cmd->uid = cpu_to_le32(uid);
+        cmd->ooc_priority = cpu_to_le32(IWL_SCAN_PRIORITY_LOW);
+        flags = iwl_mvm_scan_umac_common_flags(mvm, req->n_ssids, req->ssids,
+                                               params.passive_fragmented);
+        flags |= IWL_UMAC_SCAN_GEN_FLAGS_PERIODIC;
+        if (iwl_mvm_scan_pass_all(mvm, req))
+                flags |= IWL_UMAC_SCAN_GEN_FLAGS_PASS_ALL;
+        else
+                flags |= IWL_UMAC_SCAN_GEN_FLAGS_MATCH;
+        cmd->general_flags = cpu_to_le32(flags);
+        if (mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_EBS_SUPPORT &&
+            mvm->last_ebs_successful)
+                cmd->channel_flags = IWL_SCAN_CHANNEL_FLAG_EBS |
+                                     IWL_SCAN_CHANNEL_FLAG_EBS_ACCURATE |
+                                     IWL_SCAN_CHANNEL_FLAG_CACHE_ADD;
+        cmd->n_channels = req->n_channels;
+        iwl_scan_offload_build_ssid(req, sec_part->direct_scan, &ssid_bitmap,
+                                    false);
+        /* This API uses bits 0-19 instead of 1-20. */
+        ssid_bitmap = ssid_bitmap >> 1;
+        iwl_mvm_umac_scan_cfg_channels(mvm, req->channels, req->n_channels,
+                                       ssid_bitmap, cmd);
+        sec_part->schedule[0].interval =
+                                cpu_to_le16(req->interval / MSEC_PER_SEC);
+        sec_part->schedule[0].iter_count = 0xff;
+        sec_part->delay = 0;
+        iwl_mvm_build_unified_scan_probe(mvm, vif, ies, &sec_part->preq,
+                req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR ?
+                        req->mac_addr : NULL,
+                req->mac_addr_mask);
+        ret = iwl_mvm_send_cmd(mvm, &hcmd);
+        if (!ret) {
+                IWL_DEBUG_SCAN(mvm,
+                               "Sched scan request was sent successfully\n");
+        } else {
+                /*
+                 * If the scan failed, it usually means that the FW was unable
+                 * to allocate the time events. Warn on it, but maybe we
+                 * should try to send the command again with different params.
+                 */
+                IWL_ERR(mvm, "Sched scan failed! ret %d\n", ret);
+        }
+        return ret;
+}
+int iwl_mvm_rx_umac_scan_complete_notif(struct iwl_mvm *mvm,
+                                        struct iwl_rx_cmd_buffer *rxb,
+                                        struct iwl_device_cmd *cmd)
+{
+        struct iwl_rx_packet *pkt = rxb_addr(rxb);
+        struct iwl_umac_scan_complete *notif = (void *)pkt->data;
+        u32 uid = __le32_to_cpu(notif->uid);
+        bool sched = !!(uid & IWL_UMAC_SCAN_UID_SCHED_SCAN);
+        int uid_idx = iwl_mvm_find_scan_uid(mvm, uid);
+        /*
+         * Scan uid may be set to zero in case of scan abort request from above.
+         */
+        if (uid_idx >= IWL_MVM_MAX_SIMULTANEOUS_SCANS)
+                return 0;
+        IWL_DEBUG_SCAN(mvm,
+                       "Scan completed, uid %u type %s, status %s, EBS status %s\n",
+                       uid, sched ? "sched" : "regular",
+                       notif->status == IWL_SCAN_OFFLOAD_COMPLETED ?
+                                "completed" : "aborted",
+                       notif->ebs_status == IWL_SCAN_EBS_SUCCESS ?
+                                "success" : "failed");
+        mvm->last_ebs_successful = !notif->ebs_status;
+        mvm->scan_uid[uid_idx] = 0;
+        if (!sched) {
+                ieee80211_scan_completed(mvm->hw,
+                                         notif->status ==
+                                                IWL_SCAN_OFFLOAD_ABORTED);
+                iwl_mvm_unref(mvm, IWL_MVM_REF_SCAN);
+        } else if (!iwl_mvm_find_scan_type(mvm, IWL_UMAC_SCAN_UID_SCHED_SCAN)) {
+                ieee80211_sched_scan_stopped(mvm->hw);
+        } else {
+                IWL_DEBUG_SCAN(mvm, "Another sched scan is running\n");
+        }
+        return 0;
+}
+static bool iwl_scan_umac_done_check(struct iwl_notif_wait_data *notif_wait,
+                                     struct iwl_rx_packet *pkt, void *data)
+{
+        struct iwl_umac_scan_done *scan_done = data;
+        struct iwl_umac_scan_complete *notif = (void *)pkt->data;
+        u32 uid = __le32_to_cpu(notif->uid);
+        int uid_idx = iwl_mvm_find_scan_uid(scan_done->mvm, uid);
+        if (WARN_ON(pkt->hdr.cmd != SCAN_COMPLETE_UMAC))
+                return false;
+        if (uid_idx >= IWL_MVM_MAX_SIMULTANEOUS_SCANS)
+                return false;
+        /*
+         * Clear scan uid of scans that was aborted from above and completed
+         * in FW so the RX handler does nothing.
+         */
+        scan_done->mvm->scan_uid[uid_idx] = 0;
+        return !iwl_mvm_find_scan_type(scan_done->mvm, scan_done->type);
+}
+static int iwl_umac_scan_abort_one(struct iwl_mvm *mvm, u32 uid)
+{
+        struct iwl_umac_scan_abort cmd = {
+                .hdr.size = cpu_to_le16(sizeof(struct iwl_umac_scan_abort) -
+                                        sizeof(struct iwl_mvm_umac_cmd_hdr)),
+                .uid = cpu_to_le32(uid),
+        };
+        lockdep_assert_held(&mvm->mutex);
+        IWL_DEBUG_SCAN(mvm, "Sending scan abort, uid %u\n", uid);
+        return iwl_mvm_send_cmd_pdu(mvm, SCAN_ABORT_UMAC, 0, sizeof(cmd), &cmd);
+}
+static int iwl_umac_scan_stop(struct iwl_mvm *mvm,
+                              enum iwl_umac_scan_uid_type type, bool notify)
+{
+        struct iwl_notification_wait wait_scan_done;
+        static const u8 scan_done_notif[] = { SCAN_COMPLETE_UMAC, };
+        struct iwl_umac_scan_done scan_done = {
+                .mvm = mvm,
+                .type = type,
+        };
+        int i, ret = -EIO;
+        iwl_init_notification_wait(&mvm->notif_wait, &wait_scan_done,
+                                   scan_done_notif,
+                                   ARRAY_SIZE(scan_done_notif),
+                                   iwl_scan_umac_done_check, &scan_done);
+        IWL_DEBUG_SCAN(mvm, "Preparing to stop scan, type %x\n", type);
+        for (i = 0; i < IWL_MVM_MAX_SIMULTANEOUS_SCANS; i++) {
+                if (mvm->scan_uid[i] & type) {
+                        int err;
+                        if (iwl_mvm_is_radio_killed(mvm) &&
+                            (type & IWL_UMAC_SCAN_UID_REG_SCAN)) {
+                                ieee80211_scan_completed(mvm->hw, true);
+                                iwl_mvm_unref(mvm, IWL_MVM_REF_SCAN);
+                                break;
+                        }
+                        err = iwl_umac_scan_abort_one(mvm, mvm->scan_uid[i]);
+                        if (!err)
+                                ret = 0;
+                }
+        }
+        if (ret) {
+                IWL_DEBUG_SCAN(mvm, "Couldn't stop scan\n");
+                iwl_remove_notification(&mvm->notif_wait, &wait_scan_done);
+                return ret;
+        }
+        ret = iwl_wait_notification(&mvm->notif_wait, &wait_scan_done, 1 * HZ);
+        if (ret)
+                return ret;
+        if (notify) {
+                if (type & IWL_UMAC_SCAN_UID_SCHED_SCAN)
+                        ieee80211_sched_scan_stopped(mvm->hw);
+                if (type & IWL_UMAC_SCAN_UID_REG_SCAN) {
+                        ieee80211_scan_completed(mvm->hw, true);
+                        iwl_mvm_unref(mvm, IWL_MVM_REF_SCAN);
+                }
+        }
+        return ret;
+}
+int iwl_mvm_scan_size(struct iwl_mvm *mvm)
+{
+        if (mvm->fw->ucode_capa.capa[0] & IWL_UCODE_TLV_CAPA_UMAC_SCAN)
+                return sizeof(struct iwl_scan_req_umac) +
+                        sizeof(struct iwl_scan_channel_cfg_umac) *
+                                mvm->fw->ucode_capa.n_scan_channels +
+                        sizeof(struct iwl_scan_req_umac_tail);
+        if (mvm->fw->ucode_capa.api[0] & IWL_UCODE_TLV_API_LMAC_SCAN)
+                return sizeof(struct iwl_scan_req_unified_lmac) +
+                        sizeof(struct iwl_scan_channel_cfg_lmac) *
+                                mvm->fw->ucode_capa.n_scan_channels +
+                        sizeof(struct iwl_scan_probe_req);
+        return sizeof(struct iwl_scan_cmd) +
+                mvm->fw->ucode_capa.max_probe_length +
+                        mvm->fw->ucode_capa.n_scan_channels *
+                sizeof(struct iwl_scan_channel);
+}
diff --git a/drivers/net/wireless/iwlwifi/mvm/sta.c b/drivers/net/wireless/iwlwifi/mvm/sta.c
index dd0dc5bf8583..d86fe432e51f 100644
--- a/drivers/net/wireless/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/iwlwifi/mvm/sta.c
@@ -204,6 +204,56 @@ int iwl_mvm_sta_send_to_fw(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
        return ret;
 }
+static int iwl_mvm_tdls_sta_init(struct iwl_mvm *mvm,
+                                 struct ieee80211_sta *sta)
+{
+        unsigned long used_hw_queues;
+        struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        u32 ac;
+        lockdep_assert_held(&mvm->mutex);
+        used_hw_queues = iwl_mvm_get_used_hw_queues(mvm, NULL);
+        /* Find available queues, and allocate them to the ACs */
+        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+                u8 queue = find_first_zero_bit(&used_hw_queues,
+                                               mvm->first_agg_queue);
+                if (queue >= mvm->first_agg_queue) {
+                        IWL_ERR(mvm, "Failed to allocate STA queue\n");
+                        return -EBUSY;
+                }
+                __set_bit(queue, &used_hw_queues);
+                mvmsta->hw_queue[ac] = queue;
+        }
+        /* Found a place for all queues - enable them */
+        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+                iwl_mvm_enable_ac_txq(mvm, mvmsta->hw_queue[ac],
+                                      iwl_mvm_ac_to_tx_fifo[ac]);
+                mvmsta->tfd_queue_msk |= BIT(mvmsta->hw_queue[ac]);
+        }
+        return 0;
+}
+static void iwl_mvm_tdls_sta_deinit(struct iwl_mvm *mvm,
+                                    struct ieee80211_sta *sta)
+{
+        struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        unsigned long sta_msk;
+        int i;
+        lockdep_assert_held(&mvm->mutex);
+        /* disable the TDLS STA-specific queues */
+        sta_msk = mvmsta->tfd_queue_msk;
+        for_each_set_bit(i, &sta_msk, sizeof(sta_msk))
+                iwl_mvm_disable_txq(mvm, i);
+}
 int iwl_mvm_add_sta(struct iwl_mvm *mvm,
                    struct ieee80211_vif *vif,
                    struct ieee80211_sta *sta)
@@ -237,9 +287,17 @@ int iwl_mvm_add_sta(struct iwl_mvm *mvm,
        atomic_set(&mvm->pending_frames[sta_id], 0);
        mvm_sta->tid_disable_agg = 0;
        mvm_sta->tfd_queue_msk = 0;
-        for (i = 0; i < IEEE80211_NUM_ACS; i++)
-                if (vif->hw_queue[i] != IEEE80211_INVAL_HW_QUEUE)
+        /* allocate new queues for a TDLS station */
-                        mvm_sta->tfd_queue_msk |= BIT(vif->hw_queue[i]);
+        if (sta->tdls) {
+                ret = iwl_mvm_tdls_sta_init(mvm, sta);
+                if (ret)
+                        return ret;
+        } else {
+                for (i = 0; i < IEEE80211_NUM_ACS; i++)
+                        if (vif->hw_queue[i] != IEEE80211_INVAL_HW_QUEUE)
+                                mvm_sta->tfd_queue_msk |= BIT(vif->hw_queue[i]);
+        }
        /* for HW restart - reset everything but the sequence number */
        for (i = 0; i < IWL_MAX_TID_COUNT; i++) {
@@ -251,7 +309,7 @@ int iwl_mvm_add_sta(struct iwl_mvm *mvm,
        ret = iwl_mvm_sta_send_to_fw(mvm, sta, false);
        if (ret)
-                return ret;
+                goto err;
        if (vif->type == NL80211_IFTYPE_STATION) {
                if (!sta->tdls) {
@@ -265,6 +323,10 @@ int iwl_mvm_add_sta(struct iwl_mvm *mvm,
        rcu_assign_pointer(mvm->fw_id_to_mac_id[sta_id], sta);
        return 0;
+err:
+        iwl_mvm_tdls_sta_deinit(mvm, sta);
+        return ret;
 }
 int iwl_mvm_update_sta(struct iwl_mvm *mvm,
@@ -398,6 +460,17 @@ void iwl_mvm_sta_drained_wk(struct work_struct *wk)
                }
                RCU_INIT_POINTER(mvm->fw_id_to_mac_id[sta_id], NULL);
                clear_bit(sta_id, mvm->sta_drained);
+                if (mvm->tfd_drained[sta_id]) {
+                        unsigned long i, msk = mvm->tfd_drained[sta_id];
+                        for_each_set_bit(i, &msk, sizeof(msk))
+                                iwl_mvm_disable_txq(mvm, i);
+                        mvm->tfd_drained[sta_id] = 0;
+                        IWL_DEBUG_TDLS(mvm, "Drained sta %d, with queues %ld\n",
+                                       sta_id, msk);
+                }
        }
        mutex_unlock(&mvm->mutex);
@@ -431,6 +504,15 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
        }
        /*
+         * This shouldn't happen - the TDLS channel switch should be canceled
+         * before the STA is removed.
+         */
+        if (WARN_ON_ONCE(mvm->tdls_cs.peer.sta_id == mvm_sta->sta_id)) {
+                mvm->tdls_cs.peer.sta_id = IWL_MVM_STATION_COUNT;
+                cancel_delayed_work(&mvm->tdls_cs.dwork);
+        }
+        /*
         * Make sure that the tx response code sees the station as -EBUSY and
         * calls the drain worker.
         */
@@ -443,9 +525,22 @@ int iwl_mvm_rm_sta(struct iwl_mvm *mvm,
                rcu_assign_pointer(mvm->fw_id_to_mac_id[mvm_sta->sta_id],
                                   ERR_PTR(-EBUSY));
                spin_unlock_bh(&mvm_sta->lock);
+                /* disable TDLS sta queues on drain complete */
+                if (sta->tdls) {
+                        mvm->tfd_drained[mvm_sta->sta_id] =
+                                                        mvm_sta->tfd_queue_msk;
+                        IWL_DEBUG_TDLS(mvm, "Draining TDLS sta %d\n",
+                                       mvm_sta->sta_id);
+                }
                ret = iwl_mvm_drain_sta(mvm, mvm_sta, true);
        } else {
                spin_unlock_bh(&mvm_sta->lock);
+                if (sta->tdls)
+                        iwl_mvm_tdls_sta_deinit(mvm, sta);
                ret = iwl_mvm_rm_sta_common(mvm, mvm_sta->sta_id);
                RCU_INIT_POINTER(mvm->fw_id_to_mac_id[mvm_sta->sta_id], NULL);
        }
@@ -1071,15 +1166,16 @@ static u8 iwl_mvm_get_key_sta_id(struct ieee80211_vif *vif,
 static int iwl_mvm_send_sta_key(struct iwl_mvm *mvm,
                                struct iwl_mvm_sta *mvm_sta,
-                                struct ieee80211_key_conf *keyconf,
+                                struct ieee80211_key_conf *keyconf, bool mcast,
-                                u8 sta_id, u32 tkip_iv32, u16 *tkip_p1k,
+                                u32 tkip_iv32, u16 *tkip_p1k, u32 cmd_flags)
-                                u32 cmd_flags)
 {
        struct iwl_mvm_add_sta_key_cmd cmd = {};
        __le16 key_flags;
-        int ret, status;
+        int ret;
+        u32 status;
        u16 keyidx;
        int i;
+        u8 sta_id = mvm_sta->sta_id;
        keyidx = (keyconf->keyidx << STA_KEY_FLG_KEYID_POS) &
                 STA_KEY_FLG_KEYID_MSK;
@@ -1098,12 +1194,18 @@ static int iwl_mvm_send_sta_key(struct iwl_mvm *mvm,
                key_flags |= cpu_to_le16(STA_KEY_FLG_CCM);
                memcpy(cmd.key, keyconf->key, keyconf->keylen);
                break;
+        case WLAN_CIPHER_SUITE_WEP104:
+                key_flags |= cpu_to_le16(STA_KEY_FLG_WEP_13BYTES);
+        case WLAN_CIPHER_SUITE_WEP40:
+                key_flags |= cpu_to_le16(STA_KEY_FLG_WEP);
+                memcpy(cmd.key + 3, keyconf->key, keyconf->keylen);
+                break;
        default:
                key_flags |= cpu_to_le16(STA_KEY_FLG_EXT);
                memcpy(cmd.key, keyconf->key, keyconf->keylen);
        }
-        if (!(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE))
+        if (mcast)
                key_flags |= cpu_to_le16(STA_KEY_MULTICAST);
        cmd.key_offset = keyconf->hw_key_idx;
@@ -1195,17 +1297,88 @@ static inline u8 *iwl_mvm_get_mac_addr(struct iwl_mvm *mvm,
        return NULL;
 }
+static int __iwl_mvm_set_sta_key(struct iwl_mvm *mvm,
+                                 struct ieee80211_vif *vif,
+                                 struct ieee80211_sta *sta,
+                                 struct ieee80211_key_conf *keyconf,
+                                 bool mcast)
+{
+        struct iwl_mvm_sta *mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+        int ret;
+        const u8 *addr;
+        struct ieee80211_key_seq seq;
+        u16 p1k[5];
+        switch (keyconf->cipher) {
+        case WLAN_CIPHER_SUITE_TKIP:
+                addr = iwl_mvm_get_mac_addr(mvm, vif, sta);
+                /* get phase 1 key from mac80211 */
+                ieee80211_get_key_rx_seq(keyconf, 0, &seq);
+                ieee80211_get_tkip_rx_p1k(keyconf, addr, seq.tkip.iv32, p1k);
+                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast,
+                                           seq.tkip.iv32, p1k, 0);
+                break;
+        case WLAN_CIPHER_SUITE_CCMP:
+        case WLAN_CIPHER_SUITE_WEP40:
+        case WLAN_CIPHER_SUITE_WEP104:
+                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast,
+                                           0, NULL, 0);
+                break;
+        default:
+                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast,
+                                           0, NULL, 0);
+        }
+        return ret;
+}
+static int __iwl_mvm_remove_sta_key(struct iwl_mvm *mvm, u8 sta_id,
+                                    struct ieee80211_key_conf *keyconf,
+                                    bool mcast)
+{
+        struct iwl_mvm_add_sta_key_cmd cmd = {};
+        __le16 key_flags;
+        int ret;
+        u32 status;
+        key_flags = cpu_to_le16((keyconf->keyidx << STA_KEY_FLG_KEYID_POS) &
+                                 STA_KEY_FLG_KEYID_MSK);
+        key_flags |= cpu_to_le16(STA_KEY_FLG_NO_ENC | STA_KEY_FLG_WEP_KEY_MAP);
+        key_flags |= cpu_to_le16(STA_KEY_NOT_VALID);
+        if (mcast)
+                key_flags |= cpu_to_le16(STA_KEY_MULTICAST);
+        cmd.key_flags = key_flags;
+        cmd.key_offset = keyconf->hw_key_idx;
+        cmd.sta_id = sta_id;
+        status = ADD_STA_SUCCESS;
+        ret = iwl_mvm_send_cmd_pdu_status(mvm, ADD_STA_KEY, sizeof(cmd),
+                                          &cmd, &status);
+        switch (status) {
+        case ADD_STA_SUCCESS:
+                IWL_DEBUG_WEP(mvm, "MODIFY_STA: remove sta key passed\n");
+                break;
+        default:
+                ret = -EIO;
+                IWL_ERR(mvm, "MODIFY_STA: remove sta key failed\n");
+                break;
+        }
+        return ret;
+}
 int iwl_mvm_set_sta_key(struct iwl_mvm *mvm,
                        struct ieee80211_vif *vif,
                        struct ieee80211_sta *sta,
                        struct ieee80211_key_conf *keyconf,
                        bool have_key_offset)
 {
-        struct iwl_mvm_sta *mvm_sta;
+        bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE);
+        u8 sta_id;
        int ret;
-        u8 *addr, sta_id;
-        struct ieee80211_key_seq seq;
-        u16 p1k[5];
        lockdep_assert_held(&mvm->mutex);
@@ -1234,8 +1407,7 @@ int iwl_mvm_set_sta_key(struct iwl_mvm *mvm,
                }
        }
-        mvm_sta = (struct iwl_mvm_sta *)sta->drv_priv;
+        if (WARN_ON_ONCE(iwl_mvm_sta_from_mac80211(sta)->vif != vif))
-        if (WARN_ON_ONCE(mvm_sta->vif != vif))
                return -EINVAL;
        if (!have_key_offset) {
@@ -1249,26 +1421,26 @@ int iwl_mvm_set_sta_key(struct iwl_mvm *mvm,
                        return -ENOSPC;
        }
-        switch (keyconf->cipher) {
+        ret = __iwl_mvm_set_sta_key(mvm, vif, sta, keyconf, mcast);
-        case WLAN_CIPHER_SUITE_TKIP:
+        if (ret) {
-                addr = iwl_mvm_get_mac_addr(mvm, vif, sta);
+                __clear_bit(keyconf->hw_key_idx, mvm->fw_key_table);
-                /* get phase 1 key from mac80211 */
+                goto end;
-                ieee80211_get_key_rx_seq(keyconf, 0, &seq);
-                ieee80211_get_tkip_rx_p1k(keyconf, addr, seq.tkip.iv32, p1k);
-                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, sta_id,
-                                           seq.tkip.iv32, p1k, 0);
-                break;
-        case WLAN_CIPHER_SUITE_CCMP:
-                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, sta_id,
-                                           0, NULL, 0);
-                break;
-        default:
-                ret = iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf,
-                                           sta_id, 0, NULL, 0);
        }
-        if (ret)
+        /*
-                __clear_bit(keyconf->hw_key_idx, mvm->fw_key_table);
+         * For WEP, the same key is used for multicast and unicast. Upload it
+         * again, using the same key offset, and now pointing the other one
+         * to the same key slot (offset).
+         * If this fails, remove the original as well.
+         */
+        if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
+            keyconf->cipher == WLAN_CIPHER_SUITE_WEP104) {
+                ret = __iwl_mvm_set_sta_key(mvm, vif, sta, keyconf, !mcast);
+                if (ret) {
+                        __clear_bit(keyconf->hw_key_idx, mvm->fw_key_table);
+                        __iwl_mvm_remove_sta_key(mvm, sta_id, keyconf, mcast);
+                }
+        }
 end:
        IWL_DEBUG_WEP(mvm, "key: cipher=%x len=%d idx=%d sta=%pM ret=%d\n",
@@ -1282,11 +1454,9 @@ int iwl_mvm_remove_sta_key(struct iwl_mvm *mvm,
                           struct ieee80211_sta *sta,
                           struct ieee80211_key_conf *keyconf)
 {
-        struct iwl_mvm_sta *mvm_sta;
+        bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE);
-        struct iwl_mvm_add_sta_key_cmd cmd = {};
-        __le16 key_flags;
-        int ret, status;
        u8 sta_id;
+        int ret;
        lockdep_assert_held(&mvm->mutex);
@@ -1299,8 +1469,7 @@ int iwl_mvm_remove_sta_key(struct iwl_mvm *mvm,
        if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC)
                return iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, true);
-        ret = __test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table);
+        if (!__test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table)) {
-        if (!ret) {
                IWL_ERR(mvm, "offset %d not used in fw key table.\n",
                        keyconf->hw_key_idx);
                return -ENOENT;
@@ -1326,35 +1495,17 @@ int iwl_mvm_remove_sta_key(struct iwl_mvm *mvm,
                }
        }
-        mvm_sta = (struct iwl_mvm_sta *)sta->drv_priv;
+        if (WARN_ON_ONCE(iwl_mvm_sta_from_mac80211(sta)->vif != vif))
-        if (WARN_ON_ONCE(mvm_sta->vif != vif))
                return -EINVAL;
-        key_flags = cpu_to_le16((keyconf->keyidx << STA_KEY_FLG_KEYID_POS) &
+        ret = __iwl_mvm_remove_sta_key(mvm, sta_id, keyconf, mcast);
-                                 STA_KEY_FLG_KEYID_MSK);
+        if (ret)
-        key_flags |= cpu_to_le16(STA_KEY_FLG_NO_ENC | STA_KEY_FLG_WEP_KEY_MAP);
+                return ret;
-        key_flags |= cpu_to_le16(STA_KEY_NOT_VALID);
-        if (!(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE))
-                key_flags |= cpu_to_le16(STA_KEY_MULTICAST);
-        cmd.key_flags = key_flags;
-        cmd.key_offset = keyconf->hw_key_idx;
-        cmd.sta_id = sta_id;
-        status = ADD_STA_SUCCESS;
-        ret = iwl_mvm_send_cmd_pdu_status(mvm, ADD_STA_KEY, sizeof(cmd),
-                                          &cmd, &status);
-        switch (status) {
+        /* delete WEP key twice to get rid of (now useless) offset */
-        case ADD_STA_SUCCESS:
+        if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 ||
-                IWL_DEBUG_WEP(mvm, "MODIFY_STA: remove sta key passed\n");
+            keyconf->cipher == WLAN_CIPHER_SUITE_WEP104)
-                break;
+                ret = __iwl_mvm_remove_sta_key(mvm, sta_id, keyconf, !mcast);
-        default:
-                ret = -EIO;
-                IWL_ERR(mvm, "MODIFY_STA: remove sta key failed\n");
-                break;
-        }
        return ret;
 }
@@ -1367,6 +1518,7 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm,
 {
        struct iwl_mvm_sta *mvm_sta;
        u8 sta_id = iwl_mvm_get_key_sta_id(vif, sta);
+        bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE);
        if (WARN_ON_ONCE(sta_id == IWL_MVM_STATION_COUNT))
                return;
@@ -1381,8 +1533,8 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm,
                }
        }
-        mvm_sta = (void *)sta->drv_priv;
+        mvm_sta = iwl_mvm_sta_from_mac80211(sta);
-        iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, sta_id,
+        iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast,
                             iv32, phase1key, CMD_ASYNC);
        rcu_read_unlock();
 }
@@ -1580,3 +1732,18 @@ void iwl_mvm_modify_all_sta_disable_tx(struct iwl_mvm *mvm,
                iwl_mvm_sta_modify_disable_tx_ap(mvm, sta, disable);
        }
 }
+void iwl_mvm_csa_client_absent(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+{
+        struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+        struct iwl_mvm_sta *mvmsta;
+        rcu_read_lock();
+        mvmsta = iwl_mvm_sta_from_staid_rcu(mvm, mvmvif->ap_sta_id);
+        if (!WARN_ON(!mvmsta))
+                iwl_mvm_sta_modify_disable_tx(mvm, mvmsta, true);
+        rcu_read_unlock();
+}
diff --git a/drivers/net/wireless/iwlwifi/mvm/sta.h b/drivers/net/wireless/iwlwifi/mvm/sta.h
index d9c0d7b0e9d4..d8f48975ad08 100644
--- a/drivers/net/wireless/iwlwifi/mvm/sta.h
+++ b/drivers/net/wireless/iwlwifi/mvm/sta.h
@@ -264,6 +264,7 @@ enum iwl_mvm_agg_state {
 *      the first packet to be sent in legacy HW queue in Tx AGG stop flow.
 *      Basically when next_reclaimed reaches ssn, we can tell mac80211 that
 *      we are ready to finish the Tx AGG stop / start flow.
+ * @tx_time: medium time consumed by this A-MPDU
 */
 struct iwl_mvm_tid_data {
        u16 seq_number;
@@ -274,6 +275,7 @@ struct iwl_mvm_tid_data {
        enum iwl_mvm_agg_state state;
        u16 txq_id;
        u16 ssn;
+        u16 tx_time;
 };
 static inline u16 iwl_mvm_tid_queued(struct iwl_mvm_tid_data *tid_data)
@@ -286,6 +288,7 @@ static inline u16 iwl_mvm_tid_queued(struct iwl_mvm_tid_data *tid_data)
 * struct iwl_mvm_sta - representation of a station in the driver
 * @sta_id: the index of the station in the fw (will be replaced by id_n_color)
 * @tfd_queue_msk: the tfd queues used by the station
+ * @hw_queue: per-AC mapping of the TFD queues used by station
 * @mac_id_n_color: the MAC context this station is linked to
 * @tid_disable_agg: bitmap: if bit(tid) is set, the fw won't send ampdus for
 *      tid.
@@ -309,6 +312,7 @@ static inline u16 iwl_mvm_tid_queued(struct iwl_mvm_tid_data *tid_data)
 struct iwl_mvm_sta {
        u32 sta_id;
        u32 tfd_queue_msk;
+        u8 hw_queue[IEEE80211_NUM_ACS];
        u32 mac_id_n_color;
        u16 tid_disable_agg;
        u8 max_agg_bufsize;
@@ -418,5 +422,6 @@ void iwl_mvm_sta_modify_disable_tx_ap(struct iwl_mvm *mvm,
 void iwl_mvm_modify_all_sta_disable_tx(struct iwl_mvm *mvm,
                                       struct iwl_mvm_vif *mvmvif,
                                       bool disable);
+void iwl_mvm_csa_client_absent(struct iwl_mvm *mvm, struct ieee80211_vif *vif);
 #endif /* __sta_h__ */
diff --git a/drivers/net/wireless/iwlwifi/mvm/tdls.c b/drivers/net/wireless/iwlwifi/mvm/tdls.c
index 66c82df2d0a1..c0e00bae5bd0 100644
--- a/drivers/net/wireless/iwlwifi/mvm/tdls.c
+++ b/drivers/net/wireless/iwlwifi/mvm/tdls.c
@@ -61,9 +61,13 @@
 *
 *****************************************************************************/
+#include <linux/etherdevice.h>
 #include "mvm.h"
 #include "time-event.h"
+#define TU_TO_US(x) (x * 1024)
+#define TU_TO_MS(x) (TU_TO_US(x) / 1000)
 void iwl_mvm_teardown_tdls_peers(struct iwl_mvm *mvm)
 {
        struct ieee80211_sta *sta;
@@ -113,17 +117,85 @@ int iwl_mvm_tdls_sta_count(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
        return count;
 }
+static void iwl_mvm_tdls_config(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+{
+        struct iwl_rx_packet *pkt;
+        struct iwl_tdls_config_res *resp;
+        struct iwl_tdls_config_cmd tdls_cfg_cmd = {};
+        struct iwl_host_cmd cmd = {
+                .id = TDLS_CONFIG_CMD,
+                .flags = CMD_WANT_SKB,
+                .data = { &tdls_cfg_cmd, },
+                .len = { sizeof(struct iwl_tdls_config_cmd), },
+        };
+        struct ieee80211_sta *sta;
+        int ret, i, cnt;
+        struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+        lockdep_assert_held(&mvm->mutex);
+        tdls_cfg_cmd.id_and_color =
+                cpu_to_le32(FW_CMD_ID_AND_COLOR(mvmvif->id, mvmvif->color));
+        tdls_cfg_cmd.tx_to_ap_tid = IWL_MVM_TDLS_FW_TID;
+        tdls_cfg_cmd.tx_to_ap_ssn = cpu_to_le16(0); /* not used for now */
+        /* for now the Tx cmd is empty and unused */
+        /* populate TDLS peer data */
+        cnt = 0;
+        for (i = 0; i < IWL_MVM_STATION_COUNT; i++) {
+                sta = rcu_dereference_protected(mvm->fw_id_to_mac_id[i],
+                                                lockdep_is_held(&mvm->mutex));
+                if (IS_ERR_OR_NULL(sta) || !sta->tdls)
+                        continue;
+                tdls_cfg_cmd.sta_info[cnt].sta_id = i;
+                tdls_cfg_cmd.sta_info[cnt].tx_to_peer_tid =
+                                                        IWL_MVM_TDLS_FW_TID;
+                tdls_cfg_cmd.sta_info[cnt].tx_to_peer_ssn = cpu_to_le16(0);
+                tdls_cfg_cmd.sta_info[cnt].is_initiator =
+                                cpu_to_le32(sta->tdls_initiator ? 1 : 0);
+                cnt++;
+        }
+        tdls_cfg_cmd.tdls_peer_count = cnt;
+        IWL_DEBUG_TDLS(mvm, "send TDLS config to FW for %d peers\n", cnt);
+        ret = iwl_mvm_send_cmd(mvm, &cmd);
+        if (WARN_ON_ONCE(ret))
+                return;
+        pkt = cmd.resp_pkt;
+        if (pkt->hdr.flags & IWL_CMD_FAILED_MSK) {
+                IWL_ERR(mvm, "Bad return from TDLS_CONFIG_COMMAND (0x%08X)\n",
+                        pkt->hdr.flags);
+                goto exit;
+        }
+        if (WARN_ON_ONCE(iwl_rx_packet_payload_len(pkt) != sizeof(*resp)))
+                goto exit;
+        /* we don't really care about the response at this point */
+exit:
+        iwl_free_resp(&cmd);
+}
 void iwl_mvm_recalc_tdls_state(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                               bool sta_added)
 {
        int tdls_sta_cnt = iwl_mvm_tdls_sta_count(mvm, vif);
-        /*
+        /* when the first peer joins, send a power update first */
-         * Disable ps when the first TDLS sta is added and re-enable it
+        if (tdls_sta_cnt == 1 && sta_added)
-         * when the last TDLS sta is removed
+                iwl_mvm_power_update_mac(mvm);
-         */
-        if ((tdls_sta_cnt == 1 && sta_added) ||
+        /* configure the FW with TDLS peer info */
-            (tdls_sta_cnt == 0 && !sta_added))
+        iwl_mvm_tdls_config(mvm, vif);
+        /* when the last peer leaves, send a power update last */
+        if (tdls_sta_cnt == 0 && !sta_added)
                iwl_mvm_power_update_mac(mvm);
 }
@@ -147,3 +219,488 @@ void iwl_mvm_mac_mgd_protect_tdls_discover(struct ieee80211_hw *hw,
        iwl_mvm_unref(mvm, IWL_MVM_REF_PROTECT_TDLS);
 }
+static const char *
+iwl_mvm_tdls_cs_state_str(enum iwl_mvm_tdls_cs_state state)
+{
+        switch (state) {
+        case IWL_MVM_TDLS_SW_IDLE:
+                return "IDLE";
+        case IWL_MVM_TDLS_SW_REQ_SENT:
+                return "REQ SENT";
+        case IWL_MVM_TDLS_SW_REQ_RCVD:
+                return "REQ RECEIVED";
+        case IWL_MVM_TDLS_SW_ACTIVE:
+                return "ACTIVE";
+        }
+        return NULL;
+}
+static void iwl_mvm_tdls_update_cs_state(struct iwl_mvm *mvm,
+                                         enum iwl_mvm_tdls_cs_state state)
+{
+        if (mvm->tdls_cs.state == state)
+                return;
+        IWL_DEBUG_TDLS(mvm, "TDLS channel switch state: %s -> %s\n",
+                       iwl_mvm_tdls_cs_state_str(mvm->tdls_cs.state),
+                       iwl_mvm_tdls_cs_state_str(state));
+        mvm->tdls_cs.state = state;
+        if (state == IWL_MVM_TDLS_SW_IDLE)
+                mvm->tdls_cs.cur_sta_id = IWL_MVM_STATION_COUNT;
+}
+int iwl_mvm_rx_tdls_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb,
+                          struct iwl_device_cmd *cmd)
+{
+        struct iwl_rx_packet *pkt = rxb_addr(rxb);
+        struct iwl_tdls_channel_switch_notif *notif = (void *)pkt->data;
+        struct ieee80211_sta *sta;
+        unsigned int delay;
+        struct iwl_mvm_sta *mvmsta;
+        struct ieee80211_vif *vif;
+        u32 sta_id = le32_to_cpu(notif->sta_id);
+        lockdep_assert_held(&mvm->mutex);
+        /* can fail sometimes */
+        if (!le32_to_cpu(notif->status)) {
+                iwl_mvm_tdls_update_cs_state(mvm, IWL_MVM_TDLS_SW_IDLE);
+                goto out;
+        }
+        if (WARN_ON(sta_id >= IWL_MVM_STATION_COUNT))
+                goto out;
+        sta = rcu_dereference_protected(mvm->fw_id_to_mac_id[sta_id],
+                                        lockdep_is_held(&mvm->mutex));
+        /* the station may not be here, but if it is, it must be a TDLS peer */
+        if (IS_ERR_OR_NULL(sta) || WARN_ON(!sta->tdls))
+                goto out;
+        mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        vif = mvmsta->vif;
+        /*
+         * Update state and possibly switch again after this is over (DTIM).
+         * Also convert TU to msec.
+         */
+        delay = TU_TO_MS(vif->bss_conf.dtim_period * vif->bss_conf.beacon_int);
+        mod_delayed_work(system_wq, &mvm->tdls_cs.dwork,
+                         msecs_to_jiffies(delay));
+        iwl_mvm_tdls_update_cs_state(mvm, IWL_MVM_TDLS_SW_ACTIVE);
+out:
+        return 0;
+}
+static int
+iwl_mvm_tdls_check_action(struct iwl_mvm *mvm,
+                          enum iwl_tdls_channel_switch_type type,
+                          const u8 *peer, bool peer_initiator)
+{
+        bool same_peer = false;
+        int ret = 0;
+        /* get the existing peer if it's there */
+        if (mvm->tdls_cs.state != IWL_MVM_TDLS_SW_IDLE &&
+            mvm->tdls_cs.cur_sta_id != IWL_MVM_STATION_COUNT) {
+                struct ieee80211_sta *sta = rcu_dereference_protected(
+                                mvm->fw_id_to_mac_id[mvm->tdls_cs.cur_sta_id],
+                                lockdep_is_held(&mvm->mutex));
+                if (!IS_ERR_OR_NULL(sta))
+                        same_peer = ether_addr_equal(peer, sta->addr);
+        }
+        switch (mvm->tdls_cs.state) {
+        case IWL_MVM_TDLS_SW_IDLE:
+                /*
+                 * might be spurious packet from the peer after the switch is
+                 * already done
+                 */
+                if (type == TDLS_MOVE_CH)
+                        ret = -EINVAL;
+                break;
+        case IWL_MVM_TDLS_SW_REQ_SENT:
+                /*
+                 * We received a ch-switch request while an outgoing one is
+                 * pending. Allow it to proceed if the other peer is the same
+                 * one we sent to, and we are not the link initiator.
+                 */
+                if (type == TDLS_SEND_CHAN_SW_RESP_AND_MOVE_CH) {
+                        if (!same_peer)
+                                ret = -EBUSY;
+                        else if (!peer_initiator) /* we are the initiator */
+                                ret = -EBUSY;
+                }
+                break;
+        case IWL_MVM_TDLS_SW_REQ_RCVD:
+                /* as above, allow the link initiator to proceed */
+                if (type == TDLS_SEND_CHAN_SW_REQ) {
+                        if (!same_peer)
+                                ret = -EBUSY;
+                        else if (peer_initiator) /* they are the initiator */
+                                ret = -EBUSY;
+                } else if (type == TDLS_MOVE_CH) {
+                        ret = -EINVAL;
+                }
+                break;
+        case IWL_MVM_TDLS_SW_ACTIVE:
+                /* we don't allow initiations during active channel switch */
+                if (type == TDLS_SEND_CHAN_SW_REQ)
+                        ret = -EINVAL;
+                break;
+        }
+        if (ret)
+                IWL_DEBUG_TDLS(mvm,
+                               "Invalid TDLS action %d state %d peer %pM same_peer %d initiator %d\n",
+                               type, mvm->tdls_cs.state, peer, same_peer,
+                               peer_initiator);
+        return ret;
+}
+static int
+iwl_mvm_tdls_config_channel_switch(struct iwl_mvm *mvm,
+                                   struct ieee80211_vif *vif,
+                                   enum iwl_tdls_channel_switch_type type,
+                                   const u8 *peer, bool peer_initiator,
+                                   u8 oper_class,
+                                   struct cfg80211_chan_def *chandef,
+                                   u32 timestamp, u16 switch_time,
+                                   u16 switch_timeout, struct sk_buff *skb,
+                                   u32 ch_sw_tm_ie)
+{
+        struct ieee80211_sta *sta;
+        struct iwl_mvm_sta *mvmsta;
+        struct ieee80211_tx_info *info;
+        struct ieee80211_hdr *hdr;
+        struct iwl_tdls_channel_switch_cmd cmd = {0};
+        int ret;
+        lockdep_assert_held(&mvm->mutex);
+        ret = iwl_mvm_tdls_check_action(mvm, type, peer, peer_initiator);
+        if (ret)
+                return ret;
+        if (!skb || WARN_ON(skb->len > IWL_TDLS_CH_SW_FRAME_MAX_SIZE)) {
+                ret = -EINVAL;
+                goto out;
+        }
+        cmd.switch_type = type;
+        cmd.timing.frame_timestamp = cpu_to_le32(timestamp);
+        cmd.timing.switch_time = cpu_to_le32(switch_time);
+        cmd.timing.switch_timeout = cpu_to_le32(switch_timeout);
+        rcu_read_lock();
+        sta = ieee80211_find_sta(vif, peer);
+        if (!sta) {
+                rcu_read_unlock();
+                ret = -ENOENT;
+                goto out;
+        }
+        mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        cmd.peer_sta_id = cpu_to_le32(mvmsta->sta_id);
+        if (!chandef) {
+                if (mvm->tdls_cs.state == IWL_MVM_TDLS_SW_REQ_SENT &&
+                    mvm->tdls_cs.peer.chandef.chan) {
+                        /* actually moving to the channel */
+                        chandef = &mvm->tdls_cs.peer.chandef;
+                } else if (mvm->tdls_cs.state == IWL_MVM_TDLS_SW_ACTIVE &&
+                           type == TDLS_MOVE_CH) {
+                        /* we need to return to base channel */
+                        struct ieee80211_chanctx_conf *chanctx =
+                                        rcu_dereference(vif->chanctx_conf);
+                        if (WARN_ON_ONCE(!chanctx)) {
+                                rcu_read_unlock();
+                                goto out;
+                        }
+                        chandef = &chanctx->def;
+                }
+        }
+        if (chandef) {
+                cmd.ci.band = (chandef->chan->band == IEEE80211_BAND_2GHZ ?
+                               PHY_BAND_24 : PHY_BAND_5);
+                cmd.ci.channel = chandef->chan->hw_value;
+                cmd.ci.width = iwl_mvm_get_channel_width(chandef);
+                cmd.ci.ctrl_pos = iwl_mvm_get_ctrl_pos(chandef);
+        }
+        /* keep quota calculation simple for now - 50% of DTIM for TDLS */
+        cmd.timing.max_offchan_duration =
+                        cpu_to_le32(TU_TO_US(vif->bss_conf.dtim_period *
+                                             vif->bss_conf.beacon_int) / 2);
+        /* Switch time is the first element in the switch-timing IE. */
+        cmd.frame.switch_time_offset = cpu_to_le32(ch_sw_tm_ie + 2);
+        info = IEEE80211_SKB_CB(skb);
+        if (info->control.hw_key)
+                iwl_mvm_set_tx_cmd_crypto(mvm, info, &cmd.frame.tx_cmd, skb);
+        iwl_mvm_set_tx_cmd(mvm, skb, &cmd.frame.tx_cmd, info,
+                           mvmsta->sta_id);
+        hdr = (void *)skb->data;
+        iwl_mvm_set_tx_cmd_rate(mvm, &cmd.frame.tx_cmd, info, sta,
+                                hdr->frame_control);
+        rcu_read_unlock();
+        memcpy(cmd.frame.data, skb->data, skb->len);
+        ret = iwl_mvm_send_cmd_pdu(mvm, TDLS_CHANNEL_SWITCH_CMD, 0,
+                                   sizeof(cmd), &cmd);
+        if (ret) {
+                IWL_ERR(mvm, "Failed to send TDLS_CHANNEL_SWITCH cmd: %d\n",
+                        ret);
+                goto out;
+        }
+        /* channel switch has started, update state */
+        if (type != TDLS_MOVE_CH) {
+                mvm->tdls_cs.cur_sta_id = mvmsta->sta_id;
+                iwl_mvm_tdls_update_cs_state(mvm,
+                                             type == TDLS_SEND_CHAN_SW_REQ ?
+                                             IWL_MVM_TDLS_SW_REQ_SENT :
+                                             IWL_MVM_TDLS_SW_REQ_RCVD);
+        }
+out:
+        /* channel switch failed - we are idle */
+        if (ret)
+                iwl_mvm_tdls_update_cs_state(mvm, IWL_MVM_TDLS_SW_IDLE);
+        return ret;
+}
+void iwl_mvm_tdls_ch_switch_work(struct work_struct *work)
+{
+        struct iwl_mvm *mvm;
+        struct ieee80211_sta *sta;
+        struct iwl_mvm_sta *mvmsta;
+        struct ieee80211_vif *vif;
+        unsigned int delay;
+        int ret;
+        mvm = container_of(work, struct iwl_mvm, tdls_cs.dwork.work);
+        mutex_lock(&mvm->mutex);
+        /* called after an active channel switch has finished or timed-out */
+        iwl_mvm_tdls_update_cs_state(mvm, IWL_MVM_TDLS_SW_IDLE);
+        /* station might be gone, in that case do nothing */
+        if (mvm->tdls_cs.peer.sta_id == IWL_MVM_STATION_COUNT)
+                goto out;
+        sta = rcu_dereference_protected(
+                                mvm->fw_id_to_mac_id[mvm->tdls_cs.peer.sta_id],
+                                lockdep_is_held(&mvm->mutex));
+        /* the station may not be here, but if it is, it must be a TDLS peer */
+        if (!sta || IS_ERR(sta) || WARN_ON(!sta->tdls))
+                goto out;
+        mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        vif = mvmsta->vif;
+        ret = iwl_mvm_tdls_config_channel_switch(mvm, vif,
+                                                 TDLS_SEND_CHAN_SW_REQ,
+                                                 sta->addr,
+                                                 mvm->tdls_cs.peer.initiator,
+                                                 mvm->tdls_cs.peer.op_class,
+                                                 &mvm->tdls_cs.peer.chandef,
+                                                 0, 0, 0,
+                                                 mvm->tdls_cs.peer.skb,
+                                                 mvm->tdls_cs.peer.ch_sw_tm_ie);
+        if (ret)
+                IWL_ERR(mvm, "Not sending TDLS channel switch: %d\n", ret);
+        /* retry after a DTIM if we failed sending now */
+        delay = TU_TO_MS(vif->bss_conf.dtim_period * vif->bss_conf.beacon_int);
+        queue_delayed_work(system_wq, &mvm->tdls_cs.dwork,
+                           msecs_to_jiffies(delay));
+out:
+        mutex_unlock(&mvm->mutex);
+}
+int
+iwl_mvm_tdls_channel_switch(struct ieee80211_hw *hw,
+                            struct ieee80211_vif *vif,
+                            struct ieee80211_sta *sta, u8 oper_class,
+                            struct cfg80211_chan_def *chandef,
+                            struct sk_buff *tmpl_skb, u32 ch_sw_tm_ie)
+{
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        struct iwl_mvm_sta *mvmsta;
+        unsigned int delay;
+        int ret;
+        mutex_lock(&mvm->mutex);
+        IWL_DEBUG_TDLS(mvm, "TDLS channel switch with %pM ch %d width %d\n",
+                       sta->addr, chandef->chan->center_freq, chandef->width);
+        /* we only support a single peer for channel switching */
+        if (mvm->tdls_cs.peer.sta_id != IWL_MVM_STATION_COUNT) {
+                IWL_DEBUG_TDLS(mvm,
+                               "Existing peer. Can't start switch with %pM\n",
+                               sta->addr);
+                ret = -EBUSY;
+                goto out;
+        }
+        ret = iwl_mvm_tdls_config_channel_switch(mvm, vif,
+                                                 TDLS_SEND_CHAN_SW_REQ,
+                                                 sta->addr, sta->tdls_initiator,
+                                                 oper_class, chandef, 0, 0, 0,
+                                                 tmpl_skb, ch_sw_tm_ie);
+        if (ret)
+                goto out;
+        /*
+         * Mark the peer as "in tdls switch" for this vif. We only allow a
+         * single such peer per vif.
+         */
+        mvm->tdls_cs.peer.skb = skb_copy(tmpl_skb, GFP_KERNEL);
+        if (!mvm->tdls_cs.peer.skb) {
+                ret = -ENOMEM;
+                goto out;
+        }
+        mvmsta = iwl_mvm_sta_from_mac80211(sta);
+        mvm->tdls_cs.peer.sta_id = mvmsta->sta_id;
+        mvm->tdls_cs.peer.chandef = *chandef;
+        mvm->tdls_cs.peer.initiator = sta->tdls_initiator;
+        mvm->tdls_cs.peer.op_class = oper_class;
+        mvm->tdls_cs.peer.ch_sw_tm_ie = ch_sw_tm_ie;
+        /*
+         * Wait for 2 DTIM periods before attempting the next switch. The next
+         * switch will be made sooner if the current one completes before that.
+         */
+        delay = 2 * TU_TO_MS(vif->bss_conf.dtim_period *
+                             vif->bss_conf.beacon_int);
+        mod_delayed_work(system_wq, &mvm->tdls_cs.dwork,
+                         msecs_to_jiffies(delay));
+out:
+        mutex_unlock(&mvm->mutex);
+        return ret;
+}
+void iwl_mvm_tdls_cancel_channel_switch(struct ieee80211_hw *hw,
+                                        struct ieee80211_vif *vif,
+                                        struct ieee80211_sta *sta)
+{
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        struct ieee80211_sta *cur_sta;
+        bool wait_for_phy = false;
+        mutex_lock(&mvm->mutex);
+        IWL_DEBUG_TDLS(mvm, "TDLS cancel channel switch with %pM\n", sta->addr);
+        /* we only support a single peer for channel switching */
+        if (mvm->tdls_cs.peer.sta_id == IWL_MVM_STATION_COUNT) {
+                IWL_DEBUG_TDLS(mvm, "No ch switch peer - %pM\n", sta->addr);
+                goto out;
+        }
+        cur_sta = rcu_dereference_protected(
+                                mvm->fw_id_to_mac_id[mvm->tdls_cs.peer.sta_id],
+                                lockdep_is_held(&mvm->mutex));
+        /* make sure it's the same peer */
+        if (cur_sta != sta)
+                goto out;
+        /*
+         * If we're currently in a switch because of the now canceled peer,
+         * wait a DTIM here to make sure the phy is back on the base channel.
+         * We can't otherwise force it.
+         */
+        if (mvm->tdls_cs.cur_sta_id == mvm->tdls_cs.peer.sta_id &&
+            mvm->tdls_cs.state != IWL_MVM_TDLS_SW_IDLE)
+                wait_for_phy = true;
+        mvm->tdls_cs.peer.sta_id = IWL_MVM_STATION_COUNT;
+        dev_kfree_skb(mvm->tdls_cs.peer.skb);
+        mvm->tdls_cs.peer.skb = NULL;
+out:
+        mutex_unlock(&mvm->mutex);
+        /* make sure the phy is on the base channel */
+        if (wait_for_phy)
+                msleep(TU_TO_MS(vif->bss_conf.dtim_period *
+                                vif->bss_conf.beacon_int));
+        /* flush the channel switch state */
+        flush_delayed_work(&mvm->tdls_cs.dwork);
+        IWL_DEBUG_TDLS(mvm, "TDLS ending channel switch with %pM\n", sta->addr);
+}
+void
+iwl_mvm_tdls_recv_channel_switch(struct ieee80211_hw *hw,
+                                 struct ieee80211_vif *vif,
+                                 struct ieee80211_tdls_ch_sw_params *params)
+{
+        struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+        enum iwl_tdls_channel_switch_type type;
+        unsigned int delay;
+        mutex_lock(&mvm->mutex);
+        IWL_DEBUG_TDLS(mvm,
+                       "Received TDLS ch switch action %d from %pM status %d\n",
+                       params->action_code, params->sta->addr, params->status);
+        /*
+         * we got a non-zero status from a peer we were switching to - move to
+         * the idle state and retry again later
+         */
+        if (params->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE &&
+            params->status != 0 &&
+            mvm->tdls_cs.state == IWL_MVM_TDLS_SW_REQ_SENT &&
+            mvm->tdls_cs.cur_sta_id != IWL_MVM_STATION_COUNT) {
+                struct ieee80211_sta *cur_sta;
+                /* make sure it's the same peer */
+                cur_sta = rcu_dereference_protected(
+                                mvm->fw_id_to_mac_id[mvm->tdls_cs.cur_sta_id],
+                                lockdep_is_held(&mvm->mutex));
+                if (cur_sta == params->sta) {
+                        iwl_mvm_tdls_update_cs_state(mvm,
+                                                     IWL_MVM_TDLS_SW_IDLE);
+                        goto retry;
+                }
+        }
+        type = (params->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST) ?
+               TDLS_SEND_CHAN_SW_RESP_AND_MOVE_CH : TDLS_MOVE_CH;
+        iwl_mvm_tdls_config_channel_switch(mvm, vif, type, params->sta->addr,
+                                           params->sta->tdls_initiator, 0,
+                                           params->chandef, params->timestamp,
+                                           params->switch_time,
+                                           params->switch_timeout,
+                                           params->tmpl_skb,
+                                           params->ch_sw_tm_ie);
+retry:
+        /* register a timeout in case we don't succeed in switching */
+        delay = vif->bss_conf.dtim_period * vif->bss_conf.beacon_int *
+                1024 / 1000;
+        mod_delayed_work(system_wq, &mvm->tdls_cs.dwork,
+                         msecs_to_jiffies(delay));
+        mutex_unlock(&mvm->mutex);
+}
diff --git a/drivers/net/wireless/iwlwifi/mvm/time-event.c b/drivers/net/wireless/iwlwifi/mvm/time-event.c
index 6dfad230be5e..54fafbf9a711 100644
--- a/drivers/net/wireless/iwlwifi/mvm/time-event.c
+++ b/drivers/net/wireless/iwlwifi/mvm/time-event.c
@@ -191,6 +191,35 @@ static bool iwl_mvm_te_check_disconnect(struct iwl_mvm *mvm,
        return true;
 }
+static void
+iwl_mvm_te_handle_notify_csa(struct iwl_mvm *mvm,
+                             struct iwl_mvm_time_event_data *te_data,
+                             struct iwl_time_event_notif *notif)
+{
+        if (!le32_to_cpu(notif->status)) {
+                IWL_DEBUG_TE(mvm, "CSA time event failed to start\n");
+                iwl_mvm_te_clear_data(mvm, te_data);
+                return;
+        }
+        switch (te_data->vif->type) {
+        case NL80211_IFTYPE_AP:
+                iwl_mvm_csa_noa_start(mvm);
+                break;
+        case NL80211_IFTYPE_STATION:
+                iwl_mvm_csa_client_absent(mvm, te_data->vif);
+                ieee80211_chswitch_done(te_data->vif, true);
+                break;
+        default:
+                /* should never happen */
+                WARN_ON_ONCE(1);
+                break;
+        }
+        /* we don't need it anymore */
+        iwl_mvm_te_clear_data(mvm, te_data);
+}
 /*
 * Handles a FW notification for an event that is known to the driver.
 *
@@ -252,14 +281,8 @@ static void iwl_mvm_te_handle_notif(struct iwl_mvm *mvm,
                        set_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status);
                        iwl_mvm_ref(mvm, IWL_MVM_REF_ROC);
                        ieee80211_ready_on_channel(mvm->hw);
-                } else if (te_data->vif->type == NL80211_IFTYPE_AP) {
+                } else if (te_data->id == TE_CHANNEL_SWITCH_PERIOD) {
-                        if (le32_to_cpu(notif->status))
+                        iwl_mvm_te_handle_notify_csa(mvm, te_data, notif);
-                                iwl_mvm_csa_noa_start(mvm);
-                        else
-                                IWL_DEBUG_TE(mvm, "CSA NOA failed to start\n");
-                        /* we don't need it anymore */
-                        iwl_mvm_te_clear_data(mvm, te_data);
                }
        } else {
                IWL_WARN(mvm, "Got TE with unknown action\n");
@@ -549,18 +572,11 @@ void iwl_mvm_protect_session(struct iwl_mvm *mvm,
        }
 }
-/*
+static bool __iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
- * Explicit request to remove a time event. The removal of a time event needs to
+                                        struct iwl_mvm_time_event_data *te_data,
- * be synchronized with the flow of a time event's end notification, which also
+                                        u32 *uid)
- * removes the time event from the op mode data structures.
- */
-void iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
-                               struct iwl_mvm_vif *mvmvif,
-                               struct iwl_mvm_time_event_data *te_data)
 {
-        struct iwl_time_event_cmd time_cmd = {};
+        u32 id;
-        u32 id, uid;
-        int ret;
        /*
         * It is possible that by the time we got to this point the time
@@ -569,7 +585,7 @@ void iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
        spin_lock_bh(&mvm->time_event_lock);
        /* Save time event uid before clearing its data */
-        uid = te_data->uid;
+        *uid = te_data->uid;
        id = te_data->id;
        /*
@@ -584,10 +600,59 @@ void iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
         * send a removal command.
         */
        if (id == TE_MAX) {
-                IWL_DEBUG_TE(mvm, "TE 0x%x has already ended\n", uid);
+                IWL_DEBUG_TE(mvm, "TE 0x%x has already ended\n", *uid);
-                return;
+                return false;
        }
+        return true;
+}
+/*
+ * Explicit request to remove a aux roc time event. The removal of a time
+ * event needs to be synchronized with the flow of a time event's end
+ * notification, which also removes the time event from the op mode
+ * data structures.
+ */
+static void iwl_mvm_remove_aux_roc_te(struct iwl_mvm *mvm,
+                                      struct iwl_mvm_vif *mvmvif,
+                                      struct iwl_mvm_time_event_data *te_data)
+{
+        struct iwl_hs20_roc_req aux_cmd = {};
+        u32 uid;
+        int ret;
+        if (!__iwl_mvm_remove_time_event(mvm, te_data, &uid))
+                return;
+        aux_cmd.event_unique_id = cpu_to_le32(uid);
+        aux_cmd.action = cpu_to_le32(FW_CTXT_ACTION_REMOVE);
+        aux_cmd.id_and_color =
+                cpu_to_le32(FW_CMD_ID_AND_COLOR(mvmvif->id, mvmvif->color));
+        IWL_DEBUG_TE(mvm, "Removing BSS AUX ROC TE 0x%x\n",
+                     le32_to_cpu(aux_cmd.event_unique_id));
+        ret = iwl_mvm_send_cmd_pdu(mvm, HOT_SPOT_CMD, 0,
+                                   sizeof(aux_cmd), &aux_cmd);
+        if (WARN_ON(ret))
+                return;
+}
+/*
+ * Explicit request to remove a time event. The removal of a time event needs to
+ * be synchronized with the flow of a time event's end notification, which also
+ * removes the time event from the op mode data structures.
+ */
+void iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
+                               struct iwl_mvm_vif *mvmvif,
+                               struct iwl_mvm_time_event_data *te_data)
+{
+        struct iwl_time_event_cmd time_cmd = {};
+        u32 uid;
+        int ret;
+        if (!__iwl_mvm_remove_time_event(mvm, te_data, &uid))
+                return;
        /* When we remove a TE, the UID is to be set in the id field */
        time_cmd.id = cpu_to_le32(uid);
        time_cmd.action = cpu_to_le32(FW_CTXT_ACTION_REMOVE);
@@ -666,13 +731,17 @@ int iwl_mvm_start_p2p_roc(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
        return iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd);
 }
-void iwl_mvm_stop_p2p_roc(struct iwl_mvm *mvm)
+void iwl_mvm_stop_roc(struct iwl_mvm *mvm)
 {
        struct iwl_mvm_vif *mvmvif;
        struct iwl_mvm_time_event_data *te_data;
+        bool is_p2p = false;
        lockdep_assert_held(&mvm->mutex);
+        mvmvif = NULL;
+        spin_lock_bh(&mvm->time_event_lock);
        /*
         * Iterate over the list of time events and find the time event that is
         * associated with a P2P_DEVICE interface.
@@ -680,22 +749,41 @@ void iwl_mvm_stop_p2p_roc(struct iwl_mvm *mvm)
         * event at any given time and this time event coresponds to a ROC
         * request
         */
-        mvmvif = NULL;
-        spin_lock_bh(&mvm->time_event_lock);
        list_for_each_entry(te_data, &mvm->time_event_list, list) {
-                if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE) {
+                if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE &&
+                    te_data->running) {
                        mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif);
-                        break;
+                        is_p2p = true;
+                        goto remove_te;
                }
        }
+        /*
+         * Iterate over the list of aux roc time events and find the time
+         * event that is associated with a BSS interface.
+         * This assumes that a BSS interface can have only a single time
+         * event at any given time and this time event coresponds to a ROC
+         * request
+         */
+        list_for_each_entry(te_data, &mvm->aux_roc_te_list, list) {
+                if (te_data->running) {
+                        mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif);
+                        goto remove_te;
+                }
+        }
+remove_te:
        spin_unlock_bh(&mvm->time_event_lock);
        if (!mvmvif) {
-                IWL_WARN(mvm, "P2P_DEVICE no remain on channel event\n");
+                IWL_WARN(mvm, "No remain on channel event\n");
                return;
        }
-        iwl_mvm_remove_time_event(mvm, mvmvif, te_data);
+        if (is_p2p)
+                iwl_mvm_remove_time_event(mvm, mvmvif, te_data);
+        else
+                iwl_mvm_remove_aux_roc_te(mvm, mvmvif, te_data);
        iwl_mvm_roc_finished(mvm);
 }
diff --git a/drivers/net/wireless/iwlwifi/mvm/time-event.h b/drivers/net/wireless/iwlwifi/mvm/time-event.h
index b350e47e19da..6f6b35db3ab8 100644
--- a/drivers/net/wireless/iwlwifi/mvm/time-event.h
+++ b/drivers/net/wireless/iwlwifi/mvm/time-event.h
@@ -182,14 +182,14 @@ int iwl_mvm_start_p2p_roc(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
                          int duration, enum ieee80211_roc_type type);
 /**
- * iwl_mvm_stop_p2p_roc - stop remain on channel for p2p device functionlity
+ * iwl_mvm_stop_roc - stop remain on channel functionality
 * @mvm: the mvm component
 *
 * This function can be used to cancel an ongoing ROC session.
 * The function is async, it will instruct the FW to stop serving the ROC
 * session, but will not wait for the actual stopping of the session.
 */
-void iwl_mvm_stop_p2p_roc(struct iwl_mvm *mvm);
+void iwl_mvm_stop_roc(struct iwl_mvm *mvm);
 /**
 * iwl_mvm_remove_time_event - general function to clean up of time event
diff --git a/drivers/net/wireless/iwlwifi/mvm/tt.c b/drivers/net/wireless/iwlwifi/mvm/tt.c
index d4f2c29025c7..2b1e61fac34a 100644
--- a/drivers/net/wireless/iwlwifi/mvm/tt.c
+++ b/drivers/net/wireless/iwlwifi/mvm/tt.c
@@ -95,32 +95,81 @@ static void iwl_mvm_exit_ctkill(struct iwl_mvm *mvm)
        iwl_mvm_set_hw_ctkill_state(mvm, false);
 }
-static bool iwl_mvm_temp_notif(struct iwl_notif_wait_data *notif_wait,
+void iwl_mvm_tt_temp_changed(struct iwl_mvm *mvm, u32 temp)
-                               struct iwl_rx_packet *pkt, void *data)
+{
+        /* ignore the notification if we are in test mode */
+        if (mvm->temperature_test)
+                return;
+        if (mvm->temperature == temp)
+                return;
+        mvm->temperature = temp;
+        iwl_mvm_tt_handler(mvm);
+}
+static int iwl_mvm_temp_notif_parse(struct iwl_mvm *mvm,
+                                    struct iwl_rx_packet *pkt)
 {
-        struct iwl_mvm *mvm =
-                container_of(notif_wait, struct iwl_mvm, notif_wait);
-        int *temp = data;
        struct iwl_dts_measurement_notif *notif;
        int len = iwl_rx_packet_payload_len(pkt);
+        int temp;
        if (WARN_ON_ONCE(len != sizeof(*notif))) {
                IWL_ERR(mvm, "Invalid DTS_MEASUREMENT_NOTIFICATION\n");
-                return true;
+                return -EINVAL;
        }
        notif = (void *)pkt->data;
-        *temp = le32_to_cpu(notif->temp);
+        temp = le32_to_cpu(notif->temp);
        /* shouldn't be negative, but since it's s32, make sure it isn't */
-        if (WARN_ON_ONCE(*temp < 0))
+        if (WARN_ON_ONCE(temp < 0))
-                *temp = 0;
+                temp = 0;
+        IWL_DEBUG_TEMP(mvm, "DTS_MEASUREMENT_NOTIFICATION - %d\n", temp);
+        return temp;
+}
+static bool iwl_mvm_temp_notif_wait(struct iwl_notif_wait_data *notif_wait,
+                                    struct iwl_rx_packet *pkt, void *data)
+{
+        struct iwl_mvm *mvm =
+                container_of(notif_wait, struct iwl_mvm, notif_wait);
+        int *temp = data;
+        int ret;
+        ret = iwl_mvm_temp_notif_parse(mvm, pkt);
+        if (ret < 0)
+                return true;
+        *temp = ret;
-        IWL_DEBUG_TEMP(mvm, "DTS_MEASUREMENT_NOTIFICATION - %d\n", *temp);
        return true;
 }
+int iwl_mvm_temp_notif(struct iwl_mvm *mvm,
+                       struct iwl_rx_cmd_buffer *rxb,
+                       struct iwl_device_cmd *cmd)
+{
+        struct iwl_rx_packet *pkt = rxb_addr(rxb);
+        int temp;
+        /* the notification is handled synchronously in ctkill, so skip here */
+        if (test_bit(IWL_MVM_STATUS_HW_CTKILL, &mvm->status))
+                return 0;
+        temp = iwl_mvm_temp_notif_parse(mvm, pkt);
+        if (temp < 0)
+                return 0;
+        iwl_mvm_tt_temp_changed(mvm, temp);
+        return 0;
+}
 static int iwl_mvm_get_temp_cmd(struct iwl_mvm *mvm)
 {
        struct iwl_dts_measurement_cmd cmd = {
@@ -141,7 +190,7 @@ int iwl_mvm_get_temp(struct iwl_mvm *mvm)
        iwl_init_notification_wait(&mvm->notif_wait, &wait_temp_notif,
                                   temp_notif, ARRAY_SIZE(temp_notif),
-                                   iwl_mvm_temp_notif, &temp);
+                                   iwl_mvm_temp_notif_wait, &temp);
        ret = iwl_mvm_get_temp_cmd(mvm);
        if (ret) {
diff --git a/drivers/net/wireless/iwlwifi/mvm/tx.c b/drivers/net/wireless/iwlwifi/mvm/tx.c
index 8d848735cdb8..4f15d9decc81 100644
--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
@@ -73,9 +73,9 @@
 /*
 * Sets most of the Tx cmd's fields
 */
-static void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
+void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
-                               struct iwl_tx_cmd *tx_cmd,
+                        struct iwl_tx_cmd *tx_cmd,
-                               struct ieee80211_tx_info *info, u8 sta_id)
+                        struct ieee80211_tx_info *info, u8 sta_id)
 {
        struct ieee80211_hdr *hdr = (void *)skb->data;
        __le16 fc = hdr->frame_control;
@@ -149,11 +149,9 @@ static void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
 /*
 * Sets the fields in the Tx cmd that are rate related
 */
-static void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm,
+void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm, struct iwl_tx_cmd *tx_cmd,
-                                    struct iwl_tx_cmd *tx_cmd,
+                            struct ieee80211_tx_info *info,
-                                    struct ieee80211_tx_info *info,
+                            struct ieee80211_sta *sta, __le16 fc)
-                                    struct ieee80211_sta *sta,
-                                    __le16 fc)
 {
        u32 rate_flags;
        int rate_idx;
@@ -232,10 +230,10 @@ static void iwl_mvm_set_tx_cmd_rate(struct iwl_mvm *mvm,
 /*
 * Sets the fields in the Tx cmd that are crypto related
 */
-static void iwl_mvm_set_tx_cmd_crypto(struct iwl_mvm *mvm,
+void iwl_mvm_set_tx_cmd_crypto(struct iwl_mvm *mvm,
-                                      struct ieee80211_tx_info *info,
+                               struct ieee80211_tx_info *info,
-                                      struct iwl_tx_cmd *tx_cmd,
+                               struct iwl_tx_cmd *tx_cmd,
-                                      struct sk_buff *skb_frag)
+                               struct sk_buff *skb_frag)
 {
        struct ieee80211_key_conf *keyconf = info->control.hw_key;
@@ -426,6 +424,13 @@ int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
        WARN_ON_ONCE(info->flags & IEEE80211_TX_CTL_SEND_AFTER_DTIM);
+        if (sta->tdls) {
+                /* default to TID 0 for non-QoS packets */
+                u8 tdls_tid = tid == IWL_MAX_TID_COUNT ? 0 : tid;
+                txq_id = mvmsta->hw_queue[tid_to_mac80211_ac[tdls_tid]];
+        }
        if (is_ampdu) {
                if (WARN_ON_ONCE(mvmsta->tid_data[tid].state != IWL_AGG_ON))
                        goto drop_unlock_sta;
@@ -660,6 +665,12 @@ static void iwl_mvm_rx_tx_cmd_single(struct iwl_mvm *mvm,
                        seq_ctl = le16_to_cpu(hdr->seq_ctrl);
                }
+                /*
+                 * TODO: this is not accurate if we are freeing more than one
+                 * packet.
+                 */
+                info->status.tx_time =
+                        le16_to_cpu(tx_resp->wireless_media_time);
                BUILD_BUG_ON(ARRAY_SIZE(info->status.status_driver_data) < 1);
                info->status.status_driver_data[0] =
                                (void *)(uintptr_t)tx_resp->reduced_tpc;
@@ -852,6 +863,8 @@ static void iwl_mvm_rx_tx_cmd_agg(struct iwl_mvm *mvm,
                mvmsta->tid_data[tid].rate_n_flags =
                        le32_to_cpu(tx_resp->initial_rate);
                mvmsta->tid_data[tid].reduced_tpc = tx_resp->reduced_tpc;
+                mvmsta->tid_data[tid].tx_time =
+                        le16_to_cpu(tx_resp->wireless_media_time);
        }
        rcu_read_unlock();
@@ -880,6 +893,8 @@ static void iwl_mvm_tx_info_from_ba_notif(struct ieee80211_tx_info *info,
        info->status.ampdu_len = ba_notif->txed;
        iwl_mvm_hwrate_to_tx_status(tid_data->rate_n_flags,
                                    info);
+        /* TODO: not accounted if the whole A-MPDU failed */
+        info->status.tx_time = tid_data->tx_time;
        info->status.status_driver_data[0] =
                (void *)(uintptr_t)tid_data->reduced_tpc;
 }
diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
index 6ced8549eb3a..3ee8e3848876 100644
--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
@@ -499,6 +499,7 @@ static void set_dflt_pwr_limit(struct iwl_trans *trans, struct pci_dev *pdev) {}
 static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 {
        const struct iwl_cfg *cfg = (struct iwl_cfg *)(ent->driver_data);
+        const struct iwl_cfg *cfg_7265d __maybe_unused = NULL;
        struct iwl_trans *iwl_trans;
        struct iwl_trans_pcie *trans_pcie;
        int ret;
@@ -507,6 +508,25 @@ static int iwl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
        if (IS_ERR(iwl_trans))
                return PTR_ERR(iwl_trans);
+#if IS_ENABLED(CONFIG_IWLMVM)
+        /*
+         * special-case 7265D, it has the same PCI IDs.
+         *
+         * Note that because we already pass the cfg to the transport above,
+         * all the parameters that the transport uses must, until that is
+         * changed, be identical to the ones in the 7265D configuration.
+         */
+        if (cfg == &iwl7265_2ac_cfg)
+                cfg_7265d = &iwl7265d_2ac_cfg;
+        else if (cfg == &iwl7265_2n_cfg)
+                cfg_7265d = &iwl7265d_2n_cfg;
+        else if (cfg == &iwl7265_n_cfg)
+                cfg_7265d = &iwl7265d_n_cfg;
+        if (cfg_7265d &&
+            (iwl_trans->hw_rev & CSR_HW_REV_TYPE_MSK) == CSR_HW_REV_TYPE_7265D)
+                cfg = cfg_7265d;
+#endif
        pci_set_drvdata(pdev, iwl_trans);
        trans_pcie = IWL_TRANS_GET_PCIE_TRANS(iwl_trans);
diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
index 40a290603ead..5d79a1f44b8e 100644
--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
@@ -78,6 +78,11 @@
 #include "iwl-agn-hw.h"
 #include "iwl-fw-error-dump.h"
 #include "internal.h"
+#include "iwl-fh.h"
+/* extended range in FW SRAM */
+#define IWL_FW_MEM_EXTENDED_START       0x40000
+#define IWL_FW_MEM_EXTENDED_END         0x57FFF
 static void iwl_pcie_free_fw_monitor(struct iwl_trans *trans)
 {
@@ -512,6 +517,9 @@ static int iwl_pcie_set_hw_ready(struct iwl_trans *trans)
                           CSR_HW_IF_CONFIG_REG_BIT_NIC_READY,
                           HW_READY_TIMEOUT);
+        if (ret >= 0)
+                iwl_set_bit(trans, CSR_MBOX_SET_REG, CSR_MBOX_SET_REG_OS_ALIVE);
        IWL_DEBUG_INFO(trans, "hardware%s ready\n", ret < 0 ? " not" : "");
        return ret;
 }
@@ -624,14 +632,28 @@ static int iwl_pcie_load_section(struct iwl_trans *trans, u8 section_num,
        }
        for (offset = 0; offset < section->len; offset += chunk_sz) {
-                u32 copy_size;
+                u32 copy_size, dst_addr;
+                bool extended_addr = false;
                copy_size = min_t(u32, chunk_sz, section->len - offset);
+                dst_addr = section->offset + offset;
+                if (dst_addr >= IWL_FW_MEM_EXTENDED_START &&
+                    dst_addr <= IWL_FW_MEM_EXTENDED_END)
+                        extended_addr = true;
+                if (extended_addr)
+                        iwl_set_bits_prph(trans, LMPM_CHICK,
+                                          LMPM_CHICK_EXTENDED_ADDR_SPACE);
                memcpy(v_addr, (u8 *)section->data + offset, copy_size);
-                ret = iwl_pcie_load_firmware_chunk(trans,
+                ret = iwl_pcie_load_firmware_chunk(trans, dst_addr, p_addr,
-                                                   section->offset + offset,
+                                                   copy_size);
-                                                   p_addr, copy_size);
+                if (extended_addr)
+                        iwl_clear_bits_prph(trans, LMPM_CHICK,
+                                            LMPM_CHICK_EXTENDED_ADDR_SPACE);
                if (ret) {
                        IWL_ERR(trans,
                                "Could not load the [%d] uCode section\n",
@@ -644,14 +666,14 @@ static int iwl_pcie_load_section(struct iwl_trans *trans, u8 section_num,
        return ret;
 }
-static int iwl_pcie_load_cpu_secured_sections(struct iwl_trans *trans,
+static int iwl_pcie_load_cpu_sections_8000b(struct iwl_trans *trans,
-                                              const struct fw_img *image,
+                                            const struct fw_img *image,
-                                              int cpu,
+                                            int cpu,
-                                              int *first_ucode_section)
+                                            int *first_ucode_section)
 {
        int shift_param;
-        int i, ret = 0;
+        int i, ret = 0, sec_num = 0x1;
-        u32 last_read_idx = 0;
+        u32 val, last_read_idx = 0;
        if (cpu == 1) {
                shift_param = 0;
@@ -672,21 +694,16 @@ static int iwl_pcie_load_cpu_secured_sections(struct iwl_trans *trans,
                        break;
                }
-                if (i == (*first_ucode_section) + 1)
-                        /* set CPU to started */
-                        iwl_set_bits_prph(trans,
-                                          CSR_UCODE_LOAD_STATUS_ADDR,
-                                          LMPM_CPU_HDRS_LOADING_COMPLETED
-                                          << shift_param);
                ret = iwl_pcie_load_section(trans, i, &image->sec[i]);
                if (ret)
                        return ret;
+                /* Notify the ucode of the loaded section number and status */
+                val = iwl_read_direct32(trans, FH_UCODE_LOAD_STATUS);
+                val = val | (sec_num << shift_param);
+                iwl_write_direct32(trans, FH_UCODE_LOAD_STATUS, val);
+                sec_num = (sec_num << 1) | 0x1;
        }
-        /* image loading complete */
-        iwl_set_bits_prph(trans,
-                          CSR_UCODE_LOAD_STATUS_ADDR,
-                          LMPM_CPU_UCODE_LOADING_COMPLETED << shift_param);
        *first_ucode_section = last_read_idx;
@@ -739,46 +756,78 @@ static int iwl_pcie_load_cpu_sections(struct iwl_trans *trans,
        return 0;
 }
-static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
+static void iwl_pcie_apply_destination(struct iwl_trans *trans)
-                                const struct fw_img *image)
 {
        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
-        int ret = 0;
+        const struct iwl_fw_dbg_dest_tlv *dest = trans->dbg_dest_tlv;
-        int first_ucode_section;
+        int i;
-        IWL_DEBUG_FW(trans,
+        if (dest->version)
-                     "working with %s CPU\n",
+                IWL_ERR(trans,
-                     image->is_dual_cpus ? "Dual" : "Single");
+                        "DBG DEST version is %d - expect issues\n",
+                        dest->version);
-        /* configure the ucode to be ready to get the secured image */
+        IWL_INFO(trans, "Applying debug destination %s\n",
-        if (iwl_has_secure_boot(trans->hw_rev, trans->cfg->device_family)) {
+                 get_fw_dbg_mode_string(dest->monitor_mode));
-                /* set secure boot inspector addresses */
-                iwl_write_prph(trans,
-                               LMPM_SECURE_INSPECTOR_CODE_ADDR,
-                               LMPM_SECURE_INSPECTOR_CODE_MEM_SPACE);
-                iwl_write_prph(trans,
+        if (dest->monitor_mode == EXTERNAL_MODE)
-                               LMPM_SECURE_INSPECTOR_DATA_ADDR,
+                iwl_pcie_alloc_fw_monitor(trans);
-                               LMPM_SECURE_INSPECTOR_DATA_MEM_SPACE);
+        else
+                IWL_WARN(trans, "PCI should have external buffer debug\n");
-                /* set CPU1 header address */
+        for (i = 0; i < trans->dbg_dest_reg_num; i++) {
-                iwl_write_prph(trans,
+                u32 addr = le32_to_cpu(dest->reg_ops[i].addr);
-                               LMPM_SECURE_UCODE_LOAD_CPU1_HDR_ADDR,
+                u32 val = le32_to_cpu(dest->reg_ops[i].val);
-                               LMPM_SECURE_CPU1_HDR_MEM_SPACE);
-                /* load to FW the binary Secured sections of CPU1 */
+                switch (dest->reg_ops[i].op) {
-                ret = iwl_pcie_load_cpu_secured_sections(trans, image, 1,
+                case CSR_ASSIGN:
-                                                         &first_ucode_section);
+                        iwl_write32(trans, addr, val);
-                if (ret)
+                        break;
-                        return ret;
+                case CSR_SETBIT:
+                        iwl_set_bit(trans, addr, BIT(val));
+                        break;
+                case CSR_CLEARBIT:
+                        iwl_clear_bit(trans, addr, BIT(val));
+                        break;
+                case PRPH_ASSIGN:
+                        iwl_write_prph(trans, addr, val);
+                        break;
+                case PRPH_SETBIT:
+                        iwl_set_bits_prph(trans, addr, BIT(val));
+                        break;
+                case PRPH_CLEARBIT:
+                        iwl_clear_bits_prph(trans, addr, BIT(val));
+                        break;
+                default:
+                        IWL_ERR(trans, "FW debug - unknown OP %d\n",
+                                dest->reg_ops[i].op);
+                        break;
+                }
+        }
-        } else {
+        if (dest->monitor_mode == EXTERNAL_MODE && trans_pcie->fw_mon_size) {
-                /* load to FW the binary Non secured sections of CPU1 */
+                iwl_write_prph(trans, le32_to_cpu(dest->base_reg),
-                ret = iwl_pcie_load_cpu_sections(trans, image, 1,
+                               trans_pcie->fw_mon_phys >> dest->base_shift);
-                                                 &first_ucode_section);
+                iwl_write_prph(trans, le32_to_cpu(dest->end_reg),
-                if (ret)
+                               (trans_pcie->fw_mon_phys +
-                        return ret;
+                                trans_pcie->fw_mon_size) >> dest->end_shift);
        }
+}
+static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
+                                const struct fw_img *image)
+{
+        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+        int ret = 0;
+        int first_ucode_section;
+        IWL_DEBUG_FW(trans, "working with %s CPU\n",
+                     image->is_dual_cpus ? "Dual" : "Single");
+        /* load to FW the binary non secured sections of CPU1 */
+        ret = iwl_pcie_load_cpu_sections(trans, image, 1, &first_ucode_section);
+        if (ret)
+                return ret;
        if (image->is_dual_cpus) {
                /* set CPU2 header address */
@@ -787,14 +836,8 @@ static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
                               LMPM_SECURE_CPU2_HDR_MEM_SPACE);
                /* load to FW the binary sections of CPU2 */
-                if (iwl_has_secure_boot(trans->hw_rev,
+                ret = iwl_pcie_load_cpu_sections(trans, image, 2,
-                                        trans->cfg->device_family))
+                                                 &first_ucode_section);
-                        ret = iwl_pcie_load_cpu_secured_sections(
-                                                        trans, image, 2,
-                                                        &first_ucode_section);
-                else
-                        ret = iwl_pcie_load_cpu_sections(trans, image, 2,
-                                                         &first_ucode_section);
                if (ret)
                        return ret;
        }
@@ -811,6 +854,8 @@ static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
                                       (trans_pcie->fw_mon_phys +
                                        trans_pcie->fw_mon_size) >> 4);
                }
+        } else if (trans->dbg_dest_tlv) {
+                iwl_pcie_apply_destination(trans);
        }
        /* release CPU reset */
@@ -819,18 +864,50 @@ static int iwl_pcie_load_given_ucode(struct iwl_trans *trans,
        else
                iwl_write32(trans, CSR_RESET, 0);
-        if (iwl_has_secure_boot(trans->hw_rev, trans->cfg->device_family)) {
+        return 0;
-                /* wait for image verification to complete  */
+}
-                ret = iwl_poll_prph_bit(trans,
-                                        LMPM_SECURE_BOOT_CPU1_STATUS_ADDR,
-                                        LMPM_SECURE_BOOT_STATUS_SUCCESS,
-                                        LMPM_SECURE_BOOT_STATUS_SUCCESS,
-                                        LMPM_SECURE_TIME_OUT);
-                if (ret < 0) {
+static int iwl_pcie_load_given_ucode_8000b(struct iwl_trans *trans,
-                        IWL_ERR(trans, "Time out on secure boot process\n");
+                                           const struct fw_img *image)
-                        return ret;
+{
-                }
+        int ret = 0;
+        int first_ucode_section;
+        u32 reg;
+        IWL_DEBUG_FW(trans, "working with %s CPU\n",
+                     image->is_dual_cpus ? "Dual" : "Single");
+        /* configure the ucode to be ready to get the secured image */
+        /* release CPU reset */
+        iwl_write_prph(trans, RELEASE_CPU_RESET, RELEASE_CPU_RESET_BIT);
+        /* load to FW the binary Secured sections of CPU1 */
+        ret = iwl_pcie_load_cpu_sections_8000b(trans, image, 1,
+                                               &first_ucode_section);
+        if (ret)
+                return ret;
+        /* load to FW the binary sections of CPU2 */
+        ret = iwl_pcie_load_cpu_sections_8000b(trans, image, 2,
+                                               &first_ucode_section);
+        if (ret)
+                return ret;
+        /* Notify FW loading is done */
+        iwl_write_direct32(trans, FH_UCODE_LOAD_STATUS, 0xFFFFFFFF);
+        /* wait for image verification to complete  */
+        ret = iwl_poll_prph_bit(trans, LMPM_SECURE_BOOT_CPU1_STATUS_ADDR_B0,
+                                LMPM_SECURE_BOOT_STATUS_SUCCESS,
+                                LMPM_SECURE_BOOT_STATUS_SUCCESS,
+                                LMPM_SECURE_TIME_OUT);
+        if (ret < 0) {
+                reg = iwl_read_prph(trans,
+                                    LMPM_SECURE_BOOT_CPU1_STATUS_ADDR_B0);
+                IWL_ERR(trans, "Timeout on secure boot process, reg = %x\n",
+                        reg);
+                return ret;
        }
        return 0;
@@ -882,7 +959,11 @@ static int iwl_trans_pcie_start_fw(struct iwl_trans *trans,
        iwl_write32(trans, CSR_UCODE_DRV_GP1_CLR, CSR_UCODE_SW_BIT_RFKILL);
        /* Load the given image to the HW */
-        return iwl_pcie_load_given_ucode(trans, fw);
+        if ((trans->cfg->device_family == IWL_DEVICE_FAMILY_8000) &&
+            (CSR_HW_REV_STEP(trans->hw_rev) == SILICON_B_STEP))
+                return iwl_pcie_load_given_ucode_8000b(trans, fw);
+        else
+                return iwl_pcie_load_given_ucode(trans, fw);
 }
 static void iwl_trans_pcie_fw_alive(struct iwl_trans *trans, u32 scd_addr)
@@ -913,7 +994,8 @@ static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
         * restart. So don't process again if the device is
         * already dead.
         */
-        if (test_bit(STATUS_DEVICE_ENABLED, &trans->status)) {
+        if (test_and_clear_bit(STATUS_DEVICE_ENABLED, &trans->status)) {
+                IWL_DEBUG_INFO(trans, "DEVICE_ENABLED bit was set and is now cleared\n");
                iwl_pcie_tx_stop(trans);
                iwl_pcie_rx_stop(trans);
@@ -938,12 +1020,12 @@ static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
        spin_unlock(&trans_pcie->irq_lock);
        /* stop and reset the on-board processor */
-        iwl_write32(trans, CSR_RESET, CSR_RESET_REG_FLAG_NEVO_RESET);
+        iwl_write32(trans, CSR_RESET, CSR_RESET_REG_FLAG_SW_RESET);
+        udelay(20);
        /* clear all status bits */
        clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status);
        clear_bit(STATUS_INT_ENABLED, &trans->status);
-        clear_bit(STATUS_DEVICE_ENABLED, &trans->status);
        clear_bit(STATUS_TPOWER_PMI, &trans->status);
        clear_bit(STATUS_RFKILL, &trans->status);
@@ -972,6 +1054,9 @@ static void iwl_trans_pcie_stop_device(struct iwl_trans *trans)
                clear_bit(STATUS_RFKILL, &trans->status);
        if (hw_rfkill != was_hw_rfkill)
                iwl_trans_pcie_rf_kill(trans, hw_rfkill);
+        /* re-take ownership to prevent other users from stealing the deivce */
+        iwl_pcie_prepare_card_hw(trans);
 }
 void iwl_trans_pcie_rf_kill(struct iwl_trans *trans, bool state)
@@ -1031,6 +1116,9 @@ static int iwl_trans_pcie_d3_resume(struct iwl_trans *trans,
        iwl_set_bit(trans, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
        iwl_set_bit(trans, CSR_GP_CNTRL, CSR_GP_CNTRL_REG_FLAG_INIT_DONE);
+        if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000)
+                udelay(2);
        ret = iwl_poll_bit(trans, CSR_GP_CNTRL,
                           CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY,
                           CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY,
@@ -1233,6 +1321,8 @@ static bool iwl_trans_pcie_grab_nic_access(struct iwl_trans *trans, bool silent,
        /* this bit wakes up the NIC */
        __iwl_trans_pcie_set_bit(trans, CSR_GP_CNTRL,
                                 CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
+        if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000)
+                udelay(2);
        /*
         * These bits say the device is running, and should keep running for
@@ -1898,8 +1988,7 @@ static u32 iwl_trans_pcie_dump_prph(struct iwl_trans *trans,
                int reg;
                __le32 *val;
-                prph_len += sizeof(*data) + sizeof(*prph) +
+                prph_len += sizeof(**data) + sizeof(*prph) + num_bytes_in_chunk;
-                        num_bytes_in_chunk;
                (*data)->type = cpu_to_le32(IWL_FW_ERROR_DUMP_PRPH);
                (*data)->len = cpu_to_le32(sizeof(*prph) +
@@ -1942,6 +2031,31 @@ static u32 iwl_trans_pcie_dump_csr(struct iwl_trans *trans,
        return csr_len;
 }
+static u32 iwl_trans_pcie_fh_regs_dump(struct iwl_trans *trans,
+                                       struct iwl_fw_error_dump_data **data)
+{
+        u32 fh_regs_len = FH_MEM_UPPER_BOUND - FH_MEM_LOWER_BOUND;
+        unsigned long flags;
+        __le32 *val;
+        int i;
+        if (!iwl_trans_grab_nic_access(trans, false, &flags))
+                return 0;
+        (*data)->type = cpu_to_le32(IWL_FW_ERROR_DUMP_FH_REGS);
+        (*data)->len = cpu_to_le32(fh_regs_len);
+        val = (void *)(*data)->data;
+        for (i = FH_MEM_LOWER_BOUND; i < FH_MEM_UPPER_BOUND; i += sizeof(u32))
+                *val++ = cpu_to_le32(iwl_trans_pcie_read32(trans, i));
+        iwl_trans_release_nic_access(trans, &flags);
+        *data = iwl_fw_error_next_data(*data);
+        return sizeof(**data) + fh_regs_len;
+}
 static
 struct iwl_trans_dump_data *iwl_trans_pcie_dump_data(struct iwl_trans *trans)
 {
@@ -1951,6 +2065,7 @@ struct iwl_trans_dump_data *iwl_trans_pcie_dump_data(struct iwl_trans *trans)
        struct iwl_fw_error_dump_txcmd *txcmd;
        struct iwl_trans_dump_data *dump_data;
        u32 len;
+        u32 monitor_len;
        int i, ptr;
        /* transport dump header */
@@ -1973,10 +2088,34 @@ struct iwl_trans_dump_data *iwl_trans_pcie_dump_data(struct iwl_trans *trans)
                        num_bytes_in_chunk;
        }
+        /* FH registers */
+        len += sizeof(*data) + (FH_MEM_UPPER_BOUND - FH_MEM_LOWER_BOUND);
        /* FW monitor */
-        if (trans_pcie->fw_mon_page)
+        if (trans_pcie->fw_mon_page) {
                len += sizeof(*data) + sizeof(struct iwl_fw_error_dump_fw_mon) +
-                        trans_pcie->fw_mon_size;
+                       trans_pcie->fw_mon_size;
+                monitor_len = trans_pcie->fw_mon_size;
+        } else if (trans->dbg_dest_tlv) {
+                u32 base, end;
+                base = le32_to_cpu(trans->dbg_dest_tlv->base_reg);
+                end = le32_to_cpu(trans->dbg_dest_tlv->end_reg);
+                base = iwl_read_prph(trans, base) <<
+                       trans->dbg_dest_tlv->base_shift;
+                end = iwl_read_prph(trans, end) <<
+                      trans->dbg_dest_tlv->end_shift;
+                /* Make "end" point to the actual end */
+                if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000)
+                        end += (1 << trans->dbg_dest_tlv->end_shift);
+                monitor_len = end - base;
+                len += sizeof(*data) + sizeof(struct iwl_fw_error_dump_fw_mon) +
+                       monitor_len;
+        } else {
+                monitor_len = 0;
+        }
        dump_data = vzalloc(len);
        if (!dump_data)
@@ -2013,36 +2152,71 @@ struct iwl_trans_dump_data *iwl_trans_pcie_dump_data(struct iwl_trans *trans)
        len += iwl_trans_pcie_dump_prph(trans, &data);
        len += iwl_trans_pcie_dump_csr(trans, &data);
+        len += iwl_trans_pcie_fh_regs_dump(trans, &data);
        /* data is already pointing to the next section */
-        if (trans_pcie->fw_mon_page) {
+        if ((trans_pcie->fw_mon_page &&
+             trans->cfg->device_family == IWL_DEVICE_FAMILY_7000) ||
+            trans->dbg_dest_tlv) {
                struct iwl_fw_error_dump_fw_mon *fw_mon_data;
+                u32 base, write_ptr, wrap_cnt;
+                /* If there was a dest TLV - use the values from there */
+                if (trans->dbg_dest_tlv) {
+                        write_ptr =
+                                le32_to_cpu(trans->dbg_dest_tlv->write_ptr_reg);
+                        wrap_cnt = le32_to_cpu(trans->dbg_dest_tlv->wrap_count);
+                        base = le32_to_cpu(trans->dbg_dest_tlv->base_reg);
+                } else {
+                        base = MON_BUFF_BASE_ADDR;
+                        write_ptr = MON_BUFF_WRPTR;
+                        wrap_cnt = MON_BUFF_CYCLE_CNT;
+                }
                data->type = cpu_to_le32(IWL_FW_ERROR_DUMP_FW_MONITOR);
-                data->len = cpu_to_le32(trans_pcie->fw_mon_size +
-                                        sizeof(*fw_mon_data));
                fw_mon_data = (void *)data->data;
                fw_mon_data->fw_mon_wr_ptr =
-                        cpu_to_le32(iwl_read_prph(trans, MON_BUFF_WRPTR));
+                        cpu_to_le32(iwl_read_prph(trans, write_ptr));
                fw_mon_data->fw_mon_cycle_cnt =
-                        cpu_to_le32(iwl_read_prph(trans, MON_BUFF_CYCLE_CNT));
+                        cpu_to_le32(iwl_read_prph(trans, wrap_cnt));
                fw_mon_data->fw_mon_base_ptr =
-                        cpu_to_le32(iwl_read_prph(trans, MON_BUFF_BASE_ADDR));
+                        cpu_to_le32(iwl_read_prph(trans, base));
-                /*
+                len += sizeof(*data) + sizeof(*fw_mon_data);
-                 * The firmware is now asserted, it won't write anything to
+                if (trans_pcie->fw_mon_page) {
-                 * the buffer. CPU can take ownership to fetch the data.
+                        data->len = cpu_to_le32(trans_pcie->fw_mon_size +
-                 * The buffer will be handed back to the device before the
+                                                sizeof(*fw_mon_data));
-                 * firmware will be restarted.
-                 */
+                        /*
-                dma_sync_single_for_cpu(trans->dev, trans_pcie->fw_mon_phys,
+                         * The firmware is now asserted, it won't write anything
-                                        trans_pcie->fw_mon_size,
+                         * to the buffer. CPU can take ownership to fetch the
-                                        DMA_FROM_DEVICE);
+                         * data. The buffer will be handed back to the device
-                memcpy(fw_mon_data->data, page_address(trans_pcie->fw_mon_page),
+                         * before the firmware will be restarted.
-                       trans_pcie->fw_mon_size);
+                         */
+                        dma_sync_single_for_cpu(trans->dev,
-                len += sizeof(*data) + sizeof(*fw_mon_data) +
+                                                trans_pcie->fw_mon_phys,
-                        trans_pcie->fw_mon_size;
+                                                trans_pcie->fw_mon_size,
+                                                DMA_FROM_DEVICE);
+                        memcpy(fw_mon_data->data,
+                               page_address(trans_pcie->fw_mon_page),
+                               trans_pcie->fw_mon_size);
+                        len += trans_pcie->fw_mon_size;
+                } else {
+                        /* If we are here then the buffer is internal */
+                        /*
+                         * Update pointers to reflect actual values after
+                         * shifting
+                         */
+                        base = iwl_read_prph(trans, base) <<
+                               trans->dbg_dest_tlv->base_shift;
+                        iwl_trans_read_mem(trans, base, fw_mon_data->data,
+                                           monitor_len / sizeof(u32));
+                        data->len = cpu_to_le32(sizeof(*fw_mon_data) +
+                                                monitor_len);
+                        len += monitor_len;
+                }
        }
        dump_data->len = len;
diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c
index eb8e2984c5e9..8a6c7a084aa1 100644
--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
@@ -989,6 +989,65 @@ out:
        spin_unlock_bh(&txq->lock);
 }
+static int iwl_pcie_set_cmd_in_flight(struct iwl_trans *trans)
+{
+        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+        int ret;
+        lockdep_assert_held(&trans_pcie->reg_lock);
+        if (trans_pcie->cmd_in_flight)
+                return 0;
+        trans_pcie->cmd_in_flight = true;
+        /*
+         * wake up the NIC to make sure that the firmware will see the host
+         * command - we will let the NIC sleep once all the host commands
+         * returned. This needs to be done only on NICs that have
+         * apmg_wake_up_wa set.
+         */
+        if (trans->cfg->base_params->apmg_wake_up_wa) {
+                __iwl_trans_pcie_set_bit(trans, CSR_GP_CNTRL,
+                                         CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
+                if (trans->cfg->device_family == IWL_DEVICE_FAMILY_8000)
+                        udelay(2);
+                ret = iwl_poll_bit(trans, CSR_GP_CNTRL,
+                                   CSR_GP_CNTRL_REG_VAL_MAC_ACCESS_EN,
+                                   (CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY |
+                                    CSR_GP_CNTRL_REG_FLAG_GOING_TO_SLEEP),
+                                   15000);
+                if (ret < 0) {
+                        __iwl_trans_pcie_clear_bit(trans, CSR_GP_CNTRL,
+                                        CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
+                        trans_pcie->cmd_in_flight = false;
+                        IWL_ERR(trans, "Failed to wake NIC for hcmd\n");
+                        return -EIO;
+                }
+        }
+        return 0;
+}
+static int iwl_pcie_clear_cmd_in_flight(struct iwl_trans *trans)
+{
+        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+        lockdep_assert_held(&trans_pcie->reg_lock);
+        if (WARN_ON(!trans_pcie->cmd_in_flight))
+                return 0;
+        trans_pcie->cmd_in_flight = false;
+        if (trans->cfg->base_params->apmg_wake_up_wa)
+                __iwl_trans_pcie_clear_bit(trans, CSR_GP_CNTRL,
+                                        CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
+        return 0;
+}
 /*
 * iwl_pcie_cmdq_reclaim - Reclaim TX command queue entries already Tx'd
 *
@@ -1024,14 +1083,9 @@ static void iwl_pcie_cmdq_reclaim(struct iwl_trans *trans, int txq_id, int idx)
                }
        }
-        if (trans->cfg->base_params->apmg_wake_up_wa &&
+        if (q->read_ptr == q->write_ptr) {
-            q->read_ptr == q->write_ptr) {
                spin_lock_irqsave(&trans_pcie->reg_lock, flags);
-                WARN_ON(!trans_pcie->cmd_in_flight);
+                iwl_pcie_clear_cmd_in_flight(trans);
-                trans_pcie->cmd_in_flight = false;
-                __iwl_trans_pcie_clear_bit(trans,
-                                           CSR_GP_CNTRL,
-                                           CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
                spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
        }
@@ -1419,32 +1473,11 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
                mod_timer(&txq->stuck_timer, jiffies + trans_pcie->wd_timeout);
        spin_lock_irqsave(&trans_pcie->reg_lock, flags);
+        ret = iwl_pcie_set_cmd_in_flight(trans);
-        /*
+        if (ret < 0) {
-         * wake up the NIC to make sure that the firmware will see the host
+                idx = ret;
-         * command - we will let the NIC sleep once all the host commands
+                spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
-         * returned. This needs to be done only on NICs that have
+                goto out;
-         * apmg_wake_up_wa set.
-         */
-        if (trans->cfg->base_params->apmg_wake_up_wa &&
-            !trans_pcie->cmd_in_flight) {
-                trans_pcie->cmd_in_flight = true;
-                __iwl_trans_pcie_set_bit(trans, CSR_GP_CNTRL,
-                                         CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
-                ret = iwl_poll_bit(trans, CSR_GP_CNTRL,
-                                   CSR_GP_CNTRL_REG_VAL_MAC_ACCESS_EN,
-                                   (CSR_GP_CNTRL_REG_FLAG_MAC_CLOCK_READY |
-                                    CSR_GP_CNTRL_REG_FLAG_GOING_TO_SLEEP),
-                                   15000);
-                if (ret < 0) {
-                        __iwl_trans_pcie_clear_bit(trans, CSR_GP_CNTRL,
-                                   CSR_GP_CNTRL_REG_FLAG_MAC_ACCESS_REQ);
-                        spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
-                        trans_pcie->cmd_in_flight = false;
-                        IWL_ERR(trans, "Failed to wake NIC for hcmd\n");
-                        idx = -EIO;
-                        goto out;
-                }
        }
        /* Increment and update queue's write index */
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index babbdc1ce741..a71b9d5e353d 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -412,6 +412,11 @@ struct mac80211_hwsim_data {
        struct mac_address addresses[2];
        int channels, idx;
        bool use_chanctx;
+        bool destroy_on_close;
+        struct work_struct destroy_work;
+        u32 portid;
+        char alpha2[2];
+        const struct ieee80211_regdomain *regd;
        struct ieee80211_channel *tmp_chan;
        struct delayed_work roc_done;
@@ -419,6 +424,7 @@ struct mac80211_hwsim_data {
        struct cfg80211_scan_request *hw_scan_request;
        struct ieee80211_vif *hw_scan_vif;
        int scan_chan_idx;
+        u8 scan_addr[ETH_ALEN];
        struct ieee80211_channel *channel;
        u64 beacon_int  /* beacon interval in us */;
@@ -436,7 +442,7 @@ struct mac80211_hwsim_data {
        /*
         * Only radios in the same group can communicate together (the
         * channel has to match too). Each bit represents a group. A
-         * radio can be in more then one group.
+         * radio can be in more than one group.
         */
        u64 group;
@@ -447,6 +453,14 @@ struct mac80211_hwsim_data {
        s64 bcn_delta;
        /* absolute beacon transmission time. Used to cover up "tx" delay. */
        u64 abs_bcn_ts;
+        /* Stats */
+        u64 tx_pkts;
+        u64 rx_pkts;
+        u64 tx_bytes;
+        u64 rx_bytes;
+        u64 tx_dropped;
+        u64 tx_failed;
 };
@@ -476,6 +490,14 @@ static struct genl_family hwsim_genl_family = {
        .maxattr = HWSIM_ATTR_MAX,
 };
+enum hwsim_multicast_groups {
+        HWSIM_MCGRP_CONFIG,
+};
+static const struct genl_multicast_group hwsim_mcgrps[] = {
+        [HWSIM_MCGRP_CONFIG] = { .name = "config", },
+};
 /* MAC80211_HWSIM netlink policy */
 static const struct nla_policy hwsim_genl_policy[HWSIM_ATTR_MAX + 1] = {
@@ -496,6 +518,10 @@ static const struct nla_policy hwsim_genl_policy[HWSIM_ATTR_MAX + 1] = {
        [HWSIM_ATTR_REG_CUSTOM_REG] = { .type = NLA_U32 },
        [HWSIM_ATTR_REG_STRICT_REG] = { .type = NLA_FLAG },
        [HWSIM_ATTR_SUPPORT_P2P_DEVICE] = { .type = NLA_FLAG },
+        [HWSIM_ATTR_DESTROY_RADIO_ON_CLOSE] = { .type = NLA_FLAG },
+        [HWSIM_ATTR_RADIO_NAME] = { .type = NLA_STRING },
+        [HWSIM_ATTR_NO_VIF] = { .type = NLA_FLAG },
+        [HWSIM_ATTR_FREQ] = { .type = NLA_U32 },
 };
 static void mac80211_hwsim_tx_frame(struct ieee80211_hw *hw,
@@ -807,6 +833,9 @@ static bool mac80211_hwsim_addr_match(struct mac80211_hwsim_data *data,
                .ret = false,
        };
+        if (data->scanning && memcmp(addr, data->scan_addr, ETH_ALEN) == 0)
+                return true;
        memcpy(md.addr, addr, ETH_ALEN);
        ieee80211_iterate_active_interfaces_atomic(data->hw,
@@ -861,8 +890,10 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
        /* If the queue contains MAX_QUEUE skb's drop some */
        if (skb_queue_len(&data->pending) >= MAX_QUEUE) {
                /* Droping until WARN_QUEUE level */
-                while (skb_queue_len(&data->pending) >= WARN_QUEUE)
+                while (skb_queue_len(&data->pending) >= WARN_QUEUE) {
-                        skb_dequeue(&data->pending);
+                        ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
+                        data->tx_dropped++;
+                }
        }
        skb = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_ATOMIC);
@@ -896,6 +927,9 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
        if (nla_put_u32(skb, HWSIM_ATTR_FLAGS, hwsim_flags))
                goto nla_put_failure;
+        if (nla_put_u32(skb, HWSIM_ATTR_FREQ, data->channel->center_freq))
+                goto nla_put_failure;
        /* We get the tx control (rate and retries) info*/
        for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
@@ -917,10 +951,14 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
        /* Enqueue the packet */
        skb_queue_tail(&data->pending, my_skb);
+        data->tx_pkts++;
+        data->tx_bytes += my_skb->len;
        return;
 nla_put_failure:
        printk(KERN_DEBUG "mac80211_hwsim: error occurred in %s\n", __func__);
+        ieee80211_free_txskb(hw, my_skb);
+        data->tx_failed++;
 }
 static bool hwsim_chans_compat(struct ieee80211_channel *c1,
@@ -952,6 +990,53 @@ static void mac80211_hwsim_tx_iter(void *_data, u8 *addr,
        data->receive = true;
 }
+static void mac80211_hwsim_add_vendor_rtap(struct sk_buff *skb)
+{
+        /*
+         * To enable this code, #define the HWSIM_RADIOTAP_OUI,
+         * e.g. like this:
+         * #define HWSIM_RADIOTAP_OUI "\x02\x00\x00"
+         * (but you should use a valid OUI, not that)
+         *
+         * If anyone wants to 'donate' a radiotap OUI/subns code
+         * please send a patch removing this #ifdef and changing
+         * the values accordingly.
+         */
+#ifdef HWSIM_RADIOTAP_OUI
+        struct ieee80211_vendor_radiotap *rtap;
+        /*
+         * Note that this code requires the headroom in the SKB
+         * that was allocated earlier.
+         */
+        rtap = (void *)skb_push(skb, sizeof(*rtap) + 8 + 4);
+        rtap->oui[0] = HWSIM_RADIOTAP_OUI[0];
+        rtap->oui[1] = HWSIM_RADIOTAP_OUI[1];
+        rtap->oui[2] = HWSIM_RADIOTAP_OUI[2];
+        rtap->subns = 127;
+        /*
+         * Radiotap vendor namespaces can (and should) also be
+         * split into fields by using the standard radiotap
+         * presence bitmap mechanism. Use just BIT(0) here for
+         * the presence bitmap.
+         */
+        rtap->present = BIT(0);
+        /* We have 8 bytes of (dummy) data */
+        rtap->len = 8;
+        /* For testing, also require it to be aligned */
+        rtap->align = 8;
+        /* And also test that padding works, 4 bytes */
+        rtap->pad = 4;
+        /* push the data */
+        memcpy(rtap->data, "ABCDEFGH", 8);
+        /* make sure to clear padding, mac80211 doesn't */
+        memset(rtap->data + 8, 0, 4);
+        IEEE80211_SKB_RXCB(skb)->flag |= RX_FLAG_RADIOTAP_VENDOR_DATA;
+#endif
+}
 static bool mac80211_hwsim_tx_frame_no_nl(struct ieee80211_hw *hw,
                                          struct sk_buff *skb,
                                          struct ieee80211_channel *chan)
@@ -1066,6 +1151,11 @@ static bool mac80211_hwsim_tx_frame_no_nl(struct ieee80211_hw *hw,
                rx_status.mactime = now + data2->tsf_offset;
                memcpy(IEEE80211_SKB_RXCB(nskb), &rx_status, sizeof(rx_status));
+                mac80211_hwsim_add_vendor_rtap(nskb);
+                data2->rx_pkts++;
+                data2->rx_bytes += nskb->len;
                ieee80211_rx_irqsafe(data2->hw, nskb);
        }
        spin_unlock(&hwsim_radio_lock);
@@ -1133,6 +1223,8 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw,
                return mac80211_hwsim_tx_frame_nl(hw, skb, _portid);
        /* NO wmediumd detected, perfect medium simulation */
+        data->tx_pkts++;
+        data->tx_bytes += skb->len;
        ack = mac80211_hwsim_tx_frame_no_nl(hw, skb, channel);
        if (ack && skb->len >= 16) {
@@ -1716,7 +1808,7 @@ static void hw_scan_work(struct work_struct *work)
                        struct sk_buff *probe;
                        probe = ieee80211_probereq_get(hwsim->hw,
-                                                       hwsim->hw_scan_vif,
+                                                       hwsim->scan_addr,
                                                       req->ssids[i].ssid,
                                                       req->ssids[i].ssid_len,
                                                       req->ie_len);
@@ -1754,6 +1846,12 @@ static int mac80211_hwsim_hw_scan(struct ieee80211_hw *hw,
        hwsim->hw_scan_request = req;
        hwsim->hw_scan_vif = vif;
        hwsim->scan_chan_idx = 0;
+        if (req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)
+                get_random_mask_addr(hwsim->scan_addr,
+                                     hw_req->req.mac_addr,
+                                     hw_req->req.mac_addr_mask);
+        else
+                memcpy(hwsim->scan_addr, vif->addr, ETH_ALEN);
        mutex_unlock(&hwsim->mutex);
        wiphy_debug(hw->wiphy, "hwsim hw_scan request\n");
@@ -1780,7 +1878,9 @@ static void mac80211_hwsim_cancel_hw_scan(struct ieee80211_hw *hw,
        mutex_unlock(&hwsim->mutex);
 }
-static void mac80211_hwsim_sw_scan(struct ieee80211_hw *hw)
+static void mac80211_hwsim_sw_scan(struct ieee80211_hw *hw,
+                                   struct ieee80211_vif *vif,
+                                   const u8 *mac_addr)
 {
        struct mac80211_hwsim_data *hwsim = hw->priv;
@@ -1792,13 +1892,16 @@ static void mac80211_hwsim_sw_scan(struct ieee80211_hw *hw)
        }
        printk(KERN_DEBUG "hwsim sw_scan request, prepping stuff\n");
+        memcpy(hwsim->scan_addr, mac_addr, ETH_ALEN);
        hwsim->scanning = true;
 out:
        mutex_unlock(&hwsim->mutex);
 }
-static void mac80211_hwsim_sw_scan_complete(struct ieee80211_hw *hw)
+static void mac80211_hwsim_sw_scan_complete(struct ieee80211_hw *hw,
+                                            struct ieee80211_vif *vif)
 {
        struct mac80211_hwsim_data *hwsim = hw->priv;
@@ -1806,6 +1909,7 @@ static void mac80211_hwsim_sw_scan_complete(struct ieee80211_hw *hw)
        printk(KERN_DEBUG "hwsim sw_scan_complete\n");
        hwsim->scanning = false;
+        memset(hwsim->scan_addr, 0, ETH_ALEN);
        mutex_unlock(&hwsim->mutex);
 }
@@ -1916,6 +2020,57 @@ static void mac80211_hwsim_unassign_vif_chanctx(struct ieee80211_hw *hw,
        hwsim_check_chanctx_magic(ctx);
 }
+static const char mac80211_hwsim_gstrings_stats[][ETH_GSTRING_LEN] = {
+        "tx_pkts_nic",
+        "tx_bytes_nic",
+        "rx_pkts_nic",
+        "rx_bytes_nic",
+        "d_tx_dropped",
+        "d_tx_failed",
+        "d_ps_mode",
+        "d_group",
+        "d_tx_power",
+};
+#define MAC80211_HWSIM_SSTATS_LEN ARRAY_SIZE(mac80211_hwsim_gstrings_stats)
+static void mac80211_hwsim_get_et_strings(struct ieee80211_hw *hw,
+                                          struct ieee80211_vif *vif,
+                                          u32 sset, u8 *data)
+{
+        if (sset == ETH_SS_STATS)
+                memcpy(data, *mac80211_hwsim_gstrings_stats,
+                       sizeof(mac80211_hwsim_gstrings_stats));
+}
+static int mac80211_hwsim_get_et_sset_count(struct ieee80211_hw *hw,
+                                            struct ieee80211_vif *vif, int sset)
+{
+        if (sset == ETH_SS_STATS)
+                return MAC80211_HWSIM_SSTATS_LEN;
+        return 0;
+}
+static void mac80211_hwsim_get_et_stats(struct ieee80211_hw *hw,
+                                        struct ieee80211_vif *vif,
+                                        struct ethtool_stats *stats, u64 *data)
+{
+        struct mac80211_hwsim_data *ar = hw->priv;
+        int i = 0;
+        data[i++] = ar->tx_pkts;
+        data[i++] = ar->tx_bytes;
+        data[i++] = ar->rx_pkts;
+        data[i++] = ar->rx_bytes;
+        data[i++] = ar->tx_dropped;
+        data[i++] = ar->tx_failed;
+        data[i++] = ar->ps;
+        data[i++] = ar->group;
+        data[i++] = ar->power_level;
+        WARN_ON(i != MAC80211_HWSIM_SSTATS_LEN);
+}
 static const struct ieee80211_ops mac80211_hwsim_ops = {
        .tx = mac80211_hwsim_tx,
        .start = mac80211_hwsim_start,
@@ -1939,14 +2094,131 @@ static const struct ieee80211_ops mac80211_hwsim_ops = {
        .flush = mac80211_hwsim_flush,
        .get_tsf = mac80211_hwsim_get_tsf,
        .set_tsf = mac80211_hwsim_set_tsf,
+        .get_et_sset_count = mac80211_hwsim_get_et_sset_count,
+        .get_et_stats = mac80211_hwsim_get_et_stats,
+        .get_et_strings = mac80211_hwsim_get_et_strings,
 };
 static struct ieee80211_ops mac80211_hwsim_mchan_ops;
-static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
+struct hwsim_new_radio_params {
-                                       const struct ieee80211_regdomain *regd,
+        unsigned int channels;
-                                       bool reg_strict, bool p2p_device,
+        const char *reg_alpha2;
-                                       bool use_chanctx)
+        const struct ieee80211_regdomain *regd;
+        bool reg_strict;
+        bool p2p_device;
+        bool use_chanctx;
+        bool destroy_on_close;
+        const char *hwname;
+        bool no_vif;
+};
+static void hwsim_mcast_config_msg(struct sk_buff *mcast_skb,
+                                   struct genl_info *info)
+{
+        if (info)
+                genl_notify(&hwsim_genl_family, mcast_skb,
+                            genl_info_net(info), info->snd_portid,
+                            HWSIM_MCGRP_CONFIG, info->nlhdr, GFP_KERNEL);
+        else
+                genlmsg_multicast(&hwsim_genl_family, mcast_skb, 0,
+                                  HWSIM_MCGRP_CONFIG, GFP_KERNEL);
+}
+static int append_radio_msg(struct sk_buff *skb, int id,
+                            struct hwsim_new_radio_params *param)
+{
+        int ret;
+        ret = nla_put_u32(skb, HWSIM_ATTR_RADIO_ID, id);
+        if (ret < 0)
+                return ret;
+        if (param->channels) {
+                ret = nla_put_u32(skb, HWSIM_ATTR_CHANNELS, param->channels);
+                if (ret < 0)
+                        return ret;
+        }
+        if (param->reg_alpha2) {
+                ret = nla_put(skb, HWSIM_ATTR_REG_HINT_ALPHA2, 2,
+                              param->reg_alpha2);
+                if (ret < 0)
+                        return ret;
+        }
+        if (param->regd) {
+                int i;
+                for (i = 0; hwsim_world_regdom_custom[i] != param->regd &&
+                     i < ARRAY_SIZE(hwsim_world_regdom_custom); i++)
+                        ;
+                if (i < ARRAY_SIZE(hwsim_world_regdom_custom)) {
+                        ret = nla_put_u32(skb, HWSIM_ATTR_REG_CUSTOM_REG, i);
+                        if (ret < 0)
+                                return ret;
+                }
+        }
+        if (param->reg_strict) {
+                ret = nla_put_flag(skb, HWSIM_ATTR_REG_STRICT_REG);
+                if (ret < 0)
+                        return ret;
+        }
+        if (param->p2p_device) {
+                ret = nla_put_flag(skb, HWSIM_ATTR_SUPPORT_P2P_DEVICE);
+                if (ret < 0)
+                        return ret;
+        }
+        if (param->use_chanctx) {
+                ret = nla_put_flag(skb, HWSIM_ATTR_USE_CHANCTX);
+                if (ret < 0)
+                        return ret;
+        }
+        if (param->hwname) {
+                ret = nla_put(skb, HWSIM_ATTR_RADIO_NAME,
+                              strlen(param->hwname), param->hwname);
+                if (ret < 0)
+                        return ret;
+        }
+        return 0;
+}
+static void hwsim_mcast_new_radio(int id, struct genl_info *info,
+                                  struct hwsim_new_radio_params *param)
+{
+        struct sk_buff *mcast_skb;
+        void *data;
+        mcast_skb = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!mcast_skb)
+                return;
+        data = genlmsg_put(mcast_skb, 0, 0, &hwsim_genl_family, 0,
+                           HWSIM_CMD_NEW_RADIO);
+        if (!data)
+                goto out_err;
+        if (append_radio_msg(mcast_skb, id, param) < 0)
+                goto out_err;
+        genlmsg_end(mcast_skb, data);
+        hwsim_mcast_config_msg(mcast_skb, info);
+        return;
+out_err:
+        genlmsg_cancel(mcast_skb, data);
+        nlmsg_free(mcast_skb);
+}
+static int mac80211_hwsim_new_radio(struct genl_info *info,
+                                    struct hwsim_new_radio_params *param)
 {
        int err;
        u8 addr[ETH_ALEN];
@@ -1956,16 +2228,16 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        const struct ieee80211_ops *ops = &mac80211_hwsim_ops;
        int idx;
-        if (WARN_ON(channels > 1 && !use_chanctx))
+        if (WARN_ON(param->channels > 1 && !param->use_chanctx))
                return -EINVAL;
        spin_lock_bh(&hwsim_radio_lock);
        idx = hwsim_radio_idx++;
        spin_unlock_bh(&hwsim_radio_lock);
-        if (use_chanctx)
+        if (param->use_chanctx)
                ops = &mac80211_hwsim_mchan_ops;
-        hw = ieee80211_alloc_hw(sizeof(*data), ops);
+        hw = ieee80211_alloc_hw_nm(sizeof(*data), ops, param->hwname);
        if (!hw) {
                printk(KERN_DEBUG "mac80211_hwsim: ieee80211_alloc_hw failed\n");
                err = -ENOMEM;
@@ -1987,7 +2259,7 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        if (err != 0) {
                printk(KERN_DEBUG "mac80211_hwsim: device_bind_driver failed (%d)\n",
                       err);
-                goto failed_hw;
+                goto failed_bind;
        }
        skb_queue_head_init(&data->pending);
@@ -2003,9 +2275,12 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        hw->wiphy->n_addresses = 2;
        hw->wiphy->addresses = data->addresses;
-        data->channels = channels;
+        data->channels = param->channels;
-        data->use_chanctx = use_chanctx;
+        data->use_chanctx = param->use_chanctx;
        data->idx = idx;
+        data->destroy_on_close = param->destroy_on_close;
+        if (info)
+                data->portid = info->snd_portid;
        if (data->use_chanctx) {
                hw->wiphy->max_scan_ssids = 255;
@@ -2014,12 +2289,12 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
                /* For channels > 1 DFS is not allowed */
                hw->wiphy->n_iface_combinations = 1;
                hw->wiphy->iface_combinations = &data->if_combination;
-                if (p2p_device)
+                if (param->p2p_device)
                        data->if_combination = hwsim_if_comb_p2p_dev[0];
                else
                        data->if_combination = hwsim_if_comb[0];
                data->if_combination.num_different_channels = data->channels;
-        } else if (p2p_device) {
+        } else if (param->p2p_device) {
                hw->wiphy->iface_combinations = hwsim_if_comb_p2p_dev;
                hw->wiphy->n_iface_combinations =
                        ARRAY_SIZE(hwsim_if_comb_p2p_dev);
@@ -2040,7 +2315,7 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
                                     BIT(NL80211_IFTYPE_ADHOC) |
                                     BIT(NL80211_IFTYPE_MESH_POINT);
-        if (p2p_device)
+        if (param->p2p_device)
                hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_P2P_DEVICE);
        hw->flags = IEEE80211_HW_MFP_CAPABLE |
@@ -2060,7 +2335,8 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        hw->wiphy->features |= NL80211_FEATURE_ACTIVE_MONITOR |
                               NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE |
                               NL80211_FEATURE_STATIC_SMPS |
-                               NL80211_FEATURE_DYNAMIC_SMPS;
+                               NL80211_FEATURE_DYNAMIC_SMPS |
+                               NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
        /* ask mac80211 to reserve space for magic */
        hw->vif_data_size = sizeof(struct hwsim_vif_priv);
@@ -2095,6 +2371,7 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
                sband->ht_cap.ht_supported = true;
                sband->ht_cap.cap = IEEE80211_HT_CAP_SUP_WIDTH_20_40 |
                                    IEEE80211_HT_CAP_GRN_FLD |
+                                    IEEE80211_HT_CAP_SGI_20 |
                                    IEEE80211_HT_CAP_SGI_40 |
                                    IEEE80211_HT_CAP_DSSSCCK40;
                sband->ht_cap.ampdu_factor = 0x3;
@@ -2111,7 +2388,6 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
                sband->vht_cap.cap =
                        IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454 |
                        IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ |
-                        IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ |
                        IEEE80211_VHT_CAP_RXLDPC |
                        IEEE80211_VHT_CAP_SHORT_GI_80 |
                        IEEE80211_VHT_CAP_SHORT_GI_160 |
@@ -2142,15 +2418,19 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        hw->max_rates = 4;
        hw->max_rate_tries = 11;
-        if (reg_strict)
+        if (param->reg_strict)
                hw->wiphy->regulatory_flags |= REGULATORY_STRICT_REG;
-        if (regd) {
+        if (param->regd) {
+                data->regd = param->regd;
                hw->wiphy->regulatory_flags |= REGULATORY_CUSTOM_REG;
-                wiphy_apply_custom_regulatory(hw->wiphy, regd);
+                wiphy_apply_custom_regulatory(hw->wiphy, param->regd);
                /* give the regulatory workqueue a chance to run */
                schedule_timeout_interruptible(1);
        }
+        if (param->no_vif)
+                hw->flags |= IEEE80211_HW_NO_AUTO_VIF;
        err = ieee80211_register_hw(hw);
        if (err < 0) {
                printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
@@ -2160,8 +2440,11 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        wiphy_debug(hw->wiphy, "hwaddr %pM registered\n", hw->wiphy->perm_addr);
-        if (reg_alpha2)
+        if (param->reg_alpha2) {
-                regulatory_hint(hw->wiphy, reg_alpha2);
+                data->alpha2[0] = param->reg_alpha2[0];
+                data->alpha2[1] = param->reg_alpha2[1];
+                regulatory_hint(hw->wiphy, param->reg_alpha2);
+        }
        data->debugfs = debugfs_create_dir("hwsim", hw->wiphy->debugfsdir);
        debugfs_create_file("ps", 0666, data->debugfs, data, &hwsim_fops_ps);
@@ -2180,9 +2463,14 @@ static int mac80211_hwsim_create_radio(int channels, const char *reg_alpha2,
        list_add_tail(&data->list, &hwsim_radios);
        spin_unlock_bh(&hwsim_radio_lock);
+        if (idx > 0)
+                hwsim_mcast_new_radio(idx, info, param);
        return idx;
 failed_hw:
+        device_release_driver(data->dev);
+failed_bind:
        device_unregister(data->dev);
 failed_drvdata:
        ieee80211_free_hw(hw);
@@ -2190,8 +2478,46 @@ failed:
        return err;
 }
-static void mac80211_hwsim_destroy_radio(struct mac80211_hwsim_data *data)
+static void hwsim_mcast_del_radio(int id, const char *hwname,
+                                  struct genl_info *info)
 {
+        struct sk_buff *skb;
+        void *data;
+        int ret;
+        skb = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!skb)
+                return;
+        data = genlmsg_put(skb, 0, 0, &hwsim_genl_family, 0,
+                           HWSIM_CMD_DEL_RADIO);
+        if (!data)
+                goto error;
+        ret = nla_put_u32(skb, HWSIM_ATTR_RADIO_ID, id);
+        if (ret < 0)
+                goto error;
+        ret = nla_put(skb, HWSIM_ATTR_RADIO_NAME, strlen(hwname),
+                      hwname);
+        if (ret < 0)
+                goto error;
+        genlmsg_end(skb, data);
+        hwsim_mcast_config_msg(skb, info);
+        return;
+error:
+        nlmsg_free(skb);
+}
+static void mac80211_hwsim_del_radio(struct mac80211_hwsim_data *data,
+                                     const char *hwname,
+                                     struct genl_info *info)
+{
+        hwsim_mcast_del_radio(data->idx, hwname, info);
        debugfs_remove_recursive(data->debugfs);
        ieee80211_unregister_hw(data->hw);
        device_release_driver(data->dev);
@@ -2199,6 +2525,46 @@ static void mac80211_hwsim_destroy_radio(struct mac80211_hwsim_data *data)
        ieee80211_free_hw(data->hw);
 }
+static int mac80211_hwsim_get_radio(struct sk_buff *skb,
+                                    struct mac80211_hwsim_data *data,
+                                    u32 portid, u32 seq,
+                                    struct netlink_callback *cb, int flags)
+{
+        void *hdr;
+        struct hwsim_new_radio_params param = { };
+        int res = -EMSGSIZE;
+        hdr = genlmsg_put(skb, portid, seq, &hwsim_genl_family, flags,
+                          HWSIM_CMD_GET_RADIO);
+        if (!hdr)
+                return -EMSGSIZE;
+        if (cb)
+                genl_dump_check_consistent(cb, hdr, &hwsim_genl_family);
+        if (data->alpha2[0] && data->alpha2[1])
+                param.reg_alpha2 = data->alpha2;
+        param.reg_strict = !!(data->hw->wiphy->regulatory_flags &
+                                        REGULATORY_STRICT_REG);
+        param.p2p_device = !!(data->hw->wiphy->interface_modes &
+                                        BIT(NL80211_IFTYPE_P2P_DEVICE));
+        param.use_chanctx = data->use_chanctx;
+        param.regd = data->regd;
+        param.channels = data->channels;
+        param.hwname = wiphy_name(data->hw->wiphy);
+        res = append_radio_msg(skb, data->idx, &param);
+        if (res < 0)
+                goto out_err;
+        return genlmsg_end(skb, hdr);
+out_err:
+        genlmsg_cancel(skb, hdr);
+        return res;
+}
 static void mac80211_hwsim_free(void)
 {
        struct mac80211_hwsim_data *data;
@@ -2209,7 +2575,8 @@ static void mac80211_hwsim_free(void)
                                                list))) {
                list_del(&data->list);
                spin_unlock_bh(&hwsim_radio_lock);
-                mac80211_hwsim_destroy_radio(data);
+                mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
+                                         NULL);
                spin_lock_bh(&hwsim_radio_lock);
        }
        spin_unlock_bh(&hwsim_radio_lock);
@@ -2337,7 +2704,6 @@ out:
 static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
                                          struct genl_info *info)
 {
        struct mac80211_hwsim_data *data2;
        struct ieee80211_rx_status rx_status;
        const u8 *dst;
@@ -2380,18 +2746,22 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
        /* A frame is received from user space */
        memset(&rx_status, 0, sizeof(rx_status));
+        /* TODO: Check ATTR_FREQ if it exists, and maybe throw away off-channel
+         * packets?
+         */
        rx_status.freq = data2->channel->center_freq;
        rx_status.band = data2->channel->band;
        rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
        rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
        memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
+        data2->rx_pkts++;
+        data2->rx_bytes += skb->len;
        ieee80211_rx_irqsafe(data2->hw, skb);
        return 0;
 err:
        printk(KERN_DEBUG "mac80211_hwsim: error occurred in %s\n", __func__);
-        goto out;
 out:
        dev_kfree_skb(skb);
        return -EINVAL;
@@ -2427,54 +2797,72 @@ static int hwsim_register_received_nl(struct sk_buff *skb_2,
        return 0;
 }
-static int hwsim_create_radio_nl(struct sk_buff *msg, struct genl_info *info)
+static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
 {
-        unsigned int chans = channels;
+        struct hwsim_new_radio_params param = { 0 };
-        const char *alpha2 = NULL;
-        const struct ieee80211_regdomain *regd = NULL;
+        param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
-        bool reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
+        param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
-        bool p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
+        param.channels = channels;
-        bool use_chanctx;
+        param.destroy_on_close =
+                info->attrs[HWSIM_ATTR_DESTROY_RADIO_ON_CLOSE];
        if (info->attrs[HWSIM_ATTR_CHANNELS])
-                chans = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]);
+                param.channels = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]);
+        if (info->attrs[HWSIM_ATTR_NO_VIF])
+                param.no_vif = true;
+        if (info->attrs[HWSIM_ATTR_RADIO_NAME])
+                param.hwname = nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);
        if (info->attrs[HWSIM_ATTR_USE_CHANCTX])
-                use_chanctx = true;
+                param.use_chanctx = true;
        else
-                use_chanctx = (chans > 1);
+                param.use_chanctx = (param.channels > 1);
        if (info->attrs[HWSIM_ATTR_REG_HINT_ALPHA2])
-                alpha2 = nla_data(info->attrs[HWSIM_ATTR_REG_HINT_ALPHA2]);
+                param.reg_alpha2 =
+                        nla_data(info->attrs[HWSIM_ATTR_REG_HINT_ALPHA2]);
        if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) {
                u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]);
                if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom))
                        return -EINVAL;
-                regd = hwsim_world_regdom_custom[idx];
+                param.regd = hwsim_world_regdom_custom[idx];
        }
-        return mac80211_hwsim_create_radio(chans, alpha2, regd, reg_strict,
+        return mac80211_hwsim_new_radio(info, &param);
-                                           p2p_device, use_chanctx);
 }
-static int hwsim_destroy_radio_nl(struct sk_buff *msg, struct genl_info *info)
+static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)
 {
        struct mac80211_hwsim_data *data;
-        int idx;
+        s64 idx = -1;
+        const char *hwname = NULL;
-        if (!info->attrs[HWSIM_ATTR_RADIO_ID])
+        if (info->attrs[HWSIM_ATTR_RADIO_ID])
+                idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
+        else if (info->attrs[HWSIM_ATTR_RADIO_NAME])
+                hwname = (void *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]);
+        else
                return -EINVAL;
-        idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
        spin_lock_bh(&hwsim_radio_lock);
        list_for_each_entry(data, &hwsim_radios, list) {
-                if (data->idx != idx)
+                if (idx >= 0) {
-                        continue;
+                        if (data->idx != idx)
+                                continue;
+                } else {
+                        if (strcmp(hwname, wiphy_name(data->hw->wiphy)))
+                                continue;
+                }
                list_del(&data->list);
                spin_unlock_bh(&hwsim_radio_lock);
-                mac80211_hwsim_destroy_radio(data);
+                mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
+                                         info);
                return 0;
        }
        spin_unlock_bh(&hwsim_radio_lock);
@@ -2482,6 +2870,77 @@ static int hwsim_destroy_radio_nl(struct sk_buff *msg, struct genl_info *info)
        return -ENODEV;
 }
+static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+{
+        struct mac80211_hwsim_data *data;
+        struct sk_buff *skb;
+        int idx, res = -ENODEV;
+        if (!info->attrs[HWSIM_ATTR_RADIO_ID])
+                return -EINVAL;
+        idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
+        spin_lock_bh(&hwsim_radio_lock);
+        list_for_each_entry(data, &hwsim_radios, list) {
+                if (data->idx != idx)
+                        continue;
+                skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+                if (!skb) {
+                        res = -ENOMEM;
+                        goto out_err;
+                }
+                res = mac80211_hwsim_get_radio(skb, data, info->snd_portid,
+                                               info->snd_seq, NULL, 0);
+                if (res < 0) {
+                        nlmsg_free(skb);
+                        goto out_err;
+                }
+                genlmsg_reply(skb, info);
+                break;
+        }
+out_err:
+        spin_unlock_bh(&hwsim_radio_lock);
+        return res;
+}
+static int hwsim_dump_radio_nl(struct sk_buff *skb,
+                               struct netlink_callback *cb)
+{
+        int idx = cb->args[0];
+        struct mac80211_hwsim_data *data = NULL;
+        int res;
+        spin_lock_bh(&hwsim_radio_lock);
+        if (idx == hwsim_radio_idx)
+                goto done;
+        list_for_each_entry(data, &hwsim_radios, list) {
+                if (data->idx < idx)
+                        continue;
+                res = mac80211_hwsim_get_radio(skb, data,
+                                               NETLINK_CB(cb->skb).portid,
+                                               cb->nlh->nlmsg_seq, cb,
+                                               NLM_F_MULTI);
+                if (res < 0)
+                        break;
+                idx = data->idx + 1;
+        }
+        cb->args[0] = idx;
+done:
+        spin_unlock_bh(&hwsim_radio_lock);
+        return skb->len;
+}
 /* Generic Netlink operations array */
 static const struct genl_ops hwsim_ops[] = {
        {
@@ -2501,19 +2960,48 @@ static const struct genl_ops hwsim_ops[] = {
                .doit = hwsim_tx_info_frame_received_nl,
        },
        {
-                .cmd = HWSIM_CMD_CREATE_RADIO,
+                .cmd = HWSIM_CMD_NEW_RADIO,
                .policy = hwsim_genl_policy,
-                .doit = hwsim_create_radio_nl,
+                .doit = hwsim_new_radio_nl,
                .flags = GENL_ADMIN_PERM,
        },
        {
-                .cmd = HWSIM_CMD_DESTROY_RADIO,
+                .cmd = HWSIM_CMD_DEL_RADIO,
                .policy = hwsim_genl_policy,
-                .doit = hwsim_destroy_radio_nl,
+                .doit = hwsim_del_radio_nl,
                .flags = GENL_ADMIN_PERM,
        },
+        {
+                .cmd = HWSIM_CMD_GET_RADIO,
+                .policy = hwsim_genl_policy,
+                .doit = hwsim_get_radio_nl,
+                .dumpit = hwsim_dump_radio_nl,
+        },
 };
+static void destroy_radio(struct work_struct *work)
+{
+        struct mac80211_hwsim_data *data =
+                container_of(work, struct mac80211_hwsim_data, destroy_work);
+        mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy), NULL);
+}
+static void remove_user_radios(u32 portid)
+{
+        struct mac80211_hwsim_data *entry, *tmp;
+        spin_lock_bh(&hwsim_radio_lock);
+        list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) {
+                if (entry->destroy_on_close && entry->portid == portid) {
+                        list_del(&entry->list);
+                        INIT_WORK(&entry->destroy_work, destroy_radio);
+                        schedule_work(&entry->destroy_work);
+                }
+        }
+        spin_unlock_bh(&hwsim_radio_lock);
+}
 static int mac80211_hwsim_netlink_notify(struct notifier_block *nb,
                                         unsigned long state,
                                         void *_notify)
@@ -2523,6 +3011,8 @@ static int mac80211_hwsim_netlink_notify(struct notifier_block *nb,
        if (state != NETLINK_URELEASE)
                return NOTIFY_DONE;
+        remove_user_radios(notify->portid);
        if (notify->portid == wmediumd_portid) {
                printk(KERN_INFO "mac80211_hwsim: wmediumd released netlink"
                       " socket, switching to perfect channel medium\n");
@@ -2542,7 +3032,9 @@ static int hwsim_init_netlink(void)
        printk(KERN_INFO "mac80211_hwsim: initializing netlink\n");
-        rc = genl_register_family_with_ops(&hwsim_genl_family, hwsim_ops);
+        rc = genl_register_family_with_ops_groups(&hwsim_genl_family,
+                                                  hwsim_ops,
+                                                  hwsim_mcgrps);
        if (rc)
                goto failure;
@@ -2603,69 +3095,73 @@ static int __init init_mac80211_hwsim(void)
                goto out_unregister_driver;
        }
+        err = hwsim_init_netlink();
+        if (err < 0)
+                goto out_unregister_driver;
        for (i = 0; i < radios; i++) {
-                const char *reg_alpha2 = NULL;
+                struct hwsim_new_radio_params param = { 0 };
-                const struct ieee80211_regdomain *regd = NULL;
-                bool reg_strict = false;
+                param.channels = channels;
                switch (regtest) {
                case HWSIM_REGTEST_DIFF_COUNTRY:
                        if (i < ARRAY_SIZE(hwsim_alpha2s))
-                                reg_alpha2 = hwsim_alpha2s[i];
+                                param.reg_alpha2 = hwsim_alpha2s[i];
                        break;
                case HWSIM_REGTEST_DRIVER_REG_FOLLOW:
                        if (!i)
-                                reg_alpha2 = hwsim_alpha2s[0];
+                                param.reg_alpha2 = hwsim_alpha2s[0];
                        break;
                case HWSIM_REGTEST_STRICT_ALL:
-                        reg_strict = true;
+                        param.reg_strict = true;
                case HWSIM_REGTEST_DRIVER_REG_ALL:
-                        reg_alpha2 = hwsim_alpha2s[0];
+                        param.reg_alpha2 = hwsim_alpha2s[0];
                        break;
                case HWSIM_REGTEST_WORLD_ROAM:
                        if (i == 0)
-                                regd = &hwsim_world_regdom_custom_01;
+                                param.regd = &hwsim_world_regdom_custom_01;
                        break;
                case HWSIM_REGTEST_CUSTOM_WORLD:
-                        regd = &hwsim_world_regdom_custom_01;
+                        param.regd = &hwsim_world_regdom_custom_01;
                        break;
                case HWSIM_REGTEST_CUSTOM_WORLD_2:
                        if (i == 0)
-                                regd = &hwsim_world_regdom_custom_01;
+                                param.regd = &hwsim_world_regdom_custom_01;
                        else if (i == 1)
-                                regd = &hwsim_world_regdom_custom_02;
+                                param.regd = &hwsim_world_regdom_custom_02;
                        break;
                case HWSIM_REGTEST_STRICT_FOLLOW:
                        if (i == 0) {
-                                reg_strict = true;
+                                param.reg_strict = true;
-                                reg_alpha2 = hwsim_alpha2s[0];
+                                param.reg_alpha2 = hwsim_alpha2s[0];
                        }
                        break;
                case HWSIM_REGTEST_STRICT_AND_DRIVER_REG:
                        if (i == 0) {
-                                reg_strict = true;
+                                param.reg_strict = true;
-                                reg_alpha2 = hwsim_alpha2s[0];
+                                param.reg_alpha2 = hwsim_alpha2s[0];
                        } else if (i == 1) {
-                                reg_alpha2 = hwsim_alpha2s[1];
+                                param.reg_alpha2 = hwsim_alpha2s[1];
                        }
                        break;
                case HWSIM_REGTEST_ALL:
                        switch (i) {
                        case 0:
-                                regd = &hwsim_world_regdom_custom_01;
+                                param.regd = &hwsim_world_regdom_custom_01;
                                break;
                        case 1:
-                                regd = &hwsim_world_regdom_custom_02;
+                                param.regd = &hwsim_world_regdom_custom_02;
                                break;
                        case 2:
-                                reg_alpha2 = hwsim_alpha2s[0];
+                                param.reg_alpha2 = hwsim_alpha2s[0];
                                break;
                        case 3:
-                                reg_alpha2 = hwsim_alpha2s[1];
+                                param.reg_alpha2 = hwsim_alpha2s[1];
                                break;
                        case 4:
-                                reg_strict = true;
+                                param.reg_strict = true;
-                                reg_alpha2 = hwsim_alpha2s[2];
+                                param.reg_alpha2 = hwsim_alpha2s[2];
                                break;
                        }
                        break;
@@ -2673,10 +3169,10 @@ static int __init init_mac80211_hwsim(void)
                        break;
                }
-                err = mac80211_hwsim_create_radio(channels, reg_alpha2,
+                param.p2p_device = support_p2p_device;
-                                                  regd, reg_strict,
+                param.use_chanctx = channels > 1;
-                                                  support_p2p_device,
-                                                  channels > 1);
+                err = mac80211_hwsim_new_radio(NULL, &param);
                if (err < 0)
                        goto out_free_radios;
        }
@@ -2702,10 +3198,6 @@ static int __init init_mac80211_hwsim(void)
        }
        rtnl_unlock();
-        err = hwsim_init_netlink();
-        if (err < 0)
-                goto out_free_mon;
        return 0;
 out_free_mon:
diff --git a/drivers/net/wireless/mac80211_hwsim.h b/drivers/net/wireless/mac80211_hwsim.h
index c9d0315575ba..66e1c73bd507 100644
--- a/drivers/net/wireless/mac80211_hwsim.h
+++ b/drivers/net/wireless/mac80211_hwsim.h
@@ -60,14 +60,17 @@ enum hwsim_tx_control_flags {
 * space, uses:
 *      %HWSIM_ATTR_ADDR_TRANSMITTER, %HWSIM_ATTR_ADDR_RECEIVER,
 *      %HWSIM_ATTR_FRAME, %HWSIM_ATTR_FLAGS, %HWSIM_ATTR_RX_RATE,
- *      %HWSIM_ATTR_SIGNAL, %HWSIM_ATTR_COOKIE
+ *      %HWSIM_ATTR_SIGNAL, %HWSIM_ATTR_COOKIE, %HWSIM_ATTR_FREQ (optional)
 * @HWSIM_CMD_TX_INFO_FRAME: Transmission info report from user space to
 * kernel, uses:
 *      %HWSIM_ATTR_ADDR_TRANSMITTER, %HWSIM_ATTR_FLAGS,
 *      %HWSIM_ATTR_TX_INFO, %HWSIM_ATTR_SIGNAL, %HWSIM_ATTR_COOKIE
- * @HWSIM_CMD_CREATE_RADIO: create a new radio with the given parameters,
+ * @HWSIM_CMD_NEW_RADIO: create a new radio with the given parameters,
- *      returns the radio ID (>= 0) or negative on errors
+ *      returns the radio ID (>= 0) or negative on errors, if successful
- * @HWSIM_CMD_DESTROY_RADIO: destroy a radio
+ *      then multicast the result
+ * @HWSIM_CMD_DEL_RADIO: destroy a radio, reply is multicasted
+ * @HWSIM_CMD_GET_RADIO: fetch information about existing radios, uses:
+ *      %HWSIM_ATTR_RADIO_ID
 * @__HWSIM_CMD_MAX: enum limit
 */
 enum {
@@ -75,12 +78,16 @@ enum {
        HWSIM_CMD_REGISTER,
        HWSIM_CMD_FRAME,
        HWSIM_CMD_TX_INFO_FRAME,
-        HWSIM_CMD_CREATE_RADIO,
+        HWSIM_CMD_NEW_RADIO,
-        HWSIM_CMD_DESTROY_RADIO,
+        HWSIM_CMD_DEL_RADIO,
+        HWSIM_CMD_GET_RADIO,
        __HWSIM_CMD_MAX,
 };
 #define HWSIM_CMD_MAX (_HWSIM_CMD_MAX - 1)
+#define HWSIM_CMD_CREATE_RADIO   HWSIM_CMD_NEW_RADIO
+#define HWSIM_CMD_DESTROY_RADIO  HWSIM_CMD_DEL_RADIO
 /**
 * enum hwsim_attrs - hwsim netlink attributes
 *
@@ -111,6 +118,11 @@ enum {
 * @HWSIM_ATTR_USE_CHANCTX: used with the %HWSIM_CMD_CREATE_RADIO
 *      command to force use of channel contexts even when only a
 *      single channel is supported
+ * @HWSIM_ATTR_DESTROY_RADIO_ON_CLOSE: used with the %HWSIM_CMD_CREATE_RADIO
+ *      command to force radio removal when process that created the radio dies
+ * @HWSIM_ATTR_RADIO_NAME: Name of radio, e.g. phy666
+ * @HWSIM_ATTR_NO_VIF:  Do not create vif (wlanX) when creating radio.
+ * @HWSIM_ATTR_FREQ: Frequency at which packet is transmitted or received.
 * @__HWSIM_ATTR_MAX: enum limit
 */
@@ -132,6 +144,10 @@ enum {
        HWSIM_ATTR_REG_STRICT_REG,
        HWSIM_ATTR_SUPPORT_P2P_DEVICE,
        HWSIM_ATTR_USE_CHANCTX,
+        HWSIM_ATTR_DESTROY_RADIO_ON_CLOSE,
+        HWSIM_ATTR_RADIO_NAME,
+        HWSIM_ATTR_NO_VIF,
+        HWSIM_ATTR_FREQ,
        __HWSIM_ATTR_MAX,
 };
 #define HWSIM_ATTR_MAX (__HWSIM_ATTR_MAX - 1)
diff --git a/drivers/net/wireless/mwifiex/11n.h b/drivers/net/wireless/mwifiex/11n.h
index 2ee268b632be..f275675cdbd3 100644
--- a/drivers/net/wireless/mwifiex/11n.h
+++ b/drivers/net/wireless/mwifiex/11n.h
@@ -84,6 +84,8 @@ mwifiex_is_amsdu_in_ampdu_allowed(struct mwifiex_private *priv,
 {
        struct mwifiex_tx_ba_stream_tbl *tx_tbl;
+        if (is_broadcast_ether_addr(ptr->ra))
+                return false;
        tx_tbl = mwifiex_get_ba_tbl(priv, tid, ptr->ra);
        if (tx_tbl)
                return tx_tbl->amsdu;
@@ -96,6 +98,8 @@ static inline u8
 mwifiex_is_ampdu_allowed(struct mwifiex_private *priv,
                         struct mwifiex_ra_list_tbl *ptr, int tid)
 {
+        if (is_broadcast_ether_addr(ptr->ra))
+                return false;
        if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) {
                return mwifiex_is_station_ampdu_allowed(priv, ptr, tid);
        } else {
diff --git a/drivers/net/wireless/mwifiex/11n_rxreorder.c b/drivers/net/wireless/mwifiex/11n_rxreorder.c
index 40057079ffb9..5ef5a0eeba50 100644
--- a/drivers/net/wireless/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/mwifiex/11n_rxreorder.c
@@ -196,6 +196,7 @@ mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv,
        mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, start_win);
        del_timer_sync(&tbl->timer_context.timer);
+        tbl->timer_context.timer_is_set = false;
        spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags);
        list_del(&tbl->list);
@@ -297,6 +298,7 @@ mwifiex_flush_data(unsigned long context)
                (struct reorder_tmr_cnxt *) context;
        int start_win, seq_num;
+        ctx->timer_is_set = false;
        seq_num = mwifiex_11n_find_last_seq_num(ctx);
        if (seq_num < 0)
@@ -385,6 +387,7 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta,
        new_node->timer_context.ptr = new_node;
        new_node->timer_context.priv = priv;
+        new_node->timer_context.timer_is_set = false;
        init_timer(&new_node->timer_context.timer);
        new_node->timer_context.timer.function = mwifiex_flush_data;
@@ -399,6 +402,22 @@ mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta,
        spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags);
 }
+static void
+mwifiex_11n_rxreorder_timer_restart(struct mwifiex_rx_reorder_tbl *tbl)
+{
+        u32 min_flush_time;
+        if (tbl->win_size >= MWIFIEX_BA_WIN_SIZE_32)
+                min_flush_time = MIN_FLUSH_TIMER_15_MS;
+        else
+                min_flush_time = MIN_FLUSH_TIMER_MS;
+        mod_timer(&tbl->timer_context.timer,
+                  jiffies + msecs_to_jiffies(min_flush_time * tbl->win_size));
+        tbl->timer_context.timer_is_set = true;
+}
 /*
 * This function prepares command for adding a BA request.
 *
@@ -523,31 +542,31 @@ int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
                                u8 *ta, u8 pkt_type, void *payload)
 {
        struct mwifiex_rx_reorder_tbl *tbl;
-        int start_win, end_win, win_size;
+        int prev_start_win, start_win, end_win, win_size;
        u16 pkt_index;
        bool init_window_shift = false;
+        int ret = 0;
        tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta);
        if (!tbl) {
                if (pkt_type != PKT_TYPE_BAR)
                        mwifiex_11n_dispatch_pkt(priv, payload);
-                return 0;
+                return ret;
        }
        if ((pkt_type == PKT_TYPE_AMSDU) && !tbl->amsdu) {
                mwifiex_11n_dispatch_pkt(priv, payload);
-                return 0;
+                return ret;
        }
        start_win = tbl->start_win;
+        prev_start_win = start_win;
        win_size = tbl->win_size;
        end_win = ((start_win + win_size) - 1) & (MAX_TID_VALUE - 1);
        if (tbl->flags & RXREOR_INIT_WINDOW_SHIFT) {
                init_window_shift = true;
                tbl->flags &= ~RXREOR_INIT_WINDOW_SHIFT;
        }
-        mod_timer(&tbl->timer_context.timer,
-                  jiffies + msecs_to_jiffies(MIN_FLUSH_TIMER_MS * win_size));
        if (tbl->flags & RXREOR_FORCE_NO_DROP) {
                dev_dbg(priv->adapter->dev,
@@ -568,11 +587,14 @@ int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
                if ((start_win + TWOPOW11) > (MAX_TID_VALUE - 1)) {
                        if (seq_num >= ((start_win + TWOPOW11) &
                                        (MAX_TID_VALUE - 1)) &&
-                            seq_num < start_win)
+                            seq_num < start_win) {
-                                return -1;
+                                ret = -1;
+                                goto done;
+                        }
                } else if ((seq_num < start_win) ||
-                           (seq_num > (start_win + TWOPOW11))) {
+                           (seq_num >= (start_win + TWOPOW11))) {
-                        return -1;
+                        ret = -1;
+                        goto done;
                }
        }
@@ -601,8 +623,10 @@ int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
                else
                        pkt_index = (seq_num+MAX_TID_VALUE) - start_win;
-                if (tbl->rx_reorder_ptr[pkt_index])
+                if (tbl->rx_reorder_ptr[pkt_index]) {
-                        return -1;
+                        ret = -1;
+                        goto done;
+                }
                tbl->rx_reorder_ptr[pkt_index] = payload;
        }
@@ -613,7 +637,11 @@ int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
         */
        mwifiex_11n_scan_and_dispatch(priv, tbl);
-        return 0;
+done:
+        if (!tbl->timer_context.timer_is_set ||
+            prev_start_win != tbl->start_win)
+                mwifiex_11n_rxreorder_timer_restart(tbl);
+        return ret;
 }
 /*
diff --git a/drivers/net/wireless/mwifiex/11n_rxreorder.h b/drivers/net/wireless/mwifiex/11n_rxreorder.h
index 3a87bb0e3a62..63ecea89b4ab 100644
--- a/drivers/net/wireless/mwifiex/11n_rxreorder.h
+++ b/drivers/net/wireless/mwifiex/11n_rxreorder.h
@@ -21,6 +21,8 @@
 #define _MWIFIEX_11N_RXREORDER_H_
 #define MIN_FLUSH_TIMER_MS              50
+#define MIN_FLUSH_TIMER_15_MS           15
+#define MWIFIEX_BA_WIN_SIZE_32          32
 #define PKT_TYPE_BAR 0xE7
 #define MAX_TID_VALUE                   (2 << 11)
diff --git a/drivers/net/wireless/mwifiex/Kconfig b/drivers/net/wireless/mwifiex/Kconfig
index e70d0df9b0da..aa01c9bc77f9 100644
--- a/drivers/net/wireless/mwifiex/Kconfig
+++ b/drivers/net/wireless/mwifiex/Kconfig
@@ -31,7 +31,7 @@ config MWIFIEX_PCIE
          mwifiex_pcie.
 config MWIFIEX_USB
-        tristate "Marvell WiFi-Ex Driver for USB8797/8897"
+        tristate "Marvell WiFi-Ex Driver for USB8766/8797/8897"
        depends on MWIFIEX && USB
        select FW_LOADER
        ---help---
diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index b3c763525cc0..f881044e450d 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -194,10 +194,17 @@ mwifiex_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
        tx_info->pkt_len = pkt_len;
        mwifiex_form_mgmt_frame(skb, buf, len);
-        mwifiex_queue_tx_pkt(priv, skb);
        *cookie = prandom_u32() | 1;
-        cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true, GFP_ATOMIC);
+        if (ieee80211_is_action(mgmt->frame_control))
+                skb = mwifiex_clone_skb_for_tx_status(priv,
+                                                      skb,
+                                MWIFIEX_BUF_FLAG_ACTION_TX_STATUS, cookie);
+        else
+                cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+                                        GFP_ATOMIC);
+        mwifiex_queue_tx_pkt(priv, skb);
        wiphy_dbg(wiphy, "info: management frame transmitted\n");
        return 0;
@@ -1285,7 +1292,7 @@ static int mwifiex_cfg80211_change_beacon(struct wiphy *wiphy,
 */
 static int
 mwifiex_cfg80211_del_station(struct wiphy *wiphy, struct net_device *dev,
-                             const u8 *mac)
+                             struct station_del_parameters *params)
 {
        struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
        struct mwifiex_sta_node *sta_node;
@@ -1294,7 +1301,7 @@ mwifiex_cfg80211_del_station(struct wiphy *wiphy, struct net_device *dev,
        if (list_empty(&priv->sta_list) || !priv->bss_started)
                return 0;
-        if (!mac || is_broadcast_ether_addr(mac)) {
+        if (!params->mac || is_broadcast_ether_addr(params->mac)) {
                wiphy_dbg(wiphy, "%s: NULL/broadcast mac address\n", __func__);
                list_for_each_entry(sta_node, &priv->sta_list, list) {
                        if (mwifiex_send_cmd(priv, HostCmd_CMD_UAP_STA_DEAUTH,
@@ -1304,9 +1311,10 @@ mwifiex_cfg80211_del_station(struct wiphy *wiphy, struct net_device *dev,
                        mwifiex_uap_del_sta_data(priv, sta_node);
                }
        } else {
-                wiphy_dbg(wiphy, "%s: mac address %pM\n", __func__, mac);
+                wiphy_dbg(wiphy, "%s: mac address %pM\n", __func__,
+                          params->mac);
                spin_lock_irqsave(&priv->sta_list_spinlock, flags);
-                sta_node = mwifiex_get_sta_entry(priv, mac);
+                sta_node = mwifiex_get_sta_entry(priv, params->mac);
                spin_unlock_irqrestore(&priv->sta_list_spinlock, flags);
                if (sta_node) {
                        if (mwifiex_send_cmd(priv, HostCmd_CMD_UAP_STA_DEAUTH,
@@ -1805,6 +1813,10 @@ mwifiex_cfg80211_connect(struct wiphy *wiphy, struct net_device *dev,
                dev_dbg(priv->adapter->dev,
                        "info: associated to bssid %pM successfully\n",
                        priv->cfg_bssid);
+                if (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
+                    priv->adapter->auto_tdls &&
+                    priv->bss_type == MWIFIEX_BSS_TYPE_STA)
+                        mwifiex_setup_auto_tdls_timer(priv);
        } else {
                dev_dbg(priv->adapter->dev,
                        "info: association to bssid %pM failed\n",
@@ -2676,11 +2688,13 @@ mwifiex_cfg80211_tdls_mgmt(struct wiphy *wiphy, struct net_device *dev,
                dev_dbg(priv->adapter->dev,
                        "Send TDLS Setup Request to %pM status_code=%d\n", peer,
                         status_code);
+                mwifiex_add_auto_tdls_peer(priv, peer);
                ret = mwifiex_send_tdls_data_frame(priv, peer, action_code,
                                                   dialog_token, status_code,
                                                   extra_ies, extra_ies_len);
                break;
        case WLAN_TDLS_SETUP_RESPONSE:
+                mwifiex_add_auto_tdls_peer(priv, peer);
                dev_dbg(priv->adapter->dev,
                        "Send TDLS Setup Response to %pM status_code=%d\n",
                        peer, status_code);
@@ -2981,6 +2995,9 @@ int mwifiex_register_cfg80211(struct mwifiex_adapter *adapter)
                           NL80211_FEATURE_INACTIVITY_TIMER |
                           NL80211_FEATURE_NEED_OBSS_SCAN;
+        if (adapter->fw_api_ver == MWIFIEX_FW_V15)
+                wiphy->features |= NL80211_FEATURE_SK_TX_STATUS;
        /* Reserve space for mwifiex specific private data for BSS */
        wiphy->bss_priv_size = sizeof(struct mwifiex_bss_priv);
diff --git a/drivers/net/wireless/mwifiex/decl.h b/drivers/net/wireless/mwifiex/decl.h
index f53e5b50d3d8..2269acf41ad8 100644
--- a/drivers/net/wireless/mwifiex/decl.h
+++ b/drivers/net/wireless/mwifiex/decl.h
@@ -76,6 +76,8 @@
 #define MWIFIEX_BUF_FLAG_REQUEUED_PKT      BIT(0)
 #define MWIFIEX_BUF_FLAG_BRIDGED_PKT       BIT(1)
 #define MWIFIEX_BUF_FLAG_TDLS_PKT          BIT(2)
+#define MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS   BIT(3)
+#define MWIFIEX_BUF_FLAG_ACTION_TX_STATUS  BIT(4)
 #define MWIFIEX_BRIDGED_PKTS_THR_HIGH      1024
 #define MWIFIEX_BRIDGED_PKTS_THR_LOW        128
@@ -85,6 +87,11 @@
 #define MWIFIEX_TDLS_CREATE_LINK              0x02
 #define MWIFIEX_TDLS_CONFIG_LINK              0x03
+#define MWIFIEX_TDLS_RSSI_HIGH          50
+#define MWIFIEX_TDLS_RSSI_LOW           55
+#define MWIFIEX_TDLS_MAX_FAIL_COUNT      4
+#define MWIFIEX_AUTO_TDLS_IDLE_TIME     10
 enum mwifiex_bss_type {
        MWIFIEX_BSS_TYPE_STA = 0,
        MWIFIEX_BSS_TYPE_UAP = 1,
@@ -154,6 +161,8 @@ struct mwifiex_txinfo {
        u8 bss_num;
        u8 bss_type;
        u32 pkt_len;
+        u8 ack_frame_id;
+        u64 cookie;
 };
 enum mwifiex_wmm_ac_e {
diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h
index 7f922a882c13..fb5936eb82e3 100644
--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
@@ -494,6 +494,7 @@ enum P2P_MODES {
 #define EVENT_TDLS_GENERIC_EVENT        0x00000052
 #define EVENT_EXT_SCAN_REPORT           0x00000058
 #define EVENT_REMAIN_ON_CHAN_EXPIRED    0x0000005f
+#define EVENT_TX_STATUS_REPORT          0x00000074
 #define EVENT_ID_MASK                   0xffff
 #define BSS_NUM_MASK                    0xf
@@ -542,6 +543,7 @@ struct mwifiex_ie_types_data {
 #define MWIFIEX_TxPD_POWER_MGMT_LAST_PACKET 0x08
 #define MWIFIEX_TXPD_FLAGS_TDLS_PACKET      0x10
 #define MWIFIEX_RXPD_FLAGS_TDLS_PACKET      0x01
+#define MWIFIEX_TXPD_FLAGS_REQ_TX_STATUS    0x20
 struct txpd {
        u8 bss_type;
@@ -553,7 +555,9 @@ struct txpd {
        u8 priority;
        u8 flags;
        u8 pkt_delay_2ms;
-        u8 reserved1;
+        u8 reserved1[2];
+        u8 tx_token_id;
+        u8 reserved[2];
 } __packed;
 struct rxpd {
@@ -584,6 +588,7 @@ struct rxpd {
         * [Bit 7] Reserved
         */
        u8 ht_info;
+        u8 reserved[3];
        u8 flags;
 } __packed;
@@ -597,8 +602,9 @@ struct uap_txpd {
        u8 priority;
        u8 flags;
        u8 pkt_delay_2ms;
-        u8 reserved1;
+        u8 reserved1[2];
-        __le32 reserved2;
+        u8 tx_token_id;
+        u8 reserved[2];
 };
 struct uap_rxpd {
@@ -1223,6 +1229,12 @@ struct mwifiex_event_scan_result {
        u8 num_of_set;
 } __packed;
+struct tx_status_event {
+        u8 packet_type;
+        u8 tx_token_id;
+        u8 status;
+} __packed;
 #define MWIFIEX_USER_SCAN_CHAN_MAX             50
 #define MWIFIEX_MAX_SSID_LIST_LENGTH         10
diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c
index 580aa45ec4bc..520ad4a3018b 100644
--- a/drivers/net/wireless/mwifiex/init.c
+++ b/drivers/net/wireless/mwifiex/init.c
@@ -137,6 +137,7 @@ int mwifiex_init_priv(struct mwifiex_private *priv)
        priv->csa_expire_time = 0;
        priv->del_list_idx = 0;
        priv->hs2_enabled = false;
+        priv->check_tdls_tx = false;
        memcpy(priv->tos_to_tid_inv, tos_to_tid_inv, MAX_NUM_TID);
        return mwifiex_add_bss_prio_tbl(priv);
@@ -366,6 +367,7 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter)
                        list_del(&priv->tx_ba_stream_tbl_ptr);
                        list_del(&priv->rx_reorder_tbl_ptr);
                        list_del(&priv->sta_list);
+                        list_del(&priv->auto_tdls_list);
                }
        }
 }
@@ -434,6 +436,7 @@ int mwifiex_init_lock_list(struct mwifiex_adapter *adapter)
                        spin_lock_init(&priv->wmm.ra_list_spinlock);
                        spin_lock_init(&priv->curr_bcn_buf_lock);
                        spin_lock_init(&priv->sta_list_spinlock);
+                        spin_lock_init(&priv->auto_tdls_lock);
                }
        }
@@ -449,7 +452,6 @@ int mwifiex_init_lock_list(struct mwifiex_adapter *adapter)
        spin_lock_init(&adapter->scan_pending_q_lock);
        spin_lock_init(&adapter->rx_proc_lock);
-        skb_queue_head_init(&adapter->usb_rx_data_q);
        skb_queue_head_init(&adapter->rx_data_q);
        for (i = 0; i < adapter->priv_num; ++i) {
@@ -466,10 +468,14 @@ int mwifiex_init_lock_list(struct mwifiex_adapter *adapter)
                INIT_LIST_HEAD(&priv->tx_ba_stream_tbl_ptr);
                INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr);
                INIT_LIST_HEAD(&priv->sta_list);
+                INIT_LIST_HEAD(&priv->auto_tdls_list);
                skb_queue_head_init(&priv->tdls_txq);
                spin_lock_init(&priv->tx_ba_stream_tbl_lock);
                spin_lock_init(&priv->rx_reorder_tbl_lock);
+                spin_lock_init(&priv->ack_status_lock);
+                idr_init(&priv->ack_status_frames);
        }
        return 0;
@@ -646,6 +652,7 @@ mwifiex_shutdown_drv(struct mwifiex_adapter *adapter)
                if (adapter->priv[i]) {
                        priv = adapter->priv[i];
+                        mwifiex_clean_auto_tdls(priv);
                        mwifiex_clean_txrx(priv);
                        mwifiex_delete_bss_prio_tbl(priv);
                }
@@ -668,19 +675,6 @@ mwifiex_shutdown_drv(struct mwifiex_adapter *adapter)
        spin_lock(&adapter->mwifiex_lock);
-        if (adapter->if_ops.data_complete) {
-                while ((skb = skb_dequeue(&adapter->usb_rx_data_q))) {
-                        struct mwifiex_rxinfo *rx_info = MWIFIEX_SKB_RXCB(skb);
-                        priv = adapter->priv[rx_info->bss_num];
-                        if (priv)
-                                priv->stats.rx_dropped++;
-                        dev_kfree_skb_any(skb);
-                        adapter->if_ops.data_complete(adapter);
-                }
-        }
        mwifiex_adapter_cleanup(adapter);
        spin_unlock(&adapter->mwifiex_lock);
diff --git a/drivers/net/wireless/mwifiex/join.c b/drivers/net/wireless/mwifiex/join.c
index 8d6c25908b6d..411a6c2f4aca 100644
--- a/drivers/net/wireless/mwifiex/join.c
+++ b/drivers/net/wireless/mwifiex/join.c
@@ -880,9 +880,7 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
        /* Set Capability info */
        bss_desc->cap_info_bitmap |= WLAN_CAPABILITY_IBSS;
-        tmp_cap = le16_to_cpu(adhoc_start->cap_info_bitmap);
+        tmp_cap = WLAN_CAPABILITY_IBSS;
-        tmp_cap &= ~WLAN_CAPABILITY_ESS;
-        tmp_cap |= WLAN_CAPABILITY_IBSS;
        /* Set up privacy in bss_desc */
        if (priv->sec_info.encryption_mode) {
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c
index f26420dbab6f..d4d2223d1f31 100644
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -28,6 +28,11 @@ const char driver_version[] = "mwifiex " VERSION " (%s) ";
 static char *cal_data_cfg;
 module_param(cal_data_cfg, charp, 0);
+static unsigned short driver_mode;
+module_param(driver_mode, ushort, 0);
+MODULE_PARM_DESC(driver_mode,
+                 "station=0x1(default), ap-sta=0x3, station-p2p=0x5, ap-sta-p2p=0x7");
 /*
 * This function registers the device and performs all the necessary
 * initializations.
@@ -144,8 +149,11 @@ static int mwifiex_process_rx(struct mwifiex_adapter *adapter)
        /* Check for Rx data */
        while ((skb = skb_dequeue(&adapter->rx_data_q))) {
                atomic_dec(&adapter->rx_pending);
-                if (adapter->delay_main_work &&
+                if ((adapter->delay_main_work ||
+                     adapter->iface_type == MWIFIEX_USB) &&
                    (atomic_read(&adapter->rx_pending) < LOW_RX_PENDING)) {
+                        if (adapter->if_ops.submit_rem_rx_urbs)
+                                adapter->if_ops.submit_rem_rx_urbs(adapter);
                        adapter->delay_main_work = false;
                        queue_work(adapter->workqueue, &adapter->main_work);
                }
@@ -178,7 +186,6 @@ int mwifiex_main_process(struct mwifiex_adapter *adapter)
 {
        int ret = 0;
        unsigned long flags;
-        struct sk_buff *skb;
        spin_lock_irqsave(&adapter->main_proc_lock, flags);
@@ -196,12 +203,15 @@ process_start:
                    (adapter->hw_status == MWIFIEX_HW_STATUS_NOT_READY))
                        break;
-                /* If we process interrupts first, it would increase RX pending
+                /* For non-USB interfaces, If we process interrupts first, it
-                 * even further. Avoid this by checking if rx_pending has
+                 * would increase RX pending even further. Avoid this by
-                 * crossed high threshold and schedule rx work queue
+                 * checking if rx_pending has crossed high threshold and
-                 * and then process interrupts
+                 * schedule rx work queue and then process interrupts.
+                 * For USB interface, there are no interrupts. We already have
+                 * HIGH_RX_PENDING check in usb.c
                 */
-                if (atomic_read(&adapter->rx_pending) >= HIGH_RX_PENDING) {
+                if (atomic_read(&adapter->rx_pending) >= HIGH_RX_PENDING &&
+                    adapter->iface_type != MWIFIEX_USB) {
                        adapter->delay_main_work = true;
                        if (!adapter->rx_processing)
                                queue_work(adapter->rx_workqueue,
@@ -253,11 +263,6 @@ process_start:
                        }
                }
-                /* Check Rx data for USB */
-                if (adapter->iface_type == MWIFIEX_USB)
-                        while ((skb = skb_dequeue(&adapter->usb_rx_data_q)))
-                                mwifiex_handle_rx_packet(adapter, skb);
                /* Check for event */
                if (adapter->event_received) {
                        adapter->event_received = false;
@@ -453,6 +458,11 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
                goto err_init_fw;
        }
+        if (driver_mode) {
+                driver_mode &= MWIFIEX_DRIVER_MODE_BITMASK;
+                driver_mode |= MWIFIEX_DRIVER_MODE_STA;
+        }
        rtnl_lock();
        /* Create station interface by default */
        wdev = mwifiex_add_virtual_intf(adapter->wiphy, "mlan%d",
@@ -462,6 +472,28 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
                rtnl_unlock();
                goto err_add_intf;
        }
+        if (driver_mode & MWIFIEX_DRIVER_MODE_UAP) {
+                wdev = mwifiex_add_virtual_intf(adapter->wiphy, "uap%d",
+                                                NL80211_IFTYPE_AP, NULL, NULL);
+                if (IS_ERR(wdev)) {
+                        dev_err(adapter->dev, "cannot create AP interface\n");
+                        rtnl_unlock();
+                        goto err_add_intf;
+                }
+        }
+        if (driver_mode & MWIFIEX_DRIVER_MODE_P2P) {
+                wdev = mwifiex_add_virtual_intf(adapter->wiphy, "p2p%d",
+                                                NL80211_IFTYPE_P2P_CLIENT, NULL,
+                                                NULL);
+                if (IS_ERR(wdev)) {
+                        dev_err(adapter->dev,
+                                "cannot create p2p client interface\n");
+                        rtnl_unlock();
+                        goto err_add_intf;
+                }
+        }
        rtnl_unlock();
        mwifiex_drv_get_driver_version(adapter, fmt, sizeof(fmt) - 1);
@@ -576,6 +608,48 @@ int mwifiex_queue_tx_pkt(struct mwifiex_private *priv, struct sk_buff *skb)
        return 0;
 }
+struct sk_buff *
+mwifiex_clone_skb_for_tx_status(struct mwifiex_private *priv,
+                                struct sk_buff *skb, u8 flag, u64 *cookie)
+{
+        struct sk_buff *orig_skb = skb;
+        struct mwifiex_txinfo *tx_info, *orig_tx_info;
+        skb = skb_clone(skb, GFP_ATOMIC);
+        if (skb) {
+                unsigned long flags;
+                int id;
+                spin_lock_irqsave(&priv->ack_status_lock, flags);
+                id = idr_alloc(&priv->ack_status_frames, orig_skb,
+                               1, 0xff, GFP_ATOMIC);
+                spin_unlock_irqrestore(&priv->ack_status_lock, flags);
+                if (id >= 0) {
+                        tx_info = MWIFIEX_SKB_TXCB(skb);
+                        tx_info->ack_frame_id = id;
+                        tx_info->flags |= flag;
+                        orig_tx_info = MWIFIEX_SKB_TXCB(orig_skb);
+                        orig_tx_info->ack_frame_id = id;
+                        orig_tx_info->flags |= flag;
+                        if (flag == MWIFIEX_BUF_FLAG_ACTION_TX_STATUS && cookie)
+                                orig_tx_info->cookie = *cookie;
+                } else if (skb_shared(skb)) {
+                        kfree_skb(orig_skb);
+                } else {
+                        kfree_skb(skb);
+                        skb = orig_skb;
+                }
+        } else {
+                /* couldn't clone -- lose tx status ... */
+                skb = orig_skb;
+        }
+        return skb;
+}
 /*
 * CFG802.11 network device handler for data transmission.
 */
@@ -585,6 +659,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
        struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
        struct sk_buff *new_skb;
        struct mwifiex_txinfo *tx_info;
+        bool multicast;
        dev_dbg(priv->adapter->dev, "data: %lu BSS(%d-%d): Data <= kernel\n",
                jiffies, priv->bss_type, priv->bss_num);
@@ -625,6 +700,15 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
        tx_info->bss_type = priv->bss_type;
        tx_info->pkt_len = skb->len;
+        multicast = is_multicast_ether_addr(skb->data);
+        if (unlikely(!multicast && skb->sk &&
+                     skb_shinfo(skb)->tx_flags & SKBTX_WIFI_STATUS &&
+                     priv->adapter->fw_api_ver == MWIFIEX_FW_V15))
+                skb = mwifiex_clone_skb_for_tx_status(priv,
+                                                      skb,
+                                        MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS, NULL);
        /* Record the current time the packet was queued; used to
         * determine the amount of time the packet was queued in
         * the driver before it was sent to the firmware.
@@ -634,6 +718,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         */
        __net_timestamp(skb);
+        if (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
+            priv->bss_type == MWIFIEX_BSS_TYPE_STA &&
+            !ether_addr_equal_unaligned(priv->cfg_bssid, skb->data)) {
+                if (priv->adapter->auto_tdls && priv->check_tdls_tx)
+                        mwifiex_tdls_check_tx(priv, skb);
+        }
        mwifiex_queue_tx_pkt(priv, skb);
        return 0;
@@ -864,7 +955,7 @@ mwifiex_add_card(void *card, struct semaphore *sem,
        adapter->cmd_wait_q.status = 0;
        adapter->scan_wait_q_woken = false;
-        if (num_possible_cpus() > 1) {
+        if ((num_possible_cpus() > 1) || adapter->iface_type == MWIFIEX_USB) {
                adapter->rx_work_enabled = true;
                pr_notice("rx work enabled, cpus %d\n", num_possible_cpus());
        }
diff --git a/drivers/net/wireless/mwifiex/main.h b/drivers/net/wireless/mwifiex/main.h
index fb47731d45a6..bdba37b7015d 100644
--- a/drivers/net/wireless/mwifiex/main.h
+++ b/drivers/net/wireless/mwifiex/main.h
@@ -34,6 +34,7 @@
 #include <linux/firmware.h>
 #include <linux/ctype.h>
 #include <linux/of.h>
+#include <linux/idr.h>
 #include "decl.h"
 #include "ioctl.h"
@@ -48,6 +49,11 @@ enum {
        MWIFIEX_SYNC_CMD
 };
+#define MWIFIEX_DRIVER_MODE_STA                 BIT(0)
+#define MWIFIEX_DRIVER_MODE_UAP                 BIT(1)
+#define MWIFIEX_DRIVER_MODE_P2P                 BIT(2)
+#define MWIFIEX_DRIVER_MODE_BITMASK             (BIT(0) | BIT(1) | BIT(2))
 #define MWIFIEX_MAX_AP                          64
 #define MWIFIEX_DEFAULT_WATCHDOG_TIMEOUT        (5 * HZ)
@@ -106,10 +112,7 @@ enum {
 */
 #define IS_CARD_RX_RCVD(adapter) (adapter->cmd_resp_received || \
                                adapter->event_received || \
-                                ((adapter->iface_type != MWIFIEX_USB) && \
+                                adapter->data_received)
-                                adapter->data_received) || \
-                                ((adapter->iface_type == MWIFIEX_USB) && \
-                                !skb_queue_empty(&adapter->usb_rx_data_q)))
 #define MWIFIEX_TYPE_CMD                                1
 #define MWIFIEX_TYPE_DATA                               0
@@ -504,8 +507,11 @@ struct mwifiex_private {
        struct mwifiex_wmm_desc wmm;
        atomic_t wmm_tx_pending[IEEE80211_NUM_ACS];
        struct list_head sta_list;
-        /* spin lock for associated station list */
+        /* spin lock for associated station/TDLS peers list */
        spinlock_t sta_list_spinlock;
+        struct list_head auto_tdls_list;
+        /* spin lock for auto TDLS peer list */
+        spinlock_t auto_tdls_lock;
        struct list_head tx_ba_stream_tbl_ptr;
        /* spin lock for tx_ba_stream_tbl_ptr queue */
        spinlock_t tx_ba_stream_tbl_lock;
@@ -570,6 +576,12 @@ struct mwifiex_private {
        bool hs2_enabled;
        struct station_parameters *sta_params;
        struct sk_buff_head tdls_txq;
+        u8 check_tdls_tx;
+        struct timer_list auto_tdls_timer;
+        bool auto_tdls_timer_active;
+        struct idr ack_status_frames;
+        /* spin lock for ack status */
+        spinlock_t ack_status_lock;
 };
 enum mwifiex_ba_status {
@@ -592,6 +604,7 @@ struct reorder_tmr_cnxt {
        struct timer_list timer;
        struct mwifiex_rx_reorder_tbl *ptr;
        struct mwifiex_private *priv;
+        u8 timer_is_set;
 };
 struct mwifiex_rx_reorder_tbl {
@@ -669,6 +682,17 @@ struct mwifiex_sta_node {
        struct mwifiex_tdls_capab tdls_cap;
 };
+struct mwifiex_auto_tdls_peer {
+        struct list_head list;
+        u8 mac_addr[ETH_ALEN];
+        u8 tdls_status;
+        int rssi;
+        long rssi_jiffies;
+        u8 failure_count;
+        u8 do_discover;
+        u8 do_setup;
+};
 struct mwifiex_if_ops {
        int (*init_if) (struct mwifiex_adapter *);
        void (*cleanup_if) (struct mwifiex_adapter *);
@@ -689,13 +713,13 @@ struct mwifiex_if_ops {
        void (*cleanup_mpa_buf) (struct mwifiex_adapter *);
        int (*cmdrsp_complete) (struct mwifiex_adapter *, struct sk_buff *);
        int (*event_complete) (struct mwifiex_adapter *, struct sk_buff *);
-        int (*data_complete) (struct mwifiex_adapter *);
        int (*init_fw_port) (struct mwifiex_adapter *);
        int (*dnld_fw) (struct mwifiex_adapter *, struct mwifiex_fw_image *);
        void (*card_reset) (struct mwifiex_adapter *);
        void (*fw_dump)(struct mwifiex_adapter *);
        int (*clean_pcie_ring) (struct mwifiex_adapter *adapter);
        void (*iface_work)(struct work_struct *work);
+        void (*submit_rem_rx_urbs)(struct mwifiex_adapter *adapter);
 };
 struct mwifiex_adapter {
@@ -766,7 +790,6 @@ struct mwifiex_adapter {
        spinlock_t scan_pending_q_lock;
        /* spin lock for RX processing routine */
        spinlock_t rx_proc_lock;
-        struct sk_buff_head usb_rx_data_q;
        u32 scan_processing;
        u16 region_code;
        struct mwifiex_802_11d_domain_reg domain_reg;
@@ -847,6 +870,7 @@ struct mwifiex_adapter {
        struct mwifiex_chan_stats *chan_stats;
        u32 num_in_chan_stats;
        int survey_idx;
+        bool auto_tdls;
 };
 int mwifiex_init_lock_list(struct mwifiex_adapter *adapter);
@@ -1304,6 +1328,24 @@ u8 mwifiex_get_center_freq_index(struct mwifiex_private *priv, u8 band,
                                 u32 pri_chan, u8 chan_bw);
 int mwifiex_init_channel_scan_gap(struct mwifiex_adapter *adapter);
+int mwifiex_tdls_check_tx(struct mwifiex_private *priv, struct sk_buff *skb);
+void mwifiex_flush_auto_tdls_list(struct mwifiex_private *priv);
+void mwifiex_auto_tdls_update_peer_status(struct mwifiex_private *priv,
+                                          const u8 *mac, u8 link_status);
+void mwifiex_auto_tdls_update_peer_signal(struct mwifiex_private *priv,
+                                          u8 *mac, s8 snr, s8 nflr);
+void mwifiex_check_auto_tdls(unsigned long context);
+void mwifiex_add_auto_tdls_peer(struct mwifiex_private *priv, const u8 *mac);
+void mwifiex_setup_auto_tdls_timer(struct mwifiex_private *priv);
+void mwifiex_clean_auto_tdls(struct mwifiex_private *priv);
+void mwifiex_parse_tx_status_event(struct mwifiex_private *priv,
+                                   void *event_body);
+struct sk_buff *
+mwifiex_clone_skb_for_tx_status(struct mwifiex_private *priv,
+                                struct sk_buff *skb, u8 flag, u64 *cookie);
 #ifdef CONFIG_DEBUG_FS
 void mwifiex_debugfs_init(void);
 void mwifiex_debugfs_remove(void);
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
index 3a17821157d7..984a7a4fa93b 100644
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1623,7 +1623,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
        if (*bytes_left >= sizeof(beacon_size)) {
                /* Extract & convert beacon size from command buffer */
-                memcpy(&beacon_size, *bss_info, sizeof(beacon_size));
+                beacon_size = le16_to_cpu(*(__le16 *)(*bss_info));
                *bytes_left -= sizeof(beacon_size);
                *bss_info += sizeof(beacon_size);
        }
diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
index b25766b43b9f..933dae137850 100644
--- a/drivers/net/wireless/mwifiex/sdio.c
+++ b/drivers/net/wireless/mwifiex/sdio.c
@@ -106,6 +106,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id)
                card->mp_tx_agg_buf_size = data->mp_tx_agg_buf_size;
                card->mp_rx_agg_buf_size = data->mp_rx_agg_buf_size;
                card->supports_fw_dump = data->supports_fw_dump;
+                card->auto_tdls = data->auto_tdls;
        }
        sdio_claim_host(func);
@@ -1880,6 +1881,7 @@ static int mwifiex_init_sdio(struct mwifiex_adapter *adapter)
                return -1;
        }
+        adapter->auto_tdls = card->auto_tdls;
        return ret;
 }
diff --git a/drivers/net/wireless/mwifiex/sdio.h b/drivers/net/wireless/mwifiex/sdio.h
index 20cd9adc98d3..54c07156dd78 100644
--- a/drivers/net/wireless/mwifiex/sdio.h
+++ b/drivers/net/wireless/mwifiex/sdio.h
@@ -246,6 +246,7 @@ struct sdio_mmc_card {
        u8 curr_wr_port;
        u8 *mp_regs;
+        u8 auto_tdls;
        struct mwifiex_sdio_mpa_tx mpa_tx;
        struct mwifiex_sdio_mpa_rx mpa_rx;
@@ -262,6 +263,7 @@ struct mwifiex_sdio_device {
        u16 tx_buf_size;
        u32 mp_tx_agg_buf_size;
        u32 mp_rx_agg_buf_size;
+        u8 auto_tdls;
 };
 static const struct mwifiex_sdio_card_reg mwifiex_reg_sd87xx = {
@@ -387,6 +389,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8786 = {
        .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .supports_fw_dump = false,
+        .auto_tdls = false,
 };
 static const struct mwifiex_sdio_device mwifiex_sdio_sd8787 = {
@@ -400,6 +403,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8787 = {
        .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .supports_fw_dump = false,
+        .auto_tdls = false,
 };
 static const struct mwifiex_sdio_device mwifiex_sdio_sd8797 = {
@@ -413,6 +417,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8797 = {
        .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_16K,
        .supports_fw_dump = false,
+        .auto_tdls = false,
 };
 static const struct mwifiex_sdio_device mwifiex_sdio_sd8897 = {
@@ -426,6 +431,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8897 = {
        .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_32K,
        .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_32K,
        .supports_fw_dump = true,
+        .auto_tdls = false,
 };
 static const struct mwifiex_sdio_device mwifiex_sdio_sd8887 = {
@@ -439,6 +445,7 @@ static const struct mwifiex_sdio_device mwifiex_sdio_sd8887 = {
        .mp_tx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_32K,
        .mp_rx_agg_buf_size = MWIFIEX_MP_AGGR_BUF_SIZE_32K,
        .supports_fw_dump = false,
+        .auto_tdls = true,
 };
 /*
diff --git a/drivers/net/wireless/mwifiex/sta_event.c b/drivers/net/wireless/mwifiex/sta_event.c
index f1c240eca0cd..b8c171df6223 100644
--- a/drivers/net/wireless/mwifiex/sta_event.c
+++ b/drivers/net/wireless/mwifiex/sta_event.c
@@ -55,9 +55,13 @@ mwifiex_reset_connect_state(struct mwifiex_private *priv, u16 reason_code)
        priv->scan_block = false;
        if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
-            ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info))
+            ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info)) {
                mwifiex_disable_all_tdls_links(priv);
+                if (priv->adapter->auto_tdls)
+                        mwifiex_clean_auto_tdls(priv);
+        }
        /* Free Tx and Rx packets, report disconnect to upper layer */
        mwifiex_clean_txrx(priv);
@@ -163,9 +167,6 @@ static int mwifiex_parse_tdls_event(struct mwifiex_private *priv,
                                           NL80211_TDLS_TEARDOWN,
                                           le16_to_cpu(tdls_evt->u.reason_code),
                                           GFP_KERNEL);
-                ret = mwifiex_tdls_oper(priv, tdls_evt->peer_mac,
-                                        MWIFIEX_TDLS_DISABLE_LINK);
-                queue_work(adapter->workqueue, &adapter->main_work);
                break;
        default:
                break;
@@ -503,6 +504,11 @@ int mwifiex_process_sta_event(struct mwifiex_private *priv)
                ret = mwifiex_parse_tdls_event(priv, adapter->event_skb);
                break;
+        case EVENT_TX_STATUS_REPORT:
+                dev_dbg(adapter->dev, "event: TX_STATUS Report\n");
+                mwifiex_parse_tx_status_event(priv, adapter->event_body);
+                break;
        default:
                dev_dbg(adapter->dev, "event: unknown event id: %#x\n",
                        eventcause);
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 92f3eb839866..1626868a4b5c 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -1026,12 +1026,12 @@ mwifiex_drv_get_driver_version(struct mwifiex_adapter *adapter, char *version,
                               int max_len)
 {
        union {
-                u32 l;
+                __le32 l;
                u8 c[4];
        } ver;
        char fw_ver[32];
-        ver.l = adapter->fw_release_number;
+        ver.l = cpu_to_le32(adapter->fw_release_number);
        sprintf(fw_ver, "%u.%u.%u.p%u", ver.c[2], ver.c[1], ver.c[0], ver.c[3]);
        snprintf(version, max_len, driver_version, fw_ver);
diff --git a/drivers/net/wireless/mwifiex/sta_rx.c b/drivers/net/wireless/mwifiex/sta_rx.c
index 9ceb1dbe34c5..c2ad3b63ae70 100644
--- a/drivers/net/wireless/mwifiex/sta_rx.c
+++ b/drivers/net/wireless/mwifiex/sta_rx.c
@@ -232,6 +232,9 @@ int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv,
                        if (sta_ptr)
                                sta_ptr->rx_seq[local_rx_pd->priority] =
                                              le16_to_cpu(local_rx_pd->seq_num);
+                        mwifiex_auto_tdls_update_peer_signal(priv, ta,
+                                                             local_rx_pd->snr,
+                                                             local_rx_pd->nf);
                }
        } else {
                if (rx_pkt_type != PKT_TYPE_BAR)
diff --git a/drivers/net/wireless/mwifiex/sta_tx.c b/drivers/net/wireless/mwifiex/sta_tx.c
index dab7b33c54be..b896d7375b52 100644
--- a/drivers/net/wireless/mwifiex/sta_tx.c
+++ b/drivers/net/wireless/mwifiex/sta_tx.c
@@ -77,6 +77,12 @@ void *mwifiex_process_sta_txpd(struct mwifiex_private *priv,
        local_tx_pd->pkt_delay_2ms =
                                mwifiex_wmm_compute_drv_pkt_delay(priv, skb);
+        if (tx_info->flags & MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS ||
+            tx_info->flags & MWIFIEX_BUF_FLAG_ACTION_TX_STATUS) {
+                local_tx_pd->tx_token_id = tx_info->ack_frame_id;
+                local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_REQ_TX_STATUS;
+        }
        if (local_tx_pd->priority <
            ARRAY_SIZE(priv->wmm.user_pri_pkt_tx_ctrl))
                /*
diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
index e2949077f5b5..22884b429be7 100644
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -24,6 +24,7 @@
 #define TDLS_REQ_FIX_LEN      6
 #define TDLS_RESP_FIX_LEN     8
 #define TDLS_CONFIRM_FIX_LEN  6
+#define MWIFIEX_TDLS_WMM_INFO_SIZE 7
 static void mwifiex_restore_tdls_packets(struct mwifiex_private *priv,
                                         const u8 *mac, u8 status)
@@ -367,6 +368,55 @@ static void mwifiex_tdls_add_qos_capab(struct sk_buff *skb)
        *pos++ = MWIFIEX_TDLS_DEF_QOS_CAPAB;
 }
+static void
+mwifiex_tdls_add_wmm_param_ie(struct mwifiex_private *priv, struct sk_buff *skb)
+{
+        struct ieee80211_wmm_param_ie *wmm;
+        u8 ac_vi[] = {0x42, 0x43, 0x5e, 0x00};
+        u8 ac_vo[] = {0x62, 0x32, 0x2f, 0x00};
+        u8 ac_be[] = {0x03, 0xa4, 0x00, 0x00};
+        u8 ac_bk[] = {0x27, 0xa4, 0x00, 0x00};
+        wmm = (void *)skb_put(skb, sizeof(*wmm));
+        memset(wmm, 0, sizeof(*wmm));
+        wmm->element_id = WLAN_EID_VENDOR_SPECIFIC;
+        wmm->len = sizeof(*wmm) - 2;
+        wmm->oui[0] = 0x00; /* Microsoft OUI 00:50:F2 */
+        wmm->oui[1] = 0x50;
+        wmm->oui[2] = 0xf2;
+        wmm->oui_type = 2; /* WME */
+        wmm->oui_subtype = 1; /* WME param */
+        wmm->version = 1; /* WME ver */
+        wmm->qos_info = 0; /* U-APSD not in use */
+        /* use default WMM AC parameters for TDLS link*/
+        memcpy(&wmm->ac[0], ac_be, sizeof(ac_be));
+        memcpy(&wmm->ac[1], ac_bk, sizeof(ac_bk));
+        memcpy(&wmm->ac[2], ac_vi, sizeof(ac_vi));
+        memcpy(&wmm->ac[3], ac_vo, sizeof(ac_vo));
+}
+static void
+mwifiex_add_wmm_info_ie(struct mwifiex_private *priv, struct sk_buff *skb,
+                        u8 qosinfo)
+{
+        u8 *buf;
+        buf = (void *)skb_put(skb, MWIFIEX_TDLS_WMM_INFO_SIZE +
+                              sizeof(struct ieee_types_header));
+        *buf++ = WLAN_EID_VENDOR_SPECIFIC;
+        *buf++ = 7; /* len */
+        *buf++ = 0x00; /* Microsoft OUI 00:50:F2 */
+        *buf++ = 0x50;
+        *buf++ = 0xf2;
+        *buf++ = 2; /* WME */
+        *buf++ = 0; /* WME info */
+        *buf++ = 1; /* WME ver */
+        *buf++ = qosinfo; /* U-APSD no in use */
+}
 static int mwifiex_prep_tdls_encap_data(struct mwifiex_private *priv,
                                        const u8 *peer, u8 action_code,
                                        u8 dialog_token,
@@ -421,6 +471,7 @@ static int mwifiex_prep_tdls_encap_data(struct mwifiex_private *priv,
                mwifiex_tdls_add_ext_capab(priv, skb);
                mwifiex_tdls_add_qos_capab(skb);
+                mwifiex_add_wmm_info_ie(priv, skb, 0);
                break;
        case WLAN_TDLS_SETUP_RESPONSE:
@@ -458,6 +509,7 @@ static int mwifiex_prep_tdls_encap_data(struct mwifiex_private *priv,
                mwifiex_tdls_add_ext_capab(priv, skb);
                mwifiex_tdls_add_qos_capab(skb);
+                mwifiex_add_wmm_info_ie(priv, skb, 0);
                break;
        case WLAN_TDLS_SETUP_CONFIRM:
@@ -466,6 +518,8 @@ static int mwifiex_prep_tdls_encap_data(struct mwifiex_private *priv,
                skb_put(skb, sizeof(tf->u.setup_cfm));
                tf->u.setup_cfm.status_code = cpu_to_le16(status_code);
                tf->u.setup_cfm.dialog_token = dialog_token;
+                mwifiex_tdls_add_wmm_param_ie(priv, skb);
                if (priv->adapter->is_hw_11ac_capable) {
                        ret = mwifiex_tdls_add_vht_oper(priv, peer, skb);
                        if (ret) {
@@ -544,6 +598,7 @@ int mwifiex_send_tdls_data_frame(struct mwifiex_private *priv, const u8 *peer,
                  sizeof(struct ieee_types_bss_co_2040) +
                  sizeof(struct ieee80211_ht_operation) +
                  sizeof(struct ieee80211_tdls_lnkie) +
+                  sizeof(struct ieee80211_wmm_param_ie) +
                  extra_ies_len;
        if (priv->adapter->is_hw_11ac_capable)
@@ -973,6 +1028,7 @@ mwifiex_tdls_process_disable_link(struct mwifiex_private *priv, const u8 *peer)
        }
        mwifiex_restore_tdls_packets(priv, peer, TDLS_LINK_TEARDOWN);
+        mwifiex_auto_tdls_update_peer_status(priv, peer, TDLS_NOT_SETUP);
        memcpy(&tdls_oper.peer_mac, peer, ETH_ALEN);
        tdls_oper.tdls_action = MWIFIEX_TDLS_DISABLE_LINK;
        return mwifiex_send_cmd(priv, HostCmd_CMD_TDLS_OPER,
@@ -1017,6 +1073,8 @@ mwifiex_tdls_process_enable_link(struct mwifiex_private *priv, const u8 *peer)
                memset(sta_ptr->rx_seq, 0xff, sizeof(sta_ptr->rx_seq));
                mwifiex_restore_tdls_packets(priv, peer, TDLS_SETUP_COMPLETE);
+                mwifiex_auto_tdls_update_peer_status(priv, peer,
+                                                     TDLS_SETUP_COMPLETE);
        } else {
                dev_dbg(priv->adapter->dev,
                        "tdls: enable link %pM failed\n", peer);
@@ -1030,6 +1088,8 @@ mwifiex_tdls_process_enable_link(struct mwifiex_private *priv, const u8 *peer)
                        mwifiex_del_sta_entry(priv, peer);
                }
                mwifiex_restore_tdls_packets(priv, peer, TDLS_LINK_TEARDOWN);
+                mwifiex_auto_tdls_update_peer_status(priv, peer,
+                                                     TDLS_NOT_SETUP);
                return -1;
        }
@@ -1097,3 +1157,231 @@ void mwifiex_disable_all_tdls_links(struct mwifiex_private *priv)
        mwifiex_del_all_sta_list(priv);
 }
+int mwifiex_tdls_check_tx(struct mwifiex_private *priv, struct sk_buff *skb)
+{
+        struct mwifiex_auto_tdls_peer *peer;
+        unsigned long flags;
+        u8 mac[ETH_ALEN];
+        ether_addr_copy(mac, skb->data);
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry(peer, &priv->auto_tdls_list, list) {
+                if (!memcmp(mac, peer->mac_addr, ETH_ALEN)) {
+                        if (peer->rssi <= MWIFIEX_TDLS_RSSI_HIGH &&
+                            peer->tdls_status == TDLS_NOT_SETUP &&
+                            (peer->failure_count <
+                             MWIFIEX_TDLS_MAX_FAIL_COUNT)) {
+                                peer->tdls_status = TDLS_SETUP_INPROGRESS;
+                                dev_dbg(priv->adapter->dev,
+                                        "setup TDLS link, peer=%pM rssi=%d\n",
+                                        peer->mac_addr, peer->rssi);
+                                cfg80211_tdls_oper_request(priv->netdev,
+                                                           peer->mac_addr,
+                                                           NL80211_TDLS_SETUP,
+                                                           0, GFP_ATOMIC);
+                                peer->do_setup = false;
+                                priv->check_tdls_tx = false;
+                        } else if (peer->failure_count <
+                                   MWIFIEX_TDLS_MAX_FAIL_COUNT &&
+                                   peer->do_discover) {
+                                mwifiex_send_tdls_data_frame(priv,
+                                                             peer->mac_addr,
+                                                    WLAN_TDLS_DISCOVERY_REQUEST,
+                                                             1, 0, NULL, 0);
+                                peer->do_discover = false;
+                        }
+                }
+        }
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+        return 0;
+}
+void mwifiex_flush_auto_tdls_list(struct mwifiex_private *priv)
+{
+        struct mwifiex_auto_tdls_peer *peer, *tmp_node;
+        unsigned long flags;
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry_safe(peer, tmp_node, &priv->auto_tdls_list, list) {
+                list_del(&peer->list);
+                kfree(peer);
+        }
+        INIT_LIST_HEAD(&priv->auto_tdls_list);
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+        priv->check_tdls_tx = false;
+}
+void mwifiex_add_auto_tdls_peer(struct mwifiex_private *priv, const u8 *mac)
+{
+        struct mwifiex_auto_tdls_peer *tdls_peer;
+        unsigned long flags;
+        if (!priv->adapter->auto_tdls)
+                return;
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry(tdls_peer, &priv->auto_tdls_list, list) {
+                if (!memcmp(tdls_peer->mac_addr, mac, ETH_ALEN)) {
+                        tdls_peer->tdls_status = TDLS_SETUP_INPROGRESS;
+                        tdls_peer->rssi_jiffies = jiffies;
+                        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+                        return;
+                }
+        }
+        /* create new TDLS peer */
+        tdls_peer = kzalloc(sizeof(*tdls_peer), GFP_ATOMIC);
+        if (tdls_peer) {
+                ether_addr_copy(tdls_peer->mac_addr, mac);
+                tdls_peer->tdls_status = TDLS_SETUP_INPROGRESS;
+                tdls_peer->rssi_jiffies = jiffies;
+                INIT_LIST_HEAD(&tdls_peer->list);
+                list_add_tail(&tdls_peer->list, &priv->auto_tdls_list);
+                dev_dbg(priv->adapter->dev, "Add auto TDLS peer= %pM to list\n",
+                        mac);
+        }
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+}
+void mwifiex_auto_tdls_update_peer_status(struct mwifiex_private *priv,
+                                          const u8 *mac, u8 link_status)
+{
+        struct mwifiex_auto_tdls_peer *peer;
+        unsigned long flags;
+        if (!priv->adapter->auto_tdls)
+                return;
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry(peer, &priv->auto_tdls_list, list) {
+                if (!memcmp(peer->mac_addr, mac, ETH_ALEN)) {
+                        if ((link_status == TDLS_NOT_SETUP) &&
+                            (peer->tdls_status == TDLS_SETUP_INPROGRESS))
+                                peer->failure_count++;
+                        else if (link_status == TDLS_SETUP_COMPLETE)
+                                peer->failure_count = 0;
+                        peer->tdls_status = link_status;
+                        break;
+                }
+        }
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+}
+void mwifiex_auto_tdls_update_peer_signal(struct mwifiex_private *priv,
+                                          u8 *mac, s8 snr, s8 nflr)
+{
+        struct mwifiex_auto_tdls_peer *peer;
+        unsigned long flags;
+        if (!priv->adapter->auto_tdls)
+                return;
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry(peer, &priv->auto_tdls_list, list) {
+                if (!memcmp(peer->mac_addr, mac, ETH_ALEN)) {
+                        peer->rssi = nflr - snr;
+                        peer->rssi_jiffies = jiffies;
+                        break;
+                }
+        }
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+}
+void mwifiex_check_auto_tdls(unsigned long context)
+{
+        struct mwifiex_private *priv = (struct mwifiex_private *)context;
+        struct mwifiex_auto_tdls_peer *tdls_peer;
+        unsigned long flags;
+        u16 reason = WLAN_REASON_TDLS_TEARDOWN_UNSPECIFIED;
+        if (WARN_ON_ONCE(!priv || !priv->adapter)) {
+                pr_err("mwifiex: %s: adapter or private structure is NULL\n",
+                       __func__);
+                return;
+        }
+        if (unlikely(!priv->adapter->auto_tdls))
+                return;
+        if (!priv->auto_tdls_timer_active) {
+                dev_dbg(priv->adapter->dev,
+                        "auto TDLS timer inactive; return");
+                return;
+        }
+        priv->check_tdls_tx = false;
+        if (list_empty(&priv->auto_tdls_list)) {
+                mod_timer(&priv->auto_tdls_timer,
+                          jiffies +
+                          msecs_to_jiffies(MWIFIEX_TIMER_10S));
+                return;
+        }
+        spin_lock_irqsave(&priv->auto_tdls_lock, flags);
+        list_for_each_entry(tdls_peer, &priv->auto_tdls_list, list) {
+                if ((jiffies - tdls_peer->rssi_jiffies) >
+                    (MWIFIEX_AUTO_TDLS_IDLE_TIME * HZ)) {
+                        tdls_peer->rssi = 0;
+                        tdls_peer->do_discover = true;
+                        priv->check_tdls_tx = true;
+                }
+                if (((tdls_peer->rssi >= MWIFIEX_TDLS_RSSI_LOW) ||
+                     !tdls_peer->rssi) &&
+                    tdls_peer->tdls_status == TDLS_SETUP_COMPLETE) {
+                        tdls_peer->tdls_status = TDLS_LINK_TEARDOWN;
+                        dev_dbg(priv->adapter->dev,
+                                "teardown TDLS link,peer=%pM rssi=%d\n",
+                                tdls_peer->mac_addr, -tdls_peer->rssi);
+                        tdls_peer->do_discover = true;
+                        priv->check_tdls_tx = true;
+                        cfg80211_tdls_oper_request(priv->netdev,
+                                                   tdls_peer->mac_addr,
+                                                   NL80211_TDLS_TEARDOWN,
+                                                   reason, GFP_ATOMIC);
+                } else if (tdls_peer->rssi &&
+                           tdls_peer->rssi <= MWIFIEX_TDLS_RSSI_HIGH &&
+                           tdls_peer->tdls_status == TDLS_NOT_SETUP &&
+                           tdls_peer->failure_count <
+                           MWIFIEX_TDLS_MAX_FAIL_COUNT) {
+                                priv->check_tdls_tx = true;
+                                tdls_peer->do_setup = true;
+                                dev_dbg(priv->adapter->dev,
+                                        "check TDLS with peer=%pM rssi=%d\n",
+                                        tdls_peer->mac_addr, -tdls_peer->rssi);
+                }
+        }
+        spin_unlock_irqrestore(&priv->auto_tdls_lock, flags);
+        mod_timer(&priv->auto_tdls_timer,
+                  jiffies + msecs_to_jiffies(MWIFIEX_TIMER_10S));
+}
+void mwifiex_setup_auto_tdls_timer(struct mwifiex_private *priv)
+{
+        init_timer(&priv->auto_tdls_timer);
+        priv->auto_tdls_timer.function = mwifiex_check_auto_tdls;
+        priv->auto_tdls_timer.data = (unsigned long)priv;
+        priv->auto_tdls_timer_active = true;
+        mod_timer(&priv->auto_tdls_timer,
+                  jiffies + msecs_to_jiffies(MWIFIEX_TIMER_10S));
+}
+void mwifiex_clean_auto_tdls(struct mwifiex_private *priv)
+{
+        if (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
+            priv->adapter->auto_tdls &&
+            priv->bss_type == MWIFIEX_BSS_TYPE_STA) {
+                priv->auto_tdls_timer_active = false;
+                del_timer(&priv->auto_tdls_timer);
+                mwifiex_flush_auto_tdls_list(priv);
+        }
+}
diff --git a/drivers/net/wireless/mwifiex/txrx.c b/drivers/net/wireless/mwifiex/txrx.c
index 96a2126cc44b..6ae133333363 100644
--- a/drivers/net/wireless/mwifiex/txrx.c
+++ b/drivers/net/wireless/mwifiex/txrx.c
@@ -64,10 +64,6 @@ int mwifiex_handle_rx_packet(struct mwifiex_adapter *adapter,
        else
                ret = mwifiex_process_sta_rx_packet(priv, skb);
-        /* Decrement RX pending counter for each packet */
-        if (adapter->if_ops.data_complete)
-                adapter->if_ops.data_complete(adapter);
        return ret;
 }
 EXPORT_SYMBOL_GPL(mwifiex_handle_rx_packet);
@@ -207,3 +203,34 @@ done:
 }
 EXPORT_SYMBOL_GPL(mwifiex_write_data_complete);
+void mwifiex_parse_tx_status_event(struct mwifiex_private *priv,
+                                   void *event_body)
+{
+        struct tx_status_event *tx_status = (void *)priv->adapter->event_body;
+        struct sk_buff *ack_skb;
+        unsigned long flags;
+        struct mwifiex_txinfo *tx_info;
+        if (!tx_status->tx_token_id)
+                return;
+        spin_lock_irqsave(&priv->ack_status_lock, flags);
+        ack_skb = idr_find(&priv->ack_status_frames, tx_status->tx_token_id);
+        if (ack_skb)
+                idr_remove(&priv->ack_status_frames, tx_status->tx_token_id);
+        spin_unlock_irqrestore(&priv->ack_status_lock, flags);
+        if (ack_skb) {
+                tx_info = MWIFIEX_SKB_TXCB(ack_skb);
+                if (tx_info->flags & MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS) {
+                        /* consumes ack_skb */
+                        skb_complete_wifi_ack(ack_skb, !tx_status->status);
+                } else {
+                        cfg80211_mgmt_tx_status(priv->wdev, tx_info->cookie,
+                                                ack_skb->data, ack_skb->len,
+                                                !tx_status->status, GFP_ATOMIC);
+                        dev_kfree_skb_any(ack_skb);
+                }
+        }
+}
diff --git a/drivers/net/wireless/mwifiex/uap_cmd.c b/drivers/net/wireless/mwifiex/uap_cmd.c
index 300bab438011..0f347fdefa0a 100644
--- a/drivers/net/wireless/mwifiex/uap_cmd.c
+++ b/drivers/net/wireless/mwifiex/uap_cmd.c
@@ -167,7 +167,7 @@ mwifiex_set_ht_params(struct mwifiex_private *priv,
        ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, params->beacon.tail,
                                 params->beacon.tail_len);
        if (ht_ie) {
-                memcpy(&bss_cfg->ht_cap, ht_ie + 2,
+                memcpy(&bss_cfg->ht_cap, ht_ie,
                       sizeof(struct ieee80211_ht_cap));
                cap_info = le16_to_cpu(bss_cfg->ht_cap.cap_info);
                memset(&bss_cfg->ht_cap.mcs, 0,
diff --git a/drivers/net/wireless/mwifiex/uap_event.c b/drivers/net/wireless/mwifiex/uap_event.c
index 7c2b97660a03..38390cb85a90 100644
--- a/drivers/net/wireless/mwifiex/uap_event.c
+++ b/drivers/net/wireless/mwifiex/uap_event.c
@@ -172,6 +172,10 @@ int mwifiex_process_uap_event(struct mwifiex_private *priv)
                        return mwifiex_handle_event_ext_scan_report(priv,
                                                adapter->event_skb->data);
                break;
+        case EVENT_TX_STATUS_REPORT:
+                dev_dbg(adapter->dev, "event: TX_STATUS Report\n");
+                mwifiex_parse_tx_status_event(priv, adapter->event_body);
+                break;
        default:
                dev_dbg(adapter->dev, "event: unknown event id: %#x\n",
                        eventcause);
diff --git a/drivers/net/wireless/mwifiex/uap_txrx.c b/drivers/net/wireless/mwifiex/uap_txrx.c
index ec7309d096ab..e7d326f5b96e 100644
--- a/drivers/net/wireless/mwifiex/uap_txrx.c
+++ b/drivers/net/wireless/mwifiex/uap_txrx.c
@@ -370,10 +370,16 @@ void *mwifiex_process_uap_txpd(struct mwifiex_private *priv,
        txpd->bss_num = priv->bss_num;
        txpd->bss_type = priv->bss_type;
        txpd->tx_pkt_length = cpu_to_le16((u16)(skb->len - len));
        txpd->priority = (u8)skb->priority;
        txpd->pkt_delay_2ms = mwifiex_wmm_compute_drv_pkt_delay(priv, skb);
+        if (tx_info->flags & MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS ||
+            tx_info->flags & MWIFIEX_BUF_FLAG_ACTION_TX_STATUS) {
+                txpd->tx_token_id = tx_info->ack_frame_id;
+                txpd->flags |= MWIFIEX_TXPD_FLAGS_REQ_TX_STATUS;
+        }
        if (txpd->priority < ARRAY_SIZE(priv->wmm.user_pri_pkt_tx_ctrl))
                /*
                 * Set the priority specific tx_control field, setting of 0 will
diff --git a/drivers/net/wireless/mwifiex/usb.c b/drivers/net/wireless/mwifiex/usb.c
index 4371e12b36f3..1b56495ec872 100644
--- a/drivers/net/wireless/mwifiex/usb.c
+++ b/drivers/net/wireless/mwifiex/usb.c
@@ -27,6 +27,11 @@ static struct mwifiex_if_ops usb_ops;
 static struct semaphore add_remove_card_sem;
 static struct usb_device_id mwifiex_usb_table[] = {
+        /* 8766 */
+        {USB_DEVICE(USB8XXX_VID, USB8766_PID_1)},
+        {USB_DEVICE_AND_INTERFACE_INFO(USB8XXX_VID, USB8766_PID_2,
+                                       USB_CLASS_VENDOR_SPEC,
+                                       USB_SUBCLASS_VENDOR_SPEC, 0xff)},
        /* 8797 */
        {USB_DEVICE(USB8XXX_VID, USB8797_PID_1)},
        {USB_DEVICE_AND_INTERFACE_INFO(USB8XXX_VID, USB8797_PID_2,
@@ -125,8 +130,10 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
                        dev_err(dev, "DATA: skb->len too large\n");
                        return -1;
                }
-                skb_queue_tail(&adapter->usb_rx_data_q, skb);
+                skb_queue_tail(&adapter->rx_data_q, skb);
                adapter->data_received = true;
+                atomic_inc(&adapter->rx_pending);
                break;
        default:
                dev_err(dev, "%s: unknown endport %#x\n", __func__, ep);
@@ -176,7 +183,6 @@ static void mwifiex_usb_rx_complete(struct urb *urb)
                else
                        skb_put(skb, recv_length - skb->len);
-                atomic_inc(&adapter->rx_pending);
                status = mwifiex_usb_recv(adapter, skb, context->ep);
                dev_dbg(adapter->dev, "info: recv_length=%d, status=%d\n",
@@ -191,7 +197,6 @@ static void mwifiex_usb_rx_complete(struct urb *urb)
                        if (card->rx_cmd_ep == context->ep)
                                return;
                } else {
-                        atomic_dec(&adapter->rx_pending);
                        if (status == -1)
                                dev_err(adapter->dev,
                                        "received data processing failed!\n");
@@ -222,7 +227,13 @@ setup_for_next:
        else
                size = MWIFIEX_RX_DATA_BUF_SIZE;
-        mwifiex_usb_submit_rx_urb(context, size);
+        if (card->rx_cmd_ep == context->ep) {
+                mwifiex_usb_submit_rx_urb(context, size);
+        } else {
+                context->skb = NULL;
+                if (atomic_read(&adapter->rx_pending) <= HIGH_RX_PENDING)
+                        mwifiex_usb_submit_rx_urb(context, size);
+        }
        return;
 }
@@ -348,10 +359,12 @@ static int mwifiex_usb_probe(struct usb_interface *intf,
        /* PID_1 is used for firmware downloading only */
        switch (id_product) {
+        case USB8766_PID_1:
        case USB8797_PID_1:
        case USB8897_PID_1:
                card->usb_boot_state = USB8XXX_FW_DNLD;
                break;
+        case USB8766_PID_2:
        case USB8797_PID_2:
        case USB8897_PID_2:
                card->usb_boot_state = USB8XXX_FW_READY;
@@ -780,6 +793,11 @@ static int mwifiex_register_dev(struct mwifiex_adapter *adapter)
                adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_4K;
                strcpy(adapter->fw_name, USB8897_DEFAULT_FW_NAME);
                break;
+        case USB8766_PID_1:
+        case USB8766_PID_2:
+                adapter->tx_buf_size = MWIFIEX_TX_DATA_BUF_SIZE_2K;
+                strcpy(adapter->fw_name, USB8766_DEFAULT_FW_NAME);
+                break;
        case USB8797_PID_1:
        case USB8797_PID_2:
        default:
@@ -962,19 +980,11 @@ static void mwifiex_submit_rx_urb(struct mwifiex_adapter *adapter, u8 ep)
 static int mwifiex_usb_cmd_event_complete(struct mwifiex_adapter *adapter,
                                       struct sk_buff *skb)
 {
-        atomic_dec(&adapter->rx_pending);
        mwifiex_submit_rx_urb(adapter, MWIFIEX_USB_EP_CMD_EVENT);
        return 0;
 }
-static int mwifiex_usb_data_complete(struct mwifiex_adapter *adapter)
-{
-        atomic_dec(&adapter->rx_pending);
-        return 0;
-}
 /* This function wakes up the card. */
 static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter)
 {
@@ -986,6 +996,20 @@ static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter)
        return 0;
 }
+static void mwifiex_usb_submit_rem_rx_urbs(struct mwifiex_adapter *adapter)
+{
+        struct usb_card_rec *card = (struct usb_card_rec *)adapter->card;
+        int i;
+        struct urb_context *ctx;
+        for (i = 0; i < MWIFIEX_RX_DATA_URB; i++) {
+                if (card->rx_data_list[i].skb)
+                        continue;
+                ctx = &card->rx_data_list[i];
+                mwifiex_usb_submit_rx_urb(ctx, MWIFIEX_RX_DATA_BUF_SIZE);
+        }
+}
 static struct mwifiex_if_ops usb_ops = {
        .register_dev =         mwifiex_register_dev,
        .unregister_dev =       mwifiex_unregister_dev,
@@ -996,8 +1020,8 @@ static struct mwifiex_if_ops usb_ops = {
        .dnld_fw =              mwifiex_usb_dnld_fw,
        .cmdrsp_complete =      mwifiex_usb_cmd_event_complete,
        .event_complete =       mwifiex_usb_cmd_event_complete,
-        .data_complete =        mwifiex_usb_data_complete,
        .host_to_card =         mwifiex_usb_host_to_card,
+        .submit_rem_rx_urbs =   mwifiex_usb_submit_rem_rx_urbs,
 };
 /* This function initializes the USB driver module.
@@ -1048,5 +1072,6 @@ MODULE_AUTHOR("Marvell International Ltd.");
 MODULE_DESCRIPTION("Marvell WiFi-Ex USB Driver version" USB_VERSION);
 MODULE_VERSION(USB_VERSION);
 MODULE_LICENSE("GPL v2");
+MODULE_FIRMWARE(USB8766_DEFAULT_FW_NAME);
 MODULE_FIRMWARE(USB8797_DEFAULT_FW_NAME);
 MODULE_FIRMWARE(USB8897_DEFAULT_FW_NAME);
diff --git a/drivers/net/wireless/mwifiex/usb.h b/drivers/net/wireless/mwifiex/usb.h
index 4c41c2a193c5..a7cbba1355af 100644
--- a/drivers/net/wireless/mwifiex/usb.h
+++ b/drivers/net/wireless/mwifiex/usb.h
@@ -24,6 +24,8 @@
 #define USB8XXX_VID             0x1286
+#define USB8766_PID_1           0x2041
+#define USB8766_PID_2           0x2042
 #define USB8797_PID_1           0x2043
 #define USB8797_PID_2           0x2044
 #define USB8897_PID_1           0x2045
@@ -37,6 +39,7 @@
 #define MWIFIEX_RX_DATA_URB     6
 #define MWIFIEX_USB_TIMEOUT     100
+#define USB8766_DEFAULT_FW_NAME "mrvl/usb8766_uapsta.bin"
 #define USB8797_DEFAULT_FW_NAME "mrvl/usb8797_uapsta.bin"
 #define USB8897_DEFAULT_FW_NAME "mrvl/usb8897_uapsta.bin"
diff --git a/drivers/net/wireless/mwifiex/util.c b/drivers/net/wireless/mwifiex/util.c
index ec79c49de097..b1768fbf98f2 100644
--- a/drivers/net/wireless/mwifiex/util.c
+++ b/drivers/net/wireless/mwifiex/util.c
@@ -141,6 +141,38 @@ int mwifiex_get_debug_info(struct mwifiex_private *priv,
        return 0;
 }
+static int
+mwifiex_parse_mgmt_packet(struct mwifiex_private *priv, u8 *payload, u16 len,
+                          struct rxpd *rx_pd)
+{
+        u16 stype;
+        u8 category, action_code;
+        struct ieee80211_hdr *ieee_hdr = (void *)payload;
+        stype = (le16_to_cpu(ieee_hdr->frame_control) & IEEE80211_FCTL_STYPE);
+        switch (stype) {
+        case IEEE80211_STYPE_ACTION:
+                category = *(payload + sizeof(struct ieee80211_hdr));
+                action_code = *(payload + sizeof(struct ieee80211_hdr) + 1);
+                if (category == WLAN_CATEGORY_PUBLIC &&
+                    action_code == WLAN_PUB_ACTION_TDLS_DISCOVER_RES) {
+                        dev_dbg(priv->adapter->dev,
+                                "TDLS discovery response %pM nf=%d, snr=%d\n",
+                                ieee_hdr->addr2, rx_pd->nf, rx_pd->snr);
+                        mwifiex_auto_tdls_update_peer_signal(priv,
+                                                             ieee_hdr->addr2,
+                                                             rx_pd->snr,
+                                                             rx_pd->nf);
+                }
+                break;
+        default:
+                dev_dbg(priv->adapter->dev,
+                        "unknown mgmt frame subytpe %#x\n", stype);
+        }
+        return 0;
+}
 /*
 * This function processes the received management packet and send it
 * to the kernel.
@@ -151,6 +183,7 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
 {
        struct rxpd *rx_pd;
        u16 pkt_len;
+        struct ieee80211_hdr *ieee_hdr;
        if (!skb)
                return -1;
@@ -162,6 +195,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
        pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
+        ieee_hdr = (void *)skb->data;
+        if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
+                mwifiex_parse_mgmt_packet(priv, (u8 *)ieee_hdr,
+                                          pkt_len, rx_pd);
+        }
        /* Remove address4 */
        memmove(skb->data + sizeof(struct ieee80211_hdr_3addr),
                skb->data + sizeof(struct ieee80211_hdr),
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index 94c98a86ebbe..dc1f2adfafc2 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -523,6 +523,13 @@ static void mwifiex_wmm_delete_all_ralist(struct mwifiex_private *priv)
        }
 }
+static int mwifiex_free_ack_frame(int id, void *p, void *data)
+{
+        pr_warn("Have pending ack frames!\n");
+        kfree_skb(p);
+        return 0;
+}
 /*
 * This function cleans up the Tx and Rx queues.
 *
@@ -558,6 +565,9 @@ mwifiex_clean_txrx(struct mwifiex_private *priv)
        skb_queue_walk_safe(&priv->tdls_txq, skb, tmp)
                mwifiex_write_data_complete(priv->adapter, skb, 0, -1);
+        idr_for_each(&priv->ack_status_frames, mwifiex_free_ack_frame, NULL);
+        idr_destroy(&priv->ack_status_frames);
 }
 /*
diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
index ef1104476bd8..b8d1e04aa9b9 100644
--- a/drivers/net/wireless/mwl8k.c
+++ b/drivers/net/wireless/mwl8k.c
@@ -5548,7 +5548,9 @@ mwl8k_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
        return rc;
 }
-static void mwl8k_sw_scan_start(struct ieee80211_hw *hw)
+static void mwl8k_sw_scan_start(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif,
+                                const u8 *mac_addr)
 {
        struct mwl8k_priv *priv = hw->priv;
        u8 tmp;
@@ -5565,7 +5567,8 @@ static void mwl8k_sw_scan_start(struct ieee80211_hw *hw)
        priv->sw_scan_start = true;
 }
-static void mwl8k_sw_scan_complete(struct ieee80211_hw *hw)
+static void mwl8k_sw_scan_complete(struct ieee80211_hw *hw,
+                                   struct ieee80211_vif *vif)
 {
        struct mwl8k_priv *priv = hw->priv;
        u8 tmp;
diff --git a/drivers/net/wireless/p54/net2280.h b/drivers/net/wireless/p54/net2280.h
deleted file mode 100644
index aedfaf24f386..000000000000
--- a/drivers/net/wireless/p54/net2280.h
+++ /dev/null
@@ -1,451 +0,0 @@
-#ifndef NET2280_H
-#define NET2280_H
-/*
- * NetChip 2280 high/full speed USB device controller.
- * Unlike many such controllers, this one talks PCI.
- */
-/*
- * Copyright (C) 2002 NetChip Technology, Inc. (http://www.netchip.com)
- * Copyright (C) 2003 David Brownell
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-/*-------------------------------------------------------------------------*/
-/* NET2280 MEMORY MAPPED REGISTERS
- *
- * The register layout came from the chip documentation, and the bit
- * number definitions were extracted from chip specification.
- *
- * Use the shift operator ('<<') to build bit masks, with readl/writel
- * to access the registers through PCI.
- */
-/* main registers, BAR0 + 0x0000 */
-struct net2280_regs {
-        /* offset 0x0000 */
-        __le32                  devinit;
-#define LOCAL_CLOCK_FREQUENCY                                   8
-#define FORCE_PCI_RESET                                         7
-#define PCI_ID                                                  6
-#define PCI_ENABLE                                              5
-#define FIFO_SOFT_RESET                                         4
-#define CFG_SOFT_RESET                                          3
-#define PCI_SOFT_RESET                                          2
-#define USB_SOFT_RESET                                          1
-#define M8051_RESET                                             0
-        __le32                  eectl;
-#define EEPROM_ADDRESS_WIDTH                                    23
-#define EEPROM_CHIP_SELECT_ACTIVE                               22
-#define EEPROM_PRESENT                                          21
-#define EEPROM_VALID                                            20
-#define EEPROM_BUSY                                             19
-#define EEPROM_CHIP_SELECT_ENABLE                               18
-#define EEPROM_BYTE_READ_START                                  17
-#define EEPROM_BYTE_WRITE_START                                 16
-#define EEPROM_READ_DATA                                        8
-#define EEPROM_WRITE_DATA                                       0
-        __le32                  eeclkfreq;
-        u32                     _unused0;
-        /* offset 0x0010 */
-        __le32                  pciirqenb0;     /* interrupt PCI master ... */
-#define SETUP_PACKET_INTERRUPT_ENABLE                           7
-#define ENDPOINT_F_INTERRUPT_ENABLE                             6
-#define ENDPOINT_E_INTERRUPT_ENABLE                             5
-#define ENDPOINT_D_INTERRUPT_ENABLE                             4
-#define ENDPOINT_C_INTERRUPT_ENABLE                             3
-#define ENDPOINT_B_INTERRUPT_ENABLE                             2
-#define ENDPOINT_A_INTERRUPT_ENABLE                             1
-#define ENDPOINT_0_INTERRUPT_ENABLE                             0
-        __le32                  pciirqenb1;
-#define PCI_INTERRUPT_ENABLE                                    31
-#define POWER_STATE_CHANGE_INTERRUPT_ENABLE                     27
-#define PCI_ARBITER_TIMEOUT_INTERRUPT_ENABLE                    26
-#define PCI_PARITY_ERROR_INTERRUPT_ENABLE                       25
-#define PCI_MASTER_ABORT_RECEIVED_INTERRUPT_ENABLE              20
-#define PCI_TARGET_ABORT_RECEIVED_INTERRUPT_ENABLE              19
-#define PCI_TARGET_ABORT_ASSERTED_INTERRUPT_ENABLE              18
-#define PCI_RETRY_ABORT_INTERRUPT_ENABLE                        17
-#define PCI_MASTER_CYCLE_DONE_INTERRUPT_ENABLE                  16
-#define GPIO_INTERRUPT_ENABLE                                   13
-#define DMA_D_INTERRUPT_ENABLE                                  12
-#define DMA_C_INTERRUPT_ENABLE                                  11
-#define DMA_B_INTERRUPT_ENABLE                                  10
-#define DMA_A_INTERRUPT_ENABLE                                  9
-#define EEPROM_DONE_INTERRUPT_ENABLE                            8
-#define VBUS_INTERRUPT_ENABLE                                   7
-#define CONTROL_STATUS_INTERRUPT_ENABLE                         6
-#define ROOT_PORT_RESET_INTERRUPT_ENABLE                        4
-#define SUSPEND_REQUEST_INTERRUPT_ENABLE                        3
-#define SUSPEND_REQUEST_CHANGE_INTERRUPT_ENABLE                 2
-#define RESUME_INTERRUPT_ENABLE                                 1
-#define SOF_INTERRUPT_ENABLE                                    0
-        __le32                  cpu_irqenb0;    /* ... or onboard 8051 */
-#define SETUP_PACKET_INTERRUPT_ENABLE                           7
-#define ENDPOINT_F_INTERRUPT_ENABLE                             6
-#define ENDPOINT_E_INTERRUPT_ENABLE                             5
-#define ENDPOINT_D_INTERRUPT_ENABLE                             4
-#define ENDPOINT_C_INTERRUPT_ENABLE                             3
-#define ENDPOINT_B_INTERRUPT_ENABLE                             2
-#define ENDPOINT_A_INTERRUPT_ENABLE                             1
-#define ENDPOINT_0_INTERRUPT_ENABLE                             0
-        __le32                  cpu_irqenb1;
-#define CPU_INTERRUPT_ENABLE                                    31
-#define POWER_STATE_CHANGE_INTERRUPT_ENABLE                     27
-#define PCI_ARBITER_TIMEOUT_INTERRUPT_ENABLE                    26
-#define PCI_PARITY_ERROR_INTERRUPT_ENABLE                       25
-#define PCI_INTA_INTERRUPT_ENABLE                               24
-#define PCI_PME_INTERRUPT_ENABLE                                23
-#define PCI_SERR_INTERRUPT_ENABLE                               22
-#define PCI_PERR_INTERRUPT_ENABLE                               21
-#define PCI_MASTER_ABORT_RECEIVED_INTERRUPT_ENABLE              20
-#define PCI_TARGET_ABORT_RECEIVED_INTERRUPT_ENABLE              19
-#define PCI_RETRY_ABORT_INTERRUPT_ENABLE                        17
-#define PCI_MASTER_CYCLE_DONE_INTERRUPT_ENABLE                  16
-#define GPIO_INTERRUPT_ENABLE                                   13
-#define DMA_D_INTERRUPT_ENABLE                                  12
-#define DMA_C_INTERRUPT_ENABLE                                  11
-#define DMA_B_INTERRUPT_ENABLE                                  10
-#define DMA_A_INTERRUPT_ENABLE                                  9
-#define EEPROM_DONE_INTERRUPT_ENABLE                            8
-#define VBUS_INTERRUPT_ENABLE                                   7
-#define CONTROL_STATUS_INTERRUPT_ENABLE                         6
-#define ROOT_PORT_RESET_INTERRUPT_ENABLE                        4
-#define SUSPEND_REQUEST_INTERRUPT_ENABLE                        3
-#define SUSPEND_REQUEST_CHANGE_INTERRUPT_ENABLE                 2
-#define RESUME_INTERRUPT_ENABLE                                 1
-#define SOF_INTERRUPT_ENABLE                                    0
-        /* offset 0x0020 */
-        u32                     _unused1;
-        __le32                  usbirqenb1;
-#define USB_INTERRUPT_ENABLE                                    31
-#define POWER_STATE_CHANGE_INTERRUPT_ENABLE                     27
-#define PCI_ARBITER_TIMEOUT_INTERRUPT_ENABLE                    26
-#define PCI_PARITY_ERROR_INTERRUPT_ENABLE                       25
-#define PCI_INTA_INTERRUPT_ENABLE                               24
-#define PCI_PME_INTERRUPT_ENABLE                                23
-#define PCI_SERR_INTERRUPT_ENABLE                               22
-#define PCI_PERR_INTERRUPT_ENABLE                               21
-#define PCI_MASTER_ABORT_RECEIVED_INTERRUPT_ENABLE              20
-#define PCI_TARGET_ABORT_RECEIVED_INTERRUPT_ENABLE              19
-#define PCI_RETRY_ABORT_INTERRUPT_ENABLE                        17
-#define PCI_MASTER_CYCLE_DONE_INTERRUPT_ENABLE                  16
-#define GPIO_INTERRUPT_ENABLE                                   13
-#define DMA_D_INTERRUPT_ENABLE                                  12
-#define DMA_C_INTERRUPT_ENABLE                                  11
-#define DMA_B_INTERRUPT_ENABLE                                  10
-#define DMA_A_INTERRUPT_ENABLE                                  9
-#define EEPROM_DONE_INTERRUPT_ENABLE                            8
-#define VBUS_INTERRUPT_ENABLE                                   7
-#define CONTROL_STATUS_INTERRUPT_ENABLE                         6
-#define ROOT_PORT_RESET_INTERRUPT_ENABLE                        4
-#define SUSPEND_REQUEST_INTERRUPT_ENABLE                        3
-#define SUSPEND_REQUEST_CHANGE_INTERRUPT_ENABLE                 2
-#define RESUME_INTERRUPT_ENABLE                                 1
-#define SOF_INTERRUPT_ENABLE                                    0
-        __le32                  irqstat0;
-#define INTA_ASSERTED                                           12
-#define SETUP_PACKET_INTERRUPT                                  7
-#define ENDPOINT_F_INTERRUPT                                    6
-#define ENDPOINT_E_INTERRUPT                                    5
-#define ENDPOINT_D_INTERRUPT                                    4
-#define ENDPOINT_C_INTERRUPT                                    3
-#define ENDPOINT_B_INTERRUPT                                    2
-#define ENDPOINT_A_INTERRUPT                                    1
-#define ENDPOINT_0_INTERRUPT                                    0
-        __le32                  irqstat1;
-#define POWER_STATE_CHANGE_INTERRUPT                            27
-#define PCI_ARBITER_TIMEOUT_INTERRUPT                           26
-#define PCI_PARITY_ERROR_INTERRUPT                              25
-#define PCI_INTA_INTERRUPT                                      24
-#define PCI_PME_INTERRUPT                                       23
-#define PCI_SERR_INTERRUPT                                      22
-#define PCI_PERR_INTERRUPT                                      21
-#define PCI_MASTER_ABORT_RECEIVED_INTERRUPT                     20
-#define PCI_TARGET_ABORT_RECEIVED_INTERRUPT                     19
-#define PCI_RETRY_ABORT_INTERRUPT                               17
-#define PCI_MASTER_CYCLE_DONE_INTERRUPT                         16
-#define GPIO_INTERRUPT                                          13
-#define DMA_D_INTERRUPT                                         12
-#define DMA_C_INTERRUPT                                         11
-#define DMA_B_INTERRUPT                                         10
-#define DMA_A_INTERRUPT                                         9
-#define EEPROM_DONE_INTERRUPT                                   8
-#define VBUS_INTERRUPT                                          7
-#define CONTROL_STATUS_INTERRUPT                                6
-#define ROOT_PORT_RESET_INTERRUPT                               4
-#define SUSPEND_REQUEST_INTERRUPT                               3
-#define SUSPEND_REQUEST_CHANGE_INTERRUPT                        2
-#define RESUME_INTERRUPT                                        1
-#define SOF_INTERRUPT                                           0
-        /* offset 0x0030 */
-        __le32                  idxaddr;
-        __le32                  idxdata;
-        __le32                  fifoctl;
-#define PCI_BASE2_RANGE                                         16
-#define IGNORE_FIFO_AVAILABILITY                                3
-#define PCI_BASE2_SELECT                                        2
-#define FIFO_CONFIGURATION_SELECT                               0
-        u32                     _unused2;
-        /* offset 0x0040 */
-        __le32                  memaddr;
-#define START                                                   28
-#define DIRECTION                                               27
-#define FIFO_DIAGNOSTIC_SELECT                                  24
-#define MEMORY_ADDRESS                                          0
-        __le32                  memdata0;
-        __le32                  memdata1;
-        u32                     _unused3;
-        /* offset 0x0050 */
-        __le32                  gpioctl;
-#define GPIO3_LED_SELECT                                        12
-#define GPIO3_INTERRUPT_ENABLE                                  11
-#define GPIO2_INTERRUPT_ENABLE                                  10
-#define GPIO1_INTERRUPT_ENABLE                                  9
-#define GPIO0_INTERRUPT_ENABLE                                  8
-#define GPIO3_OUTPUT_ENABLE                                     7
-#define GPIO2_OUTPUT_ENABLE                                     6
-#define GPIO1_OUTPUT_ENABLE                                     5
-#define GPIO0_OUTPUT_ENABLE                                     4
-#define GPIO3_DATA                                              3
-#define GPIO2_DATA                                              2
-#define GPIO1_DATA                                              1
-#define GPIO0_DATA                                              0
-        __le32                  gpiostat;
-#define GPIO3_INTERRUPT                                         3
-#define GPIO2_INTERRUPT                                         2
-#define GPIO1_INTERRUPT                                         1
-#define GPIO0_INTERRUPT                                         0
-} __packed;
-/* usb control, BAR0 + 0x0080 */
-struct net2280_usb_regs {
-        /* offset 0x0080 */
-        __le32                  stdrsp;
-#define STALL_UNSUPPORTED_REQUESTS                              31
-#define SET_TEST_MODE                                           16
-#define GET_OTHER_SPEED_CONFIGURATION                           15
-#define GET_DEVICE_QUALIFIER                                    14
-#define SET_ADDRESS                                             13
-#define ENDPOINT_SET_CLEAR_HALT                                 12
-#define DEVICE_SET_CLEAR_DEVICE_REMOTE_WAKEUP                   11
-#define GET_STRING_DESCRIPTOR_2                                 10
-#define GET_STRING_DESCRIPTOR_1                                 9
-#define GET_STRING_DESCRIPTOR_0                                 8
-#define GET_SET_INTERFACE                                       6
-#define GET_SET_CONFIGURATION                                   5
-#define GET_CONFIGURATION_DESCRIPTOR                            4
-#define GET_DEVICE_DESCRIPTOR                                   3
-#define GET_ENDPOINT_STATUS                                     2
-#define GET_INTERFACE_STATUS                                    1
-#define GET_DEVICE_STATUS                                       0
-        __le32                  prodvendid;
-#define     PRODUCT_ID                                          16
-#define     VENDOR_ID                                           0
-        __le32                  relnum;
-        __le32                  usbctl;
-#define SERIAL_NUMBER_INDEX                                     16
-#define PRODUCT_ID_STRING_ENABLE                                13
-#define VENDOR_ID_STRING_ENABLE                                 12
-#define USB_ROOT_PORT_WAKEUP_ENABLE                             11
-#define VBUS_PIN                                                10
-#define TIMED_DISCONNECT                                        9
-#define SUSPEND_IMMEDIATELY                                     7
-#define SELF_POWERED_USB_DEVICE                                 6
-#define REMOTE_WAKEUP_SUPPORT                                   5
-#define PME_POLARITY                                            4
-#define USB_DETECT_ENABLE                                       3
-#define PME_WAKEUP_ENABLE                                       2
-#define DEVICE_REMOTE_WAKEUP_ENABLE                             1
-#define SELF_POWERED_STATUS                                     0
-        /* offset 0x0090 */
-        __le32                  usbstat;
-#define HIGH_SPEED                                              7
-#define FULL_SPEED                                              6
-#define GENERATE_RESUME                                         5
-#define GENERATE_DEVICE_REMOTE_WAKEUP                           4
-        __le32                  xcvrdiag;
-#define FORCE_HIGH_SPEED_MODE                                   31
-#define FORCE_FULL_SPEED_MODE                                   30
-#define USB_TEST_MODE                                           24
-#define LINE_STATE                                              16
-#define TRANSCEIVER_OPERATION_MODE                              2
-#define TRANSCEIVER_SELECT                                      1
-#define TERMINATION_SELECT                                      0
-        __le32                  setup0123;
-        __le32                  setup4567;
-        /* offset 0x0090 */
-        u32                     _unused0;
-        __le32                  ouraddr;
-#define FORCE_IMMEDIATE                                         7
-#define OUR_USB_ADDRESS                                         0
-        __le32                  ourconfig;
-} __packed;
-/* pci control, BAR0 + 0x0100 */
-struct net2280_pci_regs {
-        /* offset 0x0100 */
-        __le32                  pcimstctl;
-#define PCI_ARBITER_PARK_SELECT                                 13
-#define PCI_MULTI LEVEL_ARBITER                                 12
-#define PCI_RETRY_ABORT_ENABLE                                  11
-#define DMA_MEMORY_WRITE_AND_INVALIDATE_ENABLE                  10
-#define DMA_READ_MULTIPLE_ENABLE                                9
-#define DMA_READ_LINE_ENABLE                                    8
-#define PCI_MASTER_COMMAND_SELECT                               6
-#define         MEM_READ_OR_WRITE                               0
-#define         IO_READ_OR_WRITE                                1
-#define         CFG_READ_OR_WRITE                               2
-#define PCI_MASTER_START                                        5
-#define PCI_MASTER_READ_WRITE                                   4
-#define         PCI_MASTER_WRITE                                0
-#define         PCI_MASTER_READ                                 1
-#define PCI_MASTER_BYTE_WRITE_ENABLES                           0
-        __le32                  pcimstaddr;
-        __le32                  pcimstdata;
-        __le32                  pcimststat;
-#define PCI_ARBITER_CLEAR                                       2
-#define PCI_EXTERNAL_ARBITER                                    1
-#define PCI_HOST_MODE                                           0
-} __packed;
-/* dma control, BAR0 + 0x0180 ... array of four structs like this,
- * for channels 0..3.  see also struct net2280_dma:  descriptor
- * that can be loaded into some of these registers.
- */
-struct net2280_dma_regs {       /* [11.7] */
-        /* offset 0x0180, 0x01a0, 0x01c0, 0x01e0, */
-        __le32                  dmactl;
-#define DMA_SCATTER_GATHER_DONE_INTERRUPT_ENABLE                25
-#define DMA_CLEAR_COUNT_ENABLE                                  21
-#define DESCRIPTOR_POLLING_RATE                                 19
-#define         POLL_CONTINUOUS                                 0
-#define         POLL_1_USEC                                     1
-#define         POLL_100_USEC                                   2
-#define         POLL_1_MSEC                                     3
-#define DMA_VALID_BIT_POLLING_ENABLE                            18
-#define DMA_VALID_BIT_ENABLE                                    17
-#define DMA_SCATTER_GATHER_ENABLE                               16
-#define DMA_OUT_AUTO_START_ENABLE                               4
-#define DMA_PREEMPT_ENABLE                                      3
-#define DMA_FIFO_VALIDATE                                       2
-#define DMA_ENABLE                                              1
-#define DMA_ADDRESS_HOLD                                        0
-        __le32                  dmastat;
-#define DMA_SCATTER_GATHER_DONE_INTERRUPT                       25
-#define DMA_TRANSACTION_DONE_INTERRUPT                          24
-#define DMA_ABORT                                               1
-#define DMA_START                                               0
-        u32                     _unused0[2];
-        /* offset 0x0190, 0x01b0, 0x01d0, 0x01f0, */
-        __le32                  dmacount;
-#define VALID_BIT                                               31
-#define DMA_DIRECTION                                           30
-#define DMA_DONE_INTERRUPT_ENABLE                               29
-#define END_OF_CHAIN                                            28
-#define DMA_BYTE_COUNT_MASK                                     ((1<<24)-1)
-#define DMA_BYTE_COUNT                                          0
-        __le32                  dmaaddr;
-        __le32                  dmadesc;
-        u32                     _unused1;
-} __packed;
-/* dedicated endpoint registers, BAR0 + 0x0200 */
-struct net2280_dep_regs {       /* [11.8] */
-        /* offset 0x0200, 0x0210, 0x220, 0x230, 0x240 */
-        __le32                  dep_cfg;
-        /* offset 0x0204, 0x0214, 0x224, 0x234, 0x244 */
-        __le32                  dep_rsp;
-        u32                     _unused[2];
-} __packed;
-/* configurable endpoint registers, BAR0 + 0x0300 ... array of seven structs
- * like this, for ep0 then the configurable endpoints A..F
- * ep0 reserved for control; E and F have only 64 bytes of fifo
- */
-struct net2280_ep_regs {        /* [11.9] */
-        /* offset 0x0300, 0x0320, 0x0340, 0x0360, 0x0380, 0x03a0, 0x03c0 */
-        __le32                  ep_cfg;
-#define ENDPOINT_BYTE_COUNT                                     16
-#define ENDPOINT_ENABLE                                         10
-#define ENDPOINT_TYPE                                           8
-#define ENDPOINT_DIRECTION                                      7
-#define ENDPOINT_NUMBER                                         0
-        __le32                  ep_rsp;
-#define SET_NAK_OUT_PACKETS                                     15
-#define SET_EP_HIDE_STATUS_PHASE                                14
-#define SET_EP_FORCE_CRC_ERROR                                  13
-#define SET_INTERRUPT_MODE                                      12
-#define SET_CONTROL_STATUS_PHASE_HANDSHAKE                      11
-#define SET_NAK_OUT_PACKETS_MODE                                10
-#define SET_ENDPOINT_TOGGLE                                     9
-#define SET_ENDPOINT_HALT                                       8
-#define CLEAR_NAK_OUT_PACKETS                                   7
-#define CLEAR_EP_HIDE_STATUS_PHASE                              6
-#define CLEAR_EP_FORCE_CRC_ERROR                                5
-#define CLEAR_INTERRUPT_MODE                                    4
-#define CLEAR_CONTROL_STATUS_PHASE_HANDSHAKE                    3
-#define CLEAR_NAK_OUT_PACKETS_MODE                              2
-#define CLEAR_ENDPOINT_TOGGLE                                   1
-#define CLEAR_ENDPOINT_HALT                                     0
-        __le32                  ep_irqenb;
-#define SHORT_PACKET_OUT_DONE_INTERRUPT_ENABLE                  6
-#define SHORT_PACKET_TRANSFERRED_INTERRUPT_ENABLE               5
-#define DATA_PACKET_RECEIVED_INTERRUPT_ENABLE                   3
-#define DATA_PACKET_TRANSMITTED_INTERRUPT_ENABLE                2
-#define DATA_OUT_PING_TOKEN_INTERRUPT_ENABLE                    1
-#define DATA_IN_TOKEN_INTERRUPT_ENABLE                          0
-        __le32                  ep_stat;
-#define FIFO_VALID_COUNT                                        24
-#define HIGH_BANDWIDTH_OUT_TRANSACTION_PID                      22
-#define TIMEOUT                                                 21
-#define USB_STALL_SENT                                          20
-#define USB_IN_NAK_SENT                                         19
-#define USB_IN_ACK_RCVD                                         18
-#define USB_OUT_PING_NAK_SENT                                   17
-#define USB_OUT_ACK_SENT                                        16
-#define FIFO_OVERFLOW                                           13
-#define FIFO_UNDERFLOW                                          12
-#define FIFO_FULL                                               11
-#define FIFO_EMPTY                                              10
-#define FIFO_FLUSH                                              9
-#define SHORT_PACKET_OUT_DONE_INTERRUPT                         6
-#define SHORT_PACKET_TRANSFERRED_INTERRUPT                      5
-#define NAK_OUT_PACKETS                                         4
-#define DATA_PACKET_RECEIVED_INTERRUPT                          3
-#define DATA_PACKET_TRANSMITTED_INTERRUPT                       2
-#define DATA_OUT_PING_TOKEN_INTERRUPT                           1
-#define DATA_IN_TOKEN_INTERRUPT                                 0
-        /* offset 0x0310, 0x0330, 0x0350, 0x0370, 0x0390, 0x03b0, 0x03d0 */
-        __le32                  ep_avail;
-        __le32                  ep_data;
-        u32                     _unused0[2];
-} __packed;
-struct net2280_reg_write {
-        __le16 port;
-        __le32 addr;
-        __le32 val;
-} __packed;
-struct net2280_reg_read {
-        __le16 port;
-        __le32 addr;
-} __packed;
-#endif /* NET2280_H */
diff --git a/drivers/net/wireless/p54/p54usb.h b/drivers/net/wireless/p54/p54usb.h
index d273be7272b9..a5f5f0fea3bd 100644
--- a/drivers/net/wireless/p54/p54usb.h
+++ b/drivers/net/wireless/p54/p54usb.h
@@ -16,7 +16,7 @@
 /* for isl3886 register definitions used on ver 1 devices */
 #include "p54pci.h"
-#include "net2280.h"
+#include <linux/usb/net2280.h>
 /* pci */
 #define NET2280_BASE            0x10000000
@@ -93,6 +93,17 @@ enum net2280_op_type {
        NET2280_DEV_CFG_U16     = 0x0883
 };
+struct net2280_reg_write {
+        __le16 port;
+        __le32 addr;
+        __le32 val;
+} __packed;
+struct net2280_reg_read {
+        __le16 port;
+        __le32 addr;
+} __packed;
 #define P54U_FW_BLOCK 2048
 #define X2_SIGNATURE "x2  "
diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c
index c878e3f3993c..05c64597838d 100644
--- a/drivers/net/wireless/rt2x00/rt2500usb.c
+++ b/drivers/net/wireless/rt2x00/rt2500usb.c
@@ -47,7 +47,7 @@ MODULE_PARM_DESC(nohwcrypt, "Disable hardware encryption.");
 * BBP and RF register require indirect register access,
 * and use the CSR registers BBPCSR and RFCSR to achieve this.
 * These indirect registers work with busy bits,
- * and we will try maximal REGISTER_BUSY_COUNT times to access
+ * and we will try maximal REGISTER_USB_BUSY_COUNT times to access
 * the register while taking a REGISTER_BUSY_DELAY us delay
 * between each attampt. When the busy bit is still set at that time,
 * the access attempt is considered to have failed,
@@ -122,7 +122,7 @@ static int rt2500usb_regbusy_read(struct rt2x00_dev *rt2x00dev,
 {
        unsigned int i;
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        for (i = 0; i < REGISTER_USB_BUSY_COUNT; i++) {
                rt2500usb_register_read_lock(rt2x00dev, offset, reg);
                if (!rt2x00_get_field16(*reg, field))
                        return 1;
@@ -904,7 +904,7 @@ static int rt2500usb_wait_bbp_ready(struct rt2x00_dev *rt2x00dev)
        unsigned int i;
        u8 value;
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        for (i = 0; i < REGISTER_USB_BUSY_COUNT; i++) {
                rt2500usb_bbp_read(rt2x00dev, 0, &value);
                if ((value != 0xff) && (value != 0x00))
                        return 0;
@@ -1023,7 +1023,7 @@ static int rt2500usb_set_state(struct rt2x00_dev *rt2x00dev,
         * We must wait until the register indicates that the
         * device has entered the correct state.
         */
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        for (i = 0; i < REGISTER_USB_BUSY_COUNT; i++) {
                rt2500usb_register_read(rt2x00dev, MAC_CSR17, &reg2);
                bbp_state = rt2x00_get_field16(reg2, MAC_CSR17_BBP_CURR_STATE);
                rf_state = rt2x00_get_field16(reg2, MAC_CSR17_RF_CURR_STATE);
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
index 9f57a2db791c..81ee481487cf 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -4119,7 +4119,20 @@ static void rt2800_config_txpower_rt28xx(struct rt2x00_dev *rt2x00dev,
         * expected. We adjust it, based on TSSI reference and boundaries values
         * provided in EEPROM.
         */
-        delta += rt2800_get_gain_calibration_delta(rt2x00dev);
+        switch (rt2x00dev->chip.rt) {
+        case RT2860:
+        case RT2872:
+        case RT2883:
+        case RT3070:
+        case RT3071:
+        case RT3090:
+        case RT3572:
+                delta += rt2800_get_gain_calibration_delta(rt2x00dev);
+                break;
+        default:
+                /* TODO: temperature compensation code for other chips. */
+                break;
+        }
        /*
         * Decrease power according to user settings, on devices with unknown
@@ -4136,25 +4149,19 @@ static void rt2800_config_txpower_rt28xx(struct rt2x00_dev *rt2x00dev,
         * TODO: we do not use +6 dBm option to do not increase power beyond
         * regulatory limit, however this could be utilized for devices with
         * CAPABILITY_POWER_LIMIT.
-         *
+         */
-         * TODO: add different temperature compensation code for RT3290 & RT5390
+        if (delta <= -12) {
-         * to allow to use BBP_R1 for those chips.
+                power_ctrl = 2;
-         */
+                delta += 12;
-        if (!rt2x00_rt(rt2x00dev, RT3290) &&
+        } else if (delta <= -6) {
-            !rt2x00_rt(rt2x00dev, RT5390)) {
+                power_ctrl = 1;
-                rt2800_bbp_read(rt2x00dev, 1, &r1);
+                delta += 6;
-                if (delta <= -12) {
+        } else {
-                        power_ctrl = 2;
+                power_ctrl = 0;
-                        delta += 12;
-                } else if (delta <= -6) {
-                        power_ctrl = 1;
-                        delta += 6;
-                } else {
-                        power_ctrl = 0;
-                }
-                rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl);
-                rt2800_bbp_write(rt2x00dev, 1, r1);
        }
+        rt2800_bbp_read(rt2x00dev, 1, &r1);
+        rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl);
+        rt2800_bbp_write(rt2x00dev, 1, r1);
        offset = TX_PWR_CFG_0;
diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
index 573897b8e878..8444313eabe2 100644
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -1111,6 +1111,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
        /* Ovislink */
        { USB_DEVICE(0x1b75, 0x3071) },
        { USB_DEVICE(0x1b75, 0x3072) },
+        { USB_DEVICE(0x1b75, 0xa200) },
        /* Para */
        { USB_DEVICE(0x20b8, 0x8888) },
        /* Pegatron */
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index d13f25cd70d5..9bb398bed9bb 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -1019,9 +1019,12 @@ struct rt2x00_bar_list_entry {
 * Register defines.
 * Some registers require multiple attempts before success,
 * in those cases REGISTER_BUSY_COUNT attempts should be
- * taken with a REGISTER_BUSY_DELAY interval.
+ * taken with a REGISTER_BUSY_DELAY interval. Due to USB
+ * bus delays, we do not have to loop so many times to wait
+ * for valid register value on that bus.
 */
 #define REGISTER_BUSY_COUNT     100
+#define REGISTER_USB_BUSY_COUNT 20
 #define REGISTER_BUSY_DELAY     100
 /*
@@ -1437,8 +1440,11 @@ int rt2x00mac_sta_add(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                      struct ieee80211_sta *sta);
 int rt2x00mac_sta_remove(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                         struct ieee80211_sta *sta);
-void rt2x00mac_sw_scan_start(struct ieee80211_hw *hw);
+void rt2x00mac_sw_scan_start(struct ieee80211_hw *hw,
-void rt2x00mac_sw_scan_complete(struct ieee80211_hw *hw);
+                             struct ieee80211_vif *vif,
+                             const u8 *mac_addr);
+void rt2x00mac_sw_scan_complete(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif);
 int rt2x00mac_get_stats(struct ieee80211_hw *hw,
                        struct ieee80211_low_level_stats *stats);
 void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
index ad6e5a8d1e10..cb40245a0695 100644
--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
@@ -568,7 +568,9 @@ int rt2x00mac_sta_remove(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 }
 EXPORT_SYMBOL_GPL(rt2x00mac_sta_remove);
-void rt2x00mac_sw_scan_start(struct ieee80211_hw *hw)
+void rt2x00mac_sw_scan_start(struct ieee80211_hw *hw,
+                             struct ieee80211_vif *vif,
+                             const u8 *mac_addr)
 {
        struct rt2x00_dev *rt2x00dev = hw->priv;
        set_bit(DEVICE_STATE_SCANNING, &rt2x00dev->flags);
@@ -576,7 +578,8 @@ void rt2x00mac_sw_scan_start(struct ieee80211_hw *hw)
 }
 EXPORT_SYMBOL_GPL(rt2x00mac_sw_scan_start);
-void rt2x00mac_sw_scan_complete(struct ieee80211_hw *hw)
+void rt2x00mac_sw_scan_complete(struct ieee80211_hw *hw,
+                                struct ieee80211_vif *vif)
 {
        struct rt2x00_dev *rt2x00dev = hw->priv;
        clear_bit(DEVICE_STATE_SCANNING, &rt2x00dev->flags);
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 8e68f87ab13c..66ff36447b94 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -158,55 +158,29 @@ void rt2x00queue_align_frame(struct sk_buff *skb)
        skb_trim(skb, frame_length);
 }
-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
+/*
+ * H/W needs L2 padding between the header and the paylod if header size
+ * is not 4 bytes aligned.
+ */
+void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
 {
-        unsigned int payload_length = skb->len - header_length;
+        unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
-        unsigned int header_align = ALIGN_SIZE(skb, 0);
-        unsigned int payload_align = ALIGN_SIZE(skb, header_length);
-        unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
-        /*
+        if (!l2pad)
-         * Adjust the header alignment if the payload needs to be moved more
-         * than the header.
-         */
-        if (payload_align > header_align)
-                header_align += 4;
-        /* There is nothing to do if no alignment is needed */
-        if (!header_align)
                return;
-        /* Reserve the amount of space needed in front of the frame */
+        skb_push(skb, l2pad);
-        skb_push(skb, header_align);
+        memmove(skb->data, skb->data + l2pad, hdr_len);
-        /*
-         * Move the header.
-         */
-        memmove(skb->data, skb->data + header_align, header_length);
-        /* Move the payload, if present and if required */
-        if (payload_length && payload_align)
-                memmove(skb->data + header_length + l2pad,
-                        skb->data + header_length + l2pad + payload_align,
-                        payload_length);
-        /* Trim the skb to the correct size */
-        skb_trim(skb, header_length + l2pad + payload_length);
 }
-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
+void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
 {
-        /*
+        unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
-         * L2 padding is only present if the skb contains more than just the
-         * IEEE 802.11 header.
-         */
-        unsigned int l2pad = (skb->len > header_length) ?
-                                L2PAD_SIZE(header_length) : 0;
        if (!l2pad)
                return;
-        memmove(skb->data + l2pad, skb->data, header_length);
+        memmove(skb->data + l2pad, skb->data, hdr_len);
        skb_pull(skb, l2pad);
 }
diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.c b/drivers/net/wireless/rt2x00/rt2x00usb.c
index dc85d3e0ffe5..892270dd3e7b 100644
--- a/drivers/net/wireless/rt2x00/rt2x00usb.c
+++ b/drivers/net/wireless/rt2x00/rt2x00usb.c
@@ -42,37 +42,27 @@ int rt2x00usb_vendor_request(struct rt2x00_dev *rt2x00dev,
 {
        struct usb_device *usb_dev = to_usb_device_intf(rt2x00dev->dev);
        int status;
-        unsigned int i;
        unsigned int pipe =
            (requesttype == USB_VENDOR_REQUEST_IN) ?
            usb_rcvctrlpipe(usb_dev, 0) : usb_sndctrlpipe(usb_dev, 0);
+        unsigned long expire = jiffies + msecs_to_jiffies(timeout);
        if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
                return -ENODEV;
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        do {
                status = usb_control_msg(usb_dev, pipe, request, requesttype,
                                         value, offset, buffer, buffer_length,
-                                         timeout);
+                                         timeout / 2);
                if (status >= 0)
                        return 0;
-                /*
+                if (status == -ENODEV) {
-                 * Check for errors
+                        /* Device has disappeared. */
-                 * -ENODEV: Device has disappeared, no point continuing.
-                 * All other errors: Try again.
-                 */
-                else if (status == -ENODEV) {
                        clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
                        break;
                }
-        }
+        } while (time_before(jiffies, expire));
-        /* If the port is powered down, we get a -EPROTO error, and this
-         * leads to a endless loop. So just say that the device is gone.
-         */
-        if (status == -EPROTO)
-                clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
        rt2x00_err(rt2x00dev,
                   "Vendor Request 0x%02x failed for offset 0x%04x with error %d\n",
@@ -154,7 +144,7 @@ int rt2x00usb_regbusy_read(struct rt2x00_dev *rt2x00dev,
        if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
                return -ENODEV;
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        for (i = 0; i < REGISTER_USB_BUSY_COUNT; i++) {
                rt2x00usb_register_read_lock(rt2x00dev, offset, reg);
                if (!rt2x00_get_field32(*reg, field))
                        return 1;
diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.h b/drivers/net/wireless/rt2x00/rt2x00usb.h
index 819690e978c0..8f85fbd5f237 100644
--- a/drivers/net/wireless/rt2x00/rt2x00usb.h
+++ b/drivers/net/wireless/rt2x00/rt2x00usb.h
@@ -38,7 +38,7 @@
 * a higher value is required. In that case we use the REGISTER_TIMEOUT_FIRMWARE
 * and EEPROM_TIMEOUT.
 */
-#define REGISTER_TIMEOUT                500
+#define REGISTER_TIMEOUT                100
 #define REGISTER_TIMEOUT_FIRMWARE       1000
 #define EEPROM_TIMEOUT                  2000
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 95724ff9c726..a5458cf01fb2 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -1295,7 +1295,7 @@ static int rt73usb_wait_bbp_ready(struct rt2x00_dev *rt2x00dev)
        unsigned int i;
        u8 value;
-        for (i = 0; i < REGISTER_BUSY_COUNT; i++) {
+        for (i = 0; i < REGISTER_USB_BUSY_COUNT; i++) {
                rt73usb_bbp_read(rt2x00dev, 0, &value);
                if ((value != 0xff) && (value != 0x00))
                        return 0;
diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c
index 58ba71830886..40b6d1d006d7 100644
--- a/drivers/net/wireless/rtlwifi/base.c
+++ b/drivers/net/wireless/rtlwifi/base.c
@@ -467,7 +467,7 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
                    rtl_easy_concurrent_retrytimer_callback, (unsigned long)hw);
        /* <2> work queue */
        rtlpriv->works.hw = hw;
-        rtlpriv->works.rtl_wq = alloc_workqueue(rtlpriv->cfg->name, 0, 0);
+        rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
        INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
                          (void *)rtl_watchdog_wq_callback);
        INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
diff --git a/drivers/net/wireless/rtlwifi/core.c b/drivers/net/wireless/rtlwifi/core.c
index f6179bc06086..5fc6f52641bd 100644
--- a/drivers/net/wireless/rtlwifi/core.c
+++ b/drivers/net/wireless/rtlwifi/core.c
@@ -786,6 +786,7 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                                    unsigned int changed_flags,
                                    unsigned int *new_flags, u64 multicast)
 {
+        bool update_rcr = false;
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
@@ -806,6 +807,7 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                        RT_TRACE(rtlpriv, COMP_MAC80211, DBG_LOUD,
                                 "Disable receive multicast frame\n");
                }
+                update_rcr = true;
        }
        if (changed_flags & FIF_FCSFAIL) {
@@ -818,6 +820,8 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                        RT_TRACE(rtlpriv, COMP_MAC80211, DBG_LOUD,
                                 "Disable receive FCS error frame\n");
                }
+                if (!update_rcr)
+                        update_rcr = true;
        }
        /* if ssid not set to hw don't check bssid
@@ -832,6 +836,8 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                                rtlpriv->cfg->ops->set_chk_bssid(hw, false);
                        else
                                rtlpriv->cfg->ops->set_chk_bssid(hw, true);
+                        if (update_rcr)
+                                update_rcr = false;
                }
        }
@@ -846,6 +852,8 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                        RT_TRACE(rtlpriv, COMP_MAC80211, DBG_LOUD,
                                 "Disable receive control frame.\n");
                }
+                if (!update_rcr)
+                        update_rcr = true;
        }
        if (changed_flags & FIF_OTHER_BSS) {
@@ -858,7 +866,13 @@ static void rtl_op_configure_filter(struct ieee80211_hw *hw,
                        RT_TRACE(rtlpriv, COMP_MAC80211, DBG_LOUD,
                                 "Disable receive other BSS's frame.\n");
                }
+                if (!update_rcr)
+                        update_rcr = true;
        }
+        if (update_rcr)
+                rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR,
+                                              (u8 *)(&mac->rx_conf));
 }
 static int rtl_op_sta_add(struct ieee80211_hw *hw,
                         struct ieee80211_vif *vif,
@@ -1361,7 +1375,9 @@ static int rtl_op_ampdu_action(struct ieee80211_hw *hw,
        return 0;
 }
-static void rtl_op_sw_scan_start(struct ieee80211_hw *hw)
+static void rtl_op_sw_scan_start(struct ieee80211_hw *hw,
+                                 struct ieee80211_vif *vif,
+                                 const u8 *mac_addr)
 {
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
@@ -1396,7 +1412,8 @@ static void rtl_op_sw_scan_start(struct ieee80211_hw *hw)
        rtlpriv->cfg->ops->scan_operation_backup(hw, SCAN_OPT_BACKUP_BAND0);
 }
-static void rtl_op_sw_scan_complete(struct ieee80211_hw *hw)
+static void rtl_op_sw_scan_complete(struct ieee80211_hw *hw,
+                                    struct ieee80211_vif *vif)
 {
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
@@ -1828,3 +1845,9 @@ const struct ieee80211_ops rtl_ops = {
        .flush = rtl_op_flush,
 };
 EXPORT_SYMBOL_GPL(rtl_ops);
+bool rtl_btc_status_false(void)
+{
+        return false;
+}
+EXPORT_SYMBOL_GPL(rtl_btc_status_false);
diff --git a/drivers/net/wireless/rtlwifi/core.h b/drivers/net/wireless/rtlwifi/core.h
index 59cd3b9dca25..624e1dc16d31 100644
--- a/drivers/net/wireless/rtlwifi/core.h
+++ b/drivers/net/wireless/rtlwifi/core.h
@@ -42,5 +42,6 @@ void rtl_rfreg_delay(struct ieee80211_hw *hw, enum radio_path rfpath, u32 addr,
                     u32 mask, u32 data);
 void rtl_bb_delay(struct ieee80211_hw *hw, u32 addr, u32 data);
 bool rtl_cmd_send_packet(struct ieee80211_hw *hw, struct sk_buff *skb);
+bool rtl_btc_status_false(void);
 #endif
diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
index 667aba81246c..61f5d36eca6a 100644
--- a/drivers/net/wireless/rtlwifi/pci.c
+++ b/drivers/net/wireless/rtlwifi/pci.c
@@ -842,7 +842,8 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
                        break;
                }
                /* handle command packet here */
-                if (rtlpriv->cfg->ops->rx_command_packet(hw, stats, skb)) {
+                if (rtlpriv->cfg->ops->rx_command_packet &&
+                    rtlpriv->cfg->ops->rx_command_packet(hw, stats, skb)) {
                                dev_kfree_skb_any(skb);
                                goto end;
                }
@@ -1127,9 +1128,14 @@ static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw)
        __skb_queue_tail(&ring->queue, pskb);
-        rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc, true, HW_DESC_OWN,
+        if (rtlpriv->use_new_trx_flow) {
-                                    &temp_one);
+                temp_one = 4;
+                rtlpriv->cfg->ops->set_desc(hw, (u8 *)pbuffer_desc, true,
+                                            HW_DESC_OWN, (u8 *)&temp_one);
+        } else {
+                rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc, true, HW_DESC_OWN,
+                                            &temp_one);
+        }
        return;
 }
@@ -1370,9 +1376,9 @@ static void _rtl_pci_free_tx_ring(struct ieee80211_hw *hw,
        ring->desc = NULL;
        if (rtlpriv->use_new_trx_flow) {
                pci_free_consistent(rtlpci->pdev,
-                                    sizeof(*ring->desc) * ring->entries,
+                                    sizeof(*ring->buffer_desc) * ring->entries,
                                    ring->buffer_desc, ring->buffer_desc_dma);
-                ring->desc = NULL;
+                ring->buffer_desc = NULL;
        }
 }
@@ -1543,7 +1549,6 @@ int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw)
                                                         true,
                                                         HW_DESC_TXBUFF_ADDR),
                                                 skb->len, PCI_DMA_TODEVICE);
-                                ring->idx = (ring->idx + 1) % ring->entries;
                                kfree_skb(skb);
                                ring->idx = (ring->idx + 1) % ring->entries;
                        }
@@ -1796,7 +1801,8 @@ static int rtl_pci_start(struct ieee80211_hw *hw)
        rtl_pci_reset_trx_ring(hw);
        rtlpci->driver_is_goingto_unload = false;
-        if (rtlpriv->cfg->ops->get_btc_status()) {
+        if (rtlpriv->cfg->ops->get_btc_status &&
+            rtlpriv->cfg->ops->get_btc_status()) {
                rtlpriv->btcoexist.btc_ops->btc_init_variables(rtlpriv);
                rtlpriv->btcoexist.btc_ops->btc_init_hal_vars(rtlpriv);
        }
diff --git a/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.c b/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.c
index a00861b26ece..29983bc96a89 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.c
@@ -656,7 +656,8 @@ static u8 reserved_page_packet[TOTAL_RESERVED_PKT_LEN] = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 };
-void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
+void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw,
+         bool (*cmd_send_packet)(struct ieee80211_hw *, struct sk_buff *))
 {
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
@@ -722,7 +723,10 @@ void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
        memcpy((u8 *)skb_put(skb, totalpacketlen),
               &reserved_page_packet, totalpacketlen);
-        rtstatus = rtl_cmd_send_packet(hw, skb);
+        if (cmd_send_packet)
+                rtstatus = cmd_send_packet(hw, skb);
+        else
+                rtstatus = rtl_cmd_send_packet(hw, skb);
        if (rtstatus)
                b_dlok = true;
diff --git a/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.h b/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.h
index a815bd6273da..b64ae45dc674 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192c/fw_common.h
@@ -109,7 +109,9 @@ void rtl92c_fill_h2c_cmd(struct ieee80211_hw *hw, u8 element_id,
                         u32 cmd_len, u8 *p_cmdbuffer);
 void rtl92c_firmware_selfreset(struct ieee80211_hw *hw);
 void rtl92c_set_fw_pwrmode_cmd(struct ieee80211_hw *hw, u8 mode);
-void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished);
+void rtl92c_set_fw_rsvdpagepkt
+        (struct ieee80211_hw *hw,
+         bool (*cmd_send_packet)(struct ieee80211_hw *, struct sk_buff *));
 void rtl92c_set_fw_joinbss_report_cmd(struct ieee80211_hw *hw, u8 mstatus);
 void usb_writeN_async(struct rtl_priv *rtlpriv, u32 addr, void *data, u16 len);
 void rtl92c_set_p2p_ps_offload_cmd(struct ieee80211_hw *hw, u8 p2p_ps_state);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ce/def.h b/drivers/net/wireless/rtlwifi/rtl8192ce/def.h
index 831df101d7b7..9b660df6fd71 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ce/def.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192ce/def.h
@@ -114,6 +114,8 @@
        LE_BITS_TO_4BYTE(((__pcmdfbhdr) + 4), 16, 4)
 #define GET_C2H_CMD_FEEDBACK_CCX_SEQ(__pcmdfbhdr)       \
        LE_BITS_TO_4BYTE(((__pcmdfbhdr) + 4), 20, 12)
+#define GET_RX_STATUS_DESC_BUFF_ADDR(__pdesc)                   \
+        SHIFT_AND_MASK_LE(__pdesc + 24, 0, 32)
 #define CHIP_VER_B                      BIT(4)
 #define CHIP_BONDING_IDENTIFIER(_value) (((_value) >> 22) & 0x3)
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ce/hw.c b/drivers/net/wireless/rtlwifi/rtl8192ce/hw.c
index 8ec0f031f48a..55357d69397a 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ce/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ce/hw.c
@@ -459,7 +459,7 @@ void rtl92ce_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
                                rtl_write_byte(rtlpriv, REG_FWHW_TXQ_CTRL + 2,
                                               tmp_reg422 & (~BIT(6)));
-                                rtl92c_set_fw_rsvdpagepkt(hw, 0);
+                                rtl92c_set_fw_rsvdpagepkt(hw, NULL);
                                _rtl92ce_set_bcn_ctrl_reg(hw, BIT(3), 0);
                                _rtl92ce_set_bcn_ctrl_reg(hw, 0, BIT(4));
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c b/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
index d86b5b566444..46ea07605eb4 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ce/sw.c
@@ -244,6 +244,7 @@ static struct rtl_hal_ops rtl8192ce_hal_ops = {
        .phy_lc_calibrate = _rtl92ce_phy_lc_calibrate,
        .phy_set_bw_mode_callback = rtl92ce_phy_set_bw_mode_callback,
        .dm_dynamic_txpower = rtl92ce_dm_dynamic_txpower,
+        .get_btc_status = rtl_btc_status_false,
 };
 static struct rtl_mod_params rtl92ce_mod_params = {
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
index 2fb9c7acb76a..dc3d20b17a26 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
@@ -728,6 +728,9 @@ u32 rtl92ce_get_desc(u8 *p_desc, bool istx, u8 desc_name)
                case HW_DESC_RXPKT_LEN:
                        ret = GET_RX_DESC_PKT_LEN(pdesc);
                        break;
+                case HW_DESC_RXBUFF_ADDR:
+                        ret = GET_RX_STATUS_DESC_BUFF_ADDR(pdesc);
+                        break;
                default:
                        RT_ASSERT(false, "ERR rxdesc :%d not process\n",
                                  desc_name);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
index 04aa0b5f5b3d..873363acbacf 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
@@ -1592,6 +1592,20 @@ void rtl92cu_get_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
        }
 }
+bool usb_cmd_send_packet(struct ieee80211_hw *hw, struct sk_buff *skb)
+{
+  /* Currently nothing happens here.
+   * Traffic stops after some seconds in WPA2 802.11n mode.
+   * Maybe because rtl8192cu chip should be set from here?
+   * If I understand correctly, the realtek vendor driver sends some urbs
+   * if its "here".
+   *
+   * This is maybe necessary:
+   * rtlpriv->cfg->ops->fill_tx_cmddesc(hw, buffer, 1, 1, skb);
+   */
+        return true;
+}
 void rtl92cu_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
 {
        struct rtl_priv *rtlpriv = rtl_priv(hw);
@@ -1939,7 +1953,8 @@ void rtl92cu_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
                                        recover = true;
                                rtl_write_byte(rtlpriv, REG_FWHW_TXQ_CTRL + 2,
                                               tmp_reg422 & (~BIT(6)));
-                                rtl92c_set_fw_rsvdpagepkt(hw, 0);
+                                rtl92c_set_fw_rsvdpagepkt(hw,
+                                                          &usb_cmd_send_packet);
                                _rtl92cu_set_bcn_ctrl_reg(hw, BIT(3), 0);
                                _rtl92cu_set_bcn_ctrl_reg(hw, 0, BIT(4));
                                if (recover)
diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.h b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.h
index 0f7812e0c8aa..c1e33b0228c0 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.h
@@ -104,7 +104,6 @@ bool rtl92cu_gpio_radio_on_off_checking(struct ieee80211_hw *hw, u8 * valid);
 void rtl92cu_set_check_bssid(struct ieee80211_hw *hw, bool check_bssid);
 int rtl92c_download_fw(struct ieee80211_hw *hw);
 void rtl92c_set_fw_pwrmode_cmd(struct ieee80211_hw *hw, u8 mode);
-void rtl92c_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool dl_finished);
 void rtl92c_set_fw_joinbss_report_cmd(struct ieee80211_hw *hw, u8 mstatus);
 void rtl92c_fill_h2c_cmd(struct ieee80211_hw *hw,
                         u8 element_id, u32 cmd_len, u8 *p_cmdbuffer);
diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
index 7c5fbaf5fee0..e06bafee37f9 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
@@ -101,6 +101,12 @@ static void rtl92cu_deinit_sw_vars(struct ieee80211_hw *hw)
        }
 }
+/* get bt coexist status */
+static bool rtl92cu_get_btc_status(void)
+{
+        return false;
+}
 static struct rtl_hal_ops rtl8192cu_hal_ops = {
        .init_sw_vars = rtl92cu_init_sw_vars,
        .deinit_sw_vars = rtl92cu_deinit_sw_vars,
@@ -148,6 +154,7 @@ static struct rtl_hal_ops rtl8192cu_hal_ops = {
        .phy_set_bw_mode_callback = rtl92cu_phy_set_bw_mode_callback,
        .dm_dynamic_txpower = rtl92cu_dm_dynamic_txpower,
        .fill_h2c_cmd = rtl92c_fill_h2c_cmd,
+        .get_btc_status = rtl92cu_get_btc_status,
 };
 static struct rtl_mod_params rtl92cu_mod_params = {
diff --git a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
index edab5a5351b5..a0aba088259a 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192de/sw.c
@@ -251,6 +251,7 @@ static struct rtl_hal_ops rtl8192de_hal_ops = {
        .get_rfreg = rtl92d_phy_query_rf_reg,
        .set_rfreg = rtl92d_phy_set_rf_reg,
        .linked_set_reg = rtl92d_linked_set_reg,
+        .get_btc_status = rtl_btc_status_false,
 };
 static struct rtl_mod_params rtl92de_mod_params = {
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/Makefile b/drivers/net/wireless/rtlwifi/rtl8192ee/Makefile
index 11952b99daf8..0315eeda9b60 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/Makefile
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/Makefile
@@ -1,6 +1,3 @@
-obj-m := rtl8192ee.o
 rtl8192ee-objs :=               \
                dm.o            \
                fw.o            \
@@ -14,6 +11,6 @@ rtl8192ee-objs :=		\
                trx.o           \
-obj-$(CONFIG_RTL8821AE) += rtl8192ee.o
+obj-$(CONFIG_RTL8192EE) += rtl8192ee.o
 ccflags-y += -D__CHECK_ENDIAN__
diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
index dfdc9b20e4ad..1a87edca2c3f 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
@@ -362,7 +362,7 @@ void rtl92ee_get_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
                }
                break;
        default:
-                RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+                RT_TRACE(rtlpriv, COMP_ERR, DBG_DMESG,
                         "switch case not process %x\n", variable);
                break;
        }
@@ -591,7 +591,7 @@ void rtl92ee_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
                                acm_ctrl &= (~ACMHW_BEQEN);
                                break;
                        default:
-                                RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+                                RT_TRACE(rtlpriv, COMP_ERR, DBG_DMESG,
                                         "switch case not process\n");
                                break;
                        }
@@ -710,7 +710,7 @@ void rtl92ee_set_hw_reg(struct ieee80211_hw *hw, u8 variable, u8 *val)
                }
                break;
        default:
-                RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+                RT_TRACE(rtlpriv, COMP_ERR, DBG_DMESG,
                         "switch case not process %x\n", variable);
                break;
        }
@@ -2424,7 +2424,7 @@ void rtl92ee_set_key(struct ieee80211_hw *hw, u32 key_index,
                        enc_algo = CAM_AES;
                        break;
                default:
-                        RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+                        RT_TRACE(rtlpriv, COMP_ERR, DBG_DMESG,
                                 "switch case not process\n");
                        enc_algo = CAM_TKIP;
                        break;
diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/def.h b/drivers/net/wireless/rtlwifi/rtl8192se/def.h
index 83c98674bfd3..6e7a70b43949 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/def.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/def.h
@@ -446,6 +446,8 @@
 /* DWORD 6 */
 #define SET_RX_STATUS__DESC_BUFF_ADDR(__pdesc, __val)   \
        SET_BITS_OFFSET_LE(__pdesc + 24, 0, 32, __val)
+#define GET_RX_STATUS_DESC_BUFF_ADDR(__pdesc)                   \
+        SHIFT_AND_MASK_LE(__pdesc + 24, 0, 32)
 #define SE_RX_HAL_IS_CCK_RATE(_pdesc)\
        (GET_RX_STATUS_DESC_RX_MCS(_pdesc) == DESC92_RATE1M ||  \
diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/hw.c b/drivers/net/wireless/rtlwifi/rtl8192se/hw.c
index 00e067044c08..5761d5b49e39 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/hw.c
@@ -1201,6 +1201,9 @@ static int _rtl92se_set_media_status(struct ieee80211_hw *hw,
        }
+        if (type != NL80211_IFTYPE_AP &&
+            rtlpriv->mac80211.link_state < MAC80211_LINKED)
+                bt_msr = rtl_read_byte(rtlpriv, MSR) & ~MSR_LINK_MASK;
        rtl_write_byte(rtlpriv, (MSR), bt_msr);
        temp = rtl_read_dword(rtlpriv, TCR);
@@ -1262,6 +1265,7 @@ void rtl92se_enable_interrupt(struct ieee80211_hw *hw)
        rtl_write_dword(rtlpriv, INTA_MASK, rtlpci->irq_mask[0]);
        /* Support Bit 32-37(Assign as Bit 0-5) interrupt setting now */
        rtl_write_dword(rtlpriv, INTA_MASK + 4, rtlpci->irq_mask[1] & 0x3F);
+        rtlpci->irq_enabled = true;
 }
 void rtl92se_disable_interrupt(struct ieee80211_hw *hw)
@@ -1276,8 +1280,7 @@ void rtl92se_disable_interrupt(struct ieee80211_hw *hw)
        rtlpci = rtl_pcidev(rtl_pcipriv(hw));
        rtl_write_dword(rtlpriv, INTA_MASK, 0);
        rtl_write_dword(rtlpriv, INTA_MASK + 4, 0);
+        rtlpci->irq_enabled = false;
-        synchronize_irq(rtlpci->pdev->irq);
 }
 static u8 _rtl92s_set_sysclk(struct ieee80211_hw *hw, u8 data)
diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/phy.c b/drivers/net/wireless/rtlwifi/rtl8192se/phy.c
index 77c5b5f35244..4b4612fe2fdb 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/phy.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/phy.c
@@ -399,6 +399,8 @@ static bool _rtl92s_phy_sw_chnl_step_by_step(struct ieee80211_hw *hw,
                case 2:
                        currentcmd = &postcommoncmd[*step];
                        break;
+                default:
+                        return true;
                }
                if (currentcmd->cmdid == CMDID_END) {
diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
index 1bff2a0f7600..fb003868bdef 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
@@ -87,11 +87,8 @@ static void rtl92s_init_aspm_vars(struct ieee80211_hw *hw)
 static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
 {
        struct ieee80211_hw *hw = context;
-        struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw);
        struct rtl_priv *rtlpriv = rtl_priv(hw);
-        struct rtl_pci *rtlpci = rtl_pcidev(pcipriv);
        struct rt_firmware *pfirmware = NULL;
-        int err;
        RT_TRACE(rtlpriv, COMP_ERR, DBG_LOUD,
                         "Firmware callback routine entered!\n");
@@ -112,20 +109,6 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
        memcpy(pfirmware->sz_fw_tmpbuffer, firmware->data, firmware->size);
        pfirmware->sz_fw_tmpbufferlen = firmware->size;
        release_firmware(firmware);
-        err = ieee80211_register_hw(hw);
-        if (err) {
-                RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
-                         "Can't register mac80211 hw\n");
-                return;
-        } else {
-                rtlpriv->mac80211.mac80211_registered = 1;
-        }
-        rtlpci->irq_alloc = 1;
-        set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
-        /*init rfkill */
-        rtl_init_rfkill(hw);
 }
 static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
@@ -226,8 +209,8 @@ static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
        if (!rtlpriv->rtlhal.pfirmware)
                return 1;
-        rtlpriv->max_fw_size = RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE;
+        rtlpriv->max_fw_size = RTL8190_MAX_FIRMWARE_CODE_SIZE*2 +
+                               sizeof(struct fw_hdr);
        pr_info("Driver for Realtek RTL8192SE/RTL8191SE\n"
                "Loading firmware %s\n", rtlpriv->cfg->fw_name);
        /* request fw */
@@ -253,6 +236,19 @@ static void rtl92s_deinit_sw_vars(struct ieee80211_hw *hw)
        }
 }
+static bool rtl92se_is_tx_desc_closed(struct ieee80211_hw *hw, u8 hw_queue,
+                                      u16 index)
+{
+        struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
+        struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue];
+        u8 *entry = (u8 *)(&ring->desc[ring->idx]);
+        u8 own = (u8)rtl92se_get_desc(entry, true, HW_DESC_OWN);
+        if (own)
+                return false;
+        return true;
+}
 static struct rtl_hal_ops rtl8192se_hal_ops = {
        .init_sw_vars = rtl92s_init_sw_vars,
        .deinit_sw_vars = rtl92s_deinit_sw_vars,
@@ -286,6 +282,7 @@ static struct rtl_hal_ops rtl8192se_hal_ops = {
        .led_control = rtl92se_led_control,
        .set_desc = rtl92se_set_desc,
        .get_desc = rtl92se_get_desc,
+        .is_tx_desc_closed = rtl92se_is_tx_desc_closed,
        .tx_polling = rtl92se_tx_polling,
        .enable_hw_sec = rtl92se_enable_hw_security_config,
        .set_key = rtl92se_set_key,
@@ -294,6 +291,7 @@ static struct rtl_hal_ops rtl8192se_hal_ops = {
        .set_bbreg = rtl92s_phy_set_bb_reg,
        .get_rfreg = rtl92s_phy_query_rf_reg,
        .set_rfreg = rtl92s_phy_set_rf_reg,
+        .get_btc_status = rtl_btc_status_false,
 };
 static struct rtl_mod_params rtl92se_mod_params = {
@@ -322,6 +320,8 @@ static struct rtl_hal_cfg rtl92se_hal_cfg = {
        .maps[MAC_RCR_ACRC32] = RCR_ACRC32,
        .maps[MAC_RCR_ACF] = RCR_ACF,
        .maps[MAC_RCR_AAP] = RCR_AAP,
+        .maps[MAC_HIMR] = INTA_MASK,
+        .maps[MAC_HIMRE] = INTA_MASK + 4,
        .maps[EFUSE_TEST] = REG_EFUSE_TEST,
        .maps[EFUSE_CTRL] = REG_EFUSE_CTRL,
diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
index b358ebce8942..672fd3b02835 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
@@ -640,6 +640,9 @@ u32 rtl92se_get_desc(u8 *desc, bool istx, u8 desc_name)
                case HW_DESC_RXPKT_LEN:
                        ret = GET_RX_STATUS_DESC_PKT_LEN(desc);
                        break;
+                case HW_DESC_RXBUFF_ADDR:
+                        ret = GET_RX_STATUS_DESC_BUFF_ADDR(desc);
+                        break;
                default:
                        RT_ASSERT(false, "ERR rxdesc :%d not process\n",
                                  desc_name);
diff --git a/drivers/net/wireless/rtlwifi/rtl8723ae/Makefile b/drivers/net/wireless/rtlwifi/rtl8723ae/Makefile
index 9c34a85fdb89..6220672a96f4 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723ae/Makefile
+++ b/drivers/net/wireless/rtlwifi/rtl8723ae/Makefile
@@ -1,6 +1,3 @@
-obj-m := rtl8723ae.o
 rtl8723ae-objs :=               \
                dm.o            \
                fw.o            \
diff --git a/drivers/net/wireless/rtlwifi/rtl8723be/Makefile b/drivers/net/wireless/rtlwifi/rtl8723be/Makefile
index 59e416abd93a..a77c34102792 100644
--- a/drivers/net/wireless/rtlwifi/rtl8723be/Makefile
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/Makefile
@@ -1,6 +1,3 @@
-obj-m := rtl8723be.o
 rtl8723be-objs :=               \
                dm.o            \
                fw.o            \
diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/Makefile b/drivers/net/wireless/rtlwifi/rtl8821ae/Makefile
index 87ad604a1eb3..f7a26f71197e 100644
--- a/drivers/net/wireless/rtlwifi/rtl8821ae/Makefile
+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/Makefile
@@ -1,6 +1,3 @@
-obj-m := rtl8821ae.o
 rtl8821ae-objs :=               \
                dm.o            \
                fw.o            \
diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/rtlwifi/rtl8821ae/phy.c
index 4be278f7df51..9b4d8a637915 100644
--- a/drivers/net/wireless/rtlwifi/rtl8821ae/phy.c
+++ b/drivers/net/wireless/rtlwifi/rtl8821ae/phy.c
@@ -1889,15 +1889,18 @@ static void _rtl8821ae_store_tx_power_by_rate(struct ieee80211_hw *hw,
        struct rtl_phy *rtlphy = &rtlpriv->phy;
        u8 rate_section = _rtl8821ae_get_rate_section_index(regaddr);
-        if (band != BAND_ON_2_4G && band != BAND_ON_5G)
+        if (band != BAND_ON_2_4G && band != BAND_ON_5G) {
                RT_TRACE(rtlpriv, COMP_INIT, DBG_WARNING, "Invalid Band %d\n", band);
+                band = BAND_ON_2_4G;
-        if (rfpath >= MAX_RF_PATH)
+        }
+        if (rfpath >= MAX_RF_PATH) {
                RT_TRACE(rtlpriv, COMP_INIT, DBG_WARNING, "Invalid RfPath %d\n", rfpath);
+                rfpath = MAX_RF_PATH - 1;
-        if (txnum >= MAX_RF_PATH)
+        }
+        if (txnum >= MAX_RF_PATH) {
                RT_TRACE(rtlpriv, COMP_INIT, DBG_WARNING, "Invalid TxNum %d\n", txnum);
+                txnum = MAX_RF_PATH - 1;
+        }
        rtlphy->tx_power_by_rate_offset[band][rfpath][txnum][rate_section] = data;
        RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD,
                 "TxPwrByRateOffset[Band %d][RfPath %d][TxNum %d][RateSection %d] = 0x%x\n",
diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
index 10cf69c4bc42..46ee956d0235 100644
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -1117,7 +1117,18 @@ int rtl_usb_probe(struct usb_interface *intf,
        }
        rtlpriv->cfg->ops->init_sw_leds(hw);
+        err = ieee80211_register_hw(hw);
+        if (err) {
+                RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
+                         "Can't register mac80211 hw.\n");
+                err = -ENODEV;
+                goto error_out;
+        }
+        rtlpriv->mac80211.mac80211_registered = 1;
+        set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
        return 0;
 error_out:
        rtl_deinit_core(hw);
        _rtl_usb_io_handler_release(hw);
diff --git a/drivers/net/wireless/ti/wl1251/main.c b/drivers/net/wireless/ti/wl1251/main.c
index 38234851457e..0b30a7b4d663 100644
--- a/drivers/net/wireless/ti/wl1251/main.c
+++ b/drivers/net/wireless/ti/wl1251/main.c
@@ -1029,7 +1029,7 @@ static int wl1251_op_hw_scan(struct ieee80211_hw *hw,
                        goto out_sleep;
        }
-        skb = ieee80211_probereq_get(wl->hw, wl->vif, ssid, ssid_len,
+        skb = ieee80211_probereq_get(wl->hw, wl->vif->addr, ssid, ssid_len,
                                     req->ie_len);
        if (!skb) {
                ret = -ENOMEM;
diff --git a/drivers/net/wireless/ti/wlcore/cmd.c b/drivers/net/wireless/ti/wlcore/cmd.c
index 05604ee31224..b82661962d33 100644
--- a/drivers/net/wireless/ti/wlcore/cmd.c
+++ b/drivers/net/wireless/ti/wlcore/cmd.c
@@ -64,6 +64,9 @@ static int __wlcore_cmd_send(struct wl1271 *wl, u16 id, void *buf,
                     id != CMD_STOP_FWLOGGER))
                return -EIO;
+        if (WARN_ON_ONCE(len < sizeof(*cmd)))
+                return -EIO;
        cmd = buf;
        cmd->id = cpu_to_le16(id);
        cmd->status = 0;
@@ -128,8 +131,9 @@ static int __wlcore_cmd_send(struct wl1271 *wl, u16 id, void *buf,
 * send command to fw and return cmd status on success
 * valid_rets contains a bitmap of allowed error codes
 */
-int wlcore_cmd_send_failsafe(struct wl1271 *wl, u16 id, void *buf, size_t len,
+static int wlcore_cmd_send_failsafe(struct wl1271 *wl, u16 id, void *buf,
-                             size_t res_len, unsigned long valid_rets)
+                                    size_t len, size_t res_len,
+                                    unsigned long valid_rets)
 {
        int ret = __wlcore_cmd_send(wl, id, buf, len, res_len);
@@ -150,7 +154,6 @@ fail:
        wl12xx_queue_recovery_work(wl);
        return ret;
 }
-EXPORT_SYMBOL_GPL(wl1271_cmd_send);
 /*
 * wrapper for wlcore_cmd_send that accept only CMD_STATUS_SUCCESS
@@ -165,6 +168,7 @@ int wl1271_cmd_send(struct wl1271 *wl, u16 id, void *buf, size_t len,
                return ret;
        return 0;
 }
+EXPORT_SYMBOL_GPL(wl1271_cmd_send);
 /*
 * Poll the mailbox event field until any of the bits in the mask is set or a
@@ -891,6 +895,9 @@ int wlcore_cmd_configure_failsafe(struct wl1271 *wl, u16 id, void *buf,
        wl1271_debug(DEBUG_CMD, "cmd configure (%d)", id);
+        if (WARN_ON_ONCE(len < sizeof(*acx)))
+                return -EIO;
        acx->id = cpu_to_le16(id);
        /* payload length, does not include any headers */
@@ -1138,7 +1145,7 @@ int wl12xx_cmd_build_probe_req(struct wl1271 *wl, struct wl12xx_vif *wlvif,
        wl1271_debug(DEBUG_SCAN, "build probe request band %d", band);
-        skb = ieee80211_probereq_get(wl->hw, vif, ssid, ssid_len,
+        skb = ieee80211_probereq_get(wl->hw, vif->addr, ssid, ssid_len,
                                     ie0_len + ie1_len);
        if (!skb) {
                ret = -ENOMEM;
diff --git a/drivers/net/wireless/ti/wlcore/cmd.h b/drivers/net/wireless/ti/wlcore/cmd.h
index ca6a28b03f8f..453684a71d30 100644
--- a/drivers/net/wireless/ti/wlcore/cmd.h
+++ b/drivers/net/wireless/ti/wlcore/cmd.h
@@ -31,8 +31,6 @@ struct acx_header;
 int wl1271_cmd_send(struct wl1271 *wl, u16 id, void *buf, size_t len,
                    size_t res_len);
-int wlcore_cmd_send_failsafe(struct wl1271 *wl, u16 id, void *buf, size_t len,
-                             size_t res_len, unsigned long valid_rets);
 int wl12xx_cmd_role_enable(struct wl1271 *wl, u8 *addr, u8 role_type,
                           u8 *role_id);
 int wl12xx_cmd_role_disable(struct wl1271 *wl, u8 *role_id);
diff --git a/drivers/net/wireless/ti/wlcore/event.c b/drivers/net/wireless/ti/wlcore/event.c
index 16d10281798d..5153640f4532 100644
--- a/drivers/net/wireless/ti/wlcore/event.c
+++ b/drivers/net/wireless/ti/wlcore/event.c
@@ -259,10 +259,7 @@ void wlcore_event_beacon_loss(struct wl1271 *wl, unsigned long roles_bitmap)
                                             &wlvif->connection_loss_work,
                                             msecs_to_jiffies(delay));
-                ieee80211_cqm_rssi_notify(
+                ieee80211_cqm_beacon_loss_notify(vif, GFP_KERNEL);
-                                vif,
-                                NL80211_CQM_RSSI_BEACON_LOSS_EVENT,
-                                GFP_KERNEL);
        }
 }
 EXPORT_SYMBOL_GPL(wlcore_event_beacon_loss);
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index 575c8f6d4009..6ad3fcedab9b 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -5177,10 +5177,11 @@ out:
 }
 static void wl12xx_op_channel_switch(struct ieee80211_hw *hw,
+                                     struct ieee80211_vif *vif,
                                     struct ieee80211_channel_switch *ch_switch)
 {
        struct wl1271 *wl = hw->priv;
-        struct wl12xx_vif *wlvif;
+        struct wl12xx_vif *wlvif = wl12xx_vif_to_data(vif);
        int ret;
        wl1271_debug(DEBUG_MAC80211, "mac80211 channel switch");
@@ -5190,14 +5191,8 @@ static void wl12xx_op_channel_switch(struct ieee80211_hw *hw,
        mutex_lock(&wl->mutex);
        if (unlikely(wl->state == WLCORE_STATE_OFF)) {
-                wl12xx_for_each_wlvif_sta(wl, wlvif) {
+                if (test_bit(WLVIF_FLAG_STA_ASSOCIATED, &wlvif->flags))
-                        struct ieee80211_vif *vif = wl12xx_wlvif_to_vif(wlvif);
-                        if (!test_bit(WLVIF_FLAG_STA_ASSOCIATED, &wlvif->flags))
-                                continue;
                        ieee80211_chswitch_done(vif, false);
-                }
                goto out;
        } else if (unlikely(wl->state != WLCORE_STATE_ON)) {
                goto out;
@@ -5208,11 +5203,9 @@ static void wl12xx_op_channel_switch(struct ieee80211_hw *hw,
                goto out;
        /* TODO: change mac80211 to pass vif as param */
-        wl12xx_for_each_wlvif_sta(wl, wlvif) {
-                unsigned long delay_usec;
-                if (!test_bit(WLVIF_FLAG_STA_ASSOCIATED, &wlvif->flags))
+        if (test_bit(WLVIF_FLAG_STA_ASSOCIATED, &wlvif->flags)) {
-                        continue;
+                unsigned long delay_usec;
                ret = wl->ops->channel_switch(wl, wlvif, ch_switch);
                if (ret)
@@ -5222,10 +5215,10 @@ static void wl12xx_op_channel_switch(struct ieee80211_hw *hw,
                /* indicate failure 5 seconds after channel switch time */
                delay_usec = ieee80211_tu_to_usec(wlvif->beacon_int) *
-                             ch_switch->count;
+                        ch_switch->count;
                ieee80211_queue_delayed_work(hw, &wlvif->channel_switch_work,
-                                usecs_to_jiffies(delay_usec) +
+                                             usecs_to_jiffies(delay_usec) +
-                                msecs_to_jiffies(5000));
+                                             msecs_to_jiffies(5000));
        }
 out_sleep:
diff --git a/drivers/nfc/pn544/i2c.c b/drivers/nfc/pn544/i2c.c
index 440291ab7263..fc02e8d6a193 100644
--- a/drivers/nfc/pn544/i2c.c
+++ b/drivers/nfc/pn544/i2c.c
@@ -29,8 +29,8 @@
 #include <linux/delay.h>
 #include <linux/nfc.h>
 #include <linux/firmware.h>
-#include <linux/unaligned/access_ok.h>
 #include <linux/platform_data/pn544.h>
+#include <asm/unaligned.h>
 #include <net/nfc/hci.h>
 #include <net/nfc/llc.h>
diff --git a/drivers/nfc/st21nfca/i2c.c b/drivers/nfc/st21nfca/i2c.c
index 0ea756b77519..05722085a59f 100644
--- a/drivers/nfc/st21nfca/i2c.c
+++ b/drivers/nfc/st21nfca/i2c.c
@@ -28,8 +28,8 @@
 #include <linux/delay.h>
 #include <linux/nfc.h>
 #include <linux/firmware.h>
-#include <linux/unaligned/access_ok.h>
 #include <linux/platform_data/st21nfca.h>
+#include <asm/unaligned.h>
 #include <net/nfc/hci.h>
 #include <net/nfc/llc.h>
@@ -72,7 +72,6 @@ struct st21nfca_i2c_phy {
        struct nfc_hci_dev *hdev;
        unsigned int gpio_ena;
-        unsigned int gpio_irq;
        unsigned int irq_polarity;
        struct sk_buff *pending_skb;
@@ -531,20 +530,12 @@ static int st21nfca_hci_i2c_of_request_resources(struct i2c_client *client)
                                  "clf_enable");
        if (r) {
                nfc_err(&client->dev, "Failed to request enable pin\n");
-                return -ENODEV;
+                return r;
        }
        phy->gpio_ena = gpio;
-        /* IRQ */
+        phy->irq_polarity = irq_get_trigger_type(client->irq);
-        r = irq_of_parse_and_map(pp, 0);
-        if (r < 0) {
-                nfc_err(&client->dev, "Unable to get irq, error: %d\n", r);
-                return r;
-        }
-        phy->irq_polarity = irq_get_trigger_type(r);
-        client->irq = r;
        return 0;
 }
@@ -560,7 +551,6 @@ static int st21nfca_hci_i2c_request_resources(struct i2c_client *client)
        struct st21nfca_nfc_platform_data *pdata;
        struct st21nfca_i2c_phy *phy = i2c_get_clientdata(client);
        int r;
-        int irq;
        pdata = client->dev.platform_data;
        if (pdata == NULL) {
@@ -569,36 +559,18 @@ static int st21nfca_hci_i2c_request_resources(struct i2c_client *client)
        }
        /* store for later use */
-        phy->gpio_irq = pdata->gpio_irq;
        phy->gpio_ena = pdata->gpio_ena;
        phy->irq_polarity = pdata->irq_polarity;
-        r = devm_gpio_request_one(&client->dev, phy->gpio_irq, GPIOF_IN,
-                                  "wake_up");
-        if (r) {
-                pr_err("%s : gpio_request failed\n", __FILE__);
-                return -ENODEV;
-        }
        if (phy->gpio_ena > 0) {
                r = devm_gpio_request_one(&client->dev, phy->gpio_ena,
                                          GPIOF_OUT_INIT_HIGH, "clf_enable");
                if (r) {
                        pr_err("%s : ena gpio_request failed\n", __FILE__);
-                        return -ENODEV;
+                        return r;
                }
        }
-        /* IRQ */
-        irq = gpio_to_irq(phy->gpio_irq);
-        if (irq < 0) {
-                nfc_err(&client->dev,
-                                "Unable to get irq number for GPIO %d error %d\n",
-                                phy->gpio_irq, r);
-                return -ENODEV;
-        }
-        client->irq = irq;
        return 0;
 }
@@ -656,7 +628,7 @@ static int st21nfca_hci_i2c_probe(struct i2c_client *client,
        r = st21nfca_hci_platform_init(phy);
        if (r < 0) {
                nfc_err(&client->dev, "Unable to reboot st21nfca\n");
-                return -ENODEV;
+                return r;
        }
        r = devm_request_threaded_irq(&client->dev, client->irq, NULL,
@@ -687,10 +659,13 @@ static int st21nfca_hci_i2c_remove(struct i2c_client *client)
        return 0;
 }
+#ifdef CONFIG_OF
 static const struct of_device_id of_st21nfca_i2c_match[] = {
        { .compatible = "st,st21nfca_i2c", },
        {}
 };
+MODULE_DEVICE_TABLE(of, of_st21nfca_i2c_match);
+#endif
 static struct i2c_driver st21nfca_hci_i2c_driver = {
        .driver = {
diff --git a/drivers/nfc/st21nfca/st21nfca.c b/drivers/nfc/st21nfca/st21nfca.c
index a89e56c2c749..f2596c8d68b0 100644
--- a/drivers/nfc/st21nfca/st21nfca.c
+++ b/drivers/nfc/st21nfca/st21nfca.c
@@ -77,10 +77,6 @@
        ((p & 0x0f) == (ST21NFCA_DM_PIPE_CREATED | ST21NFCA_DM_PIPE_OPEN))
 #define ST21NFCA_NFC_MODE                       0x03    /* NFC_MODE parameter*/
-#define ST21NFCA_EVT_FIELD_ON                   0x11
-#define ST21NFCA_EVT_CARD_DEACTIVATED           0x12
-#define ST21NFCA_EVT_CARD_ACTIVATED             0x13
-#define ST21NFCA_EVT_FIELD_OFF                  0x14
 static DECLARE_BITMAP(dev_mask, ST21NFCA_NUM_DEVICES);
@@ -841,31 +837,11 @@ static int st21nfca_hci_check_presence(struct nfc_hci_dev *hdev,
 static int st21nfca_hci_event_received(struct nfc_hci_dev *hdev, u8 gate,
                                       u8 event, struct sk_buff *skb)
 {
-        int r;
+        pr_debug("hci event: %d gate: %x\n", event, gate);
-        struct st21nfca_hci_info *info = nfc_hci_get_clientdata(hdev);
-        pr_debug("hci event: %d\n", event);
-        switch (event) {
+        switch (gate) {
-        case ST21NFCA_EVT_CARD_ACTIVATED:
+        case ST21NFCA_RF_CARD_F_GATE:
-                if (gate == ST21NFCA_RF_CARD_F_GATE)
+                return st21nfca_dep_event_received(hdev, event, skb);
-                        info->dep_info.curr_nfc_dep_pni = 0;
-                break;
-        case ST21NFCA_EVT_CARD_DEACTIVATED:
-                break;
-        case ST21NFCA_EVT_FIELD_ON:
-                break;
-        case ST21NFCA_EVT_FIELD_OFF:
-                break;
-        case ST21NFCA_EVT_SEND_DATA:
-                if (gate == ST21NFCA_RF_CARD_F_GATE) {
-                        r = st21nfca_tm_event_send_data(hdev, skb, gate);
-                        if (r < 0)
-                                return r;
-                        return 0;
-                }
-                info->dep_info.curr_nfc_dep_pni = 0;
-                return 1;
        default:
                return 1;
        }
diff --git a/drivers/nfc/st21nfca/st21nfca.h b/drivers/nfc/st21nfca/st21nfca.h
index a0b77f1ba6d9..7c2a85292230 100644
--- a/drivers/nfc/st21nfca/st21nfca.h
+++ b/drivers/nfc/st21nfca/st21nfca.h
@@ -85,6 +85,4 @@ struct st21nfca_hci_info {
 #define ST21NFCA_RF_CARD_F_GATE 0x24
-#define ST21NFCA_EVT_SEND_DATA 0x10
 #endif /* __LOCAL_ST21NFCA_H_ */
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.c b/drivers/nfc/st21nfca/st21nfca_dep.c
index bfb6df56c505..8882181d65de 100644
--- a/drivers/nfc/st21nfca/st21nfca_dep.c
+++ b/drivers/nfc/st21nfca/st21nfca_dep.c
@@ -49,6 +49,12 @@
 #define ST21NFCA_LR_BITS_PAYLOAD_SIZE_254B 0x30
 #define ST21NFCA_GB_BIT  0x02
+#define ST21NFCA_EVT_SEND_DATA          0x10
+#define ST21NFCA_EVT_FIELD_ON           0x11
+#define ST21NFCA_EVT_CARD_DEACTIVATED   0x12
+#define ST21NFCA_EVT_CARD_ACTIVATED     0x13
+#define ST21NFCA_EVT_FIELD_OFF          0x14
 #define ST21NFCA_EVT_CARD_F_BITRATE 0x16
 #define ST21NFCA_EVT_READER_F_BITRATE 0x13
 #define ST21NFCA_PSL_REQ_SEND_SPEED(brs) (brs & 0x38)
@@ -372,8 +378,8 @@ exit:
        return r;
 }
-int st21nfca_tm_event_send_data(struct nfc_hci_dev *hdev, struct sk_buff *skb,
+static int st21nfca_tm_event_send_data(struct nfc_hci_dev *hdev,
-                                u8 gate)
+                                struct sk_buff *skb)
 {
        u8 cmd0, cmd1;
        int r;
@@ -400,7 +406,42 @@ int st21nfca_tm_event_send_data(struct nfc_hci_dev *hdev, struct sk_buff *skb,
        }
        return r;
 }
-EXPORT_SYMBOL(st21nfca_tm_event_send_data);
+/*
+ * Returns:
+ * <= 0: driver handled the event, skb consumed
+ *    1: driver does not handle the event, please do standard processing
+ */
+int st21nfca_dep_event_received(struct nfc_hci_dev *hdev,
+                                u8 event, struct sk_buff *skb)
+{
+        int r = 0;
+        struct st21nfca_hci_info *info = nfc_hci_get_clientdata(hdev);
+        pr_debug("dep event: %d\n", event);
+        switch (event) {
+        case ST21NFCA_EVT_CARD_ACTIVATED:
+                info->dep_info.curr_nfc_dep_pni = 0;
+                break;
+        case ST21NFCA_EVT_CARD_DEACTIVATED:
+                break;
+        case ST21NFCA_EVT_FIELD_ON:
+                break;
+        case ST21NFCA_EVT_FIELD_OFF:
+                break;
+        case ST21NFCA_EVT_SEND_DATA:
+                r = st21nfca_tm_event_send_data(hdev, skb);
+                if (r < 0)
+                        return r;
+                return 0;
+        default:
+                return 1;
+        }
+        kfree_skb(skb);
+        return r;
+}
+EXPORT_SYMBOL(st21nfca_dep_event_received);
 static void st21nfca_im_send_psl_req(struct nfc_hci_dev *hdev, u8 did, u8 bsi,
                                     u8 bri, u8 lri)
diff --git a/drivers/nfc/st21nfca/st21nfca_dep.h b/drivers/nfc/st21nfca/st21nfca_dep.h
index ca213dee9c6e..baf4664b4fc4 100644
--- a/drivers/nfc/st21nfca/st21nfca_dep.h
+++ b/drivers/nfc/st21nfca/st21nfca_dep.h
@@ -32,8 +32,8 @@ struct st21nfca_dep_info {
        u8 lri;
 } __packed;
-int st21nfca_tm_event_send_data(struct nfc_hci_dev *hdev, struct sk_buff *skb,
+int st21nfca_dep_event_received(struct nfc_hci_dev *hdev,
-                                u8 gate);
+                                u8 event, struct sk_buff *skb);
 int st21nfca_tm_send_dep_res(struct nfc_hci_dev *hdev, struct sk_buff *skb);
 int st21nfca_im_send_atr_req(struct nfc_hci_dev *hdev, u8 *gb, size_t gb_len);
diff --git a/drivers/nfc/st21nfcb/i2c.c b/drivers/nfc/st21nfcb/i2c.c
index c5d2427a3db2..01ba865863ee 100644
--- a/drivers/nfc/st21nfcb/i2c.c
+++ b/drivers/nfc/st21nfcb/i2c.c
@@ -50,7 +50,6 @@ struct st21nfcb_i2c_phy {
        struct i2c_client *i2c_dev;
        struct llt_ndlc *ndlc;
-        unsigned int gpio_irq;
        unsigned int gpio_reset;
        unsigned int irq_polarity;
@@ -81,8 +80,6 @@ static void st21nfcb_nci_i2c_disable(void *phy_id)
 {
        struct st21nfcb_i2c_phy *phy = phy_id;
-        pr_info("\n");
        phy->powered = 0;
        /* reset chip in order to flush clf */
        gpio_set_value(phy->gpio_reset, 0);
@@ -258,19 +255,11 @@ static int st21nfcb_nci_i2c_of_request_resources(struct i2c_client *client)
                                GPIOF_OUT_INIT_HIGH, "clf_reset");
        if (r) {
                nfc_err(&client->dev, "Failed to request reset pin\n");
-                return -ENODEV;
-        }
-        phy->gpio_reset = gpio;
-        /* IRQ */
-        r = irq_of_parse_and_map(pp, 0);
-        if (r < 0) {
-                nfc_err(&client->dev, "Unable to get irq, error: %d\n", r);
                return r;
        }
+        phy->gpio_reset = gpio;
-        phy->irq_polarity = irq_get_trigger_type(r);
+        phy->irq_polarity = irq_get_trigger_type(client->irq);
-        client->irq = r;
        return 0;
 }
@@ -286,7 +275,6 @@ static int st21nfcb_nci_i2c_request_resources(struct i2c_client *client)
        struct st21nfcb_nfc_platform_data *pdata;
        struct st21nfcb_i2c_phy *phy = i2c_get_clientdata(client);
        int r;
-        int irq;
        pdata = client->dev.platform_data;
        if (pdata == NULL) {
@@ -295,33 +283,15 @@ static int st21nfcb_nci_i2c_request_resources(struct i2c_client *client)
        }
        /* store for later use */
-        phy->gpio_irq = pdata->gpio_irq;
        phy->gpio_reset = pdata->gpio_reset;
        phy->irq_polarity = pdata->irq_polarity;
-        r = devm_gpio_request_one(&client->dev, phy->gpio_irq,
-                                GPIOF_IN, "clf_irq");
-        if (r) {
-                pr_err("%s : gpio_request failed\n", __FILE__);
-                return -ENODEV;
-        }
        r = devm_gpio_request_one(&client->dev,
                        phy->gpio_reset, GPIOF_OUT_INIT_HIGH, "clf_reset");
        if (r) {
                pr_err("%s : reset gpio_request failed\n", __FILE__);
-                return -ENODEV;
+                return r;
-        }
-        /* IRQ */
-        irq = gpio_to_irq(phy->gpio_irq);
-        if (irq < 0) {
-                nfc_err(&client->dev,
-                        "Unable to get irq number for GPIO %d error %d\n",
-                        phy->gpio_irq, r);
-                return -ENODEV;
        }
-        client->irq = irq;
        return 0;
 }
@@ -401,10 +371,13 @@ static int st21nfcb_nci_i2c_remove(struct i2c_client *client)
        return 0;
 }
+#ifdef CONFIG_OF
 static const struct of_device_id of_st21nfcb_i2c_match[] = {
        { .compatible = "st,st21nfcb_i2c", },
        {}
 };
+MODULE_DEVICE_TABLE(of, of_st21nfcb_i2c_match);
+#endif
 static struct i2c_driver st21nfcb_nci_i2c_driver = {
        .driver = {
diff --git a/drivers/nfc/st21nfcb/ndlc.c b/drivers/nfc/st21nfcb/ndlc.c
index e7bff8921d11..bac50e805f1d 100644
--- a/drivers/nfc/st21nfcb/ndlc.c
+++ b/drivers/nfc/st21nfcb/ndlc.c
@@ -266,7 +266,7 @@ int ndlc_probe(void *phy_id, struct nfc_phy_ops *phy_ops, struct device *dev,
        *ndlc_id = ndlc;
-        /* start timers */
+        /* initialize timers */
        init_timer(&ndlc->t1_timer);
        ndlc->t1_timer.data = (unsigned long)ndlc;
        ndlc->t1_timer.function = ndlc_t1_timeout;
diff --git a/drivers/ssb/pcihost_wrapper.c b/drivers/ssb/pcihost_wrapper.c
index 69161bbc4d0b..410215c16920 100644
--- a/drivers/ssb/pcihost_wrapper.c
+++ b/drivers/ssb/pcihost_wrapper.c
@@ -11,15 +11,17 @@
 * Licensed under the GNU/GPL. See COPYING for details.
 */
+#include <linux/pm.h>
 #include <linux/pci.h>
 #include <linux/export.h>
 #include <linux/slab.h>
 #include <linux/ssb/ssb.h>
-#ifdef CONFIG_PM
+#ifdef CONFIG_PM_SLEEP
-static int ssb_pcihost_suspend(struct pci_dev *dev, pm_message_t state)
+static int ssb_pcihost_suspend(struct device *d)
 {
+        struct pci_dev *dev = to_pci_dev(d);
        struct ssb_bus *ssb = pci_get_drvdata(dev);
        int err;
@@ -28,17 +30,23 @@ static int ssb_pcihost_suspend(struct pci_dev *dev, pm_message_t state)
                return err;
        pci_save_state(dev);
        pci_disable_device(dev);
-        pci_set_power_state(dev, pci_choose_state(dev, state));
+        /* if there is a wakeup enabled child device on ssb bus,
+           enable pci wakeup posibility. */
+        device_set_wakeup_enable(d, d->power.wakeup_path);
+        pci_prepare_to_sleep(dev);
        return 0;
 }
-static int ssb_pcihost_resume(struct pci_dev *dev)
+static int ssb_pcihost_resume(struct device *d)
 {
+        struct pci_dev *dev = to_pci_dev(d);
        struct ssb_bus *ssb = pci_get_drvdata(dev);
        int err;
-        pci_set_power_state(dev, PCI_D0);
+        pci_back_from_sleep(dev);
        err = pci_enable_device(dev);
        if (err)
                return err;
@@ -49,10 +57,12 @@ static int ssb_pcihost_resume(struct pci_dev *dev)
        return 0;
 }
-#else /* CONFIG_PM */
-# define ssb_pcihost_suspend    NULL
+static const struct dev_pm_ops ssb_pcihost_pm_ops = {
-# define ssb_pcihost_resume     NULL
+        SET_SYSTEM_SLEEP_PM_OPS(ssb_pcihost_suspend, ssb_pcihost_resume)
-#endif /* CONFIG_PM */
+};
+#endif /* CONFIG_PM_SLEEP */
 static int ssb_pcihost_probe(struct pci_dev *dev,
                             const struct pci_device_id *id)
@@ -115,8 +125,9 @@ int ssb_pcihost_register(struct pci_driver *driver)
 {
        driver->probe = ssb_pcihost_probe;
        driver->remove = ssb_pcihost_remove;
-        driver->suspend = ssb_pcihost_suspend;
+#ifdef CONFIG_PM_SLEEP
-        driver->resume = ssb_pcihost_resume;
+        driver->driver.pm = &ssb_pcihost_pm_ops;
+#endif
        return pci_register_driver(driver);
 }
diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
index bd6953af0a03..3d26955da724 100644
--- a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
@@ -2856,8 +2856,10 @@ static int cfg80211_rtw_add_station(struct wiphy *wiphy,
 }
 static int cfg80211_rtw_del_station(struct wiphy *wiphy,
-                                    struct net_device *ndev, const u8 *mac)
+                                    struct net_device *ndev,
+                                    struct station_del_parameters *params)
 {
+        const u8 *mac = params->mac;
        int ret = 0;
        struct list_head *phead, *plist, *ptmp;
        u8 updated = 0;
diff --git a/drivers/staging/vt6656/main_usb.c b/drivers/staging/vt6656/main_usb.c
index 2fbff907ce8a..dbc311c3dc37 100644
--- a/drivers/staging/vt6656/main_usb.c
+++ b/drivers/staging/vt6656/main_usb.c
@@ -856,7 +856,9 @@ static int vnt_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
        return 0;
 }
-static void vnt_sw_scan_start(struct ieee80211_hw *hw)
+static void vnt_sw_scan_start(struct ieee80211_hw *hw,
+                              struct ieee80211_vif *vif,
+                              const u8 *addr)
 {
        struct vnt_private *priv = hw->priv;
@@ -865,7 +867,8 @@ static void vnt_sw_scan_start(struct ieee80211_hw *hw)
        vnt_update_pre_ed_threshold(priv, true);
 }
-static void vnt_sw_scan_complete(struct ieee80211_hw *hw)
+static void vnt_sw_scan_complete(struct ieee80211_hw *hw,
+                                 struct ieee80211_vif *vif)
 {
        struct vnt_private *priv = hw->priv;
diff --git a/include/linux/bcma/bcma.h b/include/linux/bcma/bcma.h
index 729f48e6b20b..eb1c6a47b67f 100644
--- a/include/linux/bcma/bcma.h
+++ b/include/linux/bcma/bcma.h
@@ -447,4 +447,6 @@ extern u32 bcma_chipco_pll_read(struct bcma_drv_cc *cc, u32 offset);
 #define  BCMA_DMA_TRANSLATION_DMA64_CMT 0x80000000 /* Client Mode Translation for 64-bit DMA */
 extern u32 bcma_core_dma_translation(struct bcma_device *core);
+extern unsigned int bcma_core_irq(struct bcma_device *core, int num);
 #endif /* LINUX_BCMA_H_ */
diff --git a/include/linux/bcma/bcma_driver_mips.h b/include/linux/bcma/bcma_driver_mips.h
index fb61f3fb4ddb..0b3b32aeeb8a 100644
--- a/include/linux/bcma/bcma_driver_mips.h
+++ b/include/linux/bcma/bcma_driver_mips.h
@@ -43,12 +43,12 @@ struct bcma_drv_mips {
 extern void bcma_core_mips_init(struct bcma_drv_mips *mcore);
 extern void bcma_core_mips_early_init(struct bcma_drv_mips *mcore);
-extern unsigned int bcma_core_irq(struct bcma_device *core);
+extern unsigned int bcma_core_mips_irq(struct bcma_device *dev);
 #else
 static inline void bcma_core_mips_init(struct bcma_drv_mips *mcore) { }
 static inline void bcma_core_mips_early_init(struct bcma_drv_mips *mcore) { }
-static inline unsigned int bcma_core_irq(struct bcma_device *core)
+static inline unsigned int bcma_core_mips_irq(struct bcma_device *dev)
 {
        return 0;
 }
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index b1be39c76931..4f4eea8a6288 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -19,6 +19,7 @@
 #include <linux/types.h>
 #include <linux/if_ether.h>
 #include <asm/byteorder.h>
+#include <asm/unaligned.h>
 /*
 * DS bit usage
@@ -1066,6 +1067,12 @@ struct ieee80211_pspoll {
 /* TDLS */
+/* Channel switch timing */
+struct ieee80211_ch_switch_timing {
+        __le16 switch_time;
+        __le16 switch_timeout;
+} __packed;
 /* Link-id information element */
 struct ieee80211_tdls_lnkie {
        u8 ie_type; /* Link Identifier IE */
@@ -1107,6 +1114,15 @@ struct ieee80211_tdls_data {
                        u8 dialog_token;
                        u8 variable[0];
                } __packed discover_req;
+                struct {
+                        u8 target_channel;
+                        u8 oper_class;
+                        u8 variable[0];
+                } __packed chan_switch_req;
+                struct {
+                        __le16 status_code;
+                        u8 variable[0];
+                } __packed chan_switch_resp;
        } u;
 } __packed;
@@ -1274,7 +1290,7 @@ struct ieee80211_ht_cap {
 #define         IEEE80211_HT_AMPDU_PARM_DENSITY_SHIFT   2
 /*
- * Maximum length of AMPDU that the STA can receive.
+ * Maximum length of AMPDU that the STA can receive in high-throughput (HT).
 * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
 */
 enum ieee80211_max_ampdu_length_exp {
@@ -1284,6 +1300,21 @@ enum ieee80211_max_ampdu_length_exp {
        IEEE80211_HT_MAX_AMPDU_64K = 3
 };
+/*
+ * Maximum length of AMPDU that the STA can receive in VHT.
+ * Length = 2 ^ (13 + max_ampdu_length_exp) - 1 (octets)
+ */
+enum ieee80211_vht_max_ampdu_length_exp {
+        IEEE80211_VHT_MAX_AMPDU_8K = 0,
+        IEEE80211_VHT_MAX_AMPDU_16K = 1,
+        IEEE80211_VHT_MAX_AMPDU_32K = 2,
+        IEEE80211_VHT_MAX_AMPDU_64K = 3,
+        IEEE80211_VHT_MAX_AMPDU_128K = 4,
+        IEEE80211_VHT_MAX_AMPDU_256K = 5,
+        IEEE80211_VHT_MAX_AMPDU_512K = 6,
+        IEEE80211_VHT_MAX_AMPDU_1024K = 7
+};
 #define IEEE80211_HT_MAX_AMPDU_FACTOR 13
 /* Minimum MPDU start spacing */
@@ -1998,6 +2029,16 @@ enum ieee80211_tdls_actioncode {
        WLAN_TDLS_DISCOVERY_REQUEST = 10,
 };
+/* Extended Channel Switching capability to be set in the 1st byte of
+ * the @WLAN_EID_EXT_CAPABILITY information element
+ */
+#define WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING    BIT(2)
+/* TDLS capabilities in the the 4th byte of @WLAN_EID_EXT_CAPABILITY */
+#define WLAN_EXT_CAPA4_TDLS_BUFFER_STA          BIT(4)
+#define WLAN_EXT_CAPA4_TDLS_PEER_PSM            BIT(5)
+#define WLAN_EXT_CAPA4_TDLS_CHAN_SWITCH         BIT(6)
 /* Interworking capabilities are set in 7th bit of 4th byte of the
 * @WLAN_EID_EXT_CAPABILITY information element
 */
@@ -2009,6 +2050,7 @@ enum ieee80211_tdls_actioncode {
 */
 #define WLAN_EXT_CAPA5_TDLS_ENABLED     BIT(5)
 #define WLAN_EXT_CAPA5_TDLS_PROHIBITED  BIT(6)
+#define WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED    BIT(7)
 #define WLAN_EXT_CAPA8_OPMODE_NOTIF     BIT(6)
 #define WLAN_EXT_CAPA8_TDLS_WIDE_BW_ENABLED     BIT(7)
@@ -2016,6 +2058,9 @@ enum ieee80211_tdls_actioncode {
 /* TDLS specific payload type in the LLC/SNAP header */
 #define WLAN_TDLS_SNAP_RFTYPE   0x2
+/* BSS Coex IE information field bits */
+#define WLAN_BSS_COEX_INFORMATION_REQUEST       BIT(0)
 /**
 * enum - mesh synchronization method identifier
 *
@@ -2398,6 +2443,30 @@ static inline bool ieee80211_check_tim(const struct ieee80211_tim_ie *tim,
        return !!(tim->virtual_map[index] & mask);
 }
+/**
+ * ieee80211_get_tdls_action - get tdls packet action (or -1, if not tdls packet)
+ * @skb: the skb containing the frame, length will not be checked
+ * @hdr_size: the size of the ieee80211_hdr that starts at skb->data
+ *
+ * This function assumes the frame is a data frame, and that the network header
+ * is in the correct place.
+ */
+static inline int ieee80211_get_tdls_action(struct sk_buff *skb, u32 hdr_size)
+{
+        if (!skb_is_nonlinear(skb) &&
+            skb->len > (skb_network_offset(skb) + 2)) {
+                /* Point to where the indication of TDLS should start */
+                const u8 *tdls_data = skb_network_header(skb) - 2;
+                if (get_unaligned_be16(tdls_data) == ETH_P_TDLS &&
+                    tdls_data[2] == WLAN_TDLS_SNAP_RFTYPE &&
+                    tdls_data[3] == WLAN_CATEGORY_TDLS)
+                        return tdls_data[4];
+        }
+        return -1;
+}
 /* convert time units */
 #define TU_TO_JIFFIES(x)        (usecs_to_jiffies((x) * 1024))
 #define TU_TO_EXP_TIME(x)       (jiffies + TU_TO_JIFFIES(x))
diff --git a/include/linux/platform_data/st21nfca.h b/include/linux/platform_data/st21nfca.h
index 1730312398ff..5087fff96d86 100644
--- a/include/linux/platform_data/st21nfca.h
+++ b/include/linux/platform_data/st21nfca.h
@@ -24,7 +24,6 @@
 #define ST21NFCA_HCI_DRIVER_NAME "st21nfca_hci"
 struct st21nfca_nfc_platform_data {
-        unsigned int gpio_irq;
        unsigned int gpio_ena;
        unsigned int irq_polarity;
 };
diff --git a/include/linux/platform_data/st21nfcb.h b/include/linux/platform_data/st21nfcb.h
index 2d11f1f5efab..c3b432f5b63e 100644
--- a/include/linux/platform_data/st21nfcb.h
+++ b/include/linux/platform_data/st21nfcb.h
@@ -24,7 +24,6 @@
 #define ST21NFCB_NCI_DRIVER_NAME "st21nfcb_nci"
 struct st21nfcb_nfc_platform_data {
-        unsigned int gpio_irq;
        unsigned int gpio_reset;
        unsigned int irq_polarity;
 };
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index a2ddcf2398fd..4ebb816241fa 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -319,9 +319,12 @@ struct ieee80211_supported_band {
 /**
 * struct vif_params - describes virtual interface parameters
 * @use_4addr: use 4-address frames
- * @macaddr: address to use for this virtual interface. This will only
+ * @macaddr: address to use for this virtual interface.
- *      be used for non-netdevice interfaces. If this parameter is set
+ *      If this parameter is set to zero address the driver may
- *      to zero address the driver may determine the address as needed.
+ *      determine the address as needed.
+ *      This feature is only fully supported by drivers that enable the
+ *      %NL80211_FEATURE_MAC_ON_CREATE flag.  Others may support creating
+ **     only p2p devices with specified MAC.
 */
 struct vif_params {
       int use_4addr;
@@ -799,6 +802,22 @@ struct station_parameters {
 };
 /**
+ * struct station_del_parameters - station deletion parameters
+ *
+ * Used to delete a station entry (or all stations).
+ *
+ * @mac: MAC address of the station to remove or NULL to remove all stations
+ * @subtype: Management frame subtype to use for indicating removal
+ *      (10 = Disassociation, 12 = Deauthentication)
+ * @reason_code: Reason code for the Disassociation/Deauthentication frame
+ */
+struct station_del_parameters {
+        const u8 *mac;
+        u8 subtype;
+        u16 reason_code;
+};
+/**
 * enum cfg80211_station_type - the type of station being modified
 * @CFG80211_STA_AP_CLIENT: client of an AP interface
 * @CFG80211_STA_AP_MLME_CLIENT: client of an AP interface that has
@@ -1340,6 +1359,16 @@ struct mesh_setup {
 };
 /**
+ * struct ocb_setup - 802.11p OCB mode setup configuration
+ * @chandef: defines the channel to use
+ *
+ * These parameters are fixed when connecting to the network
+ */
+struct ocb_setup {
+        struct cfg80211_chan_def chandef;
+};
+/**
 * struct ieee80211_txq_params - TX queue parameters
 * @ac: AC identifier
 * @txop: Maximum burst time in units of 32 usecs, 0 meaning disabled
@@ -1408,6 +1437,10 @@ struct cfg80211_ssid {
 * @aborted: (internal) scan request was notified as aborted
 * @notified: (internal) scan request was notified as done or aborted
 * @no_cck: used to send probe requests at non CCK rate in 2GHz band
+ * @mac_addr: MAC address used with randomisation
+ * @mac_addr_mask: MAC address mask used with randomisation, bits that
+ *      are 0 in the mask should be randomised, bits that are 1 should
+ *      be taken from the @mac_addr
 */
 struct cfg80211_scan_request {
        struct cfg80211_ssid *ssids;
@@ -1422,6 +1455,9 @@ struct cfg80211_scan_request {
        struct wireless_dev *wdev;
+        u8 mac_addr[ETH_ALEN] __aligned(2);
+        u8 mac_addr_mask[ETH_ALEN] __aligned(2);
        /* internal */
        struct wiphy *wiphy;
        unsigned long scan_start;
@@ -1432,6 +1468,17 @@ struct cfg80211_scan_request {
        struct ieee80211_channel *channels[0];
 };
+static inline void get_random_mask_addr(u8 *buf, const u8 *addr, const u8 *mask)
+{
+        int i;
+        get_random_bytes(buf, ETH_ALEN);
+        for (i = 0; i < ETH_ALEN; i++) {
+                buf[i] &= ~mask[i];
+                buf[i] |= addr[i] & mask[i];
+        }
+}
 /**
 * struct cfg80211_match_set - sets of attributes to match
 *
@@ -1465,6 +1512,10 @@ struct cfg80211_match_set {
 * @channels: channels to scan
 * @min_rssi_thold: for drivers only supporting a single threshold, this
 *      contains the minimum over all matchsets
+ * @mac_addr: MAC address used with randomisation
+ * @mac_addr_mask: MAC address mask used with randomisation, bits that
+ *      are 0 in the mask should be randomised, bits that are 1 should
+ *      be taken from the @mac_addr
 */
 struct cfg80211_sched_scan_request {
        struct cfg80211_ssid *ssids;
@@ -1479,6 +1530,9 @@ struct cfg80211_sched_scan_request {
        int n_match_sets;
        s32 min_rssi_thold;
+        u8 mac_addr[ETH_ALEN] __aligned(2);
+        u8 mac_addr_mask[ETH_ALEN] __aligned(2);
        /* internal */
        struct wiphy *wiphy;
        struct net_device *dev;
@@ -1911,6 +1965,7 @@ struct cfg80211_wowlan_tcp {
 * @rfkill_release: wake up when rfkill is released
 * @tcp: TCP connection establishment/wakeup parameters, see nl80211.h.
 *      NULL if not configured.
+ * @nd_config: configuration for the scan to be used for net detect wake.
 */
 struct cfg80211_wowlan {
        bool any, disconnect, magic_pkt, gtk_rekey_failure,
@@ -1919,6 +1974,7 @@ struct cfg80211_wowlan {
        struct cfg80211_pkt_pattern *patterns;
        struct cfg80211_wowlan_tcp *tcp;
        int n_patterns;
+        struct cfg80211_sched_scan_request *nd_config;
 };
 /**
@@ -1951,6 +2007,35 @@ struct cfg80211_coalesce {
 };
 /**
+ * struct cfg80211_wowlan_nd_match - information about the match
+ *
+ * @ssid: SSID of the match that triggered the wake up
+ * @n_channels: Number of channels where the match occurred.  This
+ *      value may be zero if the driver can't report the channels.
+ * @channels: center frequencies of the channels where a match
+ *      occurred (in MHz)
+ */
+struct cfg80211_wowlan_nd_match {
+        struct cfg80211_ssid ssid;
+        int n_channels;
+        u32 channels[];
+};
+/**
+ * struct cfg80211_wowlan_nd_info - net detect wake up information
+ *
+ * @n_matches: Number of match information instances provided in
+ *      @matches.  This value may be zero if the driver can't provide
+ *      match information.
+ * @matches: Array of pointers to matches containing information about
+ *      the matches that triggered the wake up.
+ */
+struct cfg80211_wowlan_nd_info {
+        int n_matches;
+        struct cfg80211_wowlan_nd_match *matches[];
+};
+/**
 * struct cfg80211_wowlan_wakeup - wakeup report
 * @disconnect: woke up by getting disconnected
 * @magic_pkt: woke up by receiving magic packet
@@ -1969,6 +2054,7 @@ struct cfg80211_coalesce {
 * @tcp_match: TCP wakeup packet received
 * @tcp_connlost: TCP connection lost or failed to establish
 * @tcp_nomoretokens: TCP data ran out of tokens
+ * @net_detect: if not %NULL, woke up because of net detect
 */
 struct cfg80211_wowlan_wakeup {
        bool disconnect, magic_pkt, gtk_rekey_failure,
@@ -1978,6 +2064,7 @@ struct cfg80211_wowlan_wakeup {
        s32 pattern_idx;
        u32 packet_present_len, packet_len;
        const void *packet;
+        struct cfg80211_wowlan_nd_info *net_detect;
 };
 /**
@@ -2132,7 +2219,7 @@ struct cfg80211_qos_map {
 * @stop_ap: Stop being an AP, including stopping beaconing.
 *
 * @add_station: Add a new station.
- * @del_station: Remove a station; @mac may be NULL to remove all stations.
+ * @del_station: Remove a station
 * @change_station: Modify a given station. Note that flags changes are not much
 *      validated in cfg80211, in particular the auth/assoc/authorized flags
 *      might come to the driver in invalid combinations -- make sure to check
@@ -2146,6 +2233,8 @@ struct cfg80211_qos_map {
 * @change_mpath: change a given mesh path
 * @get_mpath: get a mesh path for the given parameters
 * @dump_mpath: dump mesh path callback -- resume dump at index @idx
+ * @get_mpp: get a mesh proxy path for the given parameters
+ * @dump_mpp: dump mesh proxy path callback -- resume dump at index @idx
 * @join_mesh: join the mesh network with the specified parameters
 *      (invoked with the wireless_dev mutex held)
 * @leave_mesh: leave the current mesh network
@@ -2331,6 +2420,17 @@ struct cfg80211_qos_map {
 *      with the peer followed by immediate teardown when the addition is later
 *      rejected)
 * @del_tx_ts: remove an existing TX TS
+ *
+ * @join_ocb: join the OCB network with the specified parameters
+ *      (invoked with the wireless_dev mutex held)
+ * @leave_ocb: leave the current OCB network
+ *      (invoked with the wireless_dev mutex held)
+ *
+ * @tdls_channel_switch: Start channel-switching with a TDLS peer. The driver
+ *      is responsible for continually initiating channel-switching operations
+ *      and returning to the base channel for communication with the AP.
+ * @tdls_cancel_channel_switch: Stop channel-switching with a TDLS peer. Both
+ *      peers must be on the base channel when the call completes.
 */
 struct cfg80211_ops {
        int     (*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
@@ -2376,7 +2476,7 @@ struct cfg80211_ops {
                               const u8 *mac,
                               struct station_parameters *params);
        int     (*del_station)(struct wiphy *wiphy, struct net_device *dev,
-                               const u8 *mac);
+                               struct station_del_parameters *params);
        int     (*change_station)(struct wiphy *wiphy, struct net_device *dev,
                                  const u8 *mac,
                                  struct station_parameters *params);
@@ -2396,6 +2496,11 @@ struct cfg80211_ops {
        int     (*dump_mpath)(struct wiphy *wiphy, struct net_device *dev,
                              int idx, u8 *dst, u8 *next_hop,
                              struct mpath_info *pinfo);
+        int     (*get_mpp)(struct wiphy *wiphy, struct net_device *dev,
+                           u8 *dst, u8 *mpp, struct mpath_info *pinfo);
+        int     (*dump_mpp)(struct wiphy *wiphy, struct net_device *dev,
+                            int idx, u8 *dst, u8 *mpp,
+                            struct mpath_info *pinfo);
        int     (*get_mesh_config)(struct wiphy *wiphy,
                                struct net_device *dev,
                                struct mesh_config *conf);
@@ -2407,6 +2512,10 @@ struct cfg80211_ops {
                             const struct mesh_setup *setup);
        int     (*leave_mesh)(struct wiphy *wiphy, struct net_device *dev);
+        int     (*join_ocb)(struct wiphy *wiphy, struct net_device *dev,
+                            struct ocb_setup *setup);
+        int     (*leave_ocb)(struct wiphy *wiphy, struct net_device *dev);
        int     (*change_bss)(struct wiphy *wiphy, struct net_device *dev,
                              struct bss_parameters *params);
@@ -2577,6 +2686,14 @@ struct cfg80211_ops {
                             u16 admitted_time);
        int     (*del_tx_ts)(struct wiphy *wiphy, struct net_device *dev,
                             u8 tsid, const u8 *peer);
+        int     (*tdls_channel_switch)(struct wiphy *wiphy,
+                                       struct net_device *dev,
+                                       const u8 *addr, u8 oper_class,
+                                       struct cfg80211_chan_def *chandef);
+        void    (*tdls_cancel_channel_switch)(struct wiphy *wiphy,
+                                              struct net_device *dev,
+                                              const u8 *addr);
 };
 /*
@@ -2623,13 +2740,9 @@ struct cfg80211_ops {
 * @WIPHY_FLAG_SUPPORTS_5_10_MHZ: Device supports 5 MHz and 10 MHz channels.
 * @WIPHY_FLAG_HAS_CHANNEL_SWITCH: Device supports channel switch in
 *      beaconing mode (AP, IBSS, Mesh, ...).
- * @WIPHY_FLAG_SUPPORTS_WMM_ADMISSION: the device supports setting up WMM
- *      TSPEC sessions (TID aka TSID 0-7) with the NL80211_CMD_ADD_TX_TS
- *      command. Standard IEEE 802.11 TSPEC setup is not yet supported, it
- *      needs to be able to handle Block-Ack agreements and other things.
 */
 enum wiphy_flags {
-        WIPHY_FLAG_SUPPORTS_WMM_ADMISSION       = BIT(0),
+        /* use hole at 0 */
        /* use hole at 1 */
        /* use hole at 2 */
        WIPHY_FLAG_NETNS_OK                     = BIT(3),
@@ -2755,6 +2868,7 @@ struct ieee80211_txrx_stypes {
 * @WIPHY_WOWLAN_EAP_IDENTITY_REQ: supports wakeup on EAP identity request
 * @WIPHY_WOWLAN_4WAY_HANDSHAKE: supports wakeup on 4-way handshake failure
 * @WIPHY_WOWLAN_RFKILL_RELEASE: supports wakeup on RF-kill release
+ * @WIPHY_WOWLAN_NET_DETECT: supports wakeup on network detection
 */
 enum wiphy_wowlan_support_flags {
        WIPHY_WOWLAN_ANY                = BIT(0),
@@ -2765,6 +2879,7 @@ enum wiphy_wowlan_support_flags {
        WIPHY_WOWLAN_EAP_IDENTITY_REQ   = BIT(5),
        WIPHY_WOWLAN_4WAY_HANDSHAKE     = BIT(6),
        WIPHY_WOWLAN_RFKILL_RELEASE     = BIT(7),
+        WIPHY_WOWLAN_NET_DETECT         = BIT(8),
 };
 struct wiphy_wowlan_tcp_support {
@@ -2783,6 +2898,11 @@ struct wiphy_wowlan_tcp_support {
 * @pattern_max_len: maximum length of each pattern
 * @pattern_min_len: minimum length of each pattern
 * @max_pkt_offset: maximum Rx packet offset
+ * @max_nd_match_sets: maximum number of matchsets for net-detect,
+ *      similar, but not necessarily identical, to max_match_sets for
+ *      scheduled scans.
+ *      See &struct cfg80211_sched_scan_request.@match_sets for more
+ *      details.
 * @tcp: TCP wakeup support information
 */
 struct wiphy_wowlan_support {
@@ -2791,6 +2911,7 @@ struct wiphy_wowlan_support {
        int pattern_max_len;
        int pattern_min_len;
        int max_pkt_offset;
+        int max_nd_match_sets;
        const struct wiphy_wowlan_tcp_support *tcp;
 };
@@ -3166,6 +3287,23 @@ static inline const char *wiphy_name(const struct wiphy *wiphy)
 }
 /**
+ * wiphy_new_nm - create a new wiphy for use with cfg80211
+ *
+ * @ops: The configuration operations for this device
+ * @sizeof_priv: The size of the private area to allocate
+ * @requested_name: Request a particular name.
+ *      NULL is valid value, and means use the default phy%d naming.
+ *
+ * Create a new wiphy and associate the given operations with it.
+ * @sizeof_priv bytes are allocated for private use.
+ *
+ * Return: A pointer to the new wiphy. This pointer must be
+ * assigned to each netdev's ieee80211_ptr for proper operation.
+ */
+struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
+                           const char *requested_name);
+/**
 * wiphy_new - create a new wiphy for use with cfg80211
 *
 * @ops: The configuration operations for this device
@@ -3177,7 +3315,11 @@ static inline const char *wiphy_name(const struct wiphy *wiphy)
 * Return: A pointer to the new wiphy. This pointer must be
 * assigned to each netdev's ieee80211_ptr for proper operation.
 */
-struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv);
+static inline struct wiphy *wiphy_new(const struct cfg80211_ops *ops,
+                                      int sizeof_priv)
+{
+        return wiphy_new_nm(ops, sizeof_priv, NULL);
+}
 /**
 * wiphy_register - register a wiphy with cfg80211
@@ -4501,33 +4643,6 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev,
                              gfp_t gfp);
 /**
- * cfg80211_radar_event - radar detection event
- * @wiphy: the wiphy
- * @chandef: chandef for the current channel
- * @gfp: context flags
- *
- * This function is called when a radar is detected on the current chanenl.
- */
-void cfg80211_radar_event(struct wiphy *wiphy,
-                          struct cfg80211_chan_def *chandef, gfp_t gfp);
-/**
- * cfg80211_cac_event - Channel availability check (CAC) event
- * @netdev: network device
- * @chandef: chandef for the current channel
- * @event: type of event
- * @gfp: context flags
- *
- * This function is called when a Channel availability check (CAC) is finished
- * or aborted. This must be called to notify the completion of a CAC process,
- * also by full-MAC drivers.
- */
-void cfg80211_cac_event(struct net_device *netdev,
-                        const struct cfg80211_chan_def *chandef,
-                        enum nl80211_radar_event event, gfp_t gfp);
-/**
 * cfg80211_cqm_pktloss_notify - notify userspace about packetloss to peer
 * @dev: network device
 * @peer: peer's MAC address
@@ -4555,6 +4670,42 @@ void cfg80211_cqm_txe_notify(struct net_device *dev, const u8 *peer,
                             u32 num_packets, u32 rate, u32 intvl, gfp_t gfp);
 /**
+ * cfg80211_cqm_beacon_loss_notify - beacon loss event
+ * @dev: network device
+ * @gfp: context flags
+ *
+ * Notify userspace about beacon loss from the connected AP.
+ */
+void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp);
+/**
+ * cfg80211_radar_event - radar detection event
+ * @wiphy: the wiphy
+ * @chandef: chandef for the current channel
+ * @gfp: context flags
+ *
+ * This function is called when a radar is detected on the current chanenl.
+ */
+void cfg80211_radar_event(struct wiphy *wiphy,
+                          struct cfg80211_chan_def *chandef, gfp_t gfp);
+/**
+ * cfg80211_cac_event - Channel availability check (CAC) event
+ * @netdev: network device
+ * @chandef: chandef for the current channel
+ * @event: type of event
+ * @gfp: context flags
+ *
+ * This function is called when a Channel availability check (CAC) is finished
+ * or aborted. This must be called to notify the completion of a CAC process,
+ * also by full-MAC drivers.
+ */
+void cfg80211_cac_event(struct net_device *netdev,
+                        const struct cfg80211_chan_def *chandef,
+                        enum nl80211_radar_event event, gfp_t gfp);
+/**
 * cfg80211_gtk_rekey_notify - notify userspace about driver rekeying
 * @dev: network device
 * @bssid: BSSID of AP (to avoid races)
@@ -4657,6 +4808,20 @@ bool cfg80211_reg_can_beacon(struct wiphy *wiphy,
 void cfg80211_ch_switch_notify(struct net_device *dev,
                               struct cfg80211_chan_def *chandef);
+/*
+ * cfg80211_ch_switch_started_notify - notify channel switch start
+ * @dev: the device on which the channel switch started
+ * @chandef: the future channel definition
+ * @count: the number of TBTTs until the channel switch happens
+ *
+ * Inform the userspace about the channel switch that has just
+ * started, so that it can take appropriate actions (eg. starting
+ * channel switch on other vifs), if necessary.
+ */
+void cfg80211_ch_switch_started_notify(struct net_device *dev,
+                                       struct cfg80211_chan_def *chandef,
+                                       u8 count);
 /**
 * ieee80211_operating_class_to_band - convert operating class to band
 *
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 0ad1f47d2dc7..58d719ddaa60 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -263,6 +263,7 @@ struct ieee80211_vif_chanctx_switch {
 * @BSS_CHANGED_BANDWIDTH: The bandwidth used by this interface changed,
 *      note that this is only called when it changes after the channel
 *      context had been assigned.
+ * @BSS_CHANGED_OCB: OCB join status changed
 */
 enum ieee80211_bss_change {
        BSS_CHANGED_ASSOC               = 1<<0,
@@ -287,6 +288,7 @@ enum ieee80211_bss_change {
        BSS_CHANGED_P2P_PS              = 1<<19,
        BSS_CHANGED_BEACON_INFO         = 1<<20,
        BSS_CHANGED_BANDWIDTH           = 1<<21,
+        BSS_CHANGED_OCB                 = 1<<22,
        /* when adding here, make sure to change ieee80211_reconfig */
 };
@@ -739,7 +741,8 @@ struct ieee80211_tx_info {
                        u8 ampdu_ack_len;
                        u8 ampdu_len;
                        u8 antenna;
-                        void *status_driver_data[21 / sizeof(void *)];
+                        u16 tx_time;
+                        void *status_driver_data[19 / sizeof(void *)];
                } status;
                struct {
                        struct ieee80211_tx_rate driver_rates[
@@ -879,6 +882,9 @@ ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info)
 *      subframes share the same sequence number. Reported subframes can be
 *      either regular MSDU or singly A-MSDUs. Subframes must not be
 *      interleaved with other frames.
+ * @RX_FLAG_RADIOTAP_VENDOR_DATA: This frame contains vendor-specific
+ *      radiotap data in the skb->data (before the frame) as described by
+ *      the &struct ieee80211_vendor_radiotap.
 */
 enum mac80211_rx_flags {
        RX_FLAG_MMIC_ERROR              = BIT(0),
@@ -908,6 +914,7 @@ enum mac80211_rx_flags {
        RX_FLAG_10MHZ                   = BIT(28),
        RX_FLAG_5MHZ                    = BIT(29),
        RX_FLAG_AMSDU_MORE              = BIT(30),
+        RX_FLAG_RADIOTAP_VENDOR_DATA    = BIT(31),
 };
 #define RX_FLAG_STBC_SHIFT              26
@@ -979,6 +986,39 @@ struct ieee80211_rx_status {
 };
 /**
+ * struct ieee80211_vendor_radiotap - vendor radiotap data information
+ * @present: presence bitmap for this vendor namespace
+ *      (this could be extended in the future if any vendor needs more
+ *       bits, the radiotap spec does allow for that)
+ * @align: radiotap vendor namespace alignment. This defines the needed
+ *      alignment for the @data field below, not for the vendor namespace
+ *      description itself (which has a fixed 2-byte alignment)
+ *      Must be a power of two, and be set to at least 1!
+ * @oui: radiotap vendor namespace OUI
+ * @subns: radiotap vendor sub namespace
+ * @len: radiotap vendor sub namespace skip length, if alignment is done
+ *      then that's added to this, i.e. this is only the length of the
+ *      @data field.
+ * @pad: number of bytes of padding after the @data, this exists so that
+ *      the skb data alignment can be preserved even if the data has odd
+ *      length
+ * @data: the actual vendor namespace data
+ *
+ * This struct, including the vendor data, goes into the skb->data before
+ * the 802.11 header. It's split up in mac80211 using the align/oui/subns
+ * data.
+ */
+struct ieee80211_vendor_radiotap {
+        u32 present;
+        u8 align;
+        u8 oui[3];
+        u8 subns;
+        u8 pad;
+        u16 len;
+        u8 data[];
+} __packed;
+/**
 * enum ieee80211_conf_flags - configuration flags
 *
 * Flags to define PHY configuration options
@@ -1117,6 +1157,8 @@ struct ieee80211_conf {
 *      Function (TSF) timer when the frame containing the channel switch
 *      announcement was received. This is simply the rx.mactime parameter
 *      the driver passed into mac80211.
+ * @device_timestamp: arbitrary timestamp for the device, this is the
+ *      rx.device_timestamp parameter the driver passed to mac80211.
 * @block_tx: Indicates whether transmission must be blocked before the
 *      scheduled channel switch, as indicated by the AP.
 * @chandef: the new channel to switch to
@@ -1124,6 +1166,7 @@ struct ieee80211_conf {
 */
 struct ieee80211_channel_switch {
        u64 timestamp;
+        u32 device_timestamp;
        bool block_tx;
        struct cfg80211_chan_def chandef;
        u8 count;
@@ -1423,6 +1466,8 @@ struct ieee80211_sta_rates {
 * @smps_mode: current SMPS mode (off, static or dynamic)
 * @rates: rate control selection table
 * @tdls: indicates whether the STA is a TDLS peer
+ * @tdls_initiator: indicates the STA is an initiator of the TDLS link. Only
+ *      valid if the STA is a TDLS peer in the first place.
 */
 struct ieee80211_sta {
        u32 supp_rates[IEEE80211_NUM_BANDS];
@@ -1438,6 +1483,7 @@ struct ieee80211_sta {
        enum ieee80211_smps_mode smps_mode;
        struct ieee80211_sta_rates __rcu *rates;
        bool tdls;
+        bool tdls_initiator;
        /* must be last */
        u8 drv_priv[0] __aligned(sizeof(void *));
@@ -1576,6 +1622,10 @@ struct ieee80211_tx_control {
 *      a virtual monitor interface when monitor interfaces are the only
 *      active interfaces.
 *
+ * @IEEE80211_HW_NO_AUTO_VIF: The driver would like for no wlanX to
+ *      be created.  It is expected user-space will create vifs as
+ *      desired (and thus have them named as desired).
+ *
 * @IEEE80211_HW_QUEUE_CONTROL: The driver wants to control per-interface
 *      queue mapping in order to use different queues (not just one per AC)
 *      for different virtual interfaces. See the doc section on HW queue
@@ -1622,7 +1672,8 @@ enum ieee80211_hw_flags {
        IEEE80211_HW_SUPPORTS_DYNAMIC_PS                = 1<<12,
        IEEE80211_HW_MFP_CAPABLE                        = 1<<13,
        IEEE80211_HW_WANT_MONITOR_VIF                   = 1<<14,
-        /* free slots */
+        IEEE80211_HW_NO_AUTO_VIF                        = 1<<15,
+        /* free slot */
        IEEE80211_HW_SUPPORTS_UAPSD                     = 1<<17,
        IEEE80211_HW_REPORTS_TX_ACK_STATUS              = 1<<18,
        IEEE80211_HW_CONNECTION_MONITOR                 = 1<<19,
@@ -1776,6 +1827,31 @@ struct ieee80211_scan_request {
 };
 /**
+ * struct ieee80211_tdls_ch_sw_params - TDLS channel switch parameters
+ *
+ * @sta: peer this TDLS channel-switch request/response came from
+ * @chandef: channel referenced in a TDLS channel-switch request
+ * @action_code: see &enum ieee80211_tdls_actioncode
+ * @status: channel-switch response status
+ * @timestamp: time at which the frame was received
+ * @switch_time: switch-timing parameter received in the frame
+ * @switch_timeout: switch-timing parameter received in the frame
+ * @tmpl_skb: TDLS switch-channel response template
+ * @ch_sw_tm_ie: offset of the channel-switch timing IE inside @tmpl_skb
+ */
+struct ieee80211_tdls_ch_sw_params {
+        struct ieee80211_sta *sta;
+        struct cfg80211_chan_def *chandef;
+        u8 action_code;
+        u32 status;
+        u32 timestamp;
+        u16 switch_time;
+        u16 switch_timeout;
+        struct sk_buff *tmpl_skb;
+        u32 ch_sw_tm_ie;
+};
+/**
 * wiphy_to_ieee80211_hw - return a mac80211 driver hw struct from a wiphy
 *
 * @wiphy: the &struct wiphy which we want to query
@@ -2375,6 +2451,22 @@ enum ieee80211_roc_type {
 };
 /**
+ * enum ieee80211_reconfig_complete_type - reconfig type
+ *
+ * This enum is used by the reconfig_complete() callback to indicate what
+ * reconfiguration type was completed.
+ *
+ * @IEEE80211_RECONFIG_TYPE_RESTART: hw restart type
+ *      (also due to resume() callback returning 1)
+ * @IEEE80211_RECONFIG_TYPE_SUSPEND: suspend type (regardless
+ *      of wowlan configuration)
+ */
+enum ieee80211_reconfig_type {
+        IEEE80211_RECONFIG_TYPE_RESTART,
+        IEEE80211_RECONFIG_TYPE_SUSPEND,
+};
+/**
 * struct ieee80211_ops - callbacks from mac80211 to the driver
 *
 * This structure contains various callbacks that the driver may
@@ -2530,7 +2622,9 @@ enum ieee80211_roc_type {
 *
 * @sw_scan_start: Notifier function that is called just before a software scan
 *      is started. Can be NULL, if the driver doesn't need this notification.
- *      The callback can sleep.
+ *      The mac_addr parameter allows supporting NL80211_SCAN_FLAG_RANDOM_ADDR,
+ *      the driver may set the NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR flag if it
+ *      can use this parameter. The callback can sleep.
 *
 * @sw_scan_complete: Notifier function that is called just after a
 *      software scan finished. Can be NULL, if the driver doesn't need
@@ -2601,6 +2695,9 @@ enum ieee80211_roc_type {
 *      uses hardware rate control (%IEEE80211_HW_HAS_RATE_CONTROL) since
 *      otherwise the rate control algorithm is notified directly.
 *      Must be atomic.
+ * @sta_rate_tbl_update: Notifies the driver that the rate table changed. This
+ *      is only used if the configured rate control algorithm actually uses
+ *      the new rate table API, and is therefore optional. Must be atomic.
 *
 * @conf_tx: Configure TX queue parameters (EDCF (aifs, cw_min, cw_max),
 *      bursting) for a hardware TX queue.
@@ -2809,11 +2906,11 @@ enum ieee80211_roc_type {
 *      disabled/enabled via @bss_info_changed.
 * @stop_ap: Stop operation on the AP interface.
 *
- * @restart_complete: Called after a call to ieee80211_restart_hw(), when the
+ * @reconfig_complete: Called after a call to ieee80211_restart_hw() and
- *      reconfiguration has completed. This can help the driver implement the
+ *      during resume, when the reconfiguration has completed.
- *      reconfiguration step. Also called when reconfiguring because the
+ *      This can help the driver implement the reconfiguration step (and
- *      driver's resume function returned 1, as this is just like an "inline"
+ *      indicate mac80211 is ready to receive frames).
- *      hardware restart. This callback may sleep.
+ *      This callback may sleep.
 *
 * @ipv6_addr_change: IPv6 address assignment on the given interface changed.
 *      Currently, this is only called for managed or P2P client interfaces.
@@ -2829,6 +2926,13 @@ enum ieee80211_roc_type {
 *      transmitted and then call ieee80211_csa_finish().
 *      If the CSA count starts as zero or 1, this function will not be called,
 *      since there won't be any time to beacon before the switch anyway.
+ * @pre_channel_switch: This is an optional callback that is called
+ *      before a channel switch procedure is started (ie. when a STA
+ *      gets a CSA or an userspace initiated channel-switch), allowing
+ *      the driver to prepare for the channel switch.
+ * @post_channel_switch: This is an optional callback that is called
+ *      after a channel switch procedure is completed, allowing the
+ *      driver to go back to a normal configuration.
 *
 * @join_ibss: Join an IBSS (on an IBSS interface); this is called after all
 *      information in bss_conf is set up and the beacon can be retrieved. A
@@ -2838,6 +2942,26 @@ enum ieee80211_roc_type {
 * @get_expected_throughput: extract the expected throughput towards the
 *      specified station. The returned value is expressed in Kbps. It returns 0
 *      if the RC algorithm does not have proper data to provide.
+ *
+ * @get_txpower: get current maximum tx power (in dBm) based on configuration
+ *      and hardware limits.
+ *
+ * @tdls_channel_switch: Start channel-switching with a TDLS peer. The driver
+ *      is responsible for continually initiating channel-switching operations
+ *      and returning to the base channel for communication with the AP. The
+ *      driver receives a channel-switch request template and the location of
+ *      the switch-timing IE within the template as part of the invocation.
+ *      The template is valid only within the call, and the driver can
+ *      optionally copy the skb for further re-use.
+ * @tdls_cancel_channel_switch: Stop channel-switching with a TDLS peer. Both
+ *      peers must be on the base channel when the call completes.
+ * @tdls_recv_channel_switch: a TDLS channel-switch related frame (request or
+ *      response) has been received from a remote peer. The driver gets
+ *      parameters parsed from the incoming frame and may use them to continue
+ *      an ongoing channel-switch operation. In addition, a channel-switch
+ *      response template is provided, together with the location of the
+ *      switch-timing IE within the template. The skb can only be used within
+ *      the function call.
 */
 struct ieee80211_ops {
        void (*tx)(struct ieee80211_hw *hw,
@@ -2897,8 +3021,11 @@ struct ieee80211_ops {
                                struct ieee80211_scan_ies *ies);
        int (*sched_scan_stop)(struct ieee80211_hw *hw,
                               struct ieee80211_vif *vif);
-        void (*sw_scan_start)(struct ieee80211_hw *hw);
+        void (*sw_scan_start)(struct ieee80211_hw *hw,
-        void (*sw_scan_complete)(struct ieee80211_hw *hw);
+                              struct ieee80211_vif *vif,
+                              const u8 *mac_addr);
+        void (*sw_scan_complete)(struct ieee80211_hw *hw,
+                                 struct ieee80211_vif *vif);
        int (*get_stats)(struct ieee80211_hw *hw,
                         struct ieee80211_low_level_stats *stats);
        void (*get_tkip_seq)(struct ieee80211_hw *hw, u8 hw_key_idx,
@@ -2932,6 +3059,9 @@ struct ieee80211_ops {
                              struct ieee80211_vif *vif,
                              struct ieee80211_sta *sta,
                              u32 changed);
+        void (*sta_rate_tbl_update)(struct ieee80211_hw *hw,
+                                    struct ieee80211_vif *vif,
+                                    struct ieee80211_sta *sta);
        int (*conf_tx)(struct ieee80211_hw *hw,
                       struct ieee80211_vif *vif, u16 ac,
                       const struct ieee80211_tx_queue_params *params);
@@ -2959,6 +3089,7 @@ struct ieee80211_ops {
        void (*flush)(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
                      u32 queues, bool drop);
        void (*channel_switch)(struct ieee80211_hw *hw,
+                               struct ieee80211_vif *vif,
                               struct ieee80211_channel_switch *ch_switch);
        int (*set_antenna)(struct ieee80211_hw *hw, u32 tx_ant, u32 rx_ant);
        int (*get_antenna)(struct ieee80211_hw *hw, u32 *tx_ant, u32 *rx_ant);
@@ -3025,7 +3156,8 @@ struct ieee80211_ops {
                                  int n_vifs,
                                  enum ieee80211_chanctx_switch_mode mode);
-        void (*restart_complete)(struct ieee80211_hw *hw);
+        void (*reconfig_complete)(struct ieee80211_hw *hw,
+                                  enum ieee80211_reconfig_type reconfig_type);
 #if IS_ENABLED(CONFIG_IPV6)
        void (*ipv6_addr_change)(struct ieee80211_hw *hw,
@@ -3035,14 +3167,54 @@ struct ieee80211_ops {
        void (*channel_switch_beacon)(struct ieee80211_hw *hw,
                                      struct ieee80211_vif *vif,
                                      struct cfg80211_chan_def *chandef);
+        int (*pre_channel_switch)(struct ieee80211_hw *hw,
+                                  struct ieee80211_vif *vif,
+                                  struct ieee80211_channel_switch *ch_switch);
+        int (*post_channel_switch)(struct ieee80211_hw *hw,
+                                   struct ieee80211_vif *vif);
        int (*join_ibss)(struct ieee80211_hw *hw, struct ieee80211_vif *vif);
        void (*leave_ibss)(struct ieee80211_hw *hw, struct ieee80211_vif *vif);
        u32 (*get_expected_throughput)(struct ieee80211_sta *sta);
+        int (*get_txpower)(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+                           int *dbm);
+        int (*tdls_channel_switch)(struct ieee80211_hw *hw,
+                                   struct ieee80211_vif *vif,
+                                   struct ieee80211_sta *sta, u8 oper_class,
+                                   struct cfg80211_chan_def *chandef,
+                                   struct sk_buff *tmpl_skb, u32 ch_sw_tm_ie);
+        void (*tdls_cancel_channel_switch)(struct ieee80211_hw *hw,
+                                           struct ieee80211_vif *vif,
+                                           struct ieee80211_sta *sta);
+        void (*tdls_recv_channel_switch)(struct ieee80211_hw *hw,
+                                         struct ieee80211_vif *vif,
+                                         struct ieee80211_tdls_ch_sw_params *params);
 };
 /**
- * ieee80211_alloc_hw -  Allocate a new hardware device
+ * ieee80211_alloc_hw_nm - Allocate a new hardware device
+ *
+ * This must be called once for each hardware device. The returned pointer
+ * must be used to refer to this device when calling other functions.
+ * mac80211 allocates a private data area for the driver pointed to by
+ * @priv in &struct ieee80211_hw, the size of this area is given as
+ * @priv_data_len.
+ *
+ * @priv_data_len: length of private data
+ * @ops: callbacks for this device
+ * @requested_name: Requested name for this device.
+ *      NULL is valid value, and means use the default naming (phy%d)
+ *
+ * Return: A pointer to the new hardware device, or %NULL on error.
+ */
+struct ieee80211_hw *ieee80211_alloc_hw_nm(size_t priv_data_len,
+                                           const struct ieee80211_ops *ops,
+                                           const char *requested_name);
+/**
+ * ieee80211_alloc_hw - Allocate a new hardware device
 *
 * This must be called once for each hardware device. The returned pointer
 * must be used to refer to this device when calling other functions.
@@ -3055,8 +3227,12 @@ struct ieee80211_ops {
 *
 * Return: A pointer to the new hardware device, or %NULL on error.
 */
+static inline
 struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
-                                        const struct ieee80211_ops *ops);
+                                        const struct ieee80211_ops *ops)
+{
+        return ieee80211_alloc_hw_nm(priv_data_len, ops, NULL);
+}
 /**
 * ieee80211_register_hw - Register hardware device
@@ -3443,6 +3619,26 @@ void ieee80211_tx_status(struct ieee80211_hw *hw,
                         struct sk_buff *skb);
 /**
+ * ieee80211_tx_status_noskb - transmit status callback without skb
+ *
+ * This function can be used as a replacement for ieee80211_tx_status
+ * in drivers that cannot reliably map tx status information back to
+ * specific skbs.
+ *
+ * Calls to this function for a single hardware must be synchronized
+ * against each other. Calls to this function, ieee80211_tx_status_ni()
+ * and ieee80211_tx_status_irqsafe() may not be mixed for a single hardware.
+ *
+ * @hw: the hardware the frame was transmitted by
+ * @sta: the receiver station to which this packet is sent
+ *      (NULL for multicast packets)
+ * @info: tx status information
+ */
+void ieee80211_tx_status_noskb(struct ieee80211_hw *hw,
+                               struct ieee80211_sta *sta,
+                               struct ieee80211_tx_info *info);
+/**
 * ieee80211_tx_status_ni - transmit status callback (in process context)
 *
 * Like ieee80211_tx_status() but can be called in process context.
@@ -3655,7 +3851,7 @@ struct sk_buff *ieee80211_nullfunc_get(struct ieee80211_hw *hw,
 /**
 * ieee80211_probereq_get - retrieve a Probe Request template
 * @hw: pointer obtained from ieee80211_alloc_hw().
- * @vif: &struct ieee80211_vif pointer from the add_interface callback.
+ * @src_addr: source MAC address
 * @ssid: SSID buffer
 * @ssid_len: length of SSID
 * @tailroom: tailroom to reserve at end of SKB for IEs
@@ -3666,7 +3862,7 @@ struct sk_buff *ieee80211_nullfunc_get(struct ieee80211_hw *hw,
 * Return: The Probe Request template. %NULL on error.
 */
 struct sk_buff *ieee80211_probereq_get(struct ieee80211_hw *hw,
-                                       struct ieee80211_vif *vif,
+                                       const u8 *src_addr,
                                       const u8 *ssid, size_t ssid_len,
                                       size_t tailroom);
@@ -4172,6 +4368,22 @@ void ieee80211_iterate_active_interfaces_rtnl(struct ieee80211_hw *hw,
                                              void *data);
 /**
+ * ieee80211_iterate_stations_atomic - iterate stations
+ *
+ * This function iterates over all stations associated with a given
+ * hardware that are currently uploaded to the driver and calls the callback
+ * function for them.
+ * This function requires the iterator callback function to be atomic,
+ *
+ * @hw: the hardware struct of which the interfaces should be iterated over
+ * @iterator: the iterator function to call, cannot sleep
+ * @data: first argument of the iterator function
+ */
+void ieee80211_iterate_stations_atomic(struct ieee80211_hw *hw,
+                                       void (*iterator)(void *data,
+                                                struct ieee80211_sta *sta),
+                                       void *data);
+/**
 * ieee80211_queue_work - add work onto the mac80211 workqueue
 *
 * Drivers and mac80211 use this to add work onto the mac80211 workqueue.
@@ -4480,6 +4692,14 @@ void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
                               gfp_t gfp);
 /**
+ * ieee80211_cqm_beacon_loss_notify - inform CQM of beacon loss
+ *
+ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
+ * @gfp: context flags
+ */
+void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp);
+/**
 * ieee80211_radar_detected - inform that a radar was detected
 *
 * @hw: pointer as obtained from ieee80211_alloc_hw()
@@ -4637,6 +4857,10 @@ struct rate_control_ops {
        void (*free_sta)(void *priv, struct ieee80211_sta *sta,
                         void *priv_sta);
+        void (*tx_status_noskb)(void *priv,
+                                struct ieee80211_supported_band *sband,
+                                struct ieee80211_sta *sta, void *priv_sta,
+                                struct ieee80211_tx_info *info);
        void (*tx_status)(void *priv, struct ieee80211_supported_band *sband,
                          struct ieee80211_sta *sta, void *priv_sta,
                          struct sk_buff *skb);
@@ -4888,4 +5112,69 @@ void ieee80211_update_p2p_noa(struct ieee80211_noa_data *data, u32 tsf);
 void ieee80211_tdls_oper_request(struct ieee80211_vif *vif, const u8 *peer,
                                 enum nl80211_tdls_operation oper,
                                 u16 reason_code, gfp_t gfp);
+/**
+ * ieee80211_reserve_tid - request to reserve a specific TID
+ *
+ * There is sometimes a need (such as in TDLS) for blocking the driver from
+ * using a specific TID so that the FW can use it for certain operations such
+ * as sending PTI requests. To make sure that the driver doesn't use that TID,
+ * this function must be called as it flushes out packets on this TID and marks
+ * it as blocked, so that any transmit for the station on this TID will be
+ * redirected to the alternative TID in the same AC.
+ *
+ * Note that this function blocks and may call back into the driver, so it
+ * should be called without driver locks held. Also note this function should
+ * only be called from the driver's @sta_state callback.
+ *
+ * @sta: the station to reserve the TID for
+ * @tid: the TID to reserve
+ *
+ * Returns: 0 on success, else on failure
+ */
+int ieee80211_reserve_tid(struct ieee80211_sta *sta, u8 tid);
+/**
+ * ieee80211_unreserve_tid - request to unreserve a specific TID
+ *
+ * Once there is no longer any need for reserving a certain TID, this function
+ * should be called, and no longer will packets have their TID modified for
+ * preventing use of this TID in the driver.
+ *
+ * Note that this function blocks and acquires a lock, so it should be called
+ * without driver locks held. Also note this function should only be called
+ * from the driver's @sta_state callback.
+ *
+ * @sta: the station
+ * @tid: the TID to unreserve
+ */
+void ieee80211_unreserve_tid(struct ieee80211_sta *sta, u8 tid);
+/**
+ * ieee80211_ie_split - split an IE buffer according to ordering
+ *
+ * @ies: the IE buffer
+ * @ielen: the length of the IE buffer
+ * @ids: an array with element IDs that are allowed before
+ *      the split
+ * @n_ids: the size of the element ID array
+ * @offset: offset where to start splitting in the buffer
+ *
+ * This function splits an IE buffer by updating the @offset
+ * variable to point to the location where the buffer should be
+ * split.
+ *
+ * It assumes that the given IE buffer is well-formed, this
+ * has to be guaranteed by the caller!
+ *
+ * It also assumes that the IEs in the buffer are ordered
+ * correctly, if not the result of using this function will not
+ * be ordered correctly either, i.e. it does no reordering.
+ *
+ * The function returns the offset where the next part of the
+ * buffer starts, which may be @ielen if the entire (remainder)
+ * of the buffer should be used.
+ */
+size_t ieee80211_ie_split(const u8 *ies, size_t ielen,
+                          const u8 *ids, int n_ids, size_t offset);
 #endif /* MAC80211_H */
diff --git a/include/net/nfc/digital.h b/include/net/nfc/digital.h
index d9a5cf7ac1c4..0ae101eef0f4 100644
--- a/include/net/nfc/digital.h
+++ b/include/net/nfc/digital.h
@@ -225,6 +225,19 @@ struct nfc_digital_dev {
        u8 curr_protocol;
        u8 curr_rf_tech;
        u8 curr_nfc_dep_pni;
+        u8 did;
+        u8 local_payload_max;
+        u8 remote_payload_max;
+        struct sk_buff *chaining_skb;
+        struct digital_data_exch *data_exch;
+        int atn_count;
+        int nack_count;
+        struct sk_buff *saved_skb;
+        unsigned int saved_skb_len;
        u16 target_fsc;
diff --git a/include/net/nfc/hci.h b/include/net/nfc/hci.h
index 7ee8f4cc610b..14bd0e1c47fa 100644
--- a/include/net/nfc/hci.h
+++ b/include/net/nfc/hci.h
@@ -57,10 +57,14 @@ struct nfc_hci_ops {
        int (*discover_se)(struct nfc_hci_dev *dev);
        int (*enable_se)(struct nfc_hci_dev *dev, u32 se_idx);
        int (*disable_se)(struct nfc_hci_dev *dev, u32 se_idx);
+        int (*se_io)(struct nfc_hci_dev *dev, u32 se_idx,
+                      u8 *apdu, size_t apdu_length,
+                      se_io_cb_t cb, void *cb_context);
 };
 /* Pipes */
 #define NFC_HCI_INVALID_PIPE    0x80
+#define NFC_HCI_DO_NOT_CREATE_PIPE      0x81
 #define NFC_HCI_LINK_MGMT_PIPE  0x00
 #define NFC_HCI_ADMIN_PIPE      0x01
diff --git a/include/net/nfc/nci.h b/include/net/nfc/nci.h
index 9eca9ae2280c..e7257a4653b4 100644
--- a/include/net/nfc/nci.h
+++ b/include/net/nfc/nci.h
@@ -28,6 +28,8 @@
 #ifndef __NCI_H
 #define __NCI_H
+#include <net/nfc/nfc.h>
 /* NCI constants */
 #define NCI_MAX_NUM_MAPPING_CONFIGS                             10
 #define NCI_MAX_NUM_RF_CONFIGS                                  10
@@ -73,6 +75,8 @@
 #define NCI_NFC_A_ACTIVE_LISTEN_MODE                            0x83
 #define NCI_NFC_F_ACTIVE_LISTEN_MODE                            0x85
+#define NCI_RF_TECH_MODE_LISTEN_MASK                            0x80
 /* NCI RF Technologies */
 #define NCI_NFC_RF_TECHNOLOGY_A                                 0x00
 #define NCI_NFC_RF_TECHNOLOGY_B                                 0x01
@@ -106,6 +110,17 @@
 /* NCI Configuration Parameter Tags */
 #define NCI_PN_ATR_REQ_GEN_BYTES                                0x29
+#define NCI_LN_ATR_RES_GEN_BYTES                                0x61
+#define NCI_LA_SEL_INFO                                         0x32
+#define NCI_LF_PROTOCOL_TYPE                                    0x50
+#define NCI_LF_CON_BITR_F                                       0x54
+/* NCI Configuration Parameters masks */
+#define NCI_LA_SEL_INFO_ISO_DEP_MASK                            0x20
+#define NCI_LA_SEL_INFO_NFC_DEP_MASK                            0x40
+#define NCI_LF_PROTOCOL_TYPE_NFC_DEP_MASK                       0x02
+#define NCI_LF_CON_BITR_F_212                                   0x02
+#define NCI_LF_CON_BITR_F_424                                   0x04
 /* NCI Reset types */
 #define NCI_RESET_TYPE_KEEP_CONFIG                              0x00
@@ -314,26 +329,31 @@ struct nci_core_intf_error_ntf {
 struct rf_tech_specific_params_nfca_poll {
        __u16   sens_res;
        __u8    nfcid1_len;     /* 0, 4, 7, or 10 Bytes */
-        __u8    nfcid1[10];
+        __u8    nfcid1[NFC_NFCID1_MAXSIZE];
        __u8    sel_res_len;    /* 0 or 1 Bytes */
        __u8    sel_res;
 } __packed;
 struct rf_tech_specific_params_nfcb_poll {
        __u8    sensb_res_len;
-        __u8    sensb_res[12];  /* 11 or 12 Bytes */
+        __u8    sensb_res[NFC_SENSB_RES_MAXSIZE];       /* 11 or 12 Bytes */
 } __packed;
 struct rf_tech_specific_params_nfcf_poll {
        __u8    bit_rate;
        __u8    sensf_res_len;
-        __u8    sensf_res[18];  /* 16 or 18 Bytes */
+        __u8    sensf_res[NFC_SENSF_RES_MAXSIZE];       /* 16 or 18 Bytes */
 } __packed;
 struct rf_tech_specific_params_nfcv_poll {
        __u8    res_flags;
        __u8    dsfid;
-        __u8    uid[8]; /* 8 Bytes */
+        __u8    uid[NFC_ISO15693_UID_MAXSIZE];  /* 8 Bytes */
+} __packed;
+struct rf_tech_specific_params_nfcf_listen {
+        __u8    local_nfcid2_len;
+        __u8    local_nfcid2[NFC_NFCID2_MAXSIZE];       /* 0 or 8 Bytes */
 } __packed;
 struct nci_rf_discover_ntf {
@@ -365,7 +385,12 @@ struct activation_params_nfcb_poll_iso_dep {
 struct activation_params_poll_nfc_dep {
        __u8    atr_res_len;
-        __u8    atr_res[63];
+        __u8    atr_res[NFC_ATR_RES_MAXSIZE - 2]; /* ATR_RES from byte 3 */
+};
+struct activation_params_listen_nfc_dep {
+        __u8    atr_req_len;
+        __u8    atr_req[NFC_ATR_REQ_MAXSIZE - 2]; /* ATR_REQ from byte 3 */
 };
 struct nci_rf_intf_activated_ntf {
@@ -382,6 +407,7 @@ struct nci_rf_intf_activated_ntf {
                struct rf_tech_specific_params_nfcb_poll nfcb_poll;
                struct rf_tech_specific_params_nfcf_poll nfcf_poll;
                struct rf_tech_specific_params_nfcv_poll nfcv_poll;
+                struct rf_tech_specific_params_nfcf_listen nfcf_listen;
        } rf_tech_specific_params;
        __u8    data_exch_rf_tech_and_mode;
@@ -393,6 +419,7 @@ struct nci_rf_intf_activated_ntf {
                struct activation_params_nfca_poll_iso_dep nfca_poll_iso_dep;
                struct activation_params_nfcb_poll_iso_dep nfcb_poll_iso_dep;
                struct activation_params_poll_nfc_dep poll_nfc_dep;
+                struct activation_params_listen_nfc_dep listen_nfc_dep;
        } activation_params;
 } __packed;
diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h
index 75d10e625c49..9e51bb4d841e 100644
--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -4,6 +4,7 @@
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
 *  Copyright (C) 2013 Intel Corporation. All rights reserved.
+ *  Copyright (C) 2014 Marvell International Ltd.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
@@ -49,6 +50,8 @@ enum nci_state {
        NCI_W4_ALL_DISCOVERIES,
        NCI_W4_HOST_SELECT,
        NCI_POLL_ACTIVE,
+        NCI_LISTEN_ACTIVE,
+        NCI_LISTEN_SLEEP,
 };
 /* NCI timeouts */
@@ -69,6 +72,12 @@ struct nci_ops {
        int   (*send)(struct nci_dev *ndev, struct sk_buff *skb);
        int   (*setup)(struct nci_dev *ndev);
        __u32 (*get_rfprotocol)(struct nci_dev *ndev, __u8 rf_protocol);
+        int   (*discover_se)(struct nci_dev *ndev);
+        int   (*disable_se)(struct nci_dev *ndev, u32 se_idx);
+        int   (*enable_se)(struct nci_dev *ndev, u32 se_idx);
+        int   (*se_io)(struct nci_dev *ndev, u32 se_idx,
+                                u8 *apdu, size_t apdu_length,
+                                se_io_cb_t cb, void *cb_context);
 };
 #define NCI_MAX_SUPPORTED_RF_INTERFACES         4
diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
index 6c583e244de2..12adb817c27a 100644
--- a/include/net/nfc/nfc.h
+++ b/include/net/nfc/nfc.h
@@ -1,5 +1,6 @@
 /*
 * Copyright (C) 2011 Instituto Nokia de Tecnologia
+ * Copyright (C) 2014 Marvell International Ltd.
 *
 * Authors:
 *    Lauro Ramos Venancio <lauro.venancio@openbossa.org>
@@ -87,6 +88,7 @@ struct nfc_ops {
 #define NFC_TARGET_IDX_ANY -1
 #define NFC_MAX_GT_LEN 48
 #define NFC_ATR_RES_GT_OFFSET 15
+#define NFC_ATR_REQ_GT_OFFSET 14
 /**
 * struct nfc_target - NFC target descriptiom
diff --git a/include/net/regulatory.h b/include/net/regulatory.h
index dad7ab20a8cb..b776d72d84be 100644
--- a/include/net/regulatory.h
+++ b/include/net/regulatory.h
@@ -136,6 +136,17 @@ struct regulatory_request {
 *      otherwise initiating radiation is not allowed. This will enable the
 *      relaxations enabled under the CFG80211_REG_RELAX_NO_IR configuration
 *      option
+ * @REGULATORY_IGNORE_STALE_KICKOFF: the regulatory core will _not_ make sure
+ *      all interfaces on this wiphy reside on allowed channels. If this flag
+ *      is not set, upon a regdomain change, the interfaces are given a grace
+ *      period (currently 60 seconds) to disconnect or move to an allowed
+ *      channel. Interfaces on forbidden channels are forcibly disconnected.
+ *      Currently these types of interfaces are supported for enforcement:
+ *      NL80211_IFTYPE_ADHOC, NL80211_IFTYPE_STATION, NL80211_IFTYPE_AP,
+ *      NL80211_IFTYPE_AP_VLAN, NL80211_IFTYPE_MONITOR,
+ *      NL80211_IFTYPE_P2P_CLIENT, NL80211_IFTYPE_P2P_GO,
+ *      NL80211_IFTYPE_P2P_DEVICE. The flag will be set by default if a device
+ *      includes any modes unsupported for enforcement checking.
 */
 enum ieee80211_regulatory_flags {
        REGULATORY_CUSTOM_REG                   = BIT(0),
@@ -144,6 +155,7 @@ enum ieee80211_regulatory_flags {
        REGULATORY_COUNTRY_IE_FOLLOW_POWER      = BIT(3),
        REGULATORY_COUNTRY_IE_IGNORE            = BIT(4),
        REGULATORY_ENABLE_RELAX_NO_IR           = BIT(5),
+        REGULATORY_IGNORE_STALE_KICKOFF         = BIT(6),
 };
 struct ieee80211_freq_range {
diff --git a/include/uapi/linux/nfc.h b/include/uapi/linux/nfc.h
index 9b19b4461928..8119255feae4 100644
--- a/include/uapi/linux/nfc.h
+++ b/include/uapi/linux/nfc.h
@@ -116,6 +116,7 @@ enum nfc_commands {
        NFC_EVENT_SE_TRANSACTION,
        NFC_CMD_GET_SE,
        NFC_CMD_SE_IO,
+        NFC_CMD_ACTIVATE_TARGET,
 /* private: internal use only */
        __NFC_CMD_AFTER_LAST
 };
@@ -196,15 +197,19 @@ enum nfc_sdp_attr {
 };
 #define NFC_SDP_ATTR_MAX (__NFC_SDP_ATTR_AFTER_LAST - 1)
-#define NFC_DEVICE_NAME_MAXSIZE 8
+#define NFC_DEVICE_NAME_MAXSIZE         8
-#define NFC_NFCID1_MAXSIZE 10
+#define NFC_NFCID1_MAXSIZE              10
-#define NFC_NFCID2_MAXSIZE 8
+#define NFC_NFCID2_MAXSIZE              8
-#define NFC_NFCID3_MAXSIZE 10
+#define NFC_NFCID3_MAXSIZE              10
-#define NFC_SENSB_RES_MAXSIZE 12
+#define NFC_SENSB_RES_MAXSIZE           12
-#define NFC_SENSF_RES_MAXSIZE 18
+#define NFC_SENSF_RES_MAXSIZE           18
-#define NFC_GB_MAXSIZE        48
+#define NFC_ATR_REQ_MAXSIZE             64
-#define NFC_FIRMWARE_NAME_MAXSIZE 32
+#define NFC_ATR_RES_MAXSIZE             64
-#define NFC_ISO15693_UID_MAXSIZE 8
+#define NFC_ATR_REQ_GB_MAXSIZE          48
+#define NFC_ATR_RES_GB_MAXSIZE          47
+#define NFC_GB_MAXSIZE                  48
+#define NFC_FIRMWARE_NAME_MAXSIZE       32
+#define NFC_ISO15693_UID_MAXSIZE        8
 /* NFC protocols */
 #define NFC_PROTO_JEWEL         1
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 4b28dc07bcb1..b37bd5a1cb82 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -227,7 +227,11 @@
 *      the interface identified by %NL80211_ATTR_IFINDEX.
 * @NL80211_CMD_DEL_STATION: Remove a station identified by %NL80211_ATTR_MAC
 *      or, if no MAC address given, all stations, on the interface identified
- *      by %NL80211_ATTR_IFINDEX.
+ *      by %NL80211_ATTR_IFINDEX. %NL80211_ATTR_MGMT_SUBTYPE and
+ *      %NL80211_ATTR_REASON_CODE can optionally be used to specify which type
+ *      of disconnection indication should be sent to the station
+ *      (Deauthentication or Disassociation frame and reason code for that
+ *      frame).
 *
 * @NL80211_CMD_GET_MPATH: Get mesh path attributes for mesh path to
 *      destination %NL80211_ATTR_MAC on the interface identified by
@@ -639,7 +643,18 @@
 * @NL80211_CMD_CH_SWITCH_NOTIFY: An AP or GO may decide to switch channels
 *      independently of the userspace SME, send this event indicating
 *      %NL80211_ATTR_IFINDEX is now on %NL80211_ATTR_WIPHY_FREQ and the
- *      attributes determining channel width.
+ *      attributes determining channel width.  This indication may also be
+ *      sent when a remotely-initiated switch (e.g., when a STA receives a CSA
+ *      from the remote AP) is completed;
+ *
+ * @NL80211_CMD_CH_SWITCH_STARTED_NOTIFY: Notify that a channel switch
+ *      has been started on an interface, regardless of the initiator
+ *      (ie. whether it was requested from a remote device or
+ *      initiated on our own).  It indicates that
+ *      %NL80211_ATTR_IFINDEX will be on %NL80211_ATTR_WIPHY_FREQ
+ *      after %NL80211_ATTR_CH_SWITCH_COUNT TBTT's.  The userspace may
+ *      decide to react to this indication by requesting other
+ *      interfaces to change channel as well.
 *
 * @NL80211_CMD_START_P2P_DEVICE: Start the given P2P Device, identified by
 *      its %NL80211_ATTR_WDEV identifier. It must have been created with
@@ -738,6 +753,27 @@
 *      before removing a station entry entirely, or before disassociating
 *      or similar, cleanup will happen in the driver/device in this case.
 *
+ * @NL80211_CMD_GET_MPP: Get mesh path attributes for mesh proxy path to
+ *      destination %NL80211_ATTR_MAC on the interface identified by
+ *      %NL80211_ATTR_IFINDEX.
+ *
+ * @NL80211_CMD_JOIN_OCB: Join the OCB network. The center frequency and
+ *      bandwidth of a channel must be given.
+ * @NL80211_CMD_LEAVE_OCB: Leave the OCB network -- no special arguments, the
+ *      network is determined by the network interface.
+ *
+ * @NL80211_CMD_TDLS_CHANNEL_SWITCH: Start channel-switching with a TDLS peer,
+ *      identified by the %NL80211_ATTR_MAC parameter. A target channel is
+ *      provided via %NL80211_ATTR_WIPHY_FREQ and other attributes determining
+ *      channel width/type. The target operating class is given via
+ *      %NL80211_ATTR_OPER_CLASS.
+ *      The driver is responsible for continually initiating channel-switching
+ *      operations and returning to the base channel for communication with the
+ *      AP.
+ * @NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH: Stop channel-switching with a TDLS
+ *      peer given by %NL80211_ATTR_MAC. Both peers must be on the base channel
+ *      when this command completes.
+ *
 * @NL80211_CMD_MAX: highest used command number
 * @__NL80211_CMD_AFTER_LAST: internal use
 */
@@ -912,6 +948,16 @@ enum nl80211_commands {
        NL80211_CMD_ADD_TX_TS,
        NL80211_CMD_DEL_TX_TS,
+        NL80211_CMD_GET_MPP,
+        NL80211_CMD_JOIN_OCB,
+        NL80211_CMD_LEAVE_OCB,
+        NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
+        NL80211_CMD_TDLS_CHANNEL_SWITCH,
+        NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
        /* add new commands above here */
        /* used to define NL80211_CMD_MAX below */
@@ -1606,9 +1652,9 @@ enum nl80211_commands {
 * @NL80211_ATTR_TDLS_PEER_CAPABILITY: flags for TDLS peer capabilities, u32.
 *      As specified in the &enum nl80211_tdls_peer_capability.
 *
- * @NL80211_ATTR_IFACE_SOCKET_OWNER: flag attribute, if set during interface
+ * @NL80211_ATTR_SOCKET_OWNER: Flag attribute, if set during interface
 *      creation then the new interface will be owned by the netlink socket
- *      that created it and will be destroyed when the socket is closed
+ *      that created it and will be destroyed when the socket is closed.
 *
 * @NL80211_ATTR_TDLS_INITIATOR: flag attribute indicating the current end is
 *      the TDLS link initiator.
@@ -1638,6 +1684,11 @@ enum nl80211_commands {
 * @NL80211_ATTR_SMPS_MODE: SMPS mode to use (ap mode). see
 *      &enum nl80211_smps_mode.
 *
+ * @NL80211_ATTR_OPER_CLASS: operating class
+ *
+ * @NL80211_ATTR_MAC_MASK: MAC address mask
+ *
+ * @NUM_NL80211_ATTR: total number of nl80211_attrs available
 * @NL80211_ATTR_MAX: highest attribute number currently defined
 * @__NL80211_ATTR_AFTER_LAST: internal use
 */
@@ -1973,7 +2024,7 @@ enum nl80211_attrs {
        NL80211_ATTR_TDLS_PEER_CAPABILITY,
-        NL80211_ATTR_IFACE_SOCKET_OWNER,
+        NL80211_ATTR_SOCKET_OWNER,
        NL80211_ATTR_CSA_C_OFFSETS_TX,
        NL80211_ATTR_MAX_CSA_COUNTERS,
@@ -1990,15 +2041,21 @@ enum nl80211_attrs {
        NL80211_ATTR_SMPS_MODE,
+        NL80211_ATTR_OPER_CLASS,
+        NL80211_ATTR_MAC_MASK,
        /* add attributes here, update the policy in nl80211.c */
        __NL80211_ATTR_AFTER_LAST,
+        NUM_NL80211_ATTR = __NL80211_ATTR_AFTER_LAST,
        NL80211_ATTR_MAX = __NL80211_ATTR_AFTER_LAST - 1
 };
 /* source-level API compatibility */
 #define NL80211_ATTR_SCAN_GENERATION NL80211_ATTR_GENERATION
 #define NL80211_ATTR_MESH_PARAMS NL80211_ATTR_MESH_CONFIG
+#define NL80211_ATTR_IFACE_SOCKET_OWNER NL80211_ATTR_SOCKET_OWNER
 /*
 * Allow user space programs to use #ifdef on new attributes by defining them
@@ -2064,6 +2121,8 @@ enum nl80211_attrs {
 *      and therefore can't be created in the normal ways, use the
 *      %NL80211_CMD_START_P2P_DEVICE and %NL80211_CMD_STOP_P2P_DEVICE
 *      commands to create and destroy one
+ * @NL80211_IF_TYPE_OCB: Outside Context of a BSS
+ *      This mode corresponds to the MIB variable dot11OCBActivated=true
 * @NL80211_IFTYPE_MAX: highest interface type number currently defined
 * @NUM_NL80211_IFTYPES: number of defined interface types
 *
@@ -2083,6 +2142,7 @@ enum nl80211_iftype {
        NL80211_IFTYPE_P2P_CLIENT,
        NL80211_IFTYPE_P2P_GO,
        NL80211_IFTYPE_P2P_DEVICE,
+        NL80211_IFTYPE_OCB,
        /* keep last */
        NUM_NL80211_IFTYPES,
@@ -2631,6 +2691,11 @@ enum nl80211_sched_scan_match_attr {
 * @NL80211_RRF_AUTO_BW: maximum available bandwidth should be calculated
 *      base on contiguous rules and wider channels will be allowed to cross
 *      multiple contiguous/overlapping frequency ranges.
+ * @NL80211_RRF_GO_CONCURRENT: See &NL80211_FREQUENCY_ATTR_GO_CONCURRENT
+ * @NL80211_RRF_NO_HT40MINUS: channels can't be used in HT40- operation
+ * @NL80211_RRF_NO_HT40PLUS: channels can't be used in HT40+ operation
+ * @NL80211_RRF_NO_80MHZ: 80MHz operation not allowed
+ * @NL80211_RRF_NO_160MHZ: 160MHz operation not allowed
 */
 enum nl80211_reg_rule_flags {
        NL80211_RRF_NO_OFDM             = 1<<0,
@@ -2643,11 +2708,18 @@ enum nl80211_reg_rule_flags {
        NL80211_RRF_NO_IR               = 1<<7,
        __NL80211_RRF_NO_IBSS           = 1<<8,
        NL80211_RRF_AUTO_BW             = 1<<11,
+        NL80211_RRF_GO_CONCURRENT       = 1<<12,
+        NL80211_RRF_NO_HT40MINUS        = 1<<13,
+        NL80211_RRF_NO_HT40PLUS         = 1<<14,
+        NL80211_RRF_NO_80MHZ            = 1<<15,
+        NL80211_RRF_NO_160MHZ           = 1<<16,
 };
 #define NL80211_RRF_PASSIVE_SCAN        NL80211_RRF_NO_IR
 #define NL80211_RRF_NO_IBSS             NL80211_RRF_NO_IR
 #define NL80211_RRF_NO_IR               NL80211_RRF_NO_IR
+#define NL80211_RRF_NO_HT40             (NL80211_RRF_NO_HT40MINUS |\
+                                         NL80211_RRF_NO_HT40PLUS)
 /* For backport compatibility with older userspace */
 #define NL80211_RRF_NO_IR_ALL           (NL80211_RRF_NO_IR | __NL80211_RRF_NO_IBSS)
@@ -3379,6 +3451,8 @@ enum nl80211_ps_state {
 *      interval in which %NL80211_ATTR_CQM_TXE_PKTS and
 *      %NL80211_ATTR_CQM_TXE_RATE must be satisfied before generating an
 *      %NL80211_CMD_NOTIFY_CQM. Set to 0 to turn off TX error reporting.
+ * @NL80211_ATTR_CQM_BEACON_LOSS_EVENT: flag attribute that's set in a beacon
+ *      loss event
 * @__NL80211_ATTR_CQM_AFTER_LAST: internal
 * @NL80211_ATTR_CQM_MAX: highest key attribute
 */
@@ -3391,6 +3465,7 @@ enum nl80211_attr_cqm {
        NL80211_ATTR_CQM_TXE_RATE,
        NL80211_ATTR_CQM_TXE_PKTS,
        NL80211_ATTR_CQM_TXE_INTVL,
+        NL80211_ATTR_CQM_BEACON_LOSS_EVENT,
        /* keep last */
        __NL80211_ATTR_CQM_AFTER_LAST,
@@ -3403,9 +3478,7 @@ enum nl80211_attr_cqm {
 *      configured threshold
 * @NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH: The RSSI is higher than the
 *      configured threshold
- * @NL80211_CQM_RSSI_BEACON_LOSS_EVENT: The device experienced beacon loss.
+ * @NL80211_CQM_RSSI_BEACON_LOSS_EVENT: (reserved, never sent)
- *      (Note that deauth/disassoc will still follow if the AP is not
- *      available. This event might get used as roaming event, etc.)
 */
 enum nl80211_cqm_rssi_threshold_event {
        NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW,
@@ -3545,6 +3618,25 @@ struct nl80211_pattern_support {
 * @NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS: For wakeup reporting only,
 *      the TCP connection ran out of tokens to use for data to send to the
 *      service
+ * @NL80211_WOWLAN_TRIG_NET_DETECT: wake up when a configured network
+ *      is detected.  This is a nested attribute that contains the
+ *      same attributes used with @NL80211_CMD_START_SCHED_SCAN.  It
+ *      specifies how the scan is performed (e.g. the interval and the
+ *      channels to scan) as well as the scan results that will
+ *      trigger a wake (i.e. the matchsets).
+ * @NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS: nested attribute
+ *      containing an array with information about what triggered the
+ *      wake up.  If no elements are present in the array, it means
+ *      that the information is not available.  If more than one
+ *      element is present, it means that more than one match
+ *      occurred.
+ *      Each element in the array is a nested attribute that contains
+ *      one optional %NL80211_ATTR_SSID attribute and one optional
+ *      %NL80211_ATTR_SCAN_FREQUENCIES attribute.  At least one of
+ *      these attributes must be present.  If
+ *      %NL80211_ATTR_SCAN_FREQUENCIES contains more than one
+ *      frequency, it means that the match occurred in more than one
+ *      channel.
 * @NUM_NL80211_WOWLAN_TRIG: number of wake on wireless triggers
 * @MAX_NL80211_WOWLAN_TRIG: highest wowlan trigger attribute number
 *
@@ -3570,6 +3662,8 @@ enum nl80211_wowlan_triggers {
        NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH,
        NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST,
        NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS,
+        NL80211_WOWLAN_TRIG_NET_DETECT,
+        NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS,
        /* keep last */
        NUM_NL80211_WOWLAN_TRIG,
@@ -4042,6 +4136,27 @@ enum nl80211_ap_sme_features {
 *      multiplexing powersave, ie. can turn off all but one chain
 *      and then wake the rest up as required after, for example,
 *      rts/cts handshake.
+ * @NL80211_FEATURE_SUPPORTS_WMM_ADMISSION: the device supports setting up WMM
+ *      TSPEC sessions (TID aka TSID 0-7) with the %NL80211_CMD_ADD_TX_TS
+ *      command. Standard IEEE 802.11 TSPEC setup is not yet supported, it
+ *      needs to be able to handle Block-Ack agreements and other things.
+ * @NL80211_FEATURE_MAC_ON_CREATE: Device supports configuring
+ *      the vif's MAC address upon creation.
+ *      See 'macaddr' field in the vif_params (cfg80211.h).
+ * @NL80211_FEATURE_TDLS_CHANNEL_SWITCH: Driver supports channel switching when
+ *      operating as a TDLS peer.
+ * @NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR: This device/driver supports using a
+ *      random MAC address during scan (if the device is unassociated); the
+ *      %NL80211_SCAN_FLAG_RANDOM_ADDR flag may be set for scans and the MAC
+ *      address mask/value will be used.
+ * @NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR: This device/driver supports
+ *      using a random MAC address for every scan iteration during scheduled
+ *      scan (while not associated), the %NL80211_SCAN_FLAG_RANDOM_ADDR may
+ *      be set for scheduled scan and the MAC address mask/value will be used.
+ * @NL80211_FEATURE_ND_RANDOM_MAC_ADDR: This device/driver supports using a
+ *      random MAC address for every scan iteration during "net detect", i.e.
+ *      scan in unassociated WoWLAN, the %NL80211_SCAN_FLAG_RANDOM_ADDR may
+ *      be set for scheduled scan and the MAC address mask/value will be used.
 */
 enum nl80211_feature_flags {
        NL80211_FEATURE_SK_TX_STATUS                    = 1 << 0,
@@ -4070,6 +4185,12 @@ enum nl80211_feature_flags {
        NL80211_FEATURE_ACKTO_ESTIMATION                = 1 << 23,
        NL80211_FEATURE_STATIC_SMPS                     = 1 << 24,
        NL80211_FEATURE_DYNAMIC_SMPS                    = 1 << 25,
+        NL80211_FEATURE_SUPPORTS_WMM_ADMISSION          = 1 << 26,
+        NL80211_FEATURE_MAC_ON_CREATE                   = 1 << 27,
+        NL80211_FEATURE_TDLS_CHANNEL_SWITCH             = 1 << 28,
+        NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR            = 1 << 29,
+        NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR      = 1 << 30,
+        NL80211_FEATURE_ND_RANDOM_MAC_ADDR              = 1 << 31,
 };
 /**
@@ -4118,11 +4239,21 @@ enum nl80211_connect_failed_reason {
 *      dangerous because will destroy stations performance as a lot of frames
 *      will be lost while scanning off-channel, therefore it must be used only
 *      when really needed
+ * @NL80211_SCAN_FLAG_RANDOM_ADDR: use a random MAC address for this scan (or
+ *      for scheduled scan: a different one for every scan iteration). When the
+ *      flag is set, depending on device capabilities the @NL80211_ATTR_MAC and
+ *      @NL80211_ATTR_MAC_MASK attributes may also be given in which case only
+ *      the masked bits will be preserved from the MAC address and the remainder
+ *      randomised. If the attributes are not given full randomisation (46 bits,
+ *      locally administered 1, multicast 0) is assumed.
+ *      This flag must not be requested when the feature isn't supported, check
+ *      the nl80211 feature flags for the device.
 */
 enum nl80211_scan_flags {
        NL80211_SCAN_FLAG_LOW_PRIORITY                  = 1<<0,
        NL80211_SCAN_FLAG_FLUSH                         = 1<<1,
        NL80211_SCAN_FLAG_AP                            = 1<<2,
+        NL80211_SCAN_FLAG_RANDOM_ADDR                   = 1<<3,
 };
 /**
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index aeb6a483b3bc..75cc6801a431 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -33,6 +33,13 @@ config MAC80211_RC_MINSTREL_HT
        ---help---
          This option enables the 'minstrel_ht' TX rate control algorithm
+config MAC80211_RC_MINSTREL_VHT
+        bool "Minstrel 802.11ac support" if EXPERT
+        depends on MAC80211_RC_MINSTREL_HT
+        default n
+        ---help---
+          This option enables VHT in the 'minstrel_ht' TX rate control algorithm
 choice
        prompt "Default rate control algorithm"
        depends on MAC80211_HAS_RC
@@ -169,6 +176,17 @@ config MAC80211_HT_DEBUG
          Do not select this option.
+config MAC80211_OCB_DEBUG
+        bool "Verbose OCB debugging"
+        depends on MAC80211_DEBUG_MENU
+        ---help---
+          Selecting this option causes mac80211 to print out
+          very verbose OCB debugging messages. It should not
+          be selected on production systems as those messages
+          are remotely triggerable.
+          Do not select this option.
 config MAC80211_IBSS_DEBUG
        bool "Verbose IBSS debugging"
        depends on MAC80211_DEBUG_MENU
diff --git a/net/mac80211/Makefile b/net/mac80211/Makefile
index 7273d2796dd1..e53671b1105e 100644
--- a/net/mac80211/Makefile
+++ b/net/mac80211/Makefile
@@ -27,7 +27,8 @@ mac80211-y := \
        event.o \
        chan.o \
        trace.o mlme.o \
-        tdls.o
+        tdls.o \
+        ocb.o
 mac80211-$(CONFIG_MAC80211_LEDS) += led.o
 mac80211-$(CONFIG_MAC80211_DEBUGFS) += \
diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
index ec24378caaaf..09d9caaec591 100644
--- a/net/mac80211/aes_ccm.c
+++ b/net/mac80211/aes_ccm.c
@@ -53,6 +53,9 @@ int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
                __aligned(__alignof__(struct aead_request));
        struct aead_request *aead_req = (void *) aead_req_data;
+        if (data_len == 0)
+                return -EINVAL;
        memset(aead_req, 0, sizeof(aead_req_data));
        sg_init_one(&pt, data, data_len);
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index d6986f3aa5c4..a360c15cc978 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -149,11 +149,6 @@ void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
 }
-static inline int ieee80211_ac_from_tid(int tid)
-{
-        return ieee802_1d_to_ac[tid & 7];
-}
 /*
 * When multiple aggregation sessions on multiple stations
 * are being created/destroyed simultaneously, we need to
@@ -514,6 +509,10 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
        struct tid_ampdu_tx *tid_tx;
        int ret = 0;
+        if (WARN(sta->reserved_tid == tid,
+                 "Requested to start BA session on reserved tid=%d", tid))
+                return -EINVAL;
        trace_api_start_tx_ba_session(pubsta, tid);
        if (WARN_ON_ONCE(!local->ops->ampdu_action))
@@ -770,6 +769,9 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                goto unlock;
        }
+        WARN(sta->reserved_tid == tid,
+             "Requested to stop BA session on reserved tid=%d", tid);
        if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
                /* already in progress stopping it */
                ret = 0;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index fb6a1502b6df..e75d5c53e97b 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -20,6 +20,7 @@
 #include "cfg.h"
 #include "rate.h"
 #include "mesh.h"
+#include "wme.h"
 static struct wireless_dev *ieee80211_add_iface(struct wiphy *wiphy,
                                                const char *name,
@@ -190,7 +191,7 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
                 * receive the key. When wpa_supplicant has roamed
                 * using FT, it attempts to set the key before
                 * association has completed, this rejects that attempt
-                 * so it will set the key again after assocation.
+                 * so it will set the key again after association.
                 *
                 * TODO: accept the key if we have a station entry and
                 *       add it to the device after the station.
@@ -229,6 +230,7 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
        case NUM_NL80211_IFTYPES:
        case NL80211_IFTYPE_P2P_CLIENT:
        case NL80211_IFTYPE_P2P_GO:
+        case NL80211_IFTYPE_OCB:
                /* shouldn't happen */
                WARN_ON_ONCE(1);
                break;
@@ -1040,6 +1042,13 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                        clear_sta_flag(sta, WLAN_STA_TDLS_PEER);
        }
+        /* mark TDLS channel switch support, if the AP allows it */
+        if (test_sta_flag(sta, WLAN_STA_TDLS_PEER) &&
+            !sdata->u.mgd.tdls_chan_switch_prohibited &&
+            params->ext_capab_len >= 4 &&
+            params->ext_capab[3] & WLAN_EXT_CAPA4_TDLS_CHAN_SWITCH)
+                set_sta_flag(sta, WLAN_STA_TDLS_CHAN_SWITCH);
        if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD) {
                sta->sta.uapsd_queues = params->uapsd_queues;
                sta->sta.max_sp = params->max_sp;
@@ -1225,14 +1234,14 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
 }
 static int ieee80211_del_station(struct wiphy *wiphy, struct net_device *dev,
-                                 const u8 *mac)
+                                 struct station_del_parameters *params)
 {
        struct ieee80211_sub_if_data *sdata;
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        if (mac)
+        if (params->mac)
-                return sta_info_destroy_addr_bss(sdata, mac);
+                return sta_info_destroy_addr_bss(sdata, params->mac);
        sta_info_flush(sdata);
        return 0;
@@ -1516,6 +1525,57 @@ static int ieee80211_dump_mpath(struct wiphy *wiphy, struct net_device *dev,
        return 0;
 }
+static void mpp_set_pinfo(struct mesh_path *mpath, u8 *mpp,
+                          struct mpath_info *pinfo)
+{
+        memset(pinfo, 0, sizeof(*pinfo));
+        memcpy(mpp, mpath->mpp, ETH_ALEN);
+        pinfo->generation = mpp_paths_generation;
+}
+static int ieee80211_get_mpp(struct wiphy *wiphy, struct net_device *dev,
+                             u8 *dst, u8 *mpp, struct mpath_info *pinfo)
+{
+        struct ieee80211_sub_if_data *sdata;
+        struct mesh_path *mpath;
+        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        rcu_read_lock();
+        mpath = mpp_path_lookup(sdata, dst);
+        if (!mpath) {
+                rcu_read_unlock();
+                return -ENOENT;
+        }
+        memcpy(dst, mpath->dst, ETH_ALEN);
+        mpp_set_pinfo(mpath, mpp, pinfo);
+        rcu_read_unlock();
+        return 0;
+}
+static int ieee80211_dump_mpp(struct wiphy *wiphy, struct net_device *dev,
+                              int idx, u8 *dst, u8 *mpp,
+                              struct mpath_info *pinfo)
+{
+        struct ieee80211_sub_if_data *sdata;
+        struct mesh_path *mpath;
+        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        rcu_read_lock();
+        mpath = mpp_path_lookup_by_idx(sdata, idx);
+        if (!mpath) {
+                rcu_read_unlock();
+                return -ENOENT;
+        }
+        memcpy(dst, mpath->dst, ETH_ALEN);
+        mpp_set_pinfo(mpath, mpp, pinfo);
+        rcu_read_unlock();
+        return 0;
+}
 static int ieee80211_get_mesh_config(struct wiphy *wiphy,
                                struct net_device *dev,
                                struct mesh_config *conf)
@@ -1966,6 +2026,17 @@ static int ieee80211_leave_ibss(struct wiphy *wiphy, struct net_device *dev)
        return ieee80211_ibss_leave(IEEE80211_DEV_TO_SUB_IF(dev));
 }
+static int ieee80211_join_ocb(struct wiphy *wiphy, struct net_device *dev,
+                              struct ocb_setup *setup)
+{
+        return ieee80211_ocb_join(IEEE80211_DEV_TO_SUB_IF(dev), setup);
+}
+static int ieee80211_leave_ocb(struct wiphy *wiphy, struct net_device *dev)
+{
+        return ieee80211_ocb_leave(IEEE80211_DEV_TO_SUB_IF(dev));
+}
 static int ieee80211_set_mcast_rate(struct wiphy *wiphy, struct net_device *dev,
                                    int rate[IEEE80211_NUM_BANDS])
 {
@@ -2081,6 +2152,9 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy,
        struct ieee80211_local *local = wiphy_priv(wiphy);
        struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+        if (local->ops->get_txpower)
+                return drv_get_txpower(local, sdata, dbm);
        if (!local->use_chanctx)
                *dbm = local->hw.conf.power_level;
        else
@@ -2850,11 +2924,7 @@ static int __ieee80211_csa_finalize(struct ieee80211_sub_if_data *sdata)
                if (sdata->reserved_ready)
                        return 0;
-                err = ieee80211_vif_use_reserved_context(sdata);
+                return ieee80211_vif_use_reserved_context(sdata);
-                if (err)
-                        return err;
-                return 0;
        }
        if (!cfg80211_chandef_identical(&sdata->vif.bss_conf.chandef,
@@ -2868,7 +2938,6 @@ static int __ieee80211_csa_finalize(struct ieee80211_sub_if_data *sdata)
                return err;
        ieee80211_bss_info_change_notify(sdata, changed);
-        cfg80211_ch_switch_notify(sdata->dev, &sdata->csa_chandef);
        if (sdata->csa_block_tx) {
                ieee80211_wake_vif_queues(local, sdata,
@@ -2876,6 +2945,12 @@ static int __ieee80211_csa_finalize(struct ieee80211_sub_if_data *sdata)
                sdata->csa_block_tx = false;
        }
+        err = drv_post_channel_switch(sdata);
+        if (err)
+                return err;
+        cfg80211_ch_switch_notify(sdata->dev, &sdata->csa_chandef);
        return 0;
 }
@@ -3053,9 +3128,11 @@ __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
 {
        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_channel_switch ch_switch;
        struct ieee80211_chanctx_conf *conf;
        struct ieee80211_chanctx *chanctx;
-        int err, changed = 0;
+        u32 changed = 0;
+        int err;
        sdata_assert_lock(sdata);
        lockdep_assert_held(&local->mtx);
@@ -3088,6 +3165,16 @@ __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
                goto out;
        }
+        ch_switch.timestamp = 0;
+        ch_switch.device_timestamp = 0;
+        ch_switch.block_tx = params->block_tx;
+        ch_switch.chandef = params->chandef;
+        ch_switch.count = params->count;
+        err = drv_pre_channel_switch(sdata, &ch_switch);
+        if (err)
+                goto out;
        err = ieee80211_vif_reserve_chanctx(sdata, &params->chandef,
                                            chanctx->mode,
                                            params->radar_required);
@@ -3115,6 +3202,9 @@ __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
                ieee80211_stop_vif_queues(local, sdata,
                                          IEEE80211_QUEUE_STOP_REASON_CSA);
+        cfg80211_ch_switch_started_notify(sdata->dev, &sdata->csa_chandef,
+                                          params->count);
        if (changed) {
                ieee80211_bss_info_change_notify(sdata, changed);
                drv_channel_switch_beacon(sdata, &params->chandef);
@@ -3431,6 +3521,7 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
        info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
                       IEEE80211_TX_INTFL_NL80211_FRAME_TX;
+        info->band = band;
        skb_set_queue_mapping(skb, IEEE80211_AC_VO);
        skb->priority = 7;
@@ -3438,7 +3529,7 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
                nullfunc->qos_ctrl = cpu_to_le16(7);
        local_bh_disable();
-        ieee80211_xmit(sdata, skb, band);
+        ieee80211_xmit(sdata, skb);
        local_bh_enable();
        rcu_read_unlock();
@@ -3458,7 +3549,7 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
        rcu_read_lock();
        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
        if (chanctx_conf) {
-                *chandef = chanctx_conf->def;
+                *chandef = sdata->vif.bss_conf.chandef;
                ret = 0;
        } else if (local->open_count > 0 &&
                   local->open_count == local->monitors &&
@@ -3521,6 +3612,76 @@ static int ieee80211_set_ap_chanwidth(struct wiphy *wiphy,
        return ret;
 }
+static int ieee80211_add_tx_ts(struct wiphy *wiphy, struct net_device *dev,
+                               u8 tsid, const u8 *peer, u8 up,
+                               u16 admitted_time)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        int ac = ieee802_1d_to_ac[up];
+        if (sdata->vif.type != NL80211_IFTYPE_STATION)
+                return -EOPNOTSUPP;
+        if (!(sdata->wmm_acm & BIT(up)))
+                return -EINVAL;
+        if (ifmgd->tx_tspec[ac].admitted_time)
+                return -EBUSY;
+        if (admitted_time) {
+                ifmgd->tx_tspec[ac].admitted_time = 32 * admitted_time;
+                ifmgd->tx_tspec[ac].tsid = tsid;
+                ifmgd->tx_tspec[ac].up = up;
+        }
+        return 0;
+}
+static int ieee80211_del_tx_ts(struct wiphy *wiphy, struct net_device *dev,
+                               u8 tsid, const u8 *peer)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        struct ieee80211_local *local = wiphy_priv(wiphy);
+        int ac;
+        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+                struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+                /* skip unused entries */
+                if (!tx_tspec->admitted_time)
+                        continue;
+                if (tx_tspec->tsid != tsid)
+                        continue;
+                /* due to this new packets will be reassigned to non-ACM ACs */
+                tx_tspec->up = -1;
+                /* Make sure that all packets have been sent to avoid to
+                 * restore the QoS params on packets that are still on the
+                 * queues.
+                 */
+                synchronize_net();
+                ieee80211_flush_queues(local, sdata);
+                /* restore the normal QoS parameters
+                 * (unconditionally to avoid races)
+                 */
+                tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
+                tx_tspec->downgraded = false;
+                ieee80211_sta_handle_tspec_ac_params(sdata);
+                /* finally clear all the data */
+                memset(tx_tspec, 0, sizeof(*tx_tspec));
+                return 0;
+        }
+        return -ENOENT;
+}
 const struct cfg80211_ops mac80211_config_ops = {
        .add_virtual_intf = ieee80211_add_iface,
        .del_virtual_intf = ieee80211_del_iface,
@@ -3547,11 +3708,15 @@ const struct cfg80211_ops mac80211_config_ops = {
        .change_mpath = ieee80211_change_mpath,
        .get_mpath = ieee80211_get_mpath,
        .dump_mpath = ieee80211_dump_mpath,
+        .get_mpp = ieee80211_get_mpp,
+        .dump_mpp = ieee80211_dump_mpp,
        .update_mesh_config = ieee80211_update_mesh_config,
        .get_mesh_config = ieee80211_get_mesh_config,
        .join_mesh = ieee80211_join_mesh,
        .leave_mesh = ieee80211_leave_mesh,
 #endif
+        .join_ocb = ieee80211_join_ocb,
+        .leave_ocb = ieee80211_leave_ocb,
        .change_bss = ieee80211_change_bss,
        .set_txq_params = ieee80211_set_txq_params,
        .set_monitor_channel = ieee80211_set_monitor_channel,
@@ -3587,6 +3752,8 @@ const struct cfg80211_ops mac80211_config_ops = {
        .set_rekey_data = ieee80211_set_rekey_data,
        .tdls_oper = ieee80211_tdls_oper,
        .tdls_mgmt = ieee80211_tdls_mgmt,
+        .tdls_channel_switch = ieee80211_tdls_channel_switch,
+        .tdls_cancel_channel_switch = ieee80211_tdls_cancel_channel_switch,
        .probe_client = ieee80211_probe_client,
        .set_noack_map = ieee80211_set_noack_map,
 #ifdef CONFIG_PM
@@ -3597,4 +3764,6 @@ const struct cfg80211_ops mac80211_config_ops = {
        .channel_switch = ieee80211_channel_switch,
        .set_qos_map = ieee80211_set_qos_map,
        .set_ap_chanwidth = ieee80211_set_ap_chanwidth,
+        .add_tx_ts = ieee80211_add_tx_ts,
+        .del_tx_ts = ieee80211_del_tx_ts,
 };
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 4c74e8da64b9..5d6dae9e4aac 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -270,6 +270,7 @@ ieee80211_get_chanctx_max_required_bw(struct ieee80211_local *local,
                case NL80211_IFTYPE_ADHOC:
                case NL80211_IFTYPE_WDS:
                case NL80211_IFTYPE_MESH_POINT:
+                case NL80211_IFTYPE_OCB:
                        width = vif->bss_conf.chandef.width;
                        break;
                case NL80211_IFTYPE_UNSPECIFIED:
@@ -674,6 +675,7 @@ void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
                case NL80211_IFTYPE_ADHOC:
                case NL80211_IFTYPE_WDS:
                case NL80211_IFTYPE_MESH_POINT:
+                case NL80211_IFTYPE_OCB:
                        break;
                default:
                        WARN_ON_ONCE(1);
@@ -909,6 +911,7 @@ ieee80211_vif_chanctx_reservation_complete(struct ieee80211_sub_if_data *sdata)
        case NL80211_IFTYPE_ADHOC:
        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_MESH_POINT:
+        case NL80211_IFTYPE_OCB:
                ieee80211_queue_work(&sdata->local->hw,
                                     &sdata->csa_finalize_work);
                break;
@@ -929,6 +932,21 @@ ieee80211_vif_chanctx_reservation_complete(struct ieee80211_sub_if_data *sdata)
        }
 }
+static void
+ieee80211_vif_update_chandef(struct ieee80211_sub_if_data *sdata,
+                             const struct cfg80211_chan_def *chandef)
+{
+        struct ieee80211_sub_if_data *vlan;
+        sdata->vif.bss_conf.chandef = *chandef;
+        if (sdata->vif.type != NL80211_IFTYPE_AP)
+                return;
+        list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                vlan->vif.bss_conf.chandef = *chandef;
+}
 static int
 ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
 {
@@ -991,7 +1009,7 @@ ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata)
        if (sdata->vif.bss_conf.chandef.width != sdata->reserved_chandef.width)
                changed = BSS_CHANGED_BANDWIDTH;
-        sdata->vif.bss_conf.chandef = sdata->reserved_chandef;
+        ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
        if (changed)
                ieee80211_bss_info_change_notify(sdata, changed);
@@ -1333,7 +1351,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
                            sdata->reserved_chandef.width)
                                changed = BSS_CHANGED_BANDWIDTH;
-                        sdata->vif.bss_conf.chandef = sdata->reserved_chandef;
+                        ieee80211_vif_update_chandef(sdata, &sdata->reserved_chandef);
                        if (changed)
                                ieee80211_bss_info_change_notify(sdata,
                                                                 changed);
@@ -1504,7 +1522,7 @@ int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
                goto out;
        }
-        sdata->vif.bss_conf.chandef = *chandef;
+        ieee80211_vif_update_chandef(sdata, chandef);
        ret = ieee80211_assign_vif_chanctx(sdata, ctx);
        if (ret) {
@@ -1634,7 +1652,7 @@ int ieee80211_vif_change_bandwidth(struct ieee80211_sub_if_data *sdata,
                }
                break;
        case IEEE80211_CHANCTX_WILL_BE_REPLACED:
-                /* TODO: Perhaps the bandwith change could be treated as a
+                /* TODO: Perhaps the bandwidth change could be treated as a
                 * reservation itself? */
                ret = -EBUSY;
                goto out;
@@ -1646,7 +1664,7 @@ int ieee80211_vif_change_bandwidth(struct ieee80211_sub_if_data *sdata,
                break;
        }
-        sdata->vif.bss_conf.chandef = *chandef;
+        ieee80211_vif_update_chandef(sdata, chandef);
        ieee80211_recalc_chanctx_chantype(local, ctx);
diff --git a/net/mac80211/debug.h b/net/mac80211/debug.h
index 493d68061f0c..1956b3115dd5 100644
--- a/net/mac80211/debug.h
+++ b/net/mac80211/debug.h
@@ -2,6 +2,12 @@
 #define __MAC80211_DEBUG_H
 #include <net/cfg80211.h>
+#ifdef CONFIG_MAC80211_OCB_DEBUG
+#define MAC80211_OCB_DEBUG 1
+#else
+#define MAC80211_OCB_DEBUG 0
+#endif
 #ifdef CONFIG_MAC80211_IBSS_DEBUG
 #define MAC80211_IBSS_DEBUG 1
 #else
@@ -131,6 +137,10 @@ do {									\
        _sdata_dbg(MAC80211_HT_DEBUG && net_ratelimit(),                \
                   sdata, fmt, ##__VA_ARGS__)
+#define ocb_dbg(sdata, fmt, ...)                                        \
+        _sdata_dbg(MAC80211_OCB_DEBUG,                                  \
+                   sdata, fmt, ##__VA_ARGS__)
 #define ibss_dbg(sdata, fmt, ...)                                       \
        _sdata_dbg(MAC80211_IBSS_DEBUG,                                 \
                   sdata, fmt, ##__VA_ARGS__)
diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index 1521cabad3d6..5523b94c7c90 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -300,10 +300,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
        lockdep_assert_held(&sdata->local->key_mtx);
-        if (sdata->debugfs.default_unicast_key) {
+        debugfs_remove(sdata->debugfs.default_unicast_key);
-                debugfs_remove(sdata->debugfs.default_unicast_key);
+        sdata->debugfs.default_unicast_key = NULL;
-                sdata->debugfs.default_unicast_key = NULL;
-        }
        if (sdata->default_unicast_key) {
                key = key_mtx_dereference(sdata->local,
@@ -314,10 +312,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
                                               sdata->vif.debugfs_dir, buf);
        }
-        if (sdata->debugfs.default_multicast_key) {
+        debugfs_remove(sdata->debugfs.default_multicast_key);
-                debugfs_remove(sdata->debugfs.default_multicast_key);
+        sdata->debugfs.default_multicast_key = NULL;
-                sdata->debugfs.default_multicast_key = NULL;
-        }
        if (sdata->default_multicast_key) {
                key = key_mtx_dereference(sdata->local,
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index bafe48916229..94c70091bbd7 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -74,7 +74,7 @@ static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
        test_sta_flag(sta, WLAN_STA_##flg) ? #flg "\n" : ""
        int res = scnprintf(buf, sizeof(buf),
-                            "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+                            "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
                            TEST(AUTH), TEST(ASSOC), TEST(PS_STA),
                            TEST(PS_DRIVER), TEST(AUTHORIZED),
                            TEST(SHORT_PREAMBLE),
@@ -82,10 +82,11 @@ static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
                            TEST(WDS), TEST(CLEAR_PS_FILT),
                            TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL),
                            TEST(UAPSD), TEST(SP), TEST(TDLS_PEER),
-                            TEST(TDLS_PEER_AUTH), TEST(4ADDR_EVENT),
+                            TEST(TDLS_PEER_AUTH), TEST(TDLS_INITIATOR),
-                            TEST(INSERTED), TEST(RATE_CONTROL),
+                            TEST(TDLS_CHAN_SWITCH), TEST(TDLS_OFF_CHANNEL),
-                            TEST(TOFFSET_KNOWN), TEST(MPSP_OWNER),
+                            TEST(4ADDR_EVENT), TEST(INSERTED),
-                            TEST(MPSP_RECIPIENT));
+                            TEST(RATE_CONTROL), TEST(TOFFSET_KNOWN),
+                            TEST(MPSP_OWNER), TEST(MPSP_RECIPIENT));
 #undef TEST
        return simple_read_from_buffer(userbuf, count, ppos, buf, res);
 }
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 196d48c68134..2ebc9ead9695 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -214,7 +214,8 @@ static inline void drv_bss_info_changed(struct ieee80211_local *local,
                                    BSS_CHANGED_BEACON_ENABLED) &&
                         sdata->vif.type != NL80211_IFTYPE_AP &&
                         sdata->vif.type != NL80211_IFTYPE_ADHOC &&
-                         sdata->vif.type != NL80211_IFTYPE_MESH_POINT))
+                         sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
+                         sdata->vif.type != NL80211_IFTYPE_OCB))
                return;
        if (WARN_ON_ONCE(sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE ||
@@ -379,23 +380,26 @@ static inline int drv_sched_scan_stop(struct ieee80211_local *local,
        return ret;
 }
-static inline void drv_sw_scan_start(struct ieee80211_local *local)
+static inline void drv_sw_scan_start(struct ieee80211_local *local,
+                                     struct ieee80211_sub_if_data *sdata,
+                                     const u8 *mac_addr)
 {
        might_sleep();
-        trace_drv_sw_scan_start(local);
+        trace_drv_sw_scan_start(local, sdata, mac_addr);
        if (local->ops->sw_scan_start)
-                local->ops->sw_scan_start(&local->hw);
+                local->ops->sw_scan_start(&local->hw, &sdata->vif, mac_addr);
        trace_drv_return_void(local);
 }
-static inline void drv_sw_scan_complete(struct ieee80211_local *local)
+static inline void drv_sw_scan_complete(struct ieee80211_local *local,
+                                        struct ieee80211_sub_if_data *sdata)
 {
        might_sleep();
-        trace_drv_sw_scan_complete(local);
+        trace_drv_sw_scan_complete(local, sdata);
        if (local->ops->sw_scan_complete)
-                local->ops->sw_scan_complete(&local->hw);
+                local->ops->sw_scan_complete(&local->hw, &sdata->vif);
        trace_drv_return_void(local);
 }
@@ -620,6 +624,21 @@ static inline void drv_sta_rc_update(struct ieee80211_local *local,
        trace_drv_return_void(local);
 }
+static inline void drv_sta_rate_tbl_update(struct ieee80211_local *local,
+                                           struct ieee80211_sub_if_data *sdata,
+                                           struct ieee80211_sta *sta)
+{
+        sdata = get_bss_sdata(sdata);
+        if (!check_sdata_in_driver(sdata))
+                return;
+        trace_drv_sta_rate_tbl_update(local, sdata, sta);
+        if (local->ops->sta_rate_tbl_update)
+                local->ops->sta_rate_tbl_update(&local->hw, &sdata->vif, sta);
+        trace_drv_return_void(local);
+}
 static inline int drv_conf_tx(struct ieee80211_local *local,
                              struct ieee80211_sub_if_data *sdata, u16 ac,
                              const struct ieee80211_tx_queue_params *params)
@@ -631,6 +650,12 @@ static inline int drv_conf_tx(struct ieee80211_local *local,
        if (!check_sdata_in_driver(sdata))
                return -EIO;
+        if (WARN_ONCE(params->cw_min == 0 ||
+                      params->cw_min > params->cw_max,
+                      "%s: invalid CW_min/CW_max: %d/%d\n",
+                      sdata->name, params->cw_min, params->cw_max))
+                return -EINVAL;
        trace_drv_conf_tx(local, sdata, ac, params);
        if (local->ops->conf_tx)
                ret = local->ops->conf_tx(&local->hw, &sdata->vif,
@@ -764,12 +789,13 @@ static inline void drv_flush(struct ieee80211_local *local,
 }
 static inline void drv_channel_switch(struct ieee80211_local *local,
-                                     struct ieee80211_channel_switch *ch_switch)
+                                      struct ieee80211_sub_if_data *sdata,
+                                      struct ieee80211_channel_switch *ch_switch)
 {
        might_sleep();
-        trace_drv_channel_switch(local, ch_switch);
+        trace_drv_channel_switch(local, sdata, ch_switch);
-        local->ops->channel_switch(&local->hw, ch_switch);
+        local->ops->channel_switch(&local->hw, &sdata->vif, ch_switch);
        trace_drv_return_void(local);
 }
@@ -1144,13 +1170,15 @@ static inline void drv_stop_ap(struct ieee80211_local *local,
        trace_drv_return_void(local);
 }
-static inline void drv_restart_complete(struct ieee80211_local *local)
+static inline void
+drv_reconfig_complete(struct ieee80211_local *local,
+                      enum ieee80211_reconfig_type reconfig_type)
 {
        might_sleep();
-        trace_drv_restart_complete(local);
+        trace_drv_reconfig_complete(local, reconfig_type);
-        if (local->ops->restart_complete)
+        if (local->ops->reconfig_complete)
-                local->ops->restart_complete(&local->hw);
+                local->ops->reconfig_complete(&local->hw, reconfig_type);
        trace_drv_return_void(local);
 }
@@ -1196,6 +1224,40 @@ drv_channel_switch_beacon(struct ieee80211_sub_if_data *sdata,
        }
 }
+static inline int
+drv_pre_channel_switch(struct ieee80211_sub_if_data *sdata,
+                       struct ieee80211_channel_switch *ch_switch)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret = 0;
+        if (!check_sdata_in_driver(sdata))
+                return -EIO;
+        trace_drv_pre_channel_switch(local, sdata, ch_switch);
+        if (local->ops->pre_channel_switch)
+                ret = local->ops->pre_channel_switch(&local->hw, &sdata->vif,
+                                                     ch_switch);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline int
+drv_post_channel_switch(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret = 0;
+        if (!check_sdata_in_driver(sdata))
+                return -EIO;
+        trace_drv_post_channel_switch(local, sdata);
+        if (local->ops->post_channel_switch)
+                ret = local->ops->post_channel_switch(&local->hw, &sdata->vif);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
 static inline int drv_join_ibss(struct ieee80211_local *local,
                                struct ieee80211_sub_if_data *sdata)
 {
@@ -1238,4 +1300,71 @@ static inline u32 drv_get_expected_throughput(struct ieee80211_local *local,
        return ret;
 }
+static inline int drv_get_txpower(struct ieee80211_local *local,
+                                  struct ieee80211_sub_if_data *sdata, int *dbm)
+{
+        int ret;
+        if (!local->ops->get_txpower)
+                return -EOPNOTSUPP;
+        ret = local->ops->get_txpower(&local->hw, &sdata->vif, dbm);
+        trace_drv_get_txpower(local, sdata, *dbm, ret);
+        return ret;
+}
+static inline int
+drv_tdls_channel_switch(struct ieee80211_local *local,
+                        struct ieee80211_sub_if_data *sdata,
+                        struct ieee80211_sta *sta, u8 oper_class,
+                        struct cfg80211_chan_def *chandef,
+                        struct sk_buff *tmpl_skb, u32 ch_sw_tm_ie)
+{
+        int ret;
+        might_sleep();
+        if (!check_sdata_in_driver(sdata))
+                return -EIO;
+        if (!local->ops->tdls_channel_switch)
+                return -EOPNOTSUPP;
+        trace_drv_tdls_channel_switch(local, sdata, sta, oper_class, chandef);
+        ret = local->ops->tdls_channel_switch(&local->hw, &sdata->vif, sta,
+                                              oper_class, chandef, tmpl_skb,
+                                              ch_sw_tm_ie);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline void
+drv_tdls_cancel_channel_switch(struct ieee80211_local *local,
+                               struct ieee80211_sub_if_data *sdata,
+                               struct ieee80211_sta *sta)
+{
+        might_sleep();
+        if (!check_sdata_in_driver(sdata))
+                return;
+        if (!local->ops->tdls_cancel_channel_switch)
+                return;
+        trace_drv_tdls_cancel_channel_switch(local, sdata, sta);
+        local->ops->tdls_cancel_channel_switch(&local->hw, &sdata->vif, sta);
+        trace_drv_return_void(local);
+}
+static inline void
+drv_tdls_recv_channel_switch(struct ieee80211_local *local,
+                             struct ieee80211_sub_if_data *sdata,
+                             struct ieee80211_tdls_ch_sw_params *params)
+{
+        trace_drv_tdls_recv_channel_switch(local, sdata, params);
+        if (local->ops->tdls_recv_channel_switch)
+                local->ops->tdls_recv_channel_switch(&local->hw, &sdata->vif,
+                                                     params);
+        trace_drv_return_void(local);
+}
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 56b53571c807..509bc157ce55 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -805,7 +805,7 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,
        memset(&params, 0, sizeof(params));
        memset(&csa_ie, 0, sizeof(csa_ie));
-        err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon,
+        err = ieee80211_parse_ch_switch_ie(sdata, elems,
                                           ifibss->chandef.chan->band,
                                           sta_flags, ifibss->bssid, &csa_ie);
        /* can't switch to destination channel, fail */
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index c2aaec4dfcf0..cc6e964d9837 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -131,7 +131,7 @@ enum ieee80211_bss_corrupt_data_flags {
 *
 * These are bss flags that are attached to a bss in the
 * @valid_data field of &struct ieee80211_bss.  They show which parts
- * of the data structure were recieved as a result of an un-corrupted
+ * of the data structure were received as a result of an un-corrupted
 * beacon/probe response.
 */
 enum ieee80211_bss_valid_data_flags {
@@ -399,6 +399,24 @@ struct ieee80211_mgd_assoc_data {
        u8 ie[];
 };
+struct ieee80211_sta_tx_tspec {
+        /* timestamp of the first packet in the time slice */
+        unsigned long time_slice_start;
+        u32 admitted_time; /* in usecs, unlike over the air */
+        u8 tsid;
+        s8 up; /* signed to be able to invalidate with -1 during teardown */
+        /* consumed TX time in microseconds in the time slice */
+        u32 consumed_tx_time;
+        enum {
+                TX_TSPEC_ACTION_NONE = 0,
+                TX_TSPEC_ACTION_DOWNGRADE,
+                TX_TSPEC_ACTION_STOP_DOWNGRADE,
+        } action;
+        bool downgraded;
+};
 struct ieee80211_if_managed {
        struct timer_list timer;
        struct timer_list conn_mon_timer;
@@ -434,6 +452,8 @@ struct ieee80211_if_managed {
        unsigned int flags;
+        bool csa_waiting_bcn;
        bool beacon_crc_valid;
        u32 beacon_crc;
@@ -505,8 +525,23 @@ struct ieee80211_if_managed {
        struct ieee80211_vht_cap vht_capa; /* configured VHT overrides */
        struct ieee80211_vht_cap vht_capa_mask; /* Valid parts of vht_capa */
+        /* TDLS support */
        u8 tdls_peer[ETH_ALEN] __aligned(2);
        struct delayed_work tdls_peer_del_work;
+        struct sk_buff *orig_teardown_skb; /* The original teardown skb */
+        struct sk_buff *teardown_skb; /* A copy to send through the AP */
+        spinlock_t teardown_lock; /* To lock changing teardown_skb */
+        bool tdls_chan_switch_prohibited;
+        /* WMM-AC TSPEC support */
+        struct ieee80211_sta_tx_tspec tx_tspec[IEEE80211_NUM_ACS];
+        /* Use a separate work struct so that we can do something here
+         * while the sdata->work is flushing the queues, for example.
+         * otherwise, in scenarios where we hardly get any traffic out
+         * on the BE queue, but there's a lot of VO traffic, we might
+         * get stuck in a downgraded situation and flush takes forever.
+         */
+        struct delayed_work tx_tspec_wk;
 };
 struct ieee80211_if_ibss {
@@ -547,6 +582,25 @@ struct ieee80211_if_ibss {
 };
 /**
+ * struct ieee80211_if_ocb - OCB mode state
+ *
+ * @housekeeping_timer: timer for periodic invocation of a housekeeping task
+ * @wrkq_flags: OCB deferred task action
+ * @incomplete_lock: delayed STA insertion lock
+ * @incomplete_stations: list of STAs waiting for delayed insertion
+ * @joined: indication if the interface is connected to an OCB network
+ */
+struct ieee80211_if_ocb {
+        struct timer_list housekeeping_timer;
+        unsigned long wrkq_flags;
+        spinlock_t incomplete_lock;
+        struct list_head incomplete_stations;
+        bool joined;
+};
+/**
 * struct ieee80211_mesh_sync_ops - Extensible synchronization framework interface
 *
 * these declarations define the interface, which enables
@@ -839,6 +893,7 @@ struct ieee80211_sub_if_data {
                struct ieee80211_if_managed mgd;
                struct ieee80211_if_ibss ibss;
                struct ieee80211_if_mesh mesh;
+                struct ieee80211_if_ocb ocb;
                u32 mntr_flags;
        } u;
@@ -938,6 +993,7 @@ enum sdata_queue_type {
        IEEE80211_SDATA_QUEUE_AGG_STOP          = 2,
        IEEE80211_SDATA_QUEUE_RX_AGG_START      = 3,
        IEEE80211_SDATA_QUEUE_RX_AGG_STOP       = 4,
+        IEEE80211_SDATA_QUEUE_TDLS_CHSW         = 5,
 };
 enum {
@@ -955,6 +1011,7 @@ enum queue_stop_reason {
        IEEE80211_QUEUE_STOP_REASON_OFFCHANNEL,
        IEEE80211_QUEUE_STOP_REASON_FLUSH,
        IEEE80211_QUEUE_STOP_REASON_TDLS_TEARDOWN,
+        IEEE80211_QUEUE_STOP_REASON_RESERVE_TID,
        IEEE80211_QUEUE_STOP_REASONS,
 };
@@ -1181,7 +1238,7 @@ struct ieee80211_local {
        unsigned long scanning;
        struct cfg80211_ssid scan_ssid;
        struct cfg80211_scan_request *int_scan_req;
-        struct cfg80211_scan_request *scan_req;
+        struct cfg80211_scan_request __rcu *scan_req;
        struct ieee80211_scan_request *hw_scan_req;
        struct cfg80211_chan_def scan_chandef;
        enum ieee80211_band hw_scan_band;
@@ -1191,7 +1248,8 @@ struct ieee80211_local {
        struct work_struct sched_scan_stopped_work;
        struct ieee80211_sub_if_data __rcu *sched_scan_sdata;
-        struct cfg80211_sched_scan_request *sched_scan_req;
+        struct cfg80211_sched_scan_request __rcu *sched_scan_req;
+        u8 scan_addr[ETH_ALEN];
        unsigned long leave_oper_channel_time;
        enum mac80211_scan_state next_scan_state;
@@ -1307,6 +1365,9 @@ struct ieee80211_local {
        /* virtual monitor interface */
        struct ieee80211_sub_if_data __rcu *monitor_sdata;
        struct cfg80211_chan_def monitor_chandef;
+        /* extended capabilities provided by mac80211 */
+        u8 ext_capa[8];
 };
 static inline struct ieee80211_sub_if_data *
@@ -1342,6 +1403,9 @@ struct ieee802_11_elems {
        size_t total_len;
        /* pointers to IEs */
+        const struct ieee80211_tdls_lnkie *lnk_id;
+        const struct ieee80211_ch_switch_timing *ch_sw_timing;
+        const u8 *ext_capab;
        const u8 *ssid;
        const u8 *supp_rates;
        const u8 *ds_params;
@@ -1376,6 +1440,7 @@ struct ieee802_11_elems {
        const struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
        /* length of them, respectively */
+        u8 ext_capab_len;
        u8 ssid_len;
        u8 supp_rates_len;
        u8 tim_len;
@@ -1454,6 +1519,7 @@ void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
                                  __le16 fc, bool acked);
 void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata);
 void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata);
+void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata);
 /* IBSS code */
 void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local);
@@ -1471,6 +1537,15 @@ int ieee80211_ibss_csa_beacon(struct ieee80211_sub_if_data *sdata,
 int ieee80211_ibss_finish_csa(struct ieee80211_sub_if_data *sdata);
 void ieee80211_ibss_stop(struct ieee80211_sub_if_data *sdata);
+/* OCB code */
+void ieee80211_ocb_work(struct ieee80211_sub_if_data *sdata);
+void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata,
+                             const u8 *bssid, const u8 *addr, u32 supp_rates);
+void ieee80211_ocb_setup_sdata(struct ieee80211_sub_if_data *sdata);
+int ieee80211_ocb_join(struct ieee80211_sub_if_data *sdata,
+                       struct ocb_setup *setup);
+int ieee80211_ocb_leave(struct ieee80211_sub_if_data *sdata);
 /* mesh code */
 void ieee80211_mesh_work(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
@@ -1562,8 +1637,14 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                                         struct net_device *dev);
 netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                       struct net_device *dev);
+void __ieee80211_subif_start_xmit(struct sk_buff *skb,
+                                  struct net_device *dev,
+                                  u32 info_flags);
 void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
                              struct sk_buff_head *skbs);
+struct sk_buff *
+ieee80211_build_data_template(struct ieee80211_sub_if_data *sdata,
+                              struct sk_buff *skb, u32 info_flags);
 /* HT */
 void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
@@ -1642,7 +1723,6 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
 * ieee80211_parse_ch_switch_ie - parses channel switch IEs
 * @sdata: the sdata of the interface which has received the frame
 * @elems: parsed 802.11 elements received with the frame
- * @beacon: indicates if the frame was a beacon or probe response
 * @current_band: indicates the current band
 * @sta_flags: contains information about own capabilities and restrictions
 *      to decide which channel switch announcements can be accepted. Only the
@@ -1656,7 +1736,7 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
 * Return: 0 on success, <0 on error and >0 if there is nothing to parse.
 */
 int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
-                                 struct ieee802_11_elems *elems, bool beacon,
+                                 struct ieee802_11_elems *elems,
                                 enum ieee80211_band current_band,
                                 u32 sta_flags, u8 *bssid,
                                 struct ieee80211_csa_ie *csa_ie);
@@ -1691,8 +1771,7 @@ void mac80211_ev_michael_mic_failure(struct ieee80211_sub_if_data *sdata, int ke
                                     gfp_t gfp);
 void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
                               bool bss_notify);
-void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb,
+void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb);
-                    enum ieee80211_band band);
 void __ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
                                 struct sk_buff *skb, int tid,
@@ -1758,6 +1837,13 @@ static inline bool ieee80211_rx_reorder_ready(struct sk_buff_head *frames)
        return true;
 }
+extern const int ieee802_1d_to_ac[8];
+static inline int ieee80211_ac_from_tid(int tid)
+{
+        return ieee802_1d_to_ac[tid & 7];
+}
 void ieee80211_dynamic_ps_enable_work(struct work_struct *work);
 void ieee80211_dynamic_ps_disable_work(struct work_struct *work);
 void ieee80211_dynamic_ps_timer(unsigned long data);
@@ -1767,7 +1853,7 @@ void ieee80211_send_nullfunc(struct ieee80211_local *local,
 void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
                             struct ieee80211_hdr *hdr);
 void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
-                             struct ieee80211_hdr *hdr, bool ack);
+                             struct ieee80211_hdr *hdr, bool ack, u16 tx_time);
 void ieee80211_wake_queues_by_reason(struct ieee80211_hw *hw,
                                     unsigned long queues,
@@ -1796,6 +1882,9 @@ void ieee80211_add_pending_skbs(struct ieee80211_local *local,
                                struct sk_buff_head *skbs);
 void ieee80211_flush_queues(struct ieee80211_local *local,
                            struct ieee80211_sub_if_data *sdata);
+void __ieee80211_flush_queues(struct ieee80211_local *local,
+                              struct ieee80211_sub_if_data *sdata,
+                              unsigned int queues);
 void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
                         u16 transaction, u16 auth_alg, u16 status,
@@ -1812,12 +1901,14 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
                             u8 bands_used, u32 *rate_masks,
                             struct cfg80211_chan_def *chandef);
 struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
-                                          u8 *dst, u32 ratemask,
+                                          const u8 *src, const u8 *dst,
+                                          u32 ratemask,
                                          struct ieee80211_channel *chan,
                                          const u8 *ssid, size_t ssid_len,
                                          const u8 *ie, size_t ie_len,
                                          bool directed);
-void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
+void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata,
+                              const u8 *src, const u8 *dst,
                              const u8 *ssid, size_t ssid_len,
                              const u8 *ie, size_t ie_len,
                              u32 ratemask, bool directed, u32 tx_flags,
@@ -1833,8 +1924,10 @@ int __ieee80211_request_smps_ap(struct ieee80211_sub_if_data *sdata,
 void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata);
 void ieee80211_recalc_min_chandef(struct ieee80211_sub_if_data *sdata);
-size_t ieee80211_ie_split(const u8 *ies, size_t ielen,
+size_t ieee80211_ie_split_ric(const u8 *ies, size_t ielen,
-                          const u8 *ids, int n_ids, size_t offset);
+                              const u8 *ids, int n_ids,
+                              const u8 *after_ric, int n_after_ric,
+                              size_t offset);
 size_t ieee80211_ie_split_vendor(const u8 *ies, size_t ielen, size_t offset);
 u8 *ieee80211_ie_build_ht_cap(u8 *pos, struct ieee80211_sta_ht_cap *ht_cap,
                              u16 cap);
@@ -1921,6 +2014,14 @@ int ieee80211_tdls_mgmt(struct wiphy *wiphy, struct net_device *dev,
 int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
                        const u8 *peer, enum nl80211_tdls_operation oper);
 void ieee80211_tdls_peer_del_work(struct work_struct *wk);
+int ieee80211_tdls_channel_switch(struct wiphy *wiphy, struct net_device *dev,
+                                  const u8 *addr, u8 oper_class,
+                                  struct cfg80211_chan_def *chandef);
+void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
+                                          struct net_device *dev,
+                                          const u8 *addr);
+void ieee80211_process_tdls_channel_switch(struct ieee80211_sub_if_data *sdata,
+                                           struct sk_buff *skb);
 extern const struct ethtool_ops ieee80211_ethtool_ops;
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index af237223a8cd..417355390873 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -259,6 +259,15 @@ static int ieee80211_check_concurrent_iface(struct ieee80211_sub_if_data *sdata,
        list_for_each_entry(nsdata, &local->interfaces, list) {
                if (nsdata != sdata && ieee80211_sdata_running(nsdata)) {
                        /*
+                         * Only OCB and monitor mode may coexist
+                         */
+                        if ((sdata->vif.type == NL80211_IFTYPE_OCB &&
+                             nsdata->vif.type != NL80211_IFTYPE_MONITOR) ||
+                            (sdata->vif.type != NL80211_IFTYPE_MONITOR &&
+                             nsdata->vif.type == NL80211_IFTYPE_OCB))
+                                return -EBUSY;
+                        /*
                         * Allow only a single IBSS interface to be up at any
                         * time. This is restricted because beacon distribution
                         * cannot work properly if both are in the same IBSS.
@@ -511,6 +520,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
                sdata->vif.cab_queue = master->vif.cab_queue;
                memcpy(sdata->vif.hw_queue, master->vif.hw_queue,
                       sizeof(sdata->vif.hw_queue));
+                sdata->vif.bss_conf.chandef = master->vif.bss_conf.chandef;
                break;
                }
        case NL80211_IFTYPE_AP:
@@ -521,6 +531,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
        case NL80211_IFTYPE_MONITOR:
        case NL80211_IFTYPE_ADHOC:
        case NL80211_IFTYPE_P2P_DEVICE:
+        case NL80211_IFTYPE_OCB:
                /* no special treatment */
                break;
        case NL80211_IFTYPE_UNSPECIFIED:
@@ -631,6 +642,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
                case NL80211_IFTYPE_ADHOC:
                case NL80211_IFTYPE_AP:
                case NL80211_IFTYPE_MESH_POINT:
+                case NL80211_IFTYPE_OCB:
                        netif_carrier_off(dev);
                        break;
                case NL80211_IFTYPE_WDS:
@@ -766,10 +778,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        int i, flushed;
        struct ps_data *ps;
        struct cfg80211_chan_def chandef;
+        bool cancel_scan;
        clear_bit(SDATA_STATE_RUNNING, &sdata->state);
-        if (rcu_access_pointer(local->scan_sdata) == sdata)
+        cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
+        if (cancel_scan)
                ieee80211_scan_cancel(local);
        /*
@@ -842,6 +856,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        sdata_lock(sdata);
        mutex_lock(&local->mtx);
        sdata->vif.csa_active = false;
+        if (sdata->vif.type == NL80211_IFTYPE_STATION)
+                sdata->u.mgd.csa_waiting_bcn = false;
        if (sdata->csa_block_tx) {
                ieee80211_wake_vif_queues(local, sdata,
                                          IEEE80211_QUEUE_STOP_REASON_CSA);
@@ -898,6 +914,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                list_del(&sdata->u.vlan.list);
                mutex_unlock(&local->mtx);
                RCU_INIT_POINTER(sdata->vif.chanctx_conf, NULL);
+                /* see comment in the default case below */
+                ieee80211_free_keys(sdata, true);
                /* no need to tell driver */
                break;
        case NL80211_IFTYPE_MONITOR:
@@ -923,17 +941,16 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                /*
                 * When we get here, the interface is marked down.
                 * Free the remaining keys, if there are any
-                 * (shouldn't be, except maybe in WDS mode?)
+                 * (which can happen in AP mode if userspace sets
+                 * keys before the interface is operating, and maybe
+                 * also in WDS mode)
                 *
                 * Force the key freeing to always synchronize_net()
                 * to wait for the RX path in case it is using this
-                 * interface enqueuing frames * at this very time on
+                 * interface enqueuing frames at this very time on
                 * another CPU.
                 */
                ieee80211_free_keys(sdata, true);
-                /* fall through */
-        case NL80211_IFTYPE_AP:
                skb_queue_purge(&sdata->skb_queue);
        }
@@ -991,6 +1008,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        ieee80211_recalc_ps(local, -1);
+        if (cancel_scan)
+                flush_delayed_work(&local->scan_work);
        if (local->open_count == 0) {
                ieee80211_stop_device(local);
@@ -1189,6 +1209,8 @@ static void ieee80211_iface_work(struct work_struct *work)
                                                        WLAN_BACK_RECIPIENT, 0,
                                                        false);
                        mutex_unlock(&local->sta_mtx);
+                } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_TDLS_CHSW) {
+                        ieee80211_process_tdls_channel_switch(sdata, skb);
                } else if (ieee80211_is_action(mgmt->frame_control) &&
                           mgmt->u.action.category == WLAN_CATEGORY_BACK) {
                        int len = skb->len;
@@ -1279,6 +1301,9 @@ static void ieee80211_iface_work(struct work_struct *work)
                        break;
                ieee80211_mesh_work(sdata);
                break;
+        case NL80211_IFTYPE_OCB:
+                ieee80211_ocb_work(sdata);
+                break;
        default:
                break;
        }
@@ -1298,6 +1323,9 @@ static void ieee80211_recalc_smps_work(struct work_struct *work)
 static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
                                  enum nl80211_iftype type)
 {
+        static const u8 bssid_wildcard[ETH_ALEN] = {0xff, 0xff, 0xff,
+                                                    0xff, 0xff, 0xff};
        /* clear type-dependent union */
        memset(&sdata->u, 0, sizeof(sdata->u));
@@ -1349,6 +1377,10 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
                sdata->vif.bss_conf.bssid = sdata->u.mgd.bssid;
                ieee80211_sta_setup_sdata(sdata);
                break;
+        case NL80211_IFTYPE_OCB:
+                sdata->vif.bss_conf.bssid = bssid_wildcard;
+                ieee80211_ocb_setup_sdata(sdata);
+                break;
        case NL80211_IFTYPE_ADHOC:
                sdata->vif.bss_conf.bssid = sdata->u.ibss.bssid;
                ieee80211_ibss_setup_sdata(sdata);
@@ -1396,6 +1428,7 @@ static int ieee80211_runtime_change_iftype(struct ieee80211_sub_if_data *sdata,
        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_STATION:
        case NL80211_IFTYPE_ADHOC:
+        case NL80211_IFTYPE_OCB:
                /*
                 * Could maybe also all others here?
                 * Just not sure how that interacts
@@ -1411,6 +1444,7 @@ static int ieee80211_runtime_change_iftype(struct ieee80211_sub_if_data *sdata,
        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_STATION:
        case NL80211_IFTYPE_ADHOC:
+        case NL80211_IFTYPE_OCB:
                /*
                 * Could probably support everything
                 * but WDS here (WDS do_open can fail
@@ -1669,7 +1703,10 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
                }
                ieee80211_assign_perm_addr(local, ndev->perm_addr, type);
-                memcpy(ndev->dev_addr, ndev->perm_addr, ETH_ALEN);
+                if (params && is_valid_ether_addr(params->macaddr))
+                        memcpy(ndev->dev_addr, params->macaddr, ETH_ALEN);
+                else
+                        memcpy(ndev->dev_addr, ndev->perm_addr, ETH_ALEN);
                SET_NETDEV_DEV(ndev, wiphy_dev(local->hw.wiphy));
                /* don't use IEEE80211_DEV_TO_SUB_IF -- it checks too much */
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 4712150dc210..434a91ad12c8 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -94,8 +94,17 @@ static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
        might_sleep();
-        if (key->flags & KEY_FLAG_TAINTED)
+        if (key->flags & KEY_FLAG_TAINTED) {
+                /* If we get here, it's during resume and the key is
+                 * tainted so shouldn't be used/programmed any more.
+                 * However, its flags may still indicate that it was
+                 * programmed into the device (since we're in resume)
+                 * so clear that flag now to avoid trying to remove
+                 * it again later.
+                 */
+                key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE;
                return -EINVAL;
+        }
        if (!key->local->ops->set_key)
                goto out_unsupported;
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 0de7c93bf62b..6ab99da38db9 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -478,13 +478,9 @@ static const struct ieee80211_vht_cap mac80211_vht_capa_mod_mask = {
        },
 };
-static const u8 extended_capabilities[] = {
+struct ieee80211_hw *ieee80211_alloc_hw_nm(size_t priv_data_len,
-        0, 0, 0, 0, 0, 0, 0,
+                                           const struct ieee80211_ops *ops,
-        WLAN_EXT_CAPA8_OPMODE_NOTIF,
+                                           const char *requested_name)
-};
-struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
-                                        const struct ieee80211_ops *ops)
 {
        struct ieee80211_local *local;
        int priv_size, i;
@@ -524,7 +520,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         */
        priv_size = ALIGN(sizeof(*local), NETDEV_ALIGN) + priv_data_len;
-        wiphy = wiphy_new(&mac80211_config_ops, priv_size);
+        wiphy = wiphy_new_nm(&mac80211_config_ops, priv_size, requested_name);
        if (!wiphy)
                return NULL;
@@ -539,10 +535,6 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
                        WIPHY_FLAG_REPORTS_OBSS |
                        WIPHY_FLAG_OFFCHAN_TX;
-        wiphy->extended_capabilities = extended_capabilities;
-        wiphy->extended_capabilities_mask = extended_capabilities;
-        wiphy->extended_capabilities_len = ARRAY_SIZE(extended_capabilities);
        if (ops->remain_on_channel)
                wiphy->flags |= WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
@@ -550,6 +542,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
                           NL80211_FEATURE_SAE |
                           NL80211_FEATURE_HT_IBSS |
                           NL80211_FEATURE_VIF_TXPOWER |
+                           NL80211_FEATURE_MAC_ON_CREATE |
                           NL80211_FEATURE_USERSPACE_MPM;
        if (!ops->hw_scan)
@@ -591,6 +584,13 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        wiphy->ht_capa_mod_mask = &mac80211_ht_capa_mod_mask;
        wiphy->vht_capa_mod_mask = &mac80211_vht_capa_mod_mask;
+        local->ext_capa[7] = WLAN_EXT_CAPA8_OPMODE_NOTIF;
+        wiphy->extended_capabilities = local->ext_capa;
+        wiphy->extended_capabilities_mask = local->ext_capa;
+        wiphy->extended_capabilities_len =
+                ARRAY_SIZE(local->ext_capa);
        INIT_LIST_HEAD(&local->interfaces);
        __hw_addr_init(&local->mc_list);
@@ -651,7 +651,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        return &local->hw;
 }
-EXPORT_SYMBOL(ieee80211_alloc_hw);
+EXPORT_SYMBOL(ieee80211_alloc_hw_nm);
 static int ieee80211_init_cipher_suites(struct ieee80211_local *local)
 {
@@ -764,6 +764,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
             local->hw.offchannel_tx_hw_queue >= local->hw.queues))
                return -EINVAL;
+        if ((hw->wiphy->features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH) &&
+            (!local->ops->tdls_channel_switch ||
+             !local->ops->tdls_cancel_channel_switch ||
+             !local->ops->tdls_recv_channel_switch))
+                return -EOPNOTSUPP;
 #ifdef CONFIG_PM
        if (hw->wiphy->wowlan && (!local->ops->suspend || !local->ops->resume))
                return -EINVAL;
@@ -787,13 +793,14 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_WDS))
                        return -EINVAL;
-                /* DFS currently not supported with channel context drivers */
+                /* DFS is not supported with multi-channel combinations yet */
                for (i = 0; i < local->hw.wiphy->n_iface_combinations; i++) {
                        const struct ieee80211_iface_combination *comb;
                        comb = &local->hw.wiphy->iface_combinations[i];
-                        if (comb->radar_detect_widths)
+                        if (comb->radar_detect_widths &&
+                            comb->num_different_channels > 1)
                                return -EINVAL;
                }
        }
@@ -958,6 +965,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        if (local->hw.wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS)
                local->hw.wiphy->flags |= WIPHY_FLAG_TDLS_EXTERNAL_SETUP;
+        /* mac80211 supports eCSA, if the driver supports STA CSA at all */
+        if (local->hw.flags & IEEE80211_HW_CHANCTX_STA_CSA)
+                local->ext_capa[0] |= WLAN_EXT_CAPA1_EXT_CHANNEL_SWITCHING;
        local->hw.wiphy->max_num_csa_counters = IEEE80211_MAX_CSA_COUNTERS_NUM;
        result = wiphy_register(local->hw.wiphy);
@@ -1019,7 +1030,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        }
        /* add one default STA interface if supported */
-        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION)) {
+        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION) &&
+            !(hw->flags & IEEE80211_HW_NO_AUTO_VIF)) {
                result = ieee80211_if_add(local, "wlan%d", NULL,
                                          NL80211_IFTYPE_STATION, NULL);
                if (result)
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index e9f99c1e3fad..0c8b2a77d312 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -874,7 +874,7 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
        memset(&params, 0, sizeof(params));
        memset(&csa_ie, 0, sizeof(csa_ie));
-        err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, band,
+        err = ieee80211_parse_ch_switch_ie(sdata, elems, band,
                                           sta_flags, sdata->vif.addr,
                                           &csa_ie);
        if (err < 0)
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index f39a19f9090f..50c8473cf9dc 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -270,6 +270,8 @@ int mpp_path_add(struct ieee80211_sub_if_data *sdata,
                 const u8 *dst, const u8 *mpp);
 struct mesh_path *
 mesh_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx);
+struct mesh_path *
+mpp_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx);
 void mesh_path_fix_nexthop(struct mesh_path *mpath, struct sta_info *next_hop);
 void mesh_path_expire(struct ieee80211_sub_if_data *sdata);
 void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
@@ -317,6 +319,7 @@ void mesh_path_tx_root_frame(struct ieee80211_sub_if_data *sdata);
 bool mesh_action_is_path_sel(struct ieee80211_mgmt *mgmt);
 extern int mesh_paths_generation;
+extern int mpp_paths_generation;
 #ifdef CONFIG_MAC80211_MESH
 static inline
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index a6699dceae7c..b890e225a8f1 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -44,6 +44,7 @@ static struct mesh_table __rcu *mesh_paths;
 static struct mesh_table __rcu *mpp_paths; /* Store paths for MPP&MAP */
 int mesh_paths_generation;
+int mpp_paths_generation;
 /* This lock will have the grow table function as writer and add / delete nodes
 * as readers. RCU provides sufficient protection only when reading the table
@@ -410,6 +411,33 @@ mesh_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx)
 }
 /**
+ * mpp_path_lookup_by_idx - look up a path in the proxy path table by its index
+ * @idx: index
+ * @sdata: local subif, or NULL for all entries
+ *
+ * Returns: pointer to the proxy path structure, or NULL if not found.
+ *
+ * Locking: must be called within a read rcu section.
+ */
+struct mesh_path *
+mpp_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx)
+{
+        struct mesh_table *tbl = rcu_dereference(mpp_paths);
+        struct mpath_node *node;
+        int i;
+        int j = 0;
+        for_each_mesh_entry(tbl, node, i) {
+                if (sdata && node->mpath->sdata != sdata)
+                        continue;
+                if (j++ == idx)
+                        return node->mpath;
+        }
+        return NULL;
+}
+/**
 * mesh_path_add_gate - add the given mpath to a mesh gate to our path table
 * @mpath: gate path to add to table
 */
@@ -691,6 +719,9 @@ int mpp_path_add(struct ieee80211_sub_if_data *sdata,
        spin_unlock(&tbl->hashwlock[hash_idx]);
        read_unlock_bh(&pathtbl_resize_lock);
+        mpp_paths_generation++;
        if (grow) {
                set_bit(MESH_WORK_GROW_MPP_TABLE,  &ifmsh->wrkq_flags);
                ieee80211_queue_work(&local->hw, &sdata->work);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 2de88704278b..75a9bf50207e 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -552,13 +552,17 @@ static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
        cap = vht_cap.cap;
        if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_80P80MHZ) {
-                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ;
+                u32 bw = cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
-                cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
+                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
+                if (bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ ||
+                    bw == IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
+                        cap |= IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
        }
        if (sdata->u.mgd.flags & IEEE80211_STA_DISABLE_160MHZ) {
                cap &= ~IEEE80211_VHT_CAP_SHORT_GI_160;
-                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ;
+                cap &= ~IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
        }
        /*
@@ -775,11 +779,30 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
                        WLAN_EID_QOS_CAPA,
                        WLAN_EID_RRM_ENABLED_CAPABILITIES,
                        WLAN_EID_MOBILITY_DOMAIN,
+                        WLAN_EID_FAST_BSS_TRANSITION,   /* reassoc only */
+                        WLAN_EID_RIC_DATA,              /* reassoc only */
                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
                };
-                noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
+                static const u8 after_ric[] = {
-                                             before_ht, ARRAY_SIZE(before_ht),
+                        WLAN_EID_SUPPORTED_REGULATORY_CLASSES,
-                                             offset);
+                        WLAN_EID_HT_CAPABILITY,
+                        WLAN_EID_BSS_COEX_2040,
+                        WLAN_EID_EXT_CAPABILITY,
+                        WLAN_EID_QOS_TRAFFIC_CAPA,
+                        WLAN_EID_TIM_BCAST_REQ,
+                        WLAN_EID_INTERWORKING,
+                        /* 60GHz doesn't happen right now */
+                        WLAN_EID_VHT_CAPABILITY,
+                        WLAN_EID_OPMODE_NOTIF,
+                };
+                noffset = ieee80211_ie_split_ric(assoc_data->ie,
+                                                 assoc_data->ie_len,
+                                                 before_ht,
+                                                 ARRAY_SIZE(before_ht),
+                                                 after_ric,
+                                                 ARRAY_SIZE(after_ric),
+                                                 offset);
                pos = skb_put(skb, noffset - offset);
                memcpy(pos, assoc_data->ie + offset, noffset - offset);
                offset = noffset;
@@ -813,6 +836,8 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
                        WLAN_EID_TIM_BCAST_REQ,
                        WLAN_EID_INTERWORKING,
                };
+                /* RIC already taken above, so no need to handle here anymore */
                noffset = ieee80211_ie_split(assoc_data->ie, assoc_data->ie_len,
                                             before_vht, ARRAY_SIZE(before_vht),
                                             offset);
@@ -1001,14 +1026,7 @@ static void ieee80211_chswitch_work(struct work_struct *work)
        /* XXX: shouldn't really modify cfg80211-owned data! */
        ifmgd->associated->channel = sdata->csa_chandef.chan;
-        sdata->vif.csa_active = false;
+        ifmgd->csa_waiting_bcn = true;
-        /* XXX: wait for a beacon first? */
-        if (sdata->csa_block_tx) {
-                ieee80211_wake_vif_queues(local, sdata,
-                                          IEEE80211_QUEUE_STOP_REASON_CSA);
-                sdata->csa_block_tx = false;
-        }
        ieee80211_sta_reset_beacon_monitor(sdata);
        ieee80211_sta_reset_conn_monitor(sdata);
@@ -1019,6 +1037,37 @@ out:
        sdata_unlock(sdata);
 }
+static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        int ret;
+        sdata_assert_lock(sdata);
+        WARN_ON(!sdata->vif.csa_active);
+        if (sdata->csa_block_tx) {
+                ieee80211_wake_vif_queues(local, sdata,
+                                          IEEE80211_QUEUE_STOP_REASON_CSA);
+                sdata->csa_block_tx = false;
+        }
+        cfg80211_ch_switch_notify(sdata->dev, &sdata->reserved_chandef);
+        sdata->vif.csa_active = false;
+        ifmgd->csa_waiting_bcn = false;
+        ret = drv_post_channel_switch(sdata);
+        if (ret) {
+                sdata_info(sdata,
+                           "driver post channel switch failed, disconnecting\n");
+                ieee80211_queue_work(&local->hw,
+                                     &ifmgd->csa_connection_drop_work);
+                return;
+        }
+}
 void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)
 {
        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
@@ -1046,7 +1095,8 @@ static void ieee80211_chswitch_timer(unsigned long data)
 static void
 ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
-                                 u64 timestamp, struct ieee802_11_elems *elems,
+                                 u64 timestamp, u32 device_timestamp,
+                                 struct ieee802_11_elems *elems,
                                 bool beacon)
 {
        struct ieee80211_local *local = sdata->local;
@@ -1056,6 +1106,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
        struct ieee80211_chanctx *chanctx;
        enum ieee80211_band current_band;
        struct ieee80211_csa_ie csa_ie;
+        struct ieee80211_channel_switch ch_switch;
        int res;
        sdata_assert_lock(sdata);
@@ -1072,7 +1123,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
        current_band = cbss->channel->band;
        memset(&csa_ie, 0, sizeof(csa_ie));
-        res = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, current_band,
+        res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
                                           ifmgd->flags,
                                           ifmgd->associated->bssid, &csa_ie);
        if (res < 0)
@@ -1110,21 +1161,31 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
        chanctx = container_of(conf, struct ieee80211_chanctx, conf);
-        if (local->use_chanctx) {
+        if (local->use_chanctx &&
-                u32 num_chanctx = 0;
+            !(local->hw.flags & IEEE80211_HW_CHANCTX_STA_CSA)) {
-                list_for_each_entry(chanctx, &local->chanctx_list, list)
+                sdata_info(sdata,
-                       num_chanctx++;
+                           "driver doesn't support chan-switch with channel contexts\n");
+                ieee80211_queue_work(&local->hw,
+                                     &ifmgd->csa_connection_drop_work);
+                mutex_unlock(&local->chanctx_mtx);
+                mutex_unlock(&local->mtx);
+                return;
+        }
+        ch_switch.timestamp = timestamp;
+        ch_switch.device_timestamp = device_timestamp;
+        ch_switch.block_tx = csa_ie.mode;
+        ch_switch.chandef = csa_ie.chandef;
+        ch_switch.count = csa_ie.count;
-                if (num_chanctx > 1 ||
+        if (drv_pre_channel_switch(sdata, &ch_switch)) {
-                    !(local->hw.flags & IEEE80211_HW_CHANCTX_STA_CSA)) {
+                sdata_info(sdata,
-                        sdata_info(sdata,
+                           "preparing for channel switch failed, disconnecting\n");
-                                   "not handling chan-switch with channel contexts\n");
+                ieee80211_queue_work(&local->hw,
-                        ieee80211_queue_work(&local->hw,
+                                     &ifmgd->csa_connection_drop_work);
-                                             &ifmgd->csa_connection_drop_work);
+                mutex_unlock(&local->chanctx_mtx);
-                        mutex_unlock(&local->chanctx_mtx);
+                mutex_unlock(&local->mtx);
-                        mutex_unlock(&local->mtx);
+                return;
-                        return;
-                }
        }
        res = ieee80211_vif_reserve_chanctx(sdata, &csa_ie.chandef,
@@ -1150,16 +1211,12 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                          IEEE80211_QUEUE_STOP_REASON_CSA);
        mutex_unlock(&local->mtx);
+        cfg80211_ch_switch_started_notify(sdata->dev, &csa_ie.chandef,
+                                          csa_ie.count);
        if (local->ops->channel_switch) {
                /* use driver's channel switch callback */
-                struct ieee80211_channel_switch ch_switch = {
+                drv_channel_switch(local, sdata, &ch_switch);
-                        .timestamp = timestamp,
-                        .block_tx = csa_ie.mode,
-                        .chandef = csa_ie.chandef,
-                        .count = csa_ie.count,
-                };
-                drv_channel_switch(local, &ch_switch);
                return;
        }
@@ -1168,7 +1225,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
        else
                mod_timer(&ifmgd->chswitch_timer,
-                          TU_TO_EXP_TIME(csa_ie.count * cbss->beacon_interval));
+                          TU_TO_EXP_TIME((csa_ie.count - 1) *
+                                         cbss->beacon_interval));
 }
 static bool
@@ -1579,6 +1637,95 @@ void ieee80211_dfs_cac_timer_work(struct work_struct *work)
        mutex_unlock(&sdata->local->mtx);
 }
+static bool
+__ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        bool ret;
+        int ac;
+        if (local->hw.queues < IEEE80211_NUM_ACS)
+                return false;
+        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+                struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+                int non_acm_ac;
+                unsigned long now = jiffies;
+                if (tx_tspec->action == TX_TSPEC_ACTION_NONE &&
+                    tx_tspec->admitted_time &&
+                    time_after(now, tx_tspec->time_slice_start + HZ)) {
+                        tx_tspec->consumed_tx_time = 0;
+                        tx_tspec->time_slice_start = now;
+                        if (tx_tspec->downgraded)
+                                tx_tspec->action =
+                                        TX_TSPEC_ACTION_STOP_DOWNGRADE;
+                }
+                switch (tx_tspec->action) {
+                case TX_TSPEC_ACTION_STOP_DOWNGRADE:
+                        /* take the original parameters */
+                        if (drv_conf_tx(local, sdata, ac, &sdata->tx_conf[ac]))
+                                sdata_err(sdata,
+                                          "failed to set TX queue parameters for queue %d\n",
+                                          ac);
+                        tx_tspec->action = TX_TSPEC_ACTION_NONE;
+                        tx_tspec->downgraded = false;
+                        ret = true;
+                        break;
+                case TX_TSPEC_ACTION_DOWNGRADE:
+                        if (time_after(now, tx_tspec->time_slice_start + HZ)) {
+                                tx_tspec->action = TX_TSPEC_ACTION_NONE;
+                                ret = true;
+                                break;
+                        }
+                        /* downgrade next lower non-ACM AC */
+                        for (non_acm_ac = ac + 1;
+                             non_acm_ac < IEEE80211_NUM_ACS;
+                             non_acm_ac++)
+                                if (!(sdata->wmm_acm & BIT(7 - 2 * non_acm_ac)))
+                                        break;
+                        /* The loop will result in using BK even if it requires
+                         * admission control, such configuration makes no sense
+                         * and we have to transmit somehow - the AC selection
+                         * does the same thing.
+                         */
+                        if (drv_conf_tx(local, sdata, ac,
+                                        &sdata->tx_conf[non_acm_ac]))
+                                sdata_err(sdata,
+                                          "failed to set TX queue parameters for queue %d\n",
+                                          ac);
+                        tx_tspec->action = TX_TSPEC_ACTION_NONE;
+                        ret = true;
+                        schedule_delayed_work(&ifmgd->tx_tspec_wk,
+                                tx_tspec->time_slice_start + HZ - now + 1);
+                        break;
+                case TX_TSPEC_ACTION_NONE:
+                        /* nothing now */
+                        break;
+                }
+        }
+        return ret;
+}
+void ieee80211_sta_handle_tspec_ac_params(struct ieee80211_sub_if_data *sdata)
+{
+        if (__ieee80211_sta_handle_tspec_ac_params(sdata))
+                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_QOS);
+}
+static void ieee80211_sta_handle_tspec_ac_params_wk(struct work_struct *work)
+{
+        struct ieee80211_sub_if_data *sdata;
+        sdata = container_of(work, struct ieee80211_sub_if_data,
+                             u.mgd.tx_tspec_wk.work);
+        ieee80211_sta_handle_tspec_ac_params(sdata);
+}
 /* MLME */
 static bool ieee80211_sta_wmm_params(struct ieee80211_local *local,
                                     struct ieee80211_sub_if_data *sdata,
@@ -1663,12 +1810,14 @@ static bool ieee80211_sta_wmm_params(struct ieee80211_local *local,
                params.uapsd = uapsd;
                mlme_dbg(sdata,
-                         "WMM queue=%d aci=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d\n",
+                         "WMM queue=%d aci=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
                         queue, aci, acm,
                         params.aifs, params.cw_min, params.cw_max,
-                         params.txop, params.uapsd);
+                         params.txop, params.uapsd,
+                         ifmgd->tx_tspec[queue].downgraded);
                sdata->tx_conf[queue] = params;
-                if (drv_conf_tx(local, sdata, queue, &params))
+                if (!ifmgd->tx_tspec[queue].downgraded &&
+                    drv_conf_tx(local, sdata, queue, &params))
                        sdata_err(sdata,
                                  "failed to set TX queue parameters for queue %d\n",
                                  queue);
@@ -1923,6 +2072,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
        ieee80211_vif_release_channel(sdata);
        sdata->vif.csa_active = false;
+        ifmgd->csa_waiting_bcn = false;
        if (sdata->csa_block_tx) {
                ieee80211_wake_vif_queues(local, sdata,
                                          IEEE80211_QUEUE_STOP_REASON_CSA);
@@ -1930,6 +2080,10 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
        }
        mutex_unlock(&local->mtx);
+        /* existing TX TSPEC sessions no longer exist */
+        memset(ifmgd->tx_tspec, 0, sizeof(ifmgd->tx_tspec));
+        cancel_delayed_work_sync(&ifmgd->tx_tspec_wk);
        sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
 }
@@ -1982,9 +2136,46 @@ out:
        mutex_unlock(&local->mtx);
 }
+static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
+                                           struct ieee80211_hdr *hdr,
+                                           u16 tx_time)
+{
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        u16 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
+        int ac = ieee80211_ac_from_tid(tid);
+        struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+        unsigned long now = jiffies;
+        if (likely(!tx_tspec->admitted_time))
+                return;
+        if (time_after(now, tx_tspec->time_slice_start + HZ)) {
+                tx_tspec->consumed_tx_time = 0;
+                tx_tspec->time_slice_start = now;
+                if (tx_tspec->downgraded) {
+                        tx_tspec->action = TX_TSPEC_ACTION_STOP_DOWNGRADE;
+                        schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
+                }
+        }
+        if (tx_tspec->downgraded)
+                return;
+        tx_tspec->consumed_tx_time += tx_time;
+        if (tx_tspec->consumed_tx_time >= tx_tspec->admitted_time) {
+                tx_tspec->downgraded = true;
+                tx_tspec->action = TX_TSPEC_ACTION_DOWNGRADE;
+                schedule_delayed_work(&ifmgd->tx_tspec_wk, 0);
+        }
+}
 void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
-                             struct ieee80211_hdr *hdr, bool ack)
+                             struct ieee80211_hdr *hdr, bool ack, u16 tx_time)
 {
+        ieee80211_sta_tx_wmm_ac_notify(sdata, hdr, tx_time);
        if (!ieee80211_is_data(hdr->frame_control))
            return;
@@ -2039,7 +2230,8 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
                else
                        ssid_len = ssid[1];
-                ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid_len, NULL,
+                ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL,
+                                         ssid + 2, ssid_len, NULL,
                                         0, (u32) -1, true, 0,
                                         ifmgd->associated->channel, false);
                rcu_read_unlock();
@@ -2047,8 +2239,6 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
        ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
        run_again(sdata, ifmgd->probe_timeout);
-        if (sdata->local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
-                ieee80211_flush_queues(sdata->local, sdata);
 }
 static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
@@ -2077,9 +2267,7 @@ static void ieee80211_mgd_probe_ap(struct ieee80211_sub_if_data *sdata,
                                     "detected beacon loss from AP (missed %d beacons) - probing\n",
                                     beacon_loss_count);
-                ieee80211_cqm_rssi_notify(&sdata->vif,
+                ieee80211_cqm_beacon_loss_notify(&sdata->vif, GFP_KERNEL);
-                                          NL80211_CQM_RSSI_BEACON_LOSS_EVENT,
-                                          GFP_KERNEL);
        }
        /*
@@ -2144,7 +2332,7 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
        else
                ssid_len = ssid[1];
-        skb = ieee80211_build_probe_req(sdata, cbss->bssid,
+        skb = ieee80211_build_probe_req(sdata, sdata->vif.addr, cbss->bssid,
                                        (u32) -1, cbss->channel,
                                        ssid + 2, ssid_len,
                                        NULL, 0, true);
@@ -2171,6 +2359,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
                               true, frame_buf);
        mutex_lock(&local->mtx);
        sdata->vif.csa_active = false;
+        ifmgd->csa_waiting_bcn = false;
        if (sdata->csa_block_tx) {
                ieee80211_wake_vif_queues(local, sdata,
                                          IEEE80211_QUEUE_STOP_REASON_CSA);
@@ -2617,6 +2806,9 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
        }
        ifmgd->aid = aid;
+        ifmgd->tdls_chan_switch_prohibited =
+                elems.ext_capab && elems.ext_capab_len >= 5 &&
+                (elems.ext_capab[4] & WLAN_EXT_CAPA5_TDLS_CH_SW_PROHIBITED);
        /*
         * Some APs are erroneously not including some information in their
@@ -3195,6 +3387,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                }
        }
+        if (ifmgd->csa_waiting_bcn)
+                ieee80211_chswitch_post_beacon(sdata);
        if (ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid)
                return;
        ifmgd->beacon_crc = ncrc;
@@ -3203,6 +3398,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
        ieee80211_rx_bss_info(sdata, mgmt, len, rx_status, &elems);
        ieee80211_sta_process_chanswitch(sdata, rx_status->mactime,
+                                         rx_status->device_timestamp,
                                         &elems, true);
        if (!(ifmgd->flags & IEEE80211_STA_DISABLE_WMM) &&
@@ -3334,8 +3530,9 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                break;
                        ieee80211_sta_process_chanswitch(sdata,
-                                                         rx_status->mactime,
+                                                 rx_status->mactime,
-                                                         &elems, false);
+                                                 rx_status->device_timestamp,
+                                                 &elems, false);
                } else if (mgmt->u.action.category == WLAN_CATEGORY_PUBLIC) {
                        ies_len = skb->len -
                                  offsetof(struct ieee80211_mgmt,
@@ -3356,8 +3553,9 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                &mgmt->u.action.u.ext_chan_switch.data;
                        ieee80211_sta_process_chanswitch(sdata,
-                                                         rx_status->mactime,
+                                                 rx_status->mactime,
-                                                         &elems, false);
+                                                 rx_status->device_timestamp,
+                                                 &elems, false);
                }
                break;
        }
@@ -3455,7 +3653,8 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
                 * Direct probe is sent to broadcast address as some APs
                 * will not answer to direct packet in unassociated state.
                 */
-                ieee80211_send_probe_req(sdata, NULL, ssidie + 2, ssidie[1],
+                ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL,
+                                         ssidie + 2, ssidie[1],
                                         NULL, 0, (u32) -1, true, 0,
                                         auth_data->bss->channel, false);
                rcu_read_unlock();
@@ -3664,11 +3863,12 @@ static void ieee80211_sta_bcn_mon_timer(unsigned long data)
        struct ieee80211_sub_if_data *sdata =
                (struct ieee80211_sub_if_data *) data;
        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        if (local->quiescing)
                return;
-        if (sdata->vif.csa_active)
+        if (sdata->vif.csa_active && !ifmgd->csa_waiting_bcn)
                return;
        sdata->u.mgd.connection_loss = false;
@@ -3686,7 +3886,7 @@ static void ieee80211_sta_conn_mon_timer(unsigned long data)
        if (local->quiescing)
                return;
-        if (sdata->vif.csa_active)
+        if (sdata->vif.csa_active && !ifmgd->csa_waiting_bcn)
                return;
        ieee80211_queue_work(&local->hw, &ifmgd->monitor_work);
@@ -3798,6 +3998,8 @@ void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
                    (unsigned long) sdata);
        setup_timer(&ifmgd->chswitch_timer, ieee80211_chswitch_timer,
                    (unsigned long) sdata);
+        INIT_DELAYED_WORK(&ifmgd->tx_tspec_wk,
+                          ieee80211_sta_handle_tspec_ac_params_wk);
        ifmgd->flags = 0;
        ifmgd->powersave = sdata->wdev.ps;
@@ -3809,6 +4011,11 @@ void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata)
                ifmgd->req_smps = IEEE80211_SMPS_AUTOMATIC;
        else
                ifmgd->req_smps = IEEE80211_SMPS_OFF;
+        /* Setup TDLS data */
+        spin_lock_init(&ifmgd->teardown_lock);
+        ifmgd->teardown_skb = NULL;
+        ifmgd->orig_teardown_skb = NULL;
 }
 /* scan finished notification */
@@ -4671,6 +4878,13 @@ void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
        }
        if (ifmgd->auth_data)
                ieee80211_destroy_auth_data(sdata, false);
+        spin_lock_bh(&ifmgd->teardown_lock);
+        if (ifmgd->teardown_skb) {
+                kfree_skb(ifmgd->teardown_skb);
+                ifmgd->teardown_skb = NULL;
+                ifmgd->orig_teardown_skb = NULL;
+        }
+        spin_unlock_bh(&ifmgd->teardown_lock);
        del_timer_sync(&ifmgd->timer);
        sdata_unlock(sdata);
 }
@@ -4686,3 +4900,13 @@ void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
        cfg80211_cqm_rssi_notify(sdata->dev, rssi_event, gfp);
 }
 EXPORT_SYMBOL(ieee80211_cqm_rssi_notify);
+void ieee80211_cqm_beacon_loss_notify(struct ieee80211_vif *vif, gfp_t gfp)
+{
+        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+        trace_api_cqm_beacon_loss_notify(sdata->local, sdata);
+        cfg80211_cqm_beacon_loss_notify(sdata->dev, gfp);
+}
+EXPORT_SYMBOL(ieee80211_cqm_beacon_loss_notify);
diff --git a/net/mac80211/ocb.c b/net/mac80211/ocb.c
new file mode 100644
index 000000000000..358d5f9d8207
--- /dev/null
+++ b/net/mac80211/ocb.c
@@ -0,0 +1,250 @@
+/*
+ * OCB mode implementation
+ *
+ * Copyright: (c) 2014 Czech Technical University in Prague
+ *            (c) 2014 Volkswagen Group Research
+ * Author:    Rostislav Lisovy <rostislav.lisovy@fel.cvut.cz>
+ * Funded by: Volkswagen Group Research
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/delay.h>
+#include <linux/if_ether.h>
+#include <linux/skbuff.h>
+#include <linux/if_arp.h>
+#include <linux/etherdevice.h>
+#include <linux/rtnetlink.h>
+#include <net/mac80211.h>
+#include <asm/unaligned.h>
+#include "ieee80211_i.h"
+#include "driver-ops.h"
+#include "rate.h"
+#define IEEE80211_OCB_HOUSEKEEPING_INTERVAL             (60 * HZ)
+#define IEEE80211_OCB_PEER_INACTIVITY_LIMIT             (240 * HZ)
+#define IEEE80211_OCB_MAX_STA_ENTRIES                   128
+/**
+ * enum ocb_deferred_task_flags - mac80211 OCB deferred tasks
+ * @OCB_WORK_HOUSEKEEPING: run the periodic OCB housekeeping tasks
+ *
+ * These flags are used in @wrkq_flags field of &struct ieee80211_if_ocb
+ */
+enum ocb_deferred_task_flags {
+        OCB_WORK_HOUSEKEEPING,
+};
+void ieee80211_ocb_rx_no_sta(struct ieee80211_sub_if_data *sdata,
+                             const u8 *bssid, const u8 *addr,
+                             u32 supp_rates)
+{
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_supported_band *sband;
+        enum nl80211_bss_scan_width scan_width;
+        struct sta_info *sta;
+        int band;
+        /* XXX: Consider removing the least recently used entry and
+         *      allow new one to be added.
+         */
+        if (local->num_sta >= IEEE80211_OCB_MAX_STA_ENTRIES) {
+                net_info_ratelimited("%s: No room for a new OCB STA entry %pM\n",
+                                     sdata->name, addr);
+                return;
+        }
+        ocb_dbg(sdata, "Adding new OCB station %pM\n", addr);
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON_ONCE(!chanctx_conf)) {
+                rcu_read_unlock();
+                return;
+        }
+        band = chanctx_conf->def.chan->band;
+        scan_width = cfg80211_chandef_to_scan_width(&chanctx_conf->def);
+        rcu_read_unlock();
+        sta = sta_info_alloc(sdata, addr, GFP_ATOMIC);
+        if (!sta)
+                return;
+        sta->last_rx = jiffies;
+        /* Add only mandatory rates for now */
+        sband = local->hw.wiphy->bands[band];
+        sta->sta.supp_rates[band] =
+                ieee80211_mandatory_rates(sband, scan_width);
+        spin_lock(&ifocb->incomplete_lock);
+        list_add(&sta->list, &ifocb->incomplete_stations);
+        spin_unlock(&ifocb->incomplete_lock);
+        ieee80211_queue_work(&local->hw, &sdata->work);
+}
+static struct sta_info *ieee80211_ocb_finish_sta(struct sta_info *sta)
+        __acquires(RCU)
+{
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        u8 addr[ETH_ALEN];
+        memcpy(addr, sta->sta.addr, ETH_ALEN);
+        ocb_dbg(sdata, "Adding new IBSS station %pM (dev=%s)\n",
+                addr, sdata->name);
+        sta_info_move_state(sta, IEEE80211_STA_AUTH);
+        sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+        sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);
+        rate_control_rate_init(sta);
+        /* If it fails, maybe we raced another insertion? */
+        if (sta_info_insert_rcu(sta))
+                return sta_info_get(sdata, addr);
+        return sta;
+}
+static void ieee80211_ocb_housekeeping(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        ocb_dbg(sdata, "Running ocb housekeeping\n");
+        ieee80211_sta_expire(sdata, IEEE80211_OCB_PEER_INACTIVITY_LIMIT);
+        mod_timer(&ifocb->housekeeping_timer,
+                  round_jiffies(jiffies + IEEE80211_OCB_HOUSEKEEPING_INTERVAL));
+}
+void ieee80211_ocb_work(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        struct sta_info *sta;
+        if (ifocb->joined != true)
+                return;
+        sdata_lock(sdata);
+        spin_lock_bh(&ifocb->incomplete_lock);
+        while (!list_empty(&ifocb->incomplete_stations)) {
+                sta = list_first_entry(&ifocb->incomplete_stations,
+                                       struct sta_info, list);
+                list_del(&sta->list);
+                spin_unlock_bh(&ifocb->incomplete_lock);
+                ieee80211_ocb_finish_sta(sta);
+                rcu_read_unlock();
+                spin_lock_bh(&ifocb->incomplete_lock);
+        }
+        spin_unlock_bh(&ifocb->incomplete_lock);
+        if (test_and_clear_bit(OCB_WORK_HOUSEKEEPING, &ifocb->wrkq_flags))
+                ieee80211_ocb_housekeeping(sdata);
+        sdata_unlock(sdata);
+}
+static void ieee80211_ocb_housekeeping_timer(unsigned long data)
+{
+        struct ieee80211_sub_if_data *sdata = (void *)data;
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        set_bit(OCB_WORK_HOUSEKEEPING, &ifocb->wrkq_flags);
+        ieee80211_queue_work(&local->hw, &sdata->work);
+}
+void ieee80211_ocb_setup_sdata(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        setup_timer(&ifocb->housekeeping_timer,
+                    ieee80211_ocb_housekeeping_timer,
+                    (unsigned long)sdata);
+        INIT_LIST_HEAD(&ifocb->incomplete_stations);
+        spin_lock_init(&ifocb->incomplete_lock);
+}
+int ieee80211_ocb_join(struct ieee80211_sub_if_data *sdata,
+                       struct ocb_setup *setup)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        u32 changed = BSS_CHANGED_OCB;
+        int err;
+        if (ifocb->joined == true)
+                return -EINVAL;
+        sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
+        sdata->smps_mode = IEEE80211_SMPS_OFF;
+        sdata->needed_rx_chains = sdata->local->rx_chains;
+        mutex_lock(&sdata->local->mtx);
+        err = ieee80211_vif_use_channel(sdata, &setup->chandef,
+                                        IEEE80211_CHANCTX_SHARED);
+        mutex_unlock(&sdata->local->mtx);
+        if (err)
+                return err;
+        ieee80211_bss_info_change_notify(sdata, changed);
+        ifocb->joined = true;
+        set_bit(OCB_WORK_HOUSEKEEPING, &ifocb->wrkq_flags);
+        ieee80211_queue_work(&local->hw, &sdata->work);
+        netif_carrier_on(sdata->dev);
+        return 0;
+}
+int ieee80211_ocb_leave(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_ocb *ifocb = &sdata->u.ocb;
+        struct ieee80211_local *local = sdata->local;
+        struct sta_info *sta;
+        ifocb->joined = false;
+        sta_info_flush(sdata);
+        spin_lock_bh(&ifocb->incomplete_lock);
+        while (!list_empty(&ifocb->incomplete_stations)) {
+                sta = list_first_entry(&ifocb->incomplete_stations,
+                                       struct sta_info, list);
+                list_del(&sta->list);
+                spin_unlock_bh(&ifocb->incomplete_lock);
+                sta_info_free(local, sta);
+                spin_lock_bh(&ifocb->incomplete_lock);
+        }
+        spin_unlock_bh(&ifocb->incomplete_lock);
+        netif_carrier_off(sdata->dev);
+        clear_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
+        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_OCB);
+        mutex_lock(&sdata->local->mtx);
+        ieee80211_vif_release_channel(sdata);
+        mutex_unlock(&sdata->local->mtx);
+        skb_queue_purge(&sdata->skb_queue);
+        del_timer_sync(&sdata->u.ocb.housekeeping_timer);
+        /* If the timer fired while we waited for it, it will have
+         * requeued the work. Now the work will be running again
+         * but will not rearm the timer again because it checks
+         * whether we are connected to the network or not -- at this
+         * point we shouldn't be anymore.
+         */
+        return 0;
+}
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 8fdadfd94ba8..d53355b011f5 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -385,7 +385,7 @@ static void rate_idx_match_mask(struct ieee80211_tx_rate *rate,
                        *rate = alt_rate;
                        return;
                }
-        } else {
+        } else if (!(rate->flags & IEEE80211_TX_RC_VHT_MCS)) {
                /* handle legacy rates */
                if (rate_idx_match_legacy_mask(rate, sband->n_bitrates, mask))
                        return;
@@ -446,9 +446,10 @@ static void rate_fixup_ratelist(struct ieee80211_vif *vif,
         *
         * XXX: Should this check all retry rates?
         */
-        if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) {
+        if (!(rates[0].flags &
+              (IEEE80211_TX_RC_MCS | IEEE80211_TX_RC_VHT_MCS))) {
                u32 basic_rates = vif->bss_conf.basic_rates;
-                s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0;
+                s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0;
                rate = &sband->bitrates[rates[0].idx];
@@ -696,6 +697,7 @@ int rate_control_set_rates(struct ieee80211_hw *hw,
                           struct ieee80211_sta *pubsta,
                           struct ieee80211_sta_rates *rates)
 {
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
        struct ieee80211_sta_rates *old;
        /*
@@ -709,6 +711,8 @@ int rate_control_set_rates(struct ieee80211_hw *hw,
        if (old)
                kfree_rcu(old, rcu_head);
+        drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
        return 0;
 }
 EXPORT_SYMBOL(rate_control_set_rates);
diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
index 18babe302832..38652f09feaf 100644
--- a/net/mac80211/rate.h
+++ b/net/mac80211/rate.h
@@ -37,13 +37,35 @@ static inline void rate_control_tx_status(struct ieee80211_local *local,
        struct rate_control_ref *ref = local->rate_ctrl;
        struct ieee80211_sta *ista = &sta->sta;
        void *priv_sta = sta->rate_ctrl_priv;
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
                return;
-        ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb);
+        if (ref->ops->tx_status)
+                ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb);
+        else
+                ref->ops->tx_status_noskb(ref->priv, sband, ista, priv_sta, info);
 }
+static inline void
+rate_control_tx_status_noskb(struct ieee80211_local *local,
+                             struct ieee80211_supported_band *sband,
+                             struct sta_info *sta,
+                             struct ieee80211_tx_info *info)
+{
+        struct rate_control_ref *ref = local->rate_ctrl;
+        struct ieee80211_sta *ista = &sta->sta;
+        void *priv_sta = sta->rate_ctrl_priv;
+        if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
+                return;
+        if (WARN_ON_ONCE(!ref->ops->tx_status_noskb))
+                return;
+        ref->ops->tx_status_noskb(ref->priv, sband, ista, priv_sta, info);
+}
 static inline void rate_control_rate_init(struct sta_info *sta)
 {
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index 2baa7ed8789d..d51f6b1c549b 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -191,7 +191,7 @@ minstrel_update_stats(struct minstrel_priv *mp, struct minstrel_sta_info *mi)
                 * (1) if any success probabilitiy >= 95%, out of those rates
                 * choose the maximum throughput rate as max_prob_rate
                 * (2) if all success probabilities < 95%, the rate with
-                 * highest success probability is choosen as max_prob_rate */
+                 * highest success probability is chosen as max_prob_rate */
                if (mrs->probability >= MINSTREL_FRAC(95, 100)) {
                        if (mrs->cur_tp >= mi->r[tmp_prob_rate].stats.cur_tp)
                                tmp_prob_rate = i;
@@ -223,11 +223,10 @@ minstrel_update_stats(struct minstrel_priv *mp, struct minstrel_sta_info *mi)
 static void
 minstrel_tx_status(void *priv, struct ieee80211_supported_band *sband,
                   struct ieee80211_sta *sta, void *priv_sta,
-                   struct sk_buff *skb)
+                   struct ieee80211_tx_info *info)
 {
        struct minstrel_priv *mp = priv;
        struct minstrel_sta_info *mi = priv_sta;
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        struct ieee80211_tx_rate *ar = info->status.rates;
        int i, ndx;
        int success;
@@ -674,7 +673,7 @@ static u32 minstrel_get_expected_throughput(void *priv_sta)
 const struct rate_control_ops mac80211_minstrel = {
        .name = "minstrel",
-        .tx_status = minstrel_tx_status,
+        .tx_status_noskb = minstrel_tx_status,
        .get_rate = minstrel_get_rate,
        .rate_init = minstrel_rate_init,
        .alloc = minstrel_alloc,
diff --git a/net/mac80211/rc80211_minstrel_debugfs.c b/net/mac80211/rc80211_minstrel_debugfs.c
index edde723f9f00..2acab1bcaa4b 100644
--- a/net/mac80211/rc80211_minstrel_debugfs.c
+++ b/net/mac80211/rc80211_minstrel_debugfs.c
@@ -62,14 +62,14 @@ minstrel_stats_open(struct inode *inode, struct file *file)
        unsigned int i, tp, prob, eprob;
        char *p;
-        ms = kmalloc(sizeof(*ms) + 4096, GFP_KERNEL);
+        ms = kmalloc(2048, GFP_KERNEL);
        if (!ms)
                return -ENOMEM;
        file->private_data = ms;
        p = ms->buf;
-        p += sprintf(p, "rate      throughput  ewma prob  this prob  "
+        p += sprintf(p, "rate          tpt eprob *prob"
-                        "this succ/attempt   success    attempts\n");
+                        "  *ok(*cum)        ok(      cum)\n");
        for (i = 0; i < mi->n_rates; i++) {
                struct minstrel_rate *mr = &mi->r[i];
                struct minstrel_rate_stats *mrs = &mi->r[i].stats;
@@ -86,8 +86,8 @@ minstrel_stats_open(struct inode *inode, struct file *file)
                prob = MINSTREL_TRUNC(mrs->cur_prob * 1000);
                eprob = MINSTREL_TRUNC(mrs->probability * 1000);
-                p += sprintf(p, "  %6u.%1u   %6u.%1u   %6u.%1u        "
+                p += sprintf(p, " %4u.%1u %3u.%1u %3u.%1u"
-                                "   %3u(%3u)  %8llu    %8llu\n",
+                                " %4u(%4u) %9llu(%9llu)\n",
                                tp / 10, tp % 10,
                                eprob / 10, eprob % 10,
                                prob / 10, prob % 10,
@@ -102,6 +102,8 @@ minstrel_stats_open(struct inode *inode, struct file *file)
                        mi->sample_packets);
        ms->len = p - ms->buf;
+        WARN_ON(ms->len + sizeof(*ms) > 2048);
        return 0;
 }
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index df90ce2db00c..b52996aca4f1 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -10,6 +10,7 @@
 #include <linux/skbuff.h>
 #include <linux/debugfs.h>
 #include <linux/random.h>
+#include <linux/moduleparam.h>
 #include <linux/ieee80211.h>
 #include <net/mac80211.h>
 #include "rate.h"
@@ -34,12 +35,17 @@
 /* Transmit duration for the raw data part of an average sized packet */
 #define MCS_DURATION(streams, sgi, bps) MCS_SYMBOL_TIME(sgi, MCS_NSYMS((streams) * (bps)))
+#define BW_20                   0
+#define BW_40                   1
+#define BW_80                   2
 /*
 * Define group sort order: HT40 -> SGI -> #streams
 */
 #define GROUP_IDX(_streams, _sgi, _ht40)        \
+        MINSTREL_HT_GROUP_0 +                   \
        MINSTREL_MAX_STREAMS * 2 * _ht40 +      \
-        MINSTREL_MAX_STREAMS * _sgi +           \
+        MINSTREL_MAX_STREAMS * _sgi +   \
        _streams - 1
 /* MCS rate information for an MCS group */
@@ -47,6 +53,7 @@
        [GROUP_IDX(_streams, _sgi, _ht40)] = {                          \
        .streams = _streams,                                            \
        .flags =                                                        \
+                IEEE80211_TX_RC_MCS |                                   \
                (_sgi ? IEEE80211_TX_RC_SHORT_GI : 0) |                 \
                (_ht40 ? IEEE80211_TX_RC_40_MHZ_WIDTH : 0),             \
        .duration = {                                                   \
@@ -61,6 +68,47 @@
        }                                                               \
 }
+#define VHT_GROUP_IDX(_streams, _sgi, _bw)                              \
+        (MINSTREL_VHT_GROUP_0 +                                         \
+         MINSTREL_MAX_STREAMS * 2 * (_bw) +                             \
+         MINSTREL_MAX_STREAMS * (_sgi) +                                \
+         (_streams) - 1)
+#define BW2VBPS(_bw, r3, r2, r1)                                        \
+        (_bw == BW_80 ? r3 : _bw == BW_40 ? r2 : r1)
+#define VHT_GROUP(_streams, _sgi, _bw)                                  \
+        [VHT_GROUP_IDX(_streams, _sgi, _bw)] = {                        \
+        .streams = _streams,                                            \
+        .flags =                                                        \
+                IEEE80211_TX_RC_VHT_MCS |                               \
+                (_sgi ? IEEE80211_TX_RC_SHORT_GI : 0) |                 \
+                (_bw == BW_80 ? IEEE80211_TX_RC_80_MHZ_WIDTH :          \
+                 _bw == BW_40 ? IEEE80211_TX_RC_40_MHZ_WIDTH : 0),      \
+        .duration = {                                                   \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  117,  54,  26)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  234, 108,  52)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  351, 162,  78)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  468, 216, 104)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  702, 324, 156)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw,  936, 432, 208)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw, 1053, 486, 234)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw, 1170, 540, 260)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw, 1404, 648, 312)),             \
+                MCS_DURATION(_streams, _sgi,                            \
+                             BW2VBPS(_bw, 1560, 720, 346))              \
+        }                                                               \
+}
 #define CCK_DURATION(_bitrate, _short, _len)            \
        (1000 * (10 /* SIFS */ +                        \
         (_short ? 72 + 24 : 144 + 48) +                \
@@ -76,53 +124,96 @@
        CCK_ACK_DURATION(55, _short),                   \
        CCK_ACK_DURATION(110, _short)
-#define CCK_GROUP                                               \
+#define CCK_GROUP                                       \
-        [MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS] = {     \
+        [MINSTREL_CCK_GROUP] = {                        \
-                .streams = 0,                                   \
+                .streams = 0,                           \
-                .duration = {                                   \
+                .flags = 0,                             \
-                        CCK_DURATION_LIST(false),               \
+                .duration = {                           \
-                        CCK_DURATION_LIST(true)                 \
+                        CCK_DURATION_LIST(false),       \
-                }                                               \
+                        CCK_DURATION_LIST(true)         \
+                }                                       \
        }
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+static bool minstrel_vht_only = true;
+module_param(minstrel_vht_only, bool, 0644);
+MODULE_PARM_DESC(minstrel_vht_only,
+                 "Use only VHT rates when VHT is supported by sta.");
+#endif
 /*
 * To enable sufficiently targeted rate sampling, MCS rates are divided into
 * groups, based on the number of streams and flags (HT40, SGI) that they
 * use.
 *
 * Sortorder has to be fixed for GROUP_IDX macro to be applicable:
- * HT40 -> SGI -> #streams
+ * BW -> SGI -> #streams
 */
 const struct mcs_group minstrel_mcs_groups[] = {
-        MCS_GROUP(1, 0, 0),
+        MCS_GROUP(1, 0, BW_20),
-        MCS_GROUP(2, 0, 0),
+        MCS_GROUP(2, 0, BW_20),
 #if MINSTREL_MAX_STREAMS >= 3
-        MCS_GROUP(3, 0, 0),
+        MCS_GROUP(3, 0, BW_20),
 #endif
-        MCS_GROUP(1, 1, 0),
+        MCS_GROUP(1, 1, BW_20),
-        MCS_GROUP(2, 1, 0),
+        MCS_GROUP(2, 1, BW_20),
 #if MINSTREL_MAX_STREAMS >= 3
-        MCS_GROUP(3, 1, 0),
+        MCS_GROUP(3, 1, BW_20),
 #endif
-        MCS_GROUP(1, 0, 1),
+        MCS_GROUP(1, 0, BW_40),
-        MCS_GROUP(2, 0, 1),
+        MCS_GROUP(2, 0, BW_40),
 #if MINSTREL_MAX_STREAMS >= 3
-        MCS_GROUP(3, 0, 1),
+        MCS_GROUP(3, 0, BW_40),
 #endif
-        MCS_GROUP(1, 1, 1),
+        MCS_GROUP(1, 1, BW_40),
-        MCS_GROUP(2, 1, 1),
+        MCS_GROUP(2, 1, BW_40),
 #if MINSTREL_MAX_STREAMS >= 3
-        MCS_GROUP(3, 1, 1),
+        MCS_GROUP(3, 1, BW_40),
 #endif
-        /* must be last */
+        CCK_GROUP,
-        CCK_GROUP
-};
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+        VHT_GROUP(1, 0, BW_20),
+        VHT_GROUP(2, 0, BW_20),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 0, BW_20),
+#endif
-#define MINSTREL_CCK_GROUP      (ARRAY_SIZE(minstrel_mcs_groups) - 1)
+        VHT_GROUP(1, 1, BW_20),
+        VHT_GROUP(2, 1, BW_20),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 1, BW_20),
+#endif
+        VHT_GROUP(1, 0, BW_40),
+        VHT_GROUP(2, 0, BW_40),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 0, BW_40),
+#endif
+        VHT_GROUP(1, 1, BW_40),
+        VHT_GROUP(2, 1, BW_40),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 1, BW_40),
+#endif
+        VHT_GROUP(1, 0, BW_80),
+        VHT_GROUP(2, 0, BW_80),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 0, BW_80),
+#endif
+        VHT_GROUP(1, 1, BW_80),
+        VHT_GROUP(2, 1, BW_80),
+#if MINSTREL_MAX_STREAMS >= 3
+        VHT_GROUP(3, 1, BW_80),
+#endif
+#endif
+};
 static u8 sample_table[SAMPLE_COLUMNS][MCS_GROUP_RATES] __read_mostly;
@@ -130,16 +221,64 @@ static void
 minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi);
 /*
+ * Some VHT MCSes are invalid (when Ndbps / Nes is not an integer)
+ * e.g for MCS9@20MHzx1Nss: Ndbps=8x52*(5/6) Nes=1
+ *
+ * Returns the valid mcs map for struct minstrel_mcs_group_data.supported
+ */
+static u16
+minstrel_get_valid_vht_rates(int bw, int nss, __le16 mcs_map)
+{
+        u16 mask = 0;
+        if (bw == BW_20) {
+                if (nss != 3 && nss != 6)
+                        mask = BIT(9);
+        } else if (bw == BW_80) {
+                if (nss == 3 || nss == 7)
+                        mask = BIT(6);
+                else if (nss == 6)
+                        mask = BIT(9);
+        } else {
+                WARN_ON(bw != BW_40);
+        }
+        switch ((le16_to_cpu(mcs_map) >> (2 * (nss - 1))) & 3) {
+        case IEEE80211_VHT_MCS_SUPPORT_0_7:
+                mask |= 0x300;
+                break;
+        case IEEE80211_VHT_MCS_SUPPORT_0_8:
+                mask |= 0x200;
+                break;
+        case IEEE80211_VHT_MCS_SUPPORT_0_9:
+                break;
+        default:
+                mask = 0x3ff;
+        }
+        return 0x3ff & ~mask;
+}
+/*
 * Look up an MCS group index based on mac80211 rate information
 */
 static int
 minstrel_ht_get_group_idx(struct ieee80211_tx_rate *rate)
 {
-        return GROUP_IDX((rate->idx / MCS_GROUP_RATES) + 1,
+        return GROUP_IDX((rate->idx / 8) + 1,
                         !!(rate->flags & IEEE80211_TX_RC_SHORT_GI),
                         !!(rate->flags & IEEE80211_TX_RC_40_MHZ_WIDTH));
 }
+static int
+minstrel_vht_get_group_idx(struct ieee80211_tx_rate *rate)
+{
+        return VHT_GROUP_IDX(ieee80211_rate_get_vht_nss(rate),
+                             !!(rate->flags & IEEE80211_TX_RC_SHORT_GI),
+                             !!(rate->flags & IEEE80211_TX_RC_40_MHZ_WIDTH) +
+                             2*!!(rate->flags & IEEE80211_TX_RC_80_MHZ_WIDTH));
+}
 static struct minstrel_rate_stats *
 minstrel_ht_get_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
                      struct ieee80211_tx_rate *rate)
@@ -149,6 +288,9 @@ minstrel_ht_get_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        if (rate->flags & IEEE80211_TX_RC_MCS) {
                group = minstrel_ht_get_group_idx(rate);
                idx = rate->idx % 8;
+        } else if (rate->flags & IEEE80211_TX_RC_VHT_MCS) {
+                group = minstrel_vht_get_group_idx(rate);
+                idx = ieee80211_rate_get_vht_mcs(rate);
        } else {
                group = MINSTREL_CCK_GROUP;
@@ -240,8 +382,8 @@ minstrel_ht_calc_tp(struct minstrel_ht_sta *mi, int group, int rate)
 * MCS groups, CCK rates do not provide aggregation and are therefore at last.
 */
 static void
-minstrel_ht_sort_best_tp_rates(struct minstrel_ht_sta *mi, u8 index,
+minstrel_ht_sort_best_tp_rates(struct minstrel_ht_sta *mi, u16 index,
-                               u8 *tp_list)
+                               u16 *tp_list)
 {
        int cur_group, cur_idx, cur_thr, cur_prob;
        int tmp_group, tmp_idx, tmp_thr, tmp_prob;
@@ -278,7 +420,7 @@ minstrel_ht_sort_best_tp_rates(struct minstrel_ht_sta *mi, u8 index,
 * Find and set the topmost probability rate per sta and per group
 */
 static void
-minstrel_ht_set_best_prob_rate(struct minstrel_ht_sta *mi, u8 index)
+minstrel_ht_set_best_prob_rate(struct minstrel_ht_sta *mi, u16 index)
 {
        struct minstrel_mcs_group_data *mg;
        struct minstrel_rate_stats *mr;
@@ -321,8 +463,8 @@ minstrel_ht_set_best_prob_rate(struct minstrel_ht_sta *mi, u8 index)
 */
 static void
 minstrel_ht_assign_best_tp_rates(struct minstrel_ht_sta *mi,
-                                 u8 tmp_mcs_tp_rate[MAX_THR_RATES],
+                                 u16 tmp_mcs_tp_rate[MAX_THR_RATES],
-                                 u8 tmp_cck_tp_rate[MAX_THR_RATES])
+                                 u16 tmp_cck_tp_rate[MAX_THR_RATES])
 {
        unsigned int tmp_group, tmp_idx, tmp_cck_tp, tmp_mcs_tp;
        int i;
@@ -386,8 +528,8 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
        struct minstrel_mcs_group_data *mg;
        struct minstrel_rate_stats *mr;
        int group, i, j;
-        u8 tmp_mcs_tp_rate[MAX_THR_RATES], tmp_group_tp_rate[MAX_THR_RATES];
+        u16 tmp_mcs_tp_rate[MAX_THR_RATES], tmp_group_tp_rate[MAX_THR_RATES];
-        u8 tmp_cck_tp_rate[MAX_THR_RATES], index;
+        u16 tmp_cck_tp_rate[MAX_THR_RATES], index;
        if (mi->ampdu_packets > 0) {
                mi->avg_ampdu_len = minstrel_ewma(mi->avg_ampdu_len,
@@ -485,7 +627,8 @@ minstrel_ht_txstat_valid(struct minstrel_priv *mp, struct ieee80211_tx_rate *rat
        if (!rate->count)
                return false;
-        if (rate->flags & IEEE80211_TX_RC_MCS)
+        if (rate->flags & IEEE80211_TX_RC_MCS ||
+            rate->flags & IEEE80211_TX_RC_VHT_MCS)
                return true;
        return rate->idx == mp->cck_rates[0] ||
@@ -517,7 +660,7 @@ minstrel_next_sample_idx(struct minstrel_ht_sta *mi)
 }
 static void
-minstrel_downgrade_rate(struct minstrel_ht_sta *mi, u8 *idx, bool primary)
+minstrel_downgrade_rate(struct minstrel_ht_sta *mi, u16 *idx, bool primary)
 {
        int group, orig_group;
@@ -547,6 +690,9 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb)
        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
        u16 tid;
+        if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO)
+                return;
        if (unlikely(!ieee80211_is_data_qos(hdr->frame_control)))
                return;
@@ -557,20 +703,16 @@ minstrel_aggr_check(struct ieee80211_sta *pubsta, struct sk_buff *skb)
        if (likely(sta->ampdu_mlme.tid_tx[tid]))
                return;
-        if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO)
-                return;
        ieee80211_start_tx_ba_session(pubsta, tid, 5000);
 }
 static void
 minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
                      struct ieee80211_sta *sta, void *priv_sta,
-                      struct sk_buff *skb)
+                      struct ieee80211_tx_info *info)
 {
        struct minstrel_ht_sta_priv *msp = priv_sta;
        struct minstrel_ht_sta *mi = &msp->ht;
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        struct ieee80211_tx_rate *ar = info->status.rates;
        struct minstrel_rate_stats *rate, *rate2;
        struct minstrel_priv *mp = priv;
@@ -578,7 +720,8 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
        int i;
        if (!msp->is_ht)
-                return mac80211_minstrel.tx_status(priv, sband, sta, &msp->legacy, skb);
+                return mac80211_minstrel.tx_status_noskb(priv, sband, sta,
+                                                         &msp->legacy, info);
        /* This packet was aggregated but doesn't carry status info */
        if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
@@ -639,9 +782,6 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
        if (time_after(jiffies, mi->stats_update + (mp->update_interval / 2 * HZ) / 1000)) {
                update = true;
                minstrel_ht_update_stats(mp, mi);
-                if (!(info->flags & IEEE80211_TX_CTL_AMPDU) &&
-                    mi->max_prob_rate / MCS_GROUP_RATES != MINSTREL_CCK_GROUP)
-                        minstrel_aggr_check(sta, skb);
        }
        if (update)
@@ -714,7 +854,7 @@ minstrel_ht_set_rate(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        const struct mcs_group *group = &minstrel_mcs_groups[index / MCS_GROUP_RATES];
        struct minstrel_rate_stats *mr;
        u8 idx;
-        u16 flags;
+        u16 flags = group->flags;
        mr = minstrel_get_ratestats(mi, index);
        if (!mr->retry_updated)
@@ -730,13 +870,13 @@ minstrel_ht_set_rate(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
                ratetbl->rate[offset].count_rts = mr->retry_count_rtscts;
        }
-        if (index / MCS_GROUP_RATES == MINSTREL_CCK_GROUP) {
+        if (index / MCS_GROUP_RATES == MINSTREL_CCK_GROUP)
                idx = mp->cck_rates[index % ARRAY_SIZE(mp->cck_rates)];
-                flags = 0;
+        else if (flags & IEEE80211_TX_RC_VHT_MCS)
-        } else {
+                idx = ((group->streams - 1) << 4) |
+                      ((index % MCS_GROUP_RATES) & 0xF);
+        else
                idx = index % MCS_GROUP_RATES + (group->streams - 1) * 8;
-                flags = IEEE80211_TX_RC_MCS | group->flags;
-        }
        if (offset > 0) {
                ratetbl->rate[offset].count = ratetbl->rate[offset].count_rts;
@@ -883,6 +1023,10 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
        if (!msp->is_ht)
                return mac80211_minstrel.get_rate(priv, sta, &msp->legacy, txrc);
+        if (!(info->flags & IEEE80211_TX_CTL_AMPDU) &&
+            mi->max_prob_rate / MCS_GROUP_RATES != MINSTREL_CCK_GROUP)
+                minstrel_aggr_check(sta, txrc->skb);
        info->flags |= mi->tx_flags;
        minstrel_ht_check_cck_shortpreamble(mp, mi, txrc->short_preamble);
@@ -916,13 +1060,15 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
        if (sample_idx / MCS_GROUP_RATES == MINSTREL_CCK_GROUP) {
                int idx = sample_idx % ARRAY_SIZE(mp->cck_rates);
                rate->idx = mp->cck_rates[idx];
-                rate->flags = 0;
+        } else if (sample_group->flags & IEEE80211_TX_RC_VHT_MCS) {
-                return;
+                ieee80211_rate_set_vht(rate, sample_idx % MCS_GROUP_RATES,
+                                       sample_group->streams);
+        } else {
+                rate->idx = sample_idx % MCS_GROUP_RATES +
+                            (sample_group->streams - 1) * 8;
        }
-        rate->idx = sample_idx % MCS_GROUP_RATES +
+        rate->flags = sample_group->flags;
-                    (sample_group->streams - 1) * 8;
-        rate->flags = IEEE80211_TX_RC_MCS | sample_group->flags;
 }
 static void
@@ -962,6 +1108,8 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
        struct minstrel_ht_sta *mi = &msp->ht;
        struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
        u16 sta_cap = sta->ht_cap.cap;
+        struct ieee80211_sta_vht_cap *vht_cap = &sta->vht_cap;
+        int use_vht;
        int n_supported = 0;
        int ack_dur;
        int stbc;
@@ -971,8 +1119,14 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
        if (!sta->ht_cap.ht_supported)
                goto use_legacy;
-        BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
+        BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) != MINSTREL_GROUPS_NB);
-                MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS + 1);
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+        if (vht_cap->vht_supported)
+                use_vht = vht_cap->vht_mcs.tx_mcs_map != cpu_to_le16(~0);
+        else
+#endif
+        use_vht = 0;
        msp->is_ht = true;
        memset(mi, 0, sizeof(*mi));
@@ -997,22 +1151,28 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
        }
        mi->sample_tries = 4;
-        stbc = (sta_cap & IEEE80211_HT_CAP_RX_STBC) >>
+        /* TODO tx_flags for vht - ATM the RC API is not fine-grained enough */
-                IEEE80211_HT_CAP_RX_STBC_SHIFT;
+        if (!use_vht) {
-        mi->tx_flags |= stbc << IEEE80211_TX_CTL_STBC_SHIFT;
+                stbc = (sta_cap & IEEE80211_HT_CAP_RX_STBC) >>
+                        IEEE80211_HT_CAP_RX_STBC_SHIFT;
+                mi->tx_flags |= stbc << IEEE80211_TX_CTL_STBC_SHIFT;
-        if (sta_cap & IEEE80211_HT_CAP_LDPC_CODING)
+                if (sta_cap & IEEE80211_HT_CAP_LDPC_CODING)
-                mi->tx_flags |= IEEE80211_TX_CTL_LDPC;
+                        mi->tx_flags |= IEEE80211_TX_CTL_LDPC;
+        }
        for (i = 0; i < ARRAY_SIZE(mi->groups); i++) {
+                u32 gflags = minstrel_mcs_groups[i].flags;
+                int bw, nss;
                mi->groups[i].supported = 0;
                if (i == MINSTREL_CCK_GROUP) {
                        minstrel_ht_update_cck(mp, mi, sband, sta);
                        continue;
                }
-                if (minstrel_mcs_groups[i].flags & IEEE80211_TX_RC_SHORT_GI) {
+                if (gflags & IEEE80211_TX_RC_SHORT_GI) {
-                        if (minstrel_mcs_groups[i].flags & IEEE80211_TX_RC_40_MHZ_WIDTH) {
+                        if (gflags & IEEE80211_TX_RC_40_MHZ_WIDTH) {
                                if (!(sta_cap & IEEE80211_HT_CAP_SGI_40))
                                        continue;
                        } else {
@@ -1021,17 +1181,51 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
                        }
                }
-                if (minstrel_mcs_groups[i].flags & IEEE80211_TX_RC_40_MHZ_WIDTH &&
+                if (gflags & IEEE80211_TX_RC_40_MHZ_WIDTH &&
                    sta->bandwidth < IEEE80211_STA_RX_BW_40)
                        continue;
+                nss = minstrel_mcs_groups[i].streams;
                /* Mark MCS > 7 as unsupported if STA is in static SMPS mode */
-                if (sta->smps_mode == IEEE80211_SMPS_STATIC &&
+                if (sta->smps_mode == IEEE80211_SMPS_STATIC && nss > 1)
-                    minstrel_mcs_groups[i].streams > 1)
+                        continue;
+                /* HT rate */
+                if (gflags & IEEE80211_TX_RC_MCS) {
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+                        if (use_vht && minstrel_vht_only)
+                                continue;
+#endif
+                        mi->groups[i].supported = mcs->rx_mask[nss - 1];
+                        if (mi->groups[i].supported)
+                                n_supported++;
                        continue;
+                }
+                /* VHT rate */
+                if (!vht_cap->vht_supported ||
+                    WARN_ON(!(gflags & IEEE80211_TX_RC_VHT_MCS)) ||
+                    WARN_ON(gflags & IEEE80211_TX_RC_160_MHZ_WIDTH))
+                        continue;
+                if (gflags & IEEE80211_TX_RC_80_MHZ_WIDTH) {
+                        if (sta->bandwidth < IEEE80211_STA_RX_BW_80 ||
+                            ((gflags & IEEE80211_TX_RC_SHORT_GI) &&
+                             !(vht_cap->cap & IEEE80211_VHT_CAP_SHORT_GI_80))) {
+                                continue;
+                        }
+                }
+                if (gflags & IEEE80211_TX_RC_40_MHZ_WIDTH)
+                        bw = BW_40;
+                else if (gflags & IEEE80211_TX_RC_80_MHZ_WIDTH)
+                        bw = BW_80;
+                else
+                        bw = BW_20;
-                mi->groups[i].supported =
+                mi->groups[i].supported = minstrel_get_valid_vht_rates(bw, nss,
-                        mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
+                                vht_cap->vht_mcs.tx_mcs_map);
                if (mi->groups[i].supported)
                        n_supported++;
@@ -1149,7 +1343,7 @@ static u32 minstrel_ht_get_expected_throughput(void *priv_sta)
 static const struct rate_control_ops mac80211_minstrel_ht = {
        .name = "minstrel_ht",
-        .tx_status = minstrel_ht_tx_status,
+        .tx_status_noskb = minstrel_ht_tx_status,
        .get_rate = minstrel_ht_get_rate,
        .rate_init = minstrel_ht_rate_init,
        .rate_update = minstrel_ht_rate_update,
diff --git a/net/mac80211/rc80211_minstrel_ht.h b/net/mac80211/rc80211_minstrel_ht.h
index 01570e0e014b..f2217d6aa0c2 100644
--- a/net/mac80211/rc80211_minstrel_ht.h
+++ b/net/mac80211/rc80211_minstrel_ht.h
@@ -13,10 +13,32 @@
 * The number of streams can be changed to 2 to reduce code
 * size and memory footprint.
 */
-#define MINSTREL_MAX_STREAMS    3
+#define MINSTREL_MAX_STREAMS            3
-#define MINSTREL_STREAM_GROUPS  4
+#define MINSTREL_HT_STREAM_GROUPS       4 /* BW(=2) * SGI(=2) */
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+#define MINSTREL_VHT_STREAM_GROUPS      6 /* BW(=3) * SGI(=2) */
+#else
+#define MINSTREL_VHT_STREAM_GROUPS      0
+#endif
-#define MCS_GROUP_RATES 8
+#define MINSTREL_HT_GROUPS_NB   (MINSTREL_MAX_STREAMS *         \
+                                 MINSTREL_HT_STREAM_GROUPS)
+#define MINSTREL_VHT_GROUPS_NB  (MINSTREL_MAX_STREAMS *         \
+                                 MINSTREL_VHT_STREAM_GROUPS)
+#define MINSTREL_CCK_GROUPS_NB  1
+#define MINSTREL_GROUPS_NB      (MINSTREL_HT_GROUPS_NB +        \
+                                 MINSTREL_VHT_GROUPS_NB +       \
+                                 MINSTREL_CCK_GROUPS_NB)
+#define MINSTREL_HT_GROUP_0     0
+#define MINSTREL_CCK_GROUP      (MINSTREL_HT_GROUP_0 + MINSTREL_HT_GROUPS_NB)
+#define MINSTREL_VHT_GROUP_0    (MINSTREL_CCK_GROUP + 1)
+#ifdef CONFIG_MAC80211_RC_MINSTREL_VHT
+#define MCS_GROUP_RATES         10
+#else
+#define MCS_GROUP_RATES         8
+#endif
 struct mcs_group {
        u32 flags;
@@ -31,11 +53,11 @@ struct minstrel_mcs_group_data {
        u8 column;
        /* bitfield of supported MCS rates of this group */
-        u8 supported;
+        u16 supported;
        /* sorted rate set within a MCS group*/
-        u8 max_group_tp_rate[MAX_THR_RATES];
+        u16 max_group_tp_rate[MAX_THR_RATES];
-        u8 max_group_prob_rate;
+        u16 max_group_prob_rate;
        /* MCS rate statistics */
        struct minstrel_rate_stats rates[MCS_GROUP_RATES];
@@ -52,8 +74,8 @@ struct minstrel_ht_sta {
        unsigned int avg_ampdu_len;
        /* overall sorted rate set */
-        u8 max_tp_rate[MAX_THR_RATES];
+        u16 max_tp_rate[MAX_THR_RATES];
-        u8 max_prob_rate;
+        u16 max_prob_rate;
        /* time of last status update */
        unsigned long stats_update;
@@ -80,7 +102,7 @@ struct minstrel_ht_sta {
        u8 cck_supported_short;
        /* MCS rate group info and statistics */
-        struct minstrel_mcs_group_data groups[MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS + 1];
+        struct minstrel_mcs_group_data groups[MINSTREL_GROUPS_NB];
 };
 struct minstrel_ht_sta_priv {
diff --git a/net/mac80211/rc80211_minstrel_ht_debugfs.c b/net/mac80211/rc80211_minstrel_ht_debugfs.c
index a72ad46f2a04..20c676b8e5b6 100644
--- a/net/mac80211/rc80211_minstrel_ht_debugfs.c
+++ b/net/mac80211/rc80211_minstrel_ht_debugfs.c
@@ -18,19 +18,23 @@
 static char *
 minstrel_ht_stats_dump(struct minstrel_ht_sta *mi, int i, char *p)
 {
-        unsigned int max_mcs = MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS;
        const struct mcs_group *mg;
        unsigned int j, tp, prob, eprob;
        char htmode = '2';
        char gimode = 'L';
+        u32 gflags;
        if (!mi->groups[i].supported)
                return p;
        mg = &minstrel_mcs_groups[i];
-        if (mg->flags & IEEE80211_TX_RC_40_MHZ_WIDTH)
+        gflags = mg->flags;
+        if (gflags & IEEE80211_TX_RC_40_MHZ_WIDTH)
                htmode = '4';
-        if (mg->flags & IEEE80211_TX_RC_SHORT_GI)
+        else if (gflags & IEEE80211_TX_RC_80_MHZ_WIDTH)
+                htmode = '8';
+        if (gflags & IEEE80211_TX_RC_SHORT_GI)
                gimode = 'S';
        for (j = 0; j < MCS_GROUP_RATES; j++) {
@@ -41,10 +45,12 @@ minstrel_ht_stats_dump(struct minstrel_ht_sta *mi, int i, char *p)
                if (!(mi->groups[i].supported & BIT(j)))
                        continue;
-                if (i == max_mcs)
+                if (gflags & IEEE80211_TX_RC_MCS)
-                        p += sprintf(p, "CCK/%cP   ", j < 4 ? 'L' : 'S');
+                        p += sprintf(p, " HT%c0/%cGI ", htmode, gimode);
+                else if (gflags & IEEE80211_TX_RC_VHT_MCS)
+                        p += sprintf(p, "VHT%c0/%cGI ", htmode, gimode);
                else
-                        p += sprintf(p, "HT%c0/%cGI ", htmode, gimode);
+                        p += sprintf(p, " CCK/%cP   ", j < 4 ? 'L' : 'S');
                *(p++) = (idx == mi->max_tp_rate[0]) ? 'A' : ' ';
                *(p++) = (idx == mi->max_tp_rate[1]) ? 'B' : ' ';
@@ -52,19 +58,22 @@ minstrel_ht_stats_dump(struct minstrel_ht_sta *mi, int i, char *p)
                *(p++) = (idx == mi->max_tp_rate[3]) ? 'D' : ' ';
                *(p++) = (idx == mi->max_prob_rate) ? 'P' : ' ';
-                if (i == max_mcs) {
+                if (gflags & IEEE80211_TX_RC_MCS) {
-                        int r = bitrates[j % 4];
+                        p += sprintf(p, " MCS%-2u ", (mg->streams - 1) * 8 + j);
-                        p += sprintf(p, " %2u.%1uM", r / 10, r % 10);
+                } else if (gflags & IEEE80211_TX_RC_VHT_MCS) {
+                        p += sprintf(p, " MCS%-1u/%1u", j, mg->streams);
                } else {
-                        p += sprintf(p, " MCS%-2u", (mg->streams - 1) * 8 + j);
+                        int r = bitrates[j % 4];
+                        p += sprintf(p, " %2u.%1uM ", r / 10, r % 10);
                }
                tp = mr->cur_tp / 10;
                prob = MINSTREL_TRUNC(mr->cur_prob * 1000);
                eprob = MINSTREL_TRUNC(mr->probability * 1000);
-                p += sprintf(p, "      %6u.%1u   %6u.%1u    %6u.%1u    "
+                p += sprintf(p, " %4u.%1u %3u.%1u %3u.%1u "
-                                "%3u            %3u(%3u)  %8llu    %8llu\n",
+                                "%3u %4u(%4u) %9llu(%9llu)\n",
                                tp / 10, tp % 10,
                                eprob / 10, eprob % 10,
                                prob / 10, prob % 10,
@@ -85,7 +94,6 @@ minstrel_ht_stats_open(struct inode *inode, struct file *file)
        struct minstrel_ht_sta *mi = &msp->ht;
        struct minstrel_debugfs_info *ms;
        unsigned int i;
-        unsigned int max_mcs = MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS;
        char *p;
        int ret;
@@ -96,17 +104,19 @@ minstrel_ht_stats_open(struct inode *inode, struct file *file)
                return ret;
        }
-        ms = kmalloc(sizeof(*ms) + 8192, GFP_KERNEL);
+        ms = kmalloc(32768, GFP_KERNEL);
        if (!ms)
                return -ENOMEM;
        file->private_data = ms;
        p = ms->buf;
-        p += sprintf(p, "type           rate     throughput  ewma prob   "
+        p += sprintf(p, " type           rate      tpt eprob *prob "
-                     "this prob  retry   this succ/attempt   success    attempts\n");
+                        "ret  *ok(*cum)        ok(      cum)\n");
-        p = minstrel_ht_stats_dump(mi, max_mcs, p);
+        p = minstrel_ht_stats_dump(mi, MINSTREL_CCK_GROUP, p);
-        for (i = 0; i < max_mcs; i++)
+        for (i = 0; i < MINSTREL_CCK_GROUP; i++)
+                p = minstrel_ht_stats_dump(mi, i, p);
+        for (i++; i < ARRAY_SIZE(mi->groups); i++)
                p = minstrel_ht_stats_dump(mi, i, p);
        p += sprintf(p, "\nTotal packet count::    ideal %d      "
@@ -118,6 +128,8 @@ minstrel_ht_stats_open(struct inode *inode, struct file *file)
                MINSTREL_TRUNC(mi->avg_ampdu_len * 10) % 10);
        ms->len = p - ms->buf;
+        WARN_ON(ms->len + sizeof(*ms) > 32768);
        return nonseekable_open(inode, file);
 }
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index b04ca4049c95..49c23bdf08bb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -39,7 +39,8 @@
 * only useful for monitoring.
 */
 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
-                                           struct sk_buff *skb)
+                                           struct sk_buff *skb,
+                                           unsigned int rtap_vendor_space)
 {
        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
                if (likely(skb->len > FCS_LEN))
@@ -52,20 +53,25 @@ static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
                }
        }
+        __pskb_pull(skb, rtap_vendor_space);
        return skb;
 }
-static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len)
+static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
+                                     unsigned int rtap_vendor_space)
 {
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
-        struct ieee80211_hdr *hdr = (void *)skb->data;
+        struct ieee80211_hdr *hdr;
+        hdr = (void *)(skb->data + rtap_vendor_space);
        if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
                            RX_FLAG_FAILED_PLCP_CRC |
                            RX_FLAG_AMPDU_IS_ZEROLEN))
                return true;
-        if (unlikely(skb->len < 16 + present_fcs_len))
+        if (unlikely(skb->len < 16 + present_fcs_len + rtap_vendor_space))
                return true;
        if (ieee80211_is_ctl(hdr->frame_control) &&
@@ -77,8 +83,9 @@ static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len)
 }
 static int
-ieee80211_rx_radiotap_space(struct ieee80211_local *local,
+ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
-                            struct ieee80211_rx_status *status)
+                             struct ieee80211_rx_status *status,
+                             struct sk_buff *skb)
 {
        int len;
@@ -121,6 +128,21 @@ ieee80211_rx_radiotap_space(struct ieee80211_local *local,
                len += 2 * hweight8(status->chains);
        }
+        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+                struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
+                /* vendor presence bitmap */
+                len += 4;
+                /* alignment for fixed 6-byte vendor data header */
+                len = ALIGN(len, 2);
+                /* vendor data header */
+                len += 6;
+                if (WARN_ON(rtap->align == 0))
+                        rtap->align = 1;
+                len = ALIGN(len, rtap->align);
+                len += rtap->len + rtap->pad;
+        }
        return len;
 }
@@ -144,13 +166,20 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
        u16 channel_flags = 0;
        int mpdulen, chain;
        unsigned long chains = status->chains;
+        struct ieee80211_vendor_radiotap rtap = {};
+        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+                rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
+                /* rtap.len and rtap.pad are undone immediately */
+                skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
+        }
        mpdulen = skb->len;
        if (!(has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)))
                mpdulen += FCS_LEN;
        rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
-        memset(rthdr, 0, rtap_len);
+        memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
        it_present = &rthdr->it_present;
        /* radiotap header, set always present flags */
@@ -172,6 +201,14 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                                 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
        }
+        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+                it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
+                                  BIT(IEEE80211_RADIOTAP_EXT);
+                put_unaligned_le32(it_present_val, it_present);
+                it_present++;
+                it_present_val = rtap.present;
+        }
        put_unaligned_le32(it_present_val, it_present);
        pos = (void *)(it_present + 1);
@@ -366,6 +403,22 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                *pos++ = status->chain_signal[chain];
                *pos++ = chain;
        }
+        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+                /* ensure 2 byte alignment for the vendor field as required */
+                if ((pos - (u8 *)rthdr) & 1)
+                        *pos++ = 0;
+                *pos++ = rtap.oui[0];
+                *pos++ = rtap.oui[1];
+                *pos++ = rtap.oui[2];
+                *pos++ = rtap.subns;
+                put_unaligned_le16(rtap.len, pos);
+                pos += 2;
+                /* align the actual payload as requested */
+                while ((pos - (u8 *)rthdr) & (rtap.align - 1))
+                        *pos++ = 0;
+                /* data (and possible padding) already follows */
+        }
 }
 /*
@@ -379,10 +432,17 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 {
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
        struct ieee80211_sub_if_data *sdata;
-        int needed_headroom;
+        int rt_hdrlen, needed_headroom;
        struct sk_buff *skb, *skb2;
        struct net_device *prev_dev = NULL;
        int present_fcs_len = 0;
+        unsigned int rtap_vendor_space = 0;
+        if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
+                struct ieee80211_vendor_radiotap *rtap = (void *)origskb->data;
+                rtap_vendor_space = sizeof(*rtap) + rtap->len + rtap->pad;
+        }
        /*
         * First, we may need to make a copy of the skb because
@@ -396,25 +456,27 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
                present_fcs_len = FCS_LEN;
-        /* ensure hdr->frame_control is in skb head */
+        /* ensure hdr->frame_control and vendor radiotap data are in skb head */
-        if (!pskb_may_pull(origskb, 2)) {
+        if (!pskb_may_pull(origskb, 2 + rtap_vendor_space)) {
                dev_kfree_skb(origskb);
                return NULL;
        }
        if (!local->monitors) {
-                if (should_drop_frame(origskb, present_fcs_len)) {
+                if (should_drop_frame(origskb, present_fcs_len,
+                                      rtap_vendor_space)) {
                        dev_kfree_skb(origskb);
                        return NULL;
                }
-                return remove_monitor_info(local, origskb);
+                return remove_monitor_info(local, origskb, rtap_vendor_space);
        }
        /* room for the radiotap header based on driver features */
-        needed_headroom = ieee80211_rx_radiotap_space(local, status);
+        rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, origskb);
+        needed_headroom = rt_hdrlen - rtap_vendor_space;
-        if (should_drop_frame(origskb, present_fcs_len)) {
+        if (should_drop_frame(origskb, present_fcs_len, rtap_vendor_space)) {
                /* only need to expand headroom if necessary */
                skb = origskb;
                origskb = NULL;
@@ -438,15 +500,15 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
                 */
                skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
-                origskb = remove_monitor_info(local, origskb);
+                origskb = remove_monitor_info(local, origskb,
+                                              rtap_vendor_space);
                if (!skb)
                        return origskb;
        }
        /* prepend radiotap information */
-        ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
+        ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
-                                         true);
        skb_reset_mac_header(skb);
        skb->ip_summed = CHECKSUM_UNNECESSARY;
@@ -985,7 +1047,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
 }
 static ieee80211_rx_result debug_noinline
-ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
+ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
@@ -994,10 +1056,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
         * Drop duplicate 802.11 retransmissions
         * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
         */
-        if (rx->skb->len >= 24 && rx->sta &&
-            !ieee80211_is_ctl(hdr->frame_control) &&
+        if (rx->skb->len < 24)
-            !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
+                return RX_CONTINUE;
-            !is_multicast_ether_addr(hdr->addr1)) {
+        if (ieee80211_is_ctl(hdr->frame_control) ||
+            ieee80211_is_qos_nullfunc(hdr->frame_control) ||
+            is_multicast_ether_addr(hdr->addr1))
+                return RX_CONTINUE;
+        if (rx->sta) {
                if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
                             rx->sta->last_seq_ctrl[rx->seqno_idx] ==
                             hdr->seq_ctrl)) {
@@ -1011,6 +1079,14 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                }
        }
+        return RX_CONTINUE;
+}
+static ieee80211_rx_result debug_noinline
+ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
+{
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        if (unlikely(rx->skb->len < 16)) {
                I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
                return RX_DROP_MONITOR;
@@ -1032,6 +1108,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                      ieee80211_is_pspoll(hdr->frame_control)) &&
                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
                     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
+                     rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
                     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
                /*
                 * accept port control frames from the AP even when it's not
@@ -1272,6 +1349,12 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
                                sta->last_rx_rate_vht_nss = status->vht_nss;
                        }
                }
+        } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
+                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
+                                                NL80211_IFTYPE_OCB);
+                /* OCB uses wild-card BSSID */
+                if (is_broadcast_ether_addr(bssid))
+                        sta->last_rx = jiffies;
        } else if (!is_multicast_ether_addr(hdr->addr1)) {
                /*
                 * Mesh beacons will update last_rx when if they are found to
@@ -1678,11 +1761,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
        sc = le16_to_cpu(hdr->seq_ctrl);
        frag = sc & IEEE80211_SCTL_FRAG;
-        if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-                   is_multicast_ether_addr(hdr->addr1))) {
+                goto out;
-                /* not fragmented */
+        if (is_multicast_ether_addr(hdr->addr1)) {
+                rx->local->dot11MulticastReceivedFrameCount++;
                goto out;
        }
        I802_DEBUG_INC(rx->local->rx_handlers_fragments);
        if (skb_linearize(rx->skb))
@@ -1775,10 +1861,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
 out:
        if (rx->sta)
                rx->sta->rx_packets++;
-        if (is_multicast_ether_addr(hdr->addr1))
+        ieee80211_led_rx(rx->local);
-                rx->local->dot11MulticastReceivedFrameCount++;
-        else
-                ieee80211_led_rx(rx->local);
        return RX_CONTINUE;
 }
@@ -2250,6 +2333,27 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
        if (!ieee80211_frame_allowed(rx, fc))
                return RX_DROP_MONITOR;
+        /* directly handle TDLS channel switch requests/responses */
+        if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
+                                                cpu_to_be16(ETH_P_TDLS))) {
+                struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
+                if (pskb_may_pull(rx->skb,
+                                  offsetof(struct ieee80211_tdls_data, u)) &&
+                    tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
+                    tf->category == WLAN_CATEGORY_TDLS &&
+                    (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
+                     tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
+                        rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TDLS_CHSW;
+                        skb_queue_tail(&sdata->skb_queue, rx->skb);
+                        ieee80211_queue_work(&rx->local->hw, &sdata->work);
+                        if (rx->sta)
+                                rx->sta->rx_packets++;
+                        return RX_QUEUED;
+                }
+        }
        if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
            unlikely(port_control) && sdata->bss) {
                sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
@@ -2820,6 +2924,7 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
        if (!ieee80211_vif_is_mesh(&sdata->vif) &&
            sdata->vif.type != NL80211_IFTYPE_ADHOC &&
+            sdata->vif.type != NL80211_IFTYPE_OCB &&
            sdata->vif.type != NL80211_IFTYPE_STATION)
                return RX_DROP_MONITOR;
@@ -2884,8 +2989,10 @@ static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
        if (!local->cooked_mntrs)
                goto out_free_skb;
+        /* vendor data is long removed here */
+        status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
        /* room for the radiotap header based on driver features */
-        needed_headroom = ieee80211_rx_radiotap_space(local, status);
+        needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
        if (skb_headroom(skb) < needed_headroom &&
            pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
@@ -3038,6 +3145,7 @@ static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
                        goto rxh_next;  \
        } while (0);
+        CALL_RXH(ieee80211_rx_h_check_dup)
        CALL_RXH(ieee80211_rx_h_check)
        ieee80211_rx_reorder_ampdu(rx, &reorder_release);
@@ -3130,6 +3238,33 @@ static bool prepare_for_handlers(struct ieee80211_rx_data *rx,
                                                 BIT(rate_idx));
                }
                break;
+        case NL80211_IFTYPE_OCB:
+                if (!bssid)
+                        return false;
+                if (ieee80211_is_beacon(hdr->frame_control)) {
+                        return false;
+                } else if (!is_broadcast_ether_addr(bssid)) {
+                        ocb_dbg(sdata, "BSSID mismatch in OCB mode!\n");
+                        return false;
+                } else if (!multicast &&
+                           !ether_addr_equal(sdata->dev->dev_addr,
+                                             hdr->addr1)) {
+                        /* if we are in promisc mode we also accept
+                         * packets not destined for us
+                         */
+                        if (!(sdata->dev->flags & IFF_PROMISC))
+                                return false;
+                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
+                } else if (!rx->sta) {
+                        int rate_idx;
+                        if (status->flag & RX_FLAG_HT)
+                                rate_idx = 0; /* TODO: HT rates */
+                        else
+                                rate_idx = status->rate_idx;
+                        ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
+                                                BIT(rate_idx));
+                }
+                break;
        case NL80211_IFTYPE_MESH_POINT:
                if (!multicast &&
                    !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index af0d094b2f2f..ae842678b629 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -184,9 +184,21 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb)
                return;
        if (ieee80211_is_probe_resp(mgmt->frame_control)) {
-                /* ignore ProbeResp to foreign address */
+                struct cfg80211_scan_request *scan_req;
-                if ((!sdata1 || !ether_addr_equal(mgmt->da, sdata1->vif.addr)) &&
+                struct cfg80211_sched_scan_request *sched_scan_req;
-                    (!sdata2 || !ether_addr_equal(mgmt->da, sdata2->vif.addr)))
+                scan_req = rcu_dereference(local->scan_req);
+                sched_scan_req = rcu_dereference(local->sched_scan_req);
+                /* ignore ProbeResp to foreign address unless scanning
+                 * with randomised address
+                 */
+                if (!(sdata1 &&
+                      (ether_addr_equal(mgmt->da, sdata1->vif.addr) ||
+                       scan_req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)) &&
+                    !(sdata2 &&
+                      (ether_addr_equal(mgmt->da, sdata2->vif.addr) ||
+                       sched_scan_req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)))
                        return;
                elements = mgmt->u.probe_resp.variable;
@@ -234,11 +246,14 @@ ieee80211_prepare_scan_chandef(struct cfg80211_chan_def *chandef,
 /* return false if no more work */
 static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
 {
-        struct cfg80211_scan_request *req = local->scan_req;
+        struct cfg80211_scan_request *req;
        struct cfg80211_chan_def chandef;
        u8 bands_used = 0;
        int i, ielen, n_chans;
+        req = rcu_dereference_protected(local->scan_req,
+                                        lockdep_is_held(&local->mtx));
        if (test_bit(SCAN_HW_CANCELLED, &local->scanning))
                return false;
@@ -281,6 +296,9 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
                                         bands_used, req->rates, &chandef);
        local->hw_scan_req->req.ie_len = ielen;
        local->hw_scan_req->req.no_cck = req->no_cck;
+        ether_addr_copy(local->hw_scan_req->req.mac_addr, req->mac_addr);
+        ether_addr_copy(local->hw_scan_req->req.mac_addr_mask,
+                        req->mac_addr_mask);
        return true;
 }
@@ -290,6 +308,8 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
        struct ieee80211_local *local = hw_to_local(hw);
        bool hw_scan = local->ops->hw_scan;
        bool was_scanning = local->scanning;
+        struct cfg80211_scan_request *scan_req;
+        struct ieee80211_sub_if_data *scan_sdata;
        lockdep_assert_held(&local->mtx);
@@ -322,9 +342,15 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
        kfree(local->hw_scan_req);
        local->hw_scan_req = NULL;
-        if (local->scan_req != local->int_scan_req)
+        scan_req = rcu_dereference_protected(local->scan_req,
-                cfg80211_scan_done(local->scan_req, aborted);
+                                             lockdep_is_held(&local->mtx));
-        local->scan_req = NULL;
+        if (scan_req != local->int_scan_req)
+                cfg80211_scan_done(scan_req, aborted);
+        RCU_INIT_POINTER(local->scan_req, NULL);
+        scan_sdata = rcu_dereference_protected(local->scan_sdata,
+                                               lockdep_is_held(&local->mtx));
        RCU_INIT_POINTER(local->scan_sdata, NULL);
        local->scanning = 0;
@@ -335,7 +361,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
        if (!hw_scan) {
                ieee80211_configure_filter(local);
-                drv_sw_scan_complete(local);
+                drv_sw_scan_complete(local, scan_sdata);
                ieee80211_offchannel_return(local);
        }
@@ -361,7 +387,8 @@ void ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
 }
 EXPORT_SYMBOL(ieee80211_scan_completed);
-static int ieee80211_start_sw_scan(struct ieee80211_local *local)
+static int ieee80211_start_sw_scan(struct ieee80211_local *local,
+                                   struct ieee80211_sub_if_data *sdata)
 {
        /* Software scan is not supported in multi-channel cases */
        if (local->use_chanctx)
@@ -380,7 +407,7 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
         * nullfunc frames and probe requests will be dropped in
         * ieee80211_tx_h_check_assoc().
         */
-        drv_sw_scan_start(local);
+        drv_sw_scan_start(local, sdata, local->scan_addr);
        local->leave_oper_channel_time = jiffies;
        local->next_scan_state = SCAN_DECISION;
@@ -440,23 +467,26 @@ static void ieee80211_scan_state_send_probe(struct ieee80211_local *local,
 {
        int i;
        struct ieee80211_sub_if_data *sdata;
+        struct cfg80211_scan_request *scan_req;
        enum ieee80211_band band = local->hw.conf.chandef.chan->band;
        u32 tx_flags;
+        scan_req = rcu_dereference_protected(local->scan_req,
+                                             lockdep_is_held(&local->mtx));
        tx_flags = IEEE80211_TX_INTFL_OFFCHAN_TX_OK;
-        if (local->scan_req->no_cck)
+        if (scan_req->no_cck)
                tx_flags |= IEEE80211_TX_CTL_NO_CCK_RATE;
        sdata = rcu_dereference_protected(local->scan_sdata,
                                          lockdep_is_held(&local->mtx));
-        for (i = 0; i < local->scan_req->n_ssids; i++)
+        for (i = 0; i < scan_req->n_ssids; i++)
                ieee80211_send_probe_req(
-                        sdata, NULL,
+                        sdata, local->scan_addr, NULL,
-                        local->scan_req->ssids[i].ssid,
+                        scan_req->ssids[i].ssid, scan_req->ssids[i].ssid_len,
-                        local->scan_req->ssids[i].ssid_len,
+                        scan_req->ie, scan_req->ie_len,
-                        local->scan_req->ie, local->scan_req->ie_len,
+                        scan_req->rates[band], false,
-                        local->scan_req->rates[band], false,
                        tx_flags, local->hw.conf.chandef.chan, true);
        /*
@@ -480,7 +510,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
        if (!ieee80211_can_scan(local, sdata)) {
                /* wait for the work to finish/time out */
-                local->scan_req = req;
+                rcu_assign_pointer(local->scan_req, req);
                rcu_assign_pointer(local->scan_sdata, sdata);
                return 0;
        }
@@ -530,9 +560,16 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
                 */
        }
-        local->scan_req = req;
+        rcu_assign_pointer(local->scan_req, req);
        rcu_assign_pointer(local->scan_sdata, sdata);
+        if (req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR)
+                get_random_mask_addr(local->scan_addr,
+                                     req->mac_addr,
+                                     req->mac_addr_mask);
+        else
+                memcpy(local->scan_addr, sdata->vif.addr, ETH_ALEN);
        if (local->ops->hw_scan) {
                __set_bit(SCAN_HW_SCANNING, &local->scanning);
        } else if ((req->n_channels == 1) &&
@@ -549,7 +586,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
                /* Notify driver scan is starting, keep order of operations
                 * same as normal software scan, in case that matters. */
-                drv_sw_scan_start(local);
+                drv_sw_scan_start(local, sdata, local->scan_addr);
                ieee80211_configure_filter(local); /* accept probe-responses */
@@ -558,7 +595,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
                if ((req->channels[0]->flags &
                     IEEE80211_CHAN_NO_IR) ||
-                    !local->scan_req->n_ssids) {
+                    !req->n_ssids) {
                        next_delay = IEEE80211_PASSIVE_CHANNEL_TIME;
                } else {
                        ieee80211_scan_state_send_probe(local, &next_delay);
@@ -579,8 +616,9 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
        if (local->ops->hw_scan) {
                WARN_ON(!ieee80211_prep_hw_scan(local));
                rc = drv_hw_scan(local, sdata, local->hw_scan_req);
-        } else
+        } else {
-                rc = ieee80211_start_sw_scan(local);
+                rc = ieee80211_start_sw_scan(local, sdata);
+        }
        if (rc) {
                kfree(local->hw_scan_req);
@@ -617,6 +655,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
        struct ieee80211_sub_if_data *sdata;
        struct ieee80211_channel *next_chan;
        enum mac80211_scan_state next_scan_state;
+        struct cfg80211_scan_request *scan_req;
        /*
         * check if at least one STA interface is associated,
@@ -641,7 +680,10 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
        }
        mutex_unlock(&local->iflist_mtx);
-        next_chan = local->scan_req->channels[local->scan_channel_idx];
+        scan_req = rcu_dereference_protected(local->scan_req,
+                                             lockdep_is_held(&local->mtx));
+        next_chan = scan_req->channels[local->scan_channel_idx];
        /*
         * we're currently scanning a different channel, let's
@@ -656,7 +698,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
                                 local->leave_oper_channel_time + HZ / 8);
        if (associated && !tx_empty) {
-                if (local->scan_req->flags & NL80211_SCAN_FLAG_LOW_PRIORITY)
+                if (scan_req->flags & NL80211_SCAN_FLAG_LOW_PRIORITY)
                        next_scan_state = SCAN_ABORT;
                else
                        next_scan_state = SCAN_SUSPEND;
@@ -677,14 +719,18 @@ static void ieee80211_scan_state_set_channel(struct ieee80211_local *local,
        int skip;
        struct ieee80211_channel *chan;
        enum nl80211_bss_scan_width oper_scan_width;
+        struct cfg80211_scan_request *scan_req;
+        scan_req = rcu_dereference_protected(local->scan_req,
+                                             lockdep_is_held(&local->mtx));
        skip = 0;
-        chan = local->scan_req->channels[local->scan_channel_idx];
+        chan = scan_req->channels[local->scan_channel_idx];
        local->scan_chandef.chan = chan;
        local->scan_chandef.center_freq1 = chan->center_freq;
        local->scan_chandef.center_freq2 = 0;
-        switch (local->scan_req->scan_width) {
+        switch (scan_req->scan_width) {
        case NL80211_BSS_CHAN_WIDTH_5:
                local->scan_chandef.width = NL80211_CHAN_WIDTH_5;
                break;
@@ -698,7 +744,7 @@ static void ieee80211_scan_state_set_channel(struct ieee80211_local *local,
                oper_scan_width = cfg80211_chandef_to_scan_width(
                                        &local->_oper_chandef);
                if (chan == local->_oper_chandef.chan &&
-                    oper_scan_width == local->scan_req->scan_width)
+                    oper_scan_width == scan_req->scan_width)
                        local->scan_chandef = local->_oper_chandef;
                else
                        local->scan_chandef.width = NL80211_CHAN_WIDTH_20_NOHT;
@@ -727,8 +773,7 @@ static void ieee80211_scan_state_set_channel(struct ieee80211_local *local,
         *
         * In any case, it is not necessary for a passive scan.
         */
-        if (chan->flags & IEEE80211_CHAN_NO_IR ||
+        if (chan->flags & IEEE80211_CHAN_NO_IR || !scan_req->n_ssids) {
-            !local->scan_req->n_ssids) {
                *next_delay = IEEE80211_PASSIVE_CHANNEL_TIME;
                local->next_scan_state = SCAN_DECISION;
                return;
@@ -777,6 +822,7 @@ void ieee80211_scan_work(struct work_struct *work)
        struct ieee80211_local *local =
                container_of(work, struct ieee80211_local, scan_work.work);
        struct ieee80211_sub_if_data *sdata;
+        struct cfg80211_scan_request *scan_req;
        unsigned long next_delay = 0;
        bool aborted;
@@ -784,6 +830,8 @@ void ieee80211_scan_work(struct work_struct *work)
        sdata = rcu_dereference_protected(local->scan_sdata,
                                          lockdep_is_held(&local->mtx));
+        scan_req = rcu_dereference_protected(local->scan_req,
+                                             lockdep_is_held(&local->mtx));
        /* When scanning on-channel, the first-callback means completed. */
        if (test_bit(SCAN_ONCHANNEL_SCANNING, &local->scanning)) {
@@ -796,20 +844,19 @@ void ieee80211_scan_work(struct work_struct *work)
                goto out_complete;
        }
-        if (!sdata || !local->scan_req)
+        if (!sdata || !scan_req)
                goto out;
-        if (local->scan_req && !local->scanning) {
+        if (!local->scanning) {
-                struct cfg80211_scan_request *req = local->scan_req;
                int rc;
-                local->scan_req = NULL;
+                RCU_INIT_POINTER(local->scan_req, NULL);
                RCU_INIT_POINTER(local->scan_sdata, NULL);
-                rc = __ieee80211_start_scan(sdata, req);
+                rc = __ieee80211_start_scan(sdata, scan_req);
                if (rc) {
                        /* need to complete scan in cfg80211 */
-                        local->scan_req = req;
+                        rcu_assign_pointer(local->scan_req, scan_req);
                        aborted = true;
                        goto out_complete;
                } else
@@ -829,7 +876,7 @@ void ieee80211_scan_work(struct work_struct *work)
                switch (local->next_scan_state) {
                case SCAN_DECISION:
                        /* if no more bands/channels left, complete scan */
-                        if (local->scan_channel_idx >= local->scan_req->n_channels) {
+                        if (local->scan_channel_idx >= scan_req->n_channels) {
                                aborted = false;
                                goto out_complete;
                        }
@@ -1043,7 +1090,7 @@ int __ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
        ret = drv_sched_scan_start(local, sdata, req, &sched_scan_ies);
        if (ret == 0) {
                rcu_assign_pointer(local->sched_scan_sdata, sdata);
-                local->sched_scan_req = req;
+                rcu_assign_pointer(local->sched_scan_req, req);
        }
        kfree(ie);
@@ -1052,7 +1099,7 @@ out:
        if (ret) {
                /* Clean in case of failure after HW restart or upon resume. */
                RCU_INIT_POINTER(local->sched_scan_sdata, NULL);
-                local->sched_scan_req = NULL;
+                RCU_INIT_POINTER(local->sched_scan_req, NULL);
        }
        return ret;
@@ -1090,7 +1137,7 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
        }
        /* We don't want to restart sched scan anymore. */
-        local->sched_scan_req = NULL;
+        RCU_INIT_POINTER(local->sched_scan_req, NULL);
        if (rcu_access_pointer(local->sched_scan_sdata)) {
                ret = drv_sched_scan_stop(local, sdata);
@@ -1125,7 +1172,7 @@ void ieee80211_sched_scan_end(struct ieee80211_local *local)
        RCU_INIT_POINTER(local->sched_scan_sdata, NULL);
        /* If sched scan was aborted by the driver. */
-        local->sched_scan_req = NULL;
+        RCU_INIT_POINTER(local->sched_scan_req, NULL);
        mutex_unlock(&local->mtx);
diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
index 6ab009070084..efeba56c913b 100644
--- a/net/mac80211/spectmgmt.c
+++ b/net/mac80211/spectmgmt.c
@@ -22,7 +22,7 @@
 #include "wme.h"
 int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
-                                 struct ieee802_11_elems *elems, bool beacon,
+                                 struct ieee802_11_elems *elems,
                                 enum ieee80211_band current_band,
                                 u32 sta_flags, u8 *bssid,
                                 struct ieee80211_csa_ie *csa_ie)
@@ -91,19 +91,13 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
                return -EINVAL;
        }
-        if (!beacon && sec_chan_offs) {
+        if (sec_chan_offs) {
                secondary_channel_offset = sec_chan_offs->sec_chan_offs;
-        } else if (beacon && ht_oper) {
-                secondary_channel_offset =
-                        ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET;
        } else if (!(sta_flags & IEEE80211_STA_DISABLE_HT)) {
-                /* If it's not a beacon, HT is enabled and the IE not present,
+                /* If the secondary channel offset IE is not present,
-                 * it's 20 MHz, 802.11-2012 8.5.2.6:
+                 * we can't know what's the post-CSA offset, so the
-                 *      This element [the Secondary Channel Offset Element] is
+                 * best we can do is use 20MHz.
-                 *      present when switching to a 40 MHz channel. It may be
+                */
-                 *      present when switching to a 20 MHz channel (in which
-                 *      case the secondary channel offset is set to SCN).
-                 */
                secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE;
        }
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index de494df3bab8..a42f5b2b024d 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -351,6 +351,9 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
        sta->sta_state = IEEE80211_STA_NONE;
+        /* Mark TID as unreserved */
+        sta->reserved_tid = IEEE80211_TID_UNRESERVED;
        ktime_get_ts(&uptime);
        sta->last_connected = uptime.tv_sec;
        ewma_init(&sta->avg_signal, 1024, 8);
@@ -501,7 +504,7 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
        /* make the station visible */
        sta_info_hash_add(local, sta);
-        list_add_rcu(&sta->list, &local->sta_list);
+        list_add_tail_rcu(&sta->list, &local->sta_list);
        /* notify driver */
        err = sta_info_insert_drv_state(local, sdata, sta);
@@ -847,6 +850,15 @@ static int __must_check __sta_info_destroy_part1(struct sta_info *sta)
        if (WARN_ON(ret))
                return ret;
+        /*
+         * for TDLS peers, make sure to return to the base channel before
+         * removal.
+         */
+        if (test_sta_flag(sta, WLAN_STA_TDLS_OFF_CHANNEL)) {
+                drv_tdls_cancel_channel_switch(local, sdata, &sta->sta);
+                clear_sta_flag(sta, WLAN_STA_TDLS_OFF_CHANNEL);
+        }
        list_del_rcu(&sta->list);
        drv_sta_pre_rcu_remove(local, sta->sdata, sta);
@@ -1249,7 +1261,8 @@ static void ieee80211_send_null_response(struct ieee80211_sub_if_data *sdata,
                return;
        }
-        ieee80211_xmit(sdata, skb, chanctx_conf->def.chan->band);
+        info->band = chanctx_conf->def.chan->band;
+        ieee80211_xmit(sdata, skb);
        rcu_read_unlock();
 }
@@ -1531,7 +1544,7 @@ void ieee80211_sta_ps_deliver_uapsd(struct sta_info *sta)
                break;
        case 0:
                /* XXX: what is a good value? */
-                n_frames = 8;
+                n_frames = 128;
                break;
        }
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 42f68cb8957e..4f052bb2a5ad 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -49,6 +49,9 @@
 *      packets. This means the link is enabled.
 * @WLAN_STA_TDLS_INITIATOR: We are the initiator of the TDLS link with this
 *      station.
+ * @WLAN_STA_TDLS_CHAN_SWITCH: This TDLS peer supports TDLS channel-switching
+ * @WLAN_STA_TDLS_OFF_CHANNEL: The local STA is currently off-channel with this
+ *      TDLS peer
 * @WLAN_STA_UAPSD: Station requested unscheduled SP while driver was
 *      keeping station in power-save mode, reply when the driver
 *      unblocks the station.
@@ -78,6 +81,8 @@ enum ieee80211_sta_info_flags {
        WLAN_STA_TDLS_PEER,
        WLAN_STA_TDLS_PEER_AUTH,
        WLAN_STA_TDLS_INITIATOR,
+        WLAN_STA_TDLS_CHAN_SWITCH,
+        WLAN_STA_TDLS_OFF_CHANNEL,
        WLAN_STA_UAPSD,
        WLAN_STA_SP,
        WLAN_STA_4ADDR_EVENT,
@@ -249,6 +254,9 @@ struct ieee80211_tx_latency_stat {
        u32 bin_count;
 };
+/* Value to indicate no TID reservation */
+#define IEEE80211_TID_UNRESERVED        0xff
 /**
 * struct sta_info - STA information
 *
@@ -336,6 +344,8 @@ struct ieee80211_tx_latency_stat {
 * @known_smps_mode: the smps_mode the client thinks we are in. Relevant for
 *      AP only.
 * @cipher_scheme: optional cipher scheme for this station
+ * @last_tdls_pkt_time: holds the time in jiffies of last TDLS pkt ACKed
+ * @reserved_tid: reserved TID (if any, otherwise IEEE80211_TID_UNRESERVED)
 */
 struct sta_info {
        /* General information, mostly static */
@@ -453,6 +463,8 @@ struct sta_info {
        /* TDLS timeout data */
        unsigned long last_tdls_pkt_time;
+        u8 reserved_tid;
        /* keep last! */
        struct ieee80211_sta sta;
 };
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 89290e33dafe..bb146f377ee4 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -390,6 +390,46 @@ ieee80211_add_tx_radiotap_header(struct ieee80211_local *local,
        }
 }
+/*
+ * Handles the tx for TDLS teardown frames.
+ * If the frame wasn't ACKed by the peer - it will be re-sent through the AP
+ */
+static void ieee80211_tdls_td_tx_handle(struct ieee80211_local *local,
+                                        struct ieee80211_sub_if_data *sdata,
+                                        struct sk_buff *skb, u32 flags)
+{
+        struct sk_buff *teardown_skb;
+        struct sk_buff *orig_teardown_skb;
+        bool is_teardown = false;
+        /* Get the teardown data we need and free the lock */
+        spin_lock(&sdata->u.mgd.teardown_lock);
+        teardown_skb = sdata->u.mgd.teardown_skb;
+        orig_teardown_skb = sdata->u.mgd.orig_teardown_skb;
+        if ((skb == orig_teardown_skb) && teardown_skb) {
+                sdata->u.mgd.teardown_skb = NULL;
+                sdata->u.mgd.orig_teardown_skb = NULL;
+                is_teardown = true;
+        }
+        spin_unlock(&sdata->u.mgd.teardown_lock);
+        if (is_teardown) {
+                /* This mechanism relies on being able to get ACKs */
+                WARN_ON(!(local->hw.flags &
+                          IEEE80211_HW_REPORTS_TX_ACK_STATUS));
+                /* Check if peer has ACKed */
+                if (flags & IEEE80211_TX_STAT_ACK) {
+                        dev_kfree_skb_any(teardown_skb);
+                } else {
+                        tdls_dbg(sdata,
+                                 "TDLS Resending teardown through AP\n");
+                        ieee80211_subif_start_xmit(teardown_skb, skb->dev);
+                }
+        }
+}
 static void ieee80211_report_used_skb(struct ieee80211_local *local,
                                      struct sk_buff *skb, bool dropped)
 {
@@ -426,8 +466,19 @@ static void ieee80211_report_used_skb(struct ieee80211_local *local,
                if (!sdata) {
                        skb->dev = NULL;
                } else if (info->flags & IEEE80211_TX_INTFL_MLME_CONN_TX) {
-                        ieee80211_mgd_conn_tx_status(sdata, hdr->frame_control,
+                        unsigned int hdr_size =
-                                                     acked);
+                                ieee80211_hdrlen(hdr->frame_control);
+                        /* Check to see if packet is a TDLS teardown packet */
+                        if (ieee80211_is_data(hdr->frame_control) &&
+                            (ieee80211_get_tdls_action(skb, hdr_size) ==
+                             WLAN_TDLS_TEARDOWN))
+                                ieee80211_tdls_td_tx_handle(local, sdata, skb,
+                                                            info->flags);
+                        else
+                                ieee80211_mgd_conn_tx_status(sdata,
+                                                             hdr->frame_control,
+                                                             acked);
                } else if (ieee80211_is_nullfunc(hdr->frame_control) ||
                           ieee80211_is_qos_nullfunc(hdr->frame_control)) {
                        cfg80211_probe_status(sdata->dev, hdr->addr1,
@@ -541,10 +592,9 @@ static void ieee80211_tx_latency_end_msrmnt(struct ieee80211_local *local,
 #define STA_LOST_TDLS_PKT_THRESHOLD     10
 #define STA_LOST_TDLS_PKT_TIME          (10*HZ) /* 10secs since last ACK */
-static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb)
+static void ieee80211_lost_packet(struct sta_info *sta,
+                                  struct ieee80211_tx_info *info)
 {
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        /* This packet was aggregated but doesn't carry status info */
        if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
            !(info->flags & IEEE80211_TX_STAT_AMPDU))
@@ -571,24 +621,13 @@ static void ieee80211_lost_packet(struct sta_info *sta, struct sk_buff *skb)
        sta->lost_packets = 0;
 }
-void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
+static int ieee80211_tx_get_rates(struct ieee80211_hw *hw,
+                                  struct ieee80211_tx_info *info,
+                                  int *retry_count)
 {
-        struct sk_buff *skb2;
-        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-        struct ieee80211_local *local = hw_to_local(hw);
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-        __le16 fc;
-        struct ieee80211_supported_band *sband;
-        struct ieee80211_sub_if_data *sdata;
-        struct net_device *prev_dev = NULL;
-        struct sta_info *sta, *tmp;
-        int retry_count = -1, i;
        int rates_idx = -1;
-        bool send_to_cooked;
+        int count = -1;
-        bool acked;
+        int i;
-        struct ieee80211_bar *bar;
-        int rtap_len;
-        int shift = 0;
        for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
                if ((info->flags & IEEE80211_TX_CTL_AMPDU) &&
@@ -606,12 +645,91 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                        break;
                }
-                retry_count += info->status.rates[i].count;
+                count += info->status.rates[i].count;
        }
        rates_idx = i - 1;
-        if (retry_count < 0)
+        if (count < 0)
-                retry_count = 0;
+                count = 0;
+        *retry_count = count;
+        return rates_idx;
+}
+void ieee80211_tx_status_noskb(struct ieee80211_hw *hw,
+                               struct ieee80211_sta *pubsta,
+                               struct ieee80211_tx_info *info)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        struct ieee80211_supported_band *sband;
+        int retry_count;
+        int rates_idx;
+        bool acked;
+        rates_idx = ieee80211_tx_get_rates(hw, info, &retry_count);
+        sband = hw->wiphy->bands[info->band];
+        acked = !!(info->flags & IEEE80211_TX_STAT_ACK);
+        if (pubsta) {
+                struct sta_info *sta;
+                sta = container_of(pubsta, struct sta_info, sta);
+                if (!acked)
+                        sta->tx_retry_failed++;
+                sta->tx_retry_count += retry_count;
+                if (acked) {
+                        sta->last_rx = jiffies;
+                        if (sta->lost_packets)
+                                sta->lost_packets = 0;
+                        /* Track when last TDLS packet was ACKed */
+                        if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
+                                sta->last_tdls_pkt_time = jiffies;
+                } else {
+                        ieee80211_lost_packet(sta, info);
+                }
+                rate_control_tx_status_noskb(local, sband, sta, info);
+        }
+        if (acked) {
+                    local->dot11TransmittedFrameCount++;
+                    if (!pubsta)
+                            local->dot11MulticastTransmittedFrameCount++;
+                    if (retry_count > 0)
+                            local->dot11RetryCount++;
+                    if (retry_count > 1)
+                            local->dot11MultipleRetryCount++;
+        } else {
+                local->dot11FailedCount++;
+        }
+}
+EXPORT_SYMBOL(ieee80211_tx_status_noskb);
+void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
+{
+        struct sk_buff *skb2;
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+        struct ieee80211_local *local = hw_to_local(hw);
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        __le16 fc;
+        struct ieee80211_supported_band *sband;
+        struct ieee80211_sub_if_data *sdata;
+        struct net_device *prev_dev = NULL;
+        struct sta_info *sta, *tmp;
+        int retry_count;
+        int rates_idx;
+        bool send_to_cooked;
+        bool acked;
+        struct ieee80211_bar *bar;
+        int rtap_len;
+        int shift = 0;
+        rates_idx = ieee80211_tx_get_rates(hw, info, &retry_count);
        rcu_read_lock();
@@ -704,7 +822,8 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                if ((sta->sdata->vif.type == NL80211_IFTYPE_STATION) &&
                    (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS))
-                        ieee80211_sta_tx_notify(sta->sdata, (void *) skb->data, acked);
+                        ieee80211_sta_tx_notify(sta->sdata, (void *) skb->data,
+                                                acked, info->status.tx_time);
                if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) {
                        if (info->flags & IEEE80211_TX_STAT_ACK) {
@@ -715,7 +834,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                                if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
                                        sta->last_tdls_pkt_time = jiffies;
                        } else {
-                                ieee80211_lost_packet(sta, skb);
+                                ieee80211_lost_packet(sta, info);
                        }
                }
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index 4ea25dec0698..55ddd77b865d 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -35,19 +35,101 @@ void ieee80211_tdls_peer_del_work(struct work_struct *wk)
        mutex_unlock(&local->mtx);
 }
-static void ieee80211_tdls_add_ext_capab(struct sk_buff *skb)
+static void ieee80211_tdls_add_ext_capab(struct ieee80211_local *local,
+                                         struct sk_buff *skb)
 {
        u8 *pos = (void *)skb_put(skb, 7);
+        bool chan_switch = local->hw.wiphy->features &
+                           NL80211_FEATURE_TDLS_CHANNEL_SWITCH;
        *pos++ = WLAN_EID_EXT_CAPABILITY;
        *pos++ = 5; /* len */
        *pos++ = 0x0;
        *pos++ = 0x0;
        *pos++ = 0x0;
-        *pos++ = 0x0;
+        *pos++ = chan_switch ? WLAN_EXT_CAPA4_TDLS_CHAN_SWITCH : 0;
        *pos++ = WLAN_EXT_CAPA5_TDLS_ENABLED;
 }
+static u8
+ieee80211_tdls_add_subband(struct ieee80211_sub_if_data *sdata,
+                           struct sk_buff *skb, u16 start, u16 end,
+                           u16 spacing)
+{
+        u8 subband_cnt = 0, ch_cnt = 0;
+        struct ieee80211_channel *ch;
+        struct cfg80211_chan_def chandef;
+        int i, subband_start;
+        for (i = start; i <= end; i += spacing) {
+                if (!ch_cnt)
+                        subband_start = i;
+                ch = ieee80211_get_channel(sdata->local->hw.wiphy, i);
+                if (ch) {
+                        /* we will be active on the channel */
+                        u32 flags = IEEE80211_CHAN_DISABLED |
+                                    IEEE80211_CHAN_NO_IR;
+                        cfg80211_chandef_create(&chandef, ch,
+                                                NL80211_CHAN_HT20);
+                        if (cfg80211_chandef_usable(sdata->local->hw.wiphy,
+                                                    &chandef, flags)) {
+                                ch_cnt++;
+                                continue;
+                        }
+                }
+                if (ch_cnt) {
+                        u8 *pos = skb_put(skb, 2);
+                        *pos++ = ieee80211_frequency_to_channel(subband_start);
+                        *pos++ = ch_cnt;
+                        subband_cnt++;
+                        ch_cnt = 0;
+                }
+        }
+        return subband_cnt;
+}
+static void
+ieee80211_tdls_add_supp_channels(struct ieee80211_sub_if_data *sdata,
+                                 struct sk_buff *skb)
+{
+        /*
+         * Add possible channels for TDLS. These are channels that are allowed
+         * to be active.
+         */
+        u8 subband_cnt;
+        u8 *pos = skb_put(skb, 2);
+        *pos++ = WLAN_EID_SUPPORTED_CHANNELS;
+        /*
+         * 5GHz and 2GHz channels numbers can overlap. Ignore this for now, as
+         * this doesn't happen in real world scenarios.
+         */
+        /* 2GHz, with 5MHz spacing */
+        subband_cnt = ieee80211_tdls_add_subband(sdata, skb, 2412, 2472, 5);
+        /* 5GHz, with 20MHz spacing */
+        subband_cnt += ieee80211_tdls_add_subband(sdata, skb, 5000, 5825, 20);
+        /* length */
+        *pos = 2 * subband_cnt;
+}
+static void ieee80211_tdls_add_bss_coex_ie(struct sk_buff *skb)
+{
+        u8 *pos = (void *)skb_put(skb, 3);
+        *pos++ = WLAN_EID_BSS_COEX_2040;
+        *pos++ = 1; /* len */
+        *pos++ = WLAN_BSS_COEX_INFORMATION_REQUEST;
+}
 static u16 ieee80211_get_tdls_sta_capab(struct ieee80211_sub_if_data *sdata,
                                        u16 status_code)
 {
@@ -190,6 +272,7 @@ ieee80211_tdls_add_setup_start_ies(struct ieee80211_sub_if_data *sdata,
        ieee80211_add_srates_ie(sdata, skb, false, band);
        ieee80211_add_ext_srates_ie(sdata, skb, false, band);
+        ieee80211_tdls_add_supp_channels(sdata, skb);
        /* add any custom IEs that go before Extended Capabilities */
        if (extra_ies_len) {
@@ -209,7 +292,7 @@ ieee80211_tdls_add_setup_start_ies(struct ieee80211_sub_if_data *sdata,
                offset = noffset;
        }
-        ieee80211_tdls_add_ext_capab(skb);
+        ieee80211_tdls_add_ext_capab(local, skb);
        /* add the QoS element if we support it */
        if (local->hw.queues >= IEEE80211_NUM_ACS &&
@@ -271,6 +354,10 @@ ieee80211_tdls_add_setup_start_ies(struct ieee80211_sub_if_data *sdata,
        rcu_read_unlock();
+        if (ht_cap.ht_supported &&
+            (ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40))
+                ieee80211_tdls_add_bss_coex_ie(skb);
        /* add any remaining IEs */
        if (extra_ies_len) {
                noffset = extra_ies_len;
@@ -362,11 +449,68 @@ ieee80211_tdls_add_setup_cfm_ies(struct ieee80211_sub_if_data *sdata,
        ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator);
 }
+static void
+ieee80211_tdls_add_chan_switch_req_ies(struct ieee80211_sub_if_data *sdata,
+                                       struct sk_buff *skb, const u8 *peer,
+                                       bool initiator, const u8 *extra_ies,
+                                       size_t extra_ies_len, u8 oper_class,
+                                       struct cfg80211_chan_def *chandef)
+{
+        struct ieee80211_tdls_data *tf;
+        size_t offset = 0, noffset;
+        u8 *pos;
+        if (WARN_ON_ONCE(!chandef))
+                return;
+        tf = (void *)skb->data;
+        tf->u.chan_switch_req.target_channel =
+                ieee80211_frequency_to_channel(chandef->chan->center_freq);
+        tf->u.chan_switch_req.oper_class = oper_class;
+        if (extra_ies_len) {
+                static const u8 before_lnkie[] = {
+                        WLAN_EID_SECONDARY_CHANNEL_OFFSET,
+                };
+                noffset = ieee80211_ie_split(extra_ies, extra_ies_len,
+                                             before_lnkie,
+                                             ARRAY_SIZE(before_lnkie),
+                                             offset);
+                pos = skb_put(skb, noffset - offset);
+                memcpy(pos, extra_ies + offset, noffset - offset);
+                offset = noffset;
+        }
+        ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator);
+        /* add any remaining IEs */
+        if (extra_ies_len) {
+                noffset = extra_ies_len;
+                pos = skb_put(skb, noffset - offset);
+                memcpy(pos, extra_ies + offset, noffset - offset);
+        }
+}
+static void
+ieee80211_tdls_add_chan_switch_resp_ies(struct ieee80211_sub_if_data *sdata,
+                                        struct sk_buff *skb, const u8 *peer,
+                                        u16 status_code, bool initiator,
+                                        const u8 *extra_ies,
+                                        size_t extra_ies_len)
+{
+        if (status_code == 0)
+                ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator);
+        if (extra_ies_len)
+                memcpy(skb_put(skb, extra_ies_len), extra_ies, extra_ies_len);
+}
 static void ieee80211_tdls_add_ies(struct ieee80211_sub_if_data *sdata,
                                   struct sk_buff *skb, const u8 *peer,
                                   u8 action_code, u16 status_code,
                                   bool initiator, const u8 *extra_ies,
-                                   size_t extra_ies_len)
+                                   size_t extra_ies_len, u8 oper_class,
+                                   struct cfg80211_chan_def *chandef)
 {
        switch (action_code) {
        case WLAN_TDLS_SETUP_REQUEST:
@@ -393,6 +537,18 @@ static void ieee80211_tdls_add_ies(struct ieee80211_sub_if_data *sdata,
                if (status_code == 0 || action_code == WLAN_TDLS_TEARDOWN)
                        ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator);
                break;
+        case WLAN_TDLS_CHANNEL_SWITCH_REQUEST:
+                ieee80211_tdls_add_chan_switch_req_ies(sdata, skb, peer,
+                                                       initiator, extra_ies,
+                                                       extra_ies_len,
+                                                       oper_class, chandef);
+                break;
+        case WLAN_TDLS_CHANNEL_SWITCH_RESPONSE:
+                ieee80211_tdls_add_chan_switch_resp_ies(sdata, skb, peer,
+                                                        status_code,
+                                                        initiator, extra_ies,
+                                                        extra_ies_len);
+                break;
        }
 }
@@ -459,6 +615,19 @@ ieee80211_prep_tdls_encap_data(struct wiphy *wiphy, struct net_device *dev,
                skb_put(skb, sizeof(tf->u.discover_req));
                tf->u.discover_req.dialog_token = dialog_token;
                break;
+        case WLAN_TDLS_CHANNEL_SWITCH_REQUEST:
+                tf->category = WLAN_CATEGORY_TDLS;
+                tf->action_code = WLAN_TDLS_CHANNEL_SWITCH_REQUEST;
+                skb_put(skb, sizeof(tf->u.chan_switch_req));
+                break;
+        case WLAN_TDLS_CHANNEL_SWITCH_RESPONSE:
+                tf->category = WLAN_CATEGORY_TDLS;
+                tf->action_code = WLAN_TDLS_CHANNEL_SWITCH_RESPONSE;
+                skb_put(skb, sizeof(tf->u.chan_switch_resp));
+                tf->u.chan_switch_resp.status_code = cpu_to_le16(status_code);
+                break;
        default:
                return -EINVAL;
        }
@@ -502,32 +671,33 @@ ieee80211_prep_tdls_direct(struct wiphy *wiphy, struct net_device *dev,
        return 0;
 }
-static int
+static struct sk_buff *
-ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
+ieee80211_tdls_build_mgmt_packet_data(struct ieee80211_sub_if_data *sdata,
-                                const u8 *peer, u8 action_code,
+                                      const u8 *peer, u8 action_code,
-                                u8 dialog_token, u16 status_code,
+                                      u8 dialog_token, u16 status_code,
-                                u32 peer_capability, bool initiator,
+                                      bool initiator, const u8 *extra_ies,
-                                const u8 *extra_ies, size_t extra_ies_len)
+                                      size_t extra_ies_len, u8 oper_class,
+                                      struct cfg80211_chan_def *chandef)
 {
-        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
        struct ieee80211_local *local = sdata->local;
-        struct sk_buff *skb = NULL;
+        struct sk_buff *skb;
-        bool send_direct;
-        struct sta_info *sta;
        int ret;
-        skb = dev_alloc_skb(local->hw.extra_tx_headroom +
+        skb = netdev_alloc_skb(sdata->dev,
-                            max(sizeof(struct ieee80211_mgmt),
+                               local->hw.extra_tx_headroom +
-                                sizeof(struct ieee80211_tdls_data)) +
+                               max(sizeof(struct ieee80211_mgmt),
-                            50 + /* supported rates */
+                                   sizeof(struct ieee80211_tdls_data)) +
-                            7 + /* ext capab */
+                               50 + /* supported rates */
-                            26 + /* max(WMM-info, WMM-param) */
+                               7 + /* ext capab */
-                            2 + max(sizeof(struct ieee80211_ht_cap),
+                               26 + /* max(WMM-info, WMM-param) */
-                                    sizeof(struct ieee80211_ht_operation)) +
+                               2 + max(sizeof(struct ieee80211_ht_cap),
-                            extra_ies_len +
+                                       sizeof(struct ieee80211_ht_operation)) +
-                            sizeof(struct ieee80211_tdls_lnkie));
+                               50 + /* supported channels */
+                               3 + /* 40/20 BSS coex */
+                               extra_ies_len +
+                               sizeof(struct ieee80211_tdls_lnkie));
        if (!skb)
-                return -ENOMEM;
+                return NULL;
        skb_reserve(skb, local->hw.extra_tx_headroom);
@@ -537,16 +707,18 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
        case WLAN_TDLS_SETUP_CONFIRM:
        case WLAN_TDLS_TEARDOWN:
        case WLAN_TDLS_DISCOVERY_REQUEST:
-                ret = ieee80211_prep_tdls_encap_data(wiphy, dev, peer,
+        case WLAN_TDLS_CHANNEL_SWITCH_REQUEST:
+        case WLAN_TDLS_CHANNEL_SWITCH_RESPONSE:
+                ret = ieee80211_prep_tdls_encap_data(local->hw.wiphy,
+                                                     sdata->dev, peer,
                                                     action_code, dialog_token,
                                                     status_code, skb);
-                send_direct = false;
                break;
        case WLAN_PUB_ACTION_TDLS_DISCOVER_RES:
-                ret = ieee80211_prep_tdls_direct(wiphy, dev, peer, action_code,
+                ret = ieee80211_prep_tdls_direct(local->hw.wiphy, sdata->dev,
+                                                 peer, action_code,
                                                 dialog_token, status_code,
                                                 skb);
-                send_direct = true;
                break;
        default:
                ret = -ENOTSUPP;
@@ -556,14 +728,40 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
        if (ret < 0)
                goto fail;
+        ieee80211_tdls_add_ies(sdata, skb, peer, action_code, status_code,
+                               initiator, extra_ies, extra_ies_len, oper_class,
+                               chandef);
+        return skb;
+fail:
+        dev_kfree_skb(skb);
+        return NULL;
+}
+static int
+ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
+                                const u8 *peer, u8 action_code, u8 dialog_token,
+                                u16 status_code, u32 peer_capability,
+                                bool initiator, const u8 *extra_ies,
+                                size_t extra_ies_len, u8 oper_class,
+                                struct cfg80211_chan_def *chandef)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct sk_buff *skb = NULL;
+        struct sta_info *sta;
+        u32 flags = 0;
+        int ret = 0;
        rcu_read_lock();
        sta = sta_info_get(sdata, peer);
        /* infer the initiator if we can, to support old userspace */
        switch (action_code) {
        case WLAN_TDLS_SETUP_REQUEST:
-                if (sta)
+                if (sta) {
                        set_sta_flag(sta, WLAN_STA_TDLS_INITIATOR);
+                        sta->sta.tdls_initiator = false;
+                }
                /* fall-through */
        case WLAN_TDLS_SETUP_CONFIRM:
        case WLAN_TDLS_DISCOVERY_REQUEST:
@@ -575,13 +773,17 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
                 * Make the last packet sent take effect for the initiator
                 * value.
                 */
-                if (sta)
+                if (sta) {
                        clear_sta_flag(sta, WLAN_STA_TDLS_INITIATOR);
+                        sta->sta.tdls_initiator = true;
+                }
                /* fall-through */
        case WLAN_PUB_ACTION_TDLS_DISCOVER_RES:
                initiator = false;
                break;
        case WLAN_TDLS_TEARDOWN:
+        case WLAN_TDLS_CHANNEL_SWITCH_REQUEST:
+        case WLAN_TDLS_CHANNEL_SWITCH_RESPONSE:
                /* any value is ok */
                break;
        default:
@@ -596,9 +798,17 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
        if (ret < 0)
                goto fail;
-        ieee80211_tdls_add_ies(sdata, skb, peer, action_code, status_code,
+        skb = ieee80211_tdls_build_mgmt_packet_data(sdata, peer, action_code,
-                               initiator, extra_ies, extra_ies_len);
+                                                    dialog_token, status_code,
-        if (send_direct) {
+                                                    initiator, extra_ies,
+                                                    extra_ies_len, oper_class,
+                                                    chandef);
+        if (!skb) {
+                ret = -EINVAL;
+                goto fail;
+        }
+        if (action_code == WLAN_PUB_ACTION_TDLS_DISCOVER_RES) {
                ieee80211_tx_skb(sdata, skb);
                return 0;
        }
@@ -619,9 +829,44 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev,
                break;
        }
+        /*
+         * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress.
+         * Later, if no ACK is returned from peer, we will re-send the teardown
+         * packet through the AP.
+         */
+        if ((action_code == WLAN_TDLS_TEARDOWN) &&
+            (sdata->local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)) {
+                struct sta_info *sta = NULL;
+                bool try_resend; /* Should we keep skb for possible resend */
+                /* If not sending directly to peer - no point in keeping skb */
+                rcu_read_lock();
+                sta = sta_info_get(sdata, peer);
+                try_resend = sta && test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH);
+                rcu_read_unlock();
+                spin_lock_bh(&sdata->u.mgd.teardown_lock);
+                if (try_resend && !sdata->u.mgd.teardown_skb) {
+                        /* Mark it as requiring TX status callback  */
+                        flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
+                                 IEEE80211_TX_INTFL_MLME_CONN_TX;
+                        /*
+                         * skb is copied since mac80211 will later set
+                         * properties that might not be the same as the AP,
+                         * such as encryption, QoS, addresses, etc.
+                         *
+                         * No problem if skb_copy() fails, so no need to check.
+                         */
+                        sdata->u.mgd.teardown_skb = skb_copy(skb, GFP_ATOMIC);
+                        sdata->u.mgd.orig_teardown_skb = skb;
+                }
+                spin_unlock_bh(&sdata->u.mgd.teardown_lock);
+        }
        /* disable bottom halves when entering the Tx path */
        local_bh_disable();
-        ret = ieee80211_subif_start_xmit(skb, dev);
+        __ieee80211_subif_start_xmit(skb, dev, flags);
        local_bh_enable();
        return ret;
@@ -672,7 +917,8 @@ ieee80211_tdls_mgmt_setup(struct wiphy *wiphy, struct net_device *dev,
        ret = ieee80211_tdls_prep_mgmt_packet(wiphy, dev, peer, action_code,
                                              dialog_token, status_code,
                                              peer_capability, initiator,
-                                              extra_ies, extra_ies_len);
+                                              extra_ies, extra_ies_len, 0,
+                                              NULL);
        if (ret < 0)
                goto exit;
@@ -711,7 +957,8 @@ ieee80211_tdls_mgmt_teardown(struct wiphy *wiphy, struct net_device *dev,
        ret = ieee80211_tdls_prep_mgmt_packet(wiphy, dev, peer, action_code,
                                              dialog_token, status_code,
                                              peer_capability, initiator,
-                                              extra_ies, extra_ies_len);
+                                              extra_ies, extra_ies_len, 0,
+                                              NULL);
        if (ret < 0)
                sdata_err(sdata, "Failed sending TDLS teardown packet %d\n",
                          ret);
@@ -781,7 +1028,7 @@ int ieee80211_tdls_mgmt(struct wiphy *wiphy, struct net_device *dev,
                                                      status_code,
                                                      peer_capability,
                                                      initiator, extra_ies,
-                                                      extra_ies_len);
+                                                      extra_ies_len, 0, NULL);
                break;
        default:
                ret = -EOPNOTSUPP;
@@ -884,3 +1131,480 @@ void ieee80211_tdls_oper_request(struct ieee80211_vif *vif, const u8 *peer,
        cfg80211_tdls_oper_request(sdata->dev, peer, oper, reason_code, gfp);
 }
 EXPORT_SYMBOL(ieee80211_tdls_oper_request);
+static void
+iee80211_tdls_add_ch_switch_timing(u8 *buf, u16 switch_time, u16 switch_timeout)
+{
+        struct ieee80211_ch_switch_timing *ch_sw;
+        *buf++ = WLAN_EID_CHAN_SWITCH_TIMING;
+        *buf++ = sizeof(struct ieee80211_ch_switch_timing);
+        ch_sw = (void *)buf;
+        ch_sw->switch_time = cpu_to_le16(switch_time);
+        ch_sw->switch_timeout = cpu_to_le16(switch_timeout);
+}
+/* find switch timing IE in SKB ready for Tx */
+static const u8 *ieee80211_tdls_find_sw_timing_ie(struct sk_buff *skb)
+{
+        struct ieee80211_tdls_data *tf;
+        const u8 *ie_start;
+        /*
+         * Get the offset for the new location of the switch timing IE.
+         * The SKB network header will now point to the "payload_type"
+         * element of the TDLS data frame struct.
+         */
+        tf = container_of(skb->data + skb_network_offset(skb),
+                          struct ieee80211_tdls_data, payload_type);
+        ie_start = tf->u.chan_switch_req.variable;
+        return cfg80211_find_ie(WLAN_EID_CHAN_SWITCH_TIMING, ie_start,
+                                skb->len - (ie_start - skb->data));
+}
+static struct sk_buff *
+ieee80211_tdls_ch_sw_tmpl_get(struct sta_info *sta, u8 oper_class,
+                              struct cfg80211_chan_def *chandef,
+                              u32 *ch_sw_tm_ie_offset)
+{
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        u8 extra_ies[2 + sizeof(struct ieee80211_sec_chan_offs_ie) +
+                     2 + sizeof(struct ieee80211_ch_switch_timing)];
+        int extra_ies_len = 2 + sizeof(struct ieee80211_ch_switch_timing);
+        u8 *pos = extra_ies;
+        struct sk_buff *skb;
+        /*
+         * if chandef points to a wide channel add a Secondary-Channel
+         * Offset information element
+         */
+        if (chandef->width == NL80211_CHAN_WIDTH_40) {
+                struct ieee80211_sec_chan_offs_ie *sec_chan_ie;
+                bool ht40plus;
+                *pos++ = WLAN_EID_SECONDARY_CHANNEL_OFFSET;
+                *pos++ = sizeof(*sec_chan_ie);
+                sec_chan_ie = (void *)pos;
+                ht40plus = cfg80211_get_chandef_type(chandef) ==
+                                                        NL80211_CHAN_HT40PLUS;
+                sec_chan_ie->sec_chan_offs = ht40plus ?
+                                             IEEE80211_HT_PARAM_CHA_SEC_ABOVE :
+                                             IEEE80211_HT_PARAM_CHA_SEC_BELOW;
+                pos += sizeof(*sec_chan_ie);
+                extra_ies_len += 2 + sizeof(struct ieee80211_sec_chan_offs_ie);
+        }
+        /* just set the values to 0, this is a template */
+        iee80211_tdls_add_ch_switch_timing(pos, 0, 0);
+        skb = ieee80211_tdls_build_mgmt_packet_data(sdata, sta->sta.addr,
+                                              WLAN_TDLS_CHANNEL_SWITCH_REQUEST,
+                                              0, 0, !sta->sta.tdls_initiator,
+                                              extra_ies, extra_ies_len,
+                                              oper_class, chandef);
+        if (!skb)
+                return NULL;
+        skb = ieee80211_build_data_template(sdata, skb, 0);
+        if (IS_ERR(skb)) {
+                tdls_dbg(sdata, "Failed building TDLS channel switch frame\n");
+                return NULL;
+        }
+        if (ch_sw_tm_ie_offset) {
+                const u8 *tm_ie = ieee80211_tdls_find_sw_timing_ie(skb);
+                if (!tm_ie) {
+                        tdls_dbg(sdata, "No switch timing IE in TDLS switch\n");
+                        dev_kfree_skb_any(skb);
+                        return NULL;
+                }
+                *ch_sw_tm_ie_offset = tm_ie - skb->data;
+        }
+        tdls_dbg(sdata,
+                 "TDLS channel switch request template for %pM ch %d width %d\n",
+                 sta->sta.addr, chandef->chan->center_freq, chandef->width);
+        return skb;
+}
+int
+ieee80211_tdls_channel_switch(struct wiphy *wiphy, struct net_device *dev,
+                              const u8 *addr, u8 oper_class,
+                              struct cfg80211_chan_def *chandef)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
+        struct sta_info *sta;
+        struct sk_buff *skb = NULL;
+        u32 ch_sw_tm_ie;
+        int ret;
+        mutex_lock(&local->sta_mtx);
+        sta = sta_info_get(sdata, addr);
+        if (!sta) {
+                tdls_dbg(sdata,
+                         "Invalid TDLS peer %pM for channel switch request\n",
+                         addr);
+                ret = -ENOENT;
+                goto out;
+        }
+        if (!test_sta_flag(sta, WLAN_STA_TDLS_CHAN_SWITCH)) {
+                tdls_dbg(sdata, "TDLS channel switch unsupported by %pM\n",
+                         addr);
+                ret = -ENOTSUPP;
+                goto out;
+        }
+        skb = ieee80211_tdls_ch_sw_tmpl_get(sta, oper_class, chandef,
+                                            &ch_sw_tm_ie);
+        if (!skb) {
+                ret = -ENOENT;
+                goto out;
+        }
+        ret = drv_tdls_channel_switch(local, sdata, &sta->sta, oper_class,
+                                      chandef, skb, ch_sw_tm_ie);
+        if (!ret)
+                set_sta_flag(sta, WLAN_STA_TDLS_OFF_CHANNEL);
+out:
+        mutex_unlock(&local->sta_mtx);
+        dev_kfree_skb_any(skb);
+        return ret;
+}
+void
+ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
+                                     struct net_device *dev,
+                                     const u8 *addr)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
+        struct sta_info *sta;
+        mutex_lock(&local->sta_mtx);
+        sta = sta_info_get(sdata, addr);
+        if (!sta) {
+                tdls_dbg(sdata,
+                         "Invalid TDLS peer %pM for channel switch cancel\n",
+                         addr);
+                goto out;
+        }
+        if (!test_sta_flag(sta, WLAN_STA_TDLS_OFF_CHANNEL)) {
+                tdls_dbg(sdata, "TDLS channel switch not initiated by %pM\n",
+                         addr);
+                goto out;
+        }
+        drv_tdls_cancel_channel_switch(local, sdata, &sta->sta);
+        clear_sta_flag(sta, WLAN_STA_TDLS_OFF_CHANNEL);
+out:
+        mutex_unlock(&local->sta_mtx);
+}
+static struct sk_buff *
+ieee80211_tdls_ch_sw_resp_tmpl_get(struct sta_info *sta,
+                                   u32 *ch_sw_tm_ie_offset)
+{
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        struct sk_buff *skb;
+        u8 extra_ies[2 + sizeof(struct ieee80211_ch_switch_timing)];
+        /* initial timing are always zero in the template */
+        iee80211_tdls_add_ch_switch_timing(extra_ies, 0, 0);
+        skb = ieee80211_tdls_build_mgmt_packet_data(sdata, sta->sta.addr,
+                                        WLAN_TDLS_CHANNEL_SWITCH_RESPONSE,
+                                        0, 0, !sta->sta.tdls_initiator,
+                                        extra_ies, sizeof(extra_ies), 0, NULL);
+        if (!skb)
+                return NULL;
+        skb = ieee80211_build_data_template(sdata, skb, 0);
+        if (IS_ERR(skb)) {
+                tdls_dbg(sdata,
+                         "Failed building TDLS channel switch resp frame\n");
+                return NULL;
+        }
+        if (ch_sw_tm_ie_offset) {
+                const u8 *tm_ie = ieee80211_tdls_find_sw_timing_ie(skb);
+                if (!tm_ie) {
+                        tdls_dbg(sdata,
+                                 "No switch timing IE in TDLS switch resp\n");
+                        dev_kfree_skb_any(skb);
+                        return NULL;
+                }
+                *ch_sw_tm_ie_offset = tm_ie - skb->data;
+        }
+        tdls_dbg(sdata, "TDLS get channel switch response template for %pM\n",
+                 sta->sta.addr);
+        return skb;
+}
+static int
+ieee80211_process_tdls_channel_switch_resp(struct ieee80211_sub_if_data *sdata,
+                                           struct sk_buff *skb)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee802_11_elems elems;
+        struct sta_info *sta;
+        struct ieee80211_tdls_data *tf = (void *)skb->data;
+        bool local_initiator;
+        struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
+        int baselen = offsetof(typeof(*tf), u.chan_switch_resp.variable);
+        struct ieee80211_tdls_ch_sw_params params = {};
+        int ret;
+        params.action_code = WLAN_TDLS_CHANNEL_SWITCH_RESPONSE;
+        params.timestamp = rx_status->device_timestamp;
+        if (skb->len < baselen) {
+                tdls_dbg(sdata, "TDLS channel switch resp too short: %d\n",
+                         skb->len);
+                return -EINVAL;
+        }
+        mutex_lock(&local->sta_mtx);
+        sta = sta_info_get(sdata, tf->sa);
+        if (!sta || !test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) {
+                tdls_dbg(sdata, "TDLS chan switch from non-peer sta %pM\n",
+                         tf->sa);
+                ret = -EINVAL;
+                goto out;
+        }
+        params.sta = &sta->sta;
+        params.status = le16_to_cpu(tf->u.chan_switch_resp.status_code);
+        if (params.status != 0) {
+                ret = 0;
+                goto call_drv;
+        }
+        ieee802_11_parse_elems(tf->u.chan_switch_resp.variable,
+                               skb->len - baselen, false, &elems);
+        if (elems.parse_error) {
+                tdls_dbg(sdata, "Invalid IEs in TDLS channel switch resp\n");
+                ret = -EINVAL;
+                goto out;
+        }
+        if (!elems.ch_sw_timing || !elems.lnk_id) {
+                tdls_dbg(sdata, "TDLS channel switch resp - missing IEs\n");
+                ret = -EINVAL;
+                goto out;
+        }
+        /* validate the initiator is set correctly */
+        local_initiator =
+                !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
+        if (local_initiator == sta->sta.tdls_initiator) {
+                tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
+                ret = -EINVAL;
+                goto out;
+        }
+        params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
+        params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
+        params.tmpl_skb =
+                ieee80211_tdls_ch_sw_resp_tmpl_get(sta, &params.ch_sw_tm_ie);
+        if (!params.tmpl_skb) {
+                ret = -ENOENT;
+                goto out;
+        }
+call_drv:
+        drv_tdls_recv_channel_switch(sdata->local, sdata, &params);
+        tdls_dbg(sdata,
+                 "TDLS channel switch response received from %pM status %d\n",
+                 tf->sa, params.status);
+out:
+        mutex_unlock(&local->sta_mtx);
+        dev_kfree_skb_any(params.tmpl_skb);
+        return ret;
+}
+static int
+ieee80211_process_tdls_channel_switch_req(struct ieee80211_sub_if_data *sdata,
+                                          struct sk_buff *skb)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee802_11_elems elems;
+        struct cfg80211_chan_def chandef;
+        struct ieee80211_channel *chan;
+        enum nl80211_channel_type chan_type;
+        int freq;
+        u8 target_channel, oper_class;
+        bool local_initiator;
+        struct sta_info *sta;
+        enum ieee80211_band band;
+        struct ieee80211_tdls_data *tf = (void *)skb->data;
+        struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
+        int baselen = offsetof(typeof(*tf), u.chan_switch_req.variable);
+        struct ieee80211_tdls_ch_sw_params params = {};
+        int ret = 0;
+        params.action_code = WLAN_TDLS_CHANNEL_SWITCH_REQUEST;
+        params.timestamp = rx_status->device_timestamp;
+        if (skb->len < baselen) {
+                tdls_dbg(sdata, "TDLS channel switch req too short: %d\n",
+                         skb->len);
+                return -EINVAL;
+        }
+        target_channel = tf->u.chan_switch_req.target_channel;
+        oper_class = tf->u.chan_switch_req.oper_class;
+        /*
+         * We can't easily infer the channel band. The operating class is
+         * ambiguous - there are multiple tables (US/Europe/JP/Global). The
+         * solution here is to treat channels with number >14 as 5GHz ones,
+         * and specifically check for the (oper_class, channel) combinations
+         * where this doesn't hold. These are thankfully unique according to
+         * IEEE802.11-2012.
+         * We consider only the 2GHz and 5GHz bands and 20MHz+ channels as
+         * valid here.
+         */
+        if ((oper_class == 112 || oper_class == 2 || oper_class == 3 ||
+             oper_class == 4 || oper_class == 5 || oper_class == 6) &&
+             target_channel < 14)
+                band = IEEE80211_BAND_5GHZ;
+        else
+                band = target_channel < 14 ? IEEE80211_BAND_2GHZ :
+                                             IEEE80211_BAND_5GHZ;
+        freq = ieee80211_channel_to_frequency(target_channel, band);
+        if (freq == 0) {
+                tdls_dbg(sdata, "Invalid channel in TDLS chan switch: %d\n",
+                         target_channel);
+                return -EINVAL;
+        }
+        chan = ieee80211_get_channel(sdata->local->hw.wiphy, freq);
+        if (!chan) {
+                tdls_dbg(sdata,
+                         "Unsupported channel for TDLS chan switch: %d\n",
+                         target_channel);
+                return -EINVAL;
+        }
+        ieee802_11_parse_elems(tf->u.chan_switch_req.variable,
+                               skb->len - baselen, false, &elems);
+        if (elems.parse_error) {
+                tdls_dbg(sdata, "Invalid IEs in TDLS channel switch req\n");
+                return -EINVAL;
+        }
+        if (!elems.ch_sw_timing || !elems.lnk_id) {
+                tdls_dbg(sdata, "TDLS channel switch req - missing IEs\n");
+                return -EINVAL;
+        }
+        mutex_lock(&local->sta_mtx);
+        sta = sta_info_get(sdata, tf->sa);
+        if (!sta || !test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) {
+                tdls_dbg(sdata, "TDLS chan switch from non-peer sta %pM\n",
+                         tf->sa);
+                ret = -EINVAL;
+                goto out;
+        }
+        params.sta = &sta->sta;
+        /* validate the initiator is set correctly */
+        local_initiator =
+                !memcmp(elems.lnk_id->init_sta, sdata->vif.addr, ETH_ALEN);
+        if (local_initiator == sta->sta.tdls_initiator) {
+                tdls_dbg(sdata, "TDLS chan switch invalid lnk-id initiator\n");
+                ret = -EINVAL;
+                goto out;
+        }
+        if (!sta->sta.ht_cap.ht_supported) {
+                chan_type = NL80211_CHAN_NO_HT;
+        } else if (!elems.sec_chan_offs) {
+                chan_type = NL80211_CHAN_HT20;
+        } else {
+                switch (elems.sec_chan_offs->sec_chan_offs) {
+                case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
+                        chan_type = NL80211_CHAN_HT40PLUS;
+                        break;
+                case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
+                        chan_type = NL80211_CHAN_HT40MINUS;
+                        break;
+                default:
+                        chan_type = NL80211_CHAN_HT20;
+                        break;
+                }
+        }
+        cfg80211_chandef_create(&chandef, chan, chan_type);
+        params.chandef = &chandef;
+        params.switch_time = le16_to_cpu(elems.ch_sw_timing->switch_time);
+        params.switch_timeout = le16_to_cpu(elems.ch_sw_timing->switch_timeout);
+        params.tmpl_skb =
+                ieee80211_tdls_ch_sw_resp_tmpl_get(sta,
+                                                   &params.ch_sw_tm_ie);
+        if (!params.tmpl_skb) {
+                ret = -ENOENT;
+                goto out;
+        }
+        drv_tdls_recv_channel_switch(sdata->local, sdata, &params);
+        tdls_dbg(sdata,
+                 "TDLS ch switch request received from %pM ch %d width %d\n",
+                 tf->sa, params.chandef->chan->center_freq,
+                 params.chandef->width);
+out:
+        mutex_unlock(&local->sta_mtx);
+        dev_kfree_skb_any(params.tmpl_skb);
+        return ret;
+}
+void ieee80211_process_tdls_channel_switch(struct ieee80211_sub_if_data *sdata,
+                                           struct sk_buff *skb)
+{
+        struct ieee80211_tdls_data *tf = (void *)skb->data;
+        struct wiphy *wiphy = sdata->local->hw.wiphy;
+        /* make sure the driver supports it */
+        if (!(wiphy->features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
+                return;
+        /* we want to access the entire packet */
+        if (skb_linearize(skb))
+                return;
+        /*
+         * The packet/size was already validated by mac80211 Rx path, only look
+         * at the action type.
+         */
+        switch (tf->action_code) {
+        case WLAN_TDLS_CHANNEL_SWITCH_REQUEST:
+                ieee80211_process_tdls_channel_switch_req(sdata, skb);
+                break;
+        case WLAN_TDLS_CHANNEL_SWITCH_RESPONSE:
+                ieee80211_process_tdls_channel_switch_resp(sdata, skb);
+                break;
+        default:
+                WARN_ON_ONCE(1);
+                return;
+        }
+}
diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 38fae7ebe984..8e461a02c6a8 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -16,6 +16,7 @@
 #define STA_ENTRY       __array(char, sta_addr, ETH_ALEN)
 #define STA_ASSIGN      (sta ? memcpy(__entry->sta_addr, sta->addr, ETH_ALEN) : memset(__entry->sta_addr, 0, ETH_ALEN))
+#define STA_NAMED_ASSIGN(s)     memcpy(__entry->sta_addr, (s)->addr, ETH_ALEN)
 #define STA_PR_FMT      " sta:%pM"
 #define STA_PR_ARG      __entry->sta_addr
@@ -595,14 +596,33 @@ DEFINE_EVENT(local_sdata_evt, drv_sched_scan_stop,
        TP_ARGS(local, sdata)
 );
-DEFINE_EVENT(local_only_evt, drv_sw_scan_start,
+TRACE_EVENT(drv_sw_scan_start,
-        TP_PROTO(struct ieee80211_local *local),
+        TP_PROTO(struct ieee80211_local *local,
-        TP_ARGS(local)
+                 struct ieee80211_sub_if_data *sdata,
+                 const u8 *mac_addr),
+        TP_ARGS(local, sdata, mac_addr),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __array(char, mac_addr, ETH_ALEN)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                memcpy(__entry->mac_addr, mac_addr, ETH_ALEN);
+        ),
+        TP_printk(LOCAL_PR_FMT ", " VIF_PR_FMT ", addr:%pM",
+                  LOCAL_PR_ARG, VIF_PR_ARG, __entry->mac_addr)
 );
-DEFINE_EVENT(local_only_evt, drv_sw_scan_complete,
+DEFINE_EVENT(local_sdata_evt, drv_sw_scan_complete,
-        TP_PROTO(struct ieee80211_local *local),
+        TP_PROTO(struct ieee80211_local *local,
-        TP_ARGS(local)
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata)
 );
 TRACE_EVENT(drv_get_stats,
@@ -826,6 +846,13 @@ DEFINE_EVENT(sta_event, drv_sta_pre_rcu_remove,
        TP_ARGS(local, sdata, sta)
 );
+DEFINE_EVENT(sta_event, drv_sta_rate_tbl_update,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_sta *sta),
+        TP_ARGS(local, sdata, sta)
+);
 TRACE_EVENT(drv_conf_tx,
        TP_PROTO(struct ieee80211_local *local,
                 struct ieee80211_sub_if_data *sdata,
@@ -987,29 +1014,34 @@ TRACE_EVENT(drv_flush,
 TRACE_EVENT(drv_channel_switch,
        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
                 struct ieee80211_channel_switch *ch_switch),
-        TP_ARGS(local, ch_switch),
+        TP_ARGS(local, sdata, ch_switch),
        TP_STRUCT__entry(
                LOCAL_ENTRY
+                VIF_ENTRY
                CHANDEF_ENTRY
                __field(u64, timestamp)
+                __field(u32, device_timestamp)
                __field(bool, block_tx)
                __field(u8, count)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
+                VIF_ASSIGN;
                CHANDEF_ASSIGN(&ch_switch->chandef)
                __entry->timestamp = ch_switch->timestamp;
+                __entry->device_timestamp = ch_switch->device_timestamp;
                __entry->block_tx = ch_switch->block_tx;
                __entry->count = ch_switch->count;
        ),
        TP_printk(
-                LOCAL_PR_FMT " new " CHANDEF_PR_FMT " count:%d",
+                LOCAL_PR_FMT VIF_PR_FMT " new " CHANDEF_PR_FMT " count:%d",
-                LOCAL_PR_ARG, CHANDEF_PR_ARG, __entry->count
+                LOCAL_PR_ARG, VIF_PR_ARG, CHANDEF_PR_ARG, __entry->count
        )
 );
@@ -1557,9 +1589,26 @@ DEFINE_EVENT(local_sdata_evt, drv_stop_ap,
        TP_ARGS(local, sdata)
 );
-DEFINE_EVENT(local_only_evt, drv_restart_complete,
+TRACE_EVENT(drv_reconfig_complete,
-        TP_PROTO(struct ieee80211_local *local),
+        TP_PROTO(struct ieee80211_local *local,
-        TP_ARGS(local)
+                 enum ieee80211_reconfig_type reconfig_type),
+        TP_ARGS(local, reconfig_type),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u8, reconfig_type)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->reconfig_type = reconfig_type;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT  " reconfig_type:%d",
+                LOCAL_PR_ARG, __entry->reconfig_type
+        )
 );
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1780,6 +1829,12 @@ TRACE_EVENT(api_cqm_rssi_notify,
        )
 );
+DEFINE_EVENT(local_sdata_evt, api_cqm_beacon_loss_notify,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata)
+);
 TRACE_EVENT(api_scan_completed,
        TP_PROTO(struct ieee80211_local *local, bool aborted),
@@ -2106,6 +2161,175 @@ TRACE_EVENT(drv_channel_switch_beacon,
        )
 );
+TRACE_EVENT(drv_pre_channel_switch,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_channel_switch *ch_switch),
+        TP_ARGS(local, sdata, ch_switch),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                CHANDEF_ENTRY
+                __field(u64, timestamp)
+                __field(u32, device_timestamp)
+                __field(bool, block_tx)
+                __field(u8, count)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                CHANDEF_ASSIGN(&ch_switch->chandef)
+                __entry->timestamp = ch_switch->timestamp;
+                __entry->device_timestamp = ch_switch->device_timestamp;
+                __entry->block_tx = ch_switch->block_tx;
+                __entry->count = ch_switch->count;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT " prepare channel switch to "
+                CHANDEF_PR_FMT  " count:%d block_tx:%d timestamp:%llu",
+                LOCAL_PR_ARG, VIF_PR_ARG, CHANDEF_PR_ARG, __entry->count,
+                __entry->block_tx, __entry->timestamp
+        )
+);
+DEFINE_EVENT(local_sdata_evt, drv_post_channel_switch,
+             TP_PROTO(struct ieee80211_local *local,
+                      struct ieee80211_sub_if_data *sdata),
+             TP_ARGS(local, sdata)
+);
+TRACE_EVENT(drv_get_txpower,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 int dbm, int ret),
+        TP_ARGS(local, sdata, dbm, ret),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(int, dbm)
+                __field(int, ret)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                __entry->dbm = dbm;
+                __entry->ret = ret;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT " dbm:%d ret:%d",
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->dbm, __entry->ret
+        )
+);
+TRACE_EVENT(drv_tdls_channel_switch,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_sta *sta, u8 oper_class,
+                 struct cfg80211_chan_def *chandef),
+        TP_ARGS(local, sdata, sta, oper_class, chandef),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                STA_ENTRY
+                __field(u8, oper_class)
+                CHANDEF_ENTRY
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                STA_ASSIGN;
+                __entry->oper_class = oper_class;
+                CHANDEF_ASSIGN(chandef)
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT " tdls channel switch to"
+                CHANDEF_PR_FMT  " oper_class:%d " STA_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG, CHANDEF_PR_ARG, __entry->oper_class,
+                STA_PR_ARG
+        )
+);
+TRACE_EVENT(drv_tdls_cancel_channel_switch,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_sta *sta),
+        TP_ARGS(local, sdata, sta),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                STA_ENTRY
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                STA_ASSIGN;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT
+                " tdls cancel channel switch with " STA_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG, STA_PR_ARG
+        )
+);
+TRACE_EVENT(drv_tdls_recv_channel_switch,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_tdls_ch_sw_params *params),
+        TP_ARGS(local, sdata, params),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(u8, action_code)
+                STA_ENTRY
+                CHANDEF_ENTRY
+                __field(u32, status)
+                __field(bool, peer_initiator)
+                __field(u32, timestamp)
+                __field(u16, switch_time)
+                __field(u16, switch_timeout)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                STA_NAMED_ASSIGN(params->sta);
+                CHANDEF_ASSIGN(params->chandef)
+                __entry->peer_initiator = params->sta->tdls_initiator;
+                __entry->action_code = params->action_code;
+                __entry->status = params->status;
+                __entry->timestamp = params->timestamp;
+                __entry->switch_time = params->switch_time;
+                __entry->switch_timeout = params->switch_timeout;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT " received tdls channel switch packet"
+                " action:%d status:%d time:%d switch time:%d switch"
+                " timeout:%d initiator: %d chan:" CHANDEF_PR_FMT STA_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->action_code, __entry->status,
+                __entry->timestamp, __entry->switch_time,
+                __entry->switch_timeout, __entry->peer_initiator,
+                CHANDEF_PR_ARG, STA_PR_ARG
+        )
+);
 #ifdef CONFIG_MAC80211_MESSAGE_TRACING
 #undef TRACE_SYSTEM
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 900632a250ec..058686a721a1 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -60,7 +60,7 @@ static __le16 ieee80211_duration(struct ieee80211_tx_data *tx,
        rcu_read_unlock();
        /* assume HW handles this */
-        if (tx->rate.flags & IEEE80211_TX_RC_MCS)
+        if (tx->rate.flags & (IEEE80211_TX_RC_MCS | IEEE80211_TX_RC_VHT_MCS))
                return 0;
        /* uh huh? */
@@ -296,6 +296,9 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
                 */
                return TX_DROP;
+        if (tx->sdata->vif.type == NL80211_IFTYPE_OCB)
+                return TX_CONTINUE;
        if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
                return TX_CONTINUE;
@@ -1423,8 +1426,7 @@ EXPORT_SYMBOL(ieee80211_tx_prepare_skb);
 * Returns false if the frame couldn't be transmitted but was queued instead.
 */
 static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
-                         struct sk_buff *skb, bool txpending,
+                         struct sk_buff *skb, bool txpending)
-                         enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_tx_data tx;
@@ -1449,8 +1451,6 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
                return true;
        }
-        info->band = band;
        /* set up hw_queue value early */
        if (!(info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) ||
            !(local->hw.flags & IEEE80211_HW_QUEUE_CONTROL))
@@ -1498,8 +1498,7 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
        return 0;
 }
-void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb,
+void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
-                    enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
@@ -1534,7 +1533,7 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb,
        }
        ieee80211_set_qos_hdr(sdata, skb);
-        ieee80211_tx(sdata, skb, false, band);
+        ieee80211_tx(sdata, skb, false);
 }
 static bool ieee80211_parse_tx_radiotap(struct sk_buff *skb)
@@ -1754,7 +1753,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                                     sdata->vif.type))
                goto fail_rcu;
-        ieee80211_xmit(sdata, skb, chandef->chan->band);
+        info->band = chandef->chan->band;
+        ieee80211_xmit(sdata, skb);
        rcu_read_unlock();
        return NETDEV_TX_OK;
@@ -1784,23 +1784,26 @@ static void ieee80211_tx_latency_start_msrmnt(struct ieee80211_local *local,
 }
 /**
- * ieee80211_subif_start_xmit - netif start_xmit function for Ethernet-type
+ * ieee80211_build_hdr - build 802.11 header in the given frame
- * subinterfaces (wlan#, WDS, and VLAN interfaces)
+ * @sdata: virtual interface to build the header for
- * @skb: packet to be sent
+ * @skb: the skb to build the header in
- * @dev: incoming interface
+ * @info_flags: skb flags to set
+ *
+ * This function takes the skb with 802.3 header and reformats the header to
+ * the appropriate IEEE 802.11 header based on which interface the packet is
+ * being transmitted on.
+ *
+ * Note that this function also takes care of the TX status request and
+ * potential unsharing of the SKB - this needs to be interleaved with the
+ * header building.
 *
- * Returns: NETDEV_TX_OK both on success and on failure. On failure skb will
+ * The function requires the read-side RCU lock held
- *      be freed.
 *
- * This function takes in an Ethernet header and encapsulates it with suitable
+ * Returns: the (possibly reallocated) skb or an ERR_PTR() code
- * IEEE 802.11 header based on which interface the packet is coming in. The
- * encapsulated packet will then be passed to master interface, wlan#.11, for
- * transmission (through low-level driver).
 */
-netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
+static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
-                                    struct net_device *dev)
+                                           struct sk_buff *skb, u32 info_flags)
 {
-        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_tx_info *info;
        int head_need;
@@ -1816,25 +1819,17 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        bool wme_sta = false, authorized = false, tdls_auth = false;
        bool tdls_peer = false, tdls_setup_frame = false;
        bool multicast;
-        u32 info_flags = 0;
        u16 info_id = 0;
        struct ieee80211_chanctx_conf *chanctx_conf;
        struct ieee80211_sub_if_data *ap_sdata;
        enum ieee80211_band band;
+        int ret;
-        if (unlikely(skb->len < ETH_HLEN))
-                goto fail;
        /* convert Ethernet header to proper 802.11 header (based on
         * operation mode) */
        ethertype = (skb->data[12] << 8) | skb->data[13];
        fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA);
-        rcu_read_lock();
-        /* Measure frame arrival for Tx latency statistics calculation */
-        ieee80211_tx_latency_start_msrmnt(local, skb);
        switch (sdata->vif.type) {
        case NL80211_IFTYPE_AP_VLAN:
                sta = rcu_dereference(sdata->u.vlan.sta);
@@ -1852,8 +1847,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                ap_sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
                                        u.ap);
                chanctx_conf = rcu_dereference(ap_sdata->vif.chanctx_conf);
-                if (!chanctx_conf)
+                if (!chanctx_conf) {
-                        goto fail_rcu;
+                        ret = -ENOTCONN;
+                        goto free;
+                }
                band = chanctx_conf->def.chan->band;
                if (sta)
                        break;
@@ -1861,8 +1858,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        case NL80211_IFTYPE_AP:
                if (sdata->vif.type == NL80211_IFTYPE_AP)
                        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
-                if (!chanctx_conf)
+                if (!chanctx_conf) {
-                        goto fail_rcu;
+                        ret = -ENOTCONN;
+                        goto free;
+                }
                fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS);
                /* DA BSSID SA */
                memcpy(hdr.addr1, skb->data, ETH_ALEN);
@@ -1949,8 +1948,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                }
                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
-                if (!chanctx_conf)
+                if (!chanctx_conf) {
-                        goto fail_rcu;
+                        ret = -ENOTCONN;
+                        goto free;
+                }
                band = chanctx_conf->def.chan->band;
                break;
 #endif
@@ -1980,8 +1981,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 * of a link teardown after a TDLS sta is removed due to being
                 * unreachable.
                 */
-                if (tdls_peer && !tdls_auth && !tdls_setup_frame)
+                if (tdls_peer && !tdls_auth && !tdls_setup_frame) {
-                        goto fail_rcu;
+                        ret = -EINVAL;
+                        goto free;
+                }
                /* send direct packets to authorized TDLS peers */
                if (tdls_peer && tdls_auth) {
@@ -2009,8 +2012,23 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                        hdrlen = 24;
                }
                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
-                if (!chanctx_conf)
+                if (!chanctx_conf) {
-                        goto fail_rcu;
+                        ret = -ENOTCONN;
+                        goto free;
+                }
+                band = chanctx_conf->def.chan->band;
+                break;
+        case NL80211_IFTYPE_OCB:
+                /* DA SA BSSID */
+                memcpy(hdr.addr1, skb->data, ETH_ALEN);
+                memcpy(hdr.addr2, skb->data + ETH_ALEN, ETH_ALEN);
+                eth_broadcast_addr(hdr.addr3);
+                hdrlen = 24;
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (!chanctx_conf) {
+                        ret = -ENOTCONN;
+                        goto free;
+                }
                band = chanctx_conf->def.chan->band;
                break;
        case NL80211_IFTYPE_ADHOC:
@@ -2020,12 +2038,15 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                memcpy(hdr.addr3, sdata->u.ibss.bssid, ETH_ALEN);
                hdrlen = 24;
                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
-                if (!chanctx_conf)
+                if (!chanctx_conf) {
-                        goto fail_rcu;
+                        ret = -ENOTCONN;
+                        goto free;
+                }
                band = chanctx_conf->def.chan->band;
                break;
        default:
-                goto fail_rcu;
+                ret = -EINVAL;
+                goto free;
        }
        /*
@@ -2057,17 +2078,19 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         * EAPOL frames from the local station.
         */
        if (unlikely(!ieee80211_vif_is_mesh(&sdata->vif) &&
+                     (sdata->vif.type != NL80211_IFTYPE_OCB) &&
                     !multicast && !authorized &&
                     (cpu_to_be16(ethertype) != sdata->control_port_protocol ||
                      !ether_addr_equal(sdata->vif.addr, skb->data + ETH_ALEN)))) {
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
                net_info_ratelimited("%s: dropped frame to %pM (unauthorized port)\n",
-                                    dev->name, hdr.addr1);
+                                    sdata->name, hdr.addr1);
 #endif
                I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
-                goto fail_rcu;
+                ret = -EPERM;
+                goto free;
        }
        if (unlikely(!multicast && skb->sk &&
@@ -2104,8 +2127,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                skb = skb_clone(skb, GFP_ATOMIC);
                kfree_skb(tmp_skb);
-                if (!skb)
+                if (!skb) {
-                        goto fail_rcu;
+                        ret = -ENOMEM;
+                        goto free;
+                }
        }
        hdr.frame_control = fc;
@@ -2154,7 +2179,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
                        ieee80211_free_txskb(&local->hw, skb);
                        skb = NULL;
-                        goto fail_rcu;
+                        return ERR_PTR(-ENOMEM);
                }
        }
@@ -2188,9 +2213,6 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        nh_pos += hdrlen;
        h_pos += hdrlen;
-        dev->stats.tx_packets++;
-        dev->stats.tx_bytes += skb->len;
        /* Update skb pointers to various headers since this modified frame
         * is going to go through Linux networking code that may potentially
         * need things like pointer to IP header. */
@@ -2201,23 +2223,90 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        info = IEEE80211_SKB_CB(skb);
        memset(info, 0, sizeof(*info));
-        dev->trans_start = jiffies;
        info->flags = info_flags;
        info->ack_frame_id = info_id;
+        info->band = band;
-        ieee80211_xmit(sdata, skb, band);
+        return skb;
-        rcu_read_unlock();
+ free:
+        kfree_skb(skb);
+        return ERR_PTR(ret);
+}
-        return NETDEV_TX_OK;
+void __ieee80211_subif_start_xmit(struct sk_buff *skb,
+                                  struct net_device *dev,
+                                  u32 info_flags)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
+        if (unlikely(skb->len < ETH_HLEN)) {
+                kfree_skb(skb);
+                return;
+        }
+        rcu_read_lock();
+        /* Measure frame arrival for Tx latency statistics calculation */
+        ieee80211_tx_latency_start_msrmnt(local, skb);
+        skb = ieee80211_build_hdr(sdata, skb, info_flags);
+        if (IS_ERR(skb))
+                goto out;
- fail_rcu:
+        dev->stats.tx_packets++;
+        dev->stats.tx_bytes += skb->len;
+        dev->trans_start = jiffies;
+        ieee80211_xmit(sdata, skb);
+ out:
        rcu_read_unlock();
- fail:
+}
-        dev_kfree_skb(skb);
+/**
+ * ieee80211_subif_start_xmit - netif start_xmit function for 802.3 vifs
+ * @skb: packet to be sent
+ * @dev: incoming interface
+ *
+ * On failure skb will be freed.
+ */
+netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
+                                       struct net_device *dev)
+{
+        __ieee80211_subif_start_xmit(skb, dev, 0);
        return NETDEV_TX_OK;
 }
+struct sk_buff *
+ieee80211_build_data_template(struct ieee80211_sub_if_data *sdata,
+                              struct sk_buff *skb, u32 info_flags)
+{
+        struct ieee80211_hdr *hdr;
+        struct ieee80211_tx_data tx = {
+                .local = sdata->local,
+                .sdata = sdata,
+        };
+        rcu_read_lock();
+        skb = ieee80211_build_hdr(sdata, skb, info_flags);
+        if (IS_ERR(skb))
+                goto out;
+        hdr = (void *)skb->data;
+        tx.sta = sta_info_get(sdata, hdr->addr1);
+        tx.skb = skb;
+        if (ieee80211_tx_h_select_key(&tx) != TX_CONTINUE) {
+                rcu_read_unlock();
+                kfree_skb(skb);
+                return ERR_PTR(-EINVAL);
+        }
+out:
+        rcu_read_unlock();
+        return skb;
+}
 /*
 * ieee80211_clear_tx_pending may not be called in a context where
@@ -2257,8 +2346,8 @@ static bool ieee80211_tx_pending_skb(struct ieee80211_local *local,
                        dev_kfree_skb(skb);
                        return true;
                }
-                result = ieee80211_tx(sdata, skb, true,
+                info->band = chanctx_conf->def.chan->band;
-                                      chanctx_conf->def.chan->band);
+                result = ieee80211_tx(sdata, skb, true);
        } else {
                struct sk_buff_head skbs;
@@ -2872,19 +2961,16 @@ struct sk_buff *ieee80211_nullfunc_get(struct ieee80211_hw *hw,
 EXPORT_SYMBOL(ieee80211_nullfunc_get);
 struct sk_buff *ieee80211_probereq_get(struct ieee80211_hw *hw,
-                                       struct ieee80211_vif *vif,
+                                       const u8 *src_addr,
                                       const u8 *ssid, size_t ssid_len,
                                       size_t tailroom)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_local *local = hw_to_local(hw);
-        struct ieee80211_local *local;
        struct ieee80211_hdr_3addr *hdr;
        struct sk_buff *skb;
        size_t ie_ssid_len;
        u8 *pos;
-        sdata = vif_to_sdata(vif);
-        local = sdata->local;
        ie_ssid_len = 2 + ssid_len;
        skb = dev_alloc_skb(local->hw.extra_tx_headroom + sizeof(*hdr) +
@@ -2899,7 +2985,7 @@ struct sk_buff *ieee80211_probereq_get(struct ieee80211_hw *hw,
        hdr->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
                                         IEEE80211_STYPE_PROBE_REQ);
        eth_broadcast_addr(hdr->addr1);
-        memcpy(hdr->addr2, vif->addr, ETH_ALEN);
+        memcpy(hdr->addr2, src_addr, ETH_ALEN);
        eth_broadcast_addr(hdr->addr3);
        pos = skb_put(skb, ie_ssid_len);
@@ -3018,6 +3104,97 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
 }
 EXPORT_SYMBOL(ieee80211_get_buffered_bc);
+int ieee80211_reserve_tid(struct ieee80211_sta *pubsta, u8 tid)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        struct ieee80211_local *local = sdata->local;
+        int ret;
+        u32 queues;
+        lockdep_assert_held(&local->sta_mtx);
+        /* only some cases are supported right now */
+        switch (sdata->vif.type) {
+        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_AP_VLAN:
+                break;
+        default:
+                WARN_ON(1);
+                return -EINVAL;
+        }
+        if (WARN_ON(tid >= IEEE80211_NUM_UPS))
+                return -EINVAL;
+        if (sta->reserved_tid == tid) {
+                ret = 0;
+                goto out;
+        }
+        if (sta->reserved_tid != IEEE80211_TID_UNRESERVED) {
+                sdata_err(sdata, "TID reservation already active\n");
+                ret = -EALREADY;
+                goto out;
+        }
+        ieee80211_stop_vif_queues(sdata->local, sdata,
+                                  IEEE80211_QUEUE_STOP_REASON_RESERVE_TID);
+        synchronize_net();
+        /* Tear down BA sessions so we stop aggregating on this TID */
+        if (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION) {
+                set_sta_flag(sta, WLAN_STA_BLOCK_BA);
+                __ieee80211_stop_tx_ba_session(sta, tid,
+                                               AGG_STOP_LOCAL_REQUEST);
+        }
+        queues = BIT(sdata->vif.hw_queue[ieee802_1d_to_ac[tid]]);
+        __ieee80211_flush_queues(local, sdata, queues);
+        sta->reserved_tid = tid;
+        ieee80211_wake_vif_queues(local, sdata,
+                                  IEEE80211_QUEUE_STOP_REASON_RESERVE_TID);
+        if (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION)
+                clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
+        ret = 0;
+ out:
+        return ret;
+}
+EXPORT_SYMBOL(ieee80211_reserve_tid);
+void ieee80211_unreserve_tid(struct ieee80211_sta *pubsta, u8 tid)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        lockdep_assert_held(&sdata->local->sta_mtx);
+        /* only some cases are supported right now */
+        switch (sdata->vif.type) {
+        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_AP_VLAN:
+                break;
+        default:
+                WARN_ON(1);
+                return;
+        }
+        if (tid != sta->reserved_tid) {
+                sdata_err(sdata, "TID to unreserve (%d) isn't reserved\n", tid);
+                return;
+        }
+        sta->reserved_tid = IEEE80211_TID_UNRESERVED;
+}
+EXPORT_SYMBOL(ieee80211_unreserve_tid);
 void __ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
                                 struct sk_buff *skb, int tid,
                                 enum ieee80211_band band)
@@ -3039,6 +3216,7 @@ void __ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
         * requirements are that we do not come into tx with bhs on.
         */
        local_bh_disable();
-        ieee80211_xmit(sdata, skb, band);
+        IEEE80211_SKB_CB(skb)->band = band;
+        ieee80211_xmit(sdata, skb);
        local_bh_enable();
 }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 3c61060a4d2b..974ebe70f5b0 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -576,15 +576,19 @@ ieee80211_get_vif_queues(struct ieee80211_local *local,
        return queues;
 }
-void ieee80211_flush_queues(struct ieee80211_local *local,
+void __ieee80211_flush_queues(struct ieee80211_local *local,
-                            struct ieee80211_sub_if_data *sdata)
+                              struct ieee80211_sub_if_data *sdata,
+                              unsigned int queues)
 {
-        unsigned int queues;
        if (!local->ops->flush)
                return;
-        queues = ieee80211_get_vif_queues(local, sdata);
+        /*
+         * If no queue was set, or if the HW doesn't support
+         * IEEE80211_HW_QUEUE_CONTROL - flush all queues
+         */
+        if (!queues || !(local->hw.flags & IEEE80211_HW_QUEUE_CONTROL))
+                queues = ieee80211_get_vif_queues(local, sdata);
        ieee80211_stop_queues_by_reason(&local->hw, queues,
                                        IEEE80211_QUEUE_STOP_REASON_FLUSH,
@@ -597,6 +601,12 @@ void ieee80211_flush_queues(struct ieee80211_local *local,
                                        false);
 }
+void ieee80211_flush_queues(struct ieee80211_local *local,
+                            struct ieee80211_sub_if_data *sdata)
+{
+        __ieee80211_flush_queues(local, sdata, 0);
+}
 void ieee80211_stop_vif_queues(struct ieee80211_local *local,
                               struct ieee80211_sub_if_data *sdata,
                               enum queue_stop_reason reason)
@@ -693,6 +703,34 @@ void ieee80211_iterate_active_interfaces_rtnl(
 }
 EXPORT_SYMBOL_GPL(ieee80211_iterate_active_interfaces_rtnl);
+static void __iterate_stations(struct ieee80211_local *local,
+                               void (*iterator)(void *data,
+                                                struct ieee80211_sta *sta),
+                               void *data)
+{
+        struct sta_info *sta;
+        list_for_each_entry_rcu(sta, &local->sta_list, list) {
+                if (!sta->uploaded)
+                        continue;
+                iterator(data, &sta->sta);
+        }
+}
+void ieee80211_iterate_stations_atomic(struct ieee80211_hw *hw,
+                        void (*iterator)(void *data,
+                                         struct ieee80211_sta *sta),
+                        void *data)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        rcu_read_lock();
+        __iterate_stations(local, iterator, data);
+        rcu_read_unlock();
+}
+EXPORT_SYMBOL_GPL(ieee80211_iterate_stations_atomic);
 struct ieee80211_vif *wdev_to_ieee80211_vif(struct wireless_dev *wdev)
 {
        struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
@@ -803,6 +841,9 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                case WLAN_EID_SECONDARY_CHANNEL_OFFSET:
                case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
                case WLAN_EID_CHAN_SWITCH_PARAM:
+                case WLAN_EID_EXT_CAPABILITY:
+                case WLAN_EID_CHAN_SWITCH_TIMING:
+                case WLAN_EID_LINK_ID:
                /*
                 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible
                 * that if the content gets bigger it might be needed more than once
@@ -822,6 +863,24 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
                elem_parse_failed = false;
                switch (id) {
+                case WLAN_EID_LINK_ID:
+                        if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
+                                elem_parse_failed = true;
+                                break;
+                        }
+                        elems->lnk_id = (void *)(pos - 2);
+                        break;
+                case WLAN_EID_CHAN_SWITCH_TIMING:
+                        if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
+                                elem_parse_failed = true;
+                                break;
+                        }
+                        elems->ch_sw_timing = (void *)pos;
+                        break;
+                case WLAN_EID_EXT_CAPABILITY:
+                        elems->ext_capab = pos;
+                        elems->ext_capab_len = elen;
+                        break;
                case WLAN_EID_SSID:
                        elems->ssid = pos;
                        elems->ssid_len = elen;
@@ -1073,6 +1132,7 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
        struct ieee80211_chanctx_conf *chanctx_conf;
        int ac;
        bool use_11b, enable_qos;
+        bool is_ocb; /* Use another EDCA parameters if dot11OCBActivated=true */
        int aCWmin, aCWmax;
        if (!local->ops->conf_tx)
@@ -1097,6 +1157,8 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
         */
        enable_qos = (sdata->vif.type != NL80211_IFTYPE_STATION);
+        is_ocb = (sdata->vif.type == NL80211_IFTYPE_OCB);
        /* Set defaults according to 802.11-2007 Table 7-37 */
        aCWmax = 1023;
        if (use_11b)
@@ -1118,7 +1180,10 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
                                qparam.cw_max = aCWmax;
                                qparam.cw_min = aCWmin;
                                qparam.txop = 0;
-                                qparam.aifs = 7;
+                                if (is_ocb)
+                                        qparam.aifs = 9;
+                                else
+                                        qparam.aifs = 7;
                                break;
                        /* never happens but let's not leave undefined */
                        default:
@@ -1126,21 +1191,32 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
                                qparam.cw_max = aCWmax;
                                qparam.cw_min = aCWmin;
                                qparam.txop = 0;
-                                qparam.aifs = 3;
+                                if (is_ocb)
+                                        qparam.aifs = 6;
+                                else
+                                        qparam.aifs = 3;
                                break;
                        case IEEE80211_AC_VI:
                                qparam.cw_max = aCWmin;
                                qparam.cw_min = (aCWmin + 1) / 2 - 1;
-                                if (use_11b)
+                                if (is_ocb)
+                                        qparam.txop = 0;
+                                else if (use_11b)
                                        qparam.txop = 6016/32;
                                else
                                        qparam.txop = 3008/32;
-                                qparam.aifs = 2;
+                                if (is_ocb)
+                                        qparam.aifs = 3;
+                                else
+                                        qparam.aifs = 2;
                                break;
                        case IEEE80211_AC_VO:
                                qparam.cw_max = (aCWmin + 1) / 2 - 1;
                                qparam.cw_min = (aCWmin + 1) / 4 - 1;
-                                if (use_11b)
+                                if (is_ocb)
+                                        qparam.txop = 0;
+                                else if (use_11b)
                                        qparam.txop = 3264/32;
                                else
                                        qparam.txop = 1504/32;
@@ -1263,6 +1339,7 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_local *local,
        int ext_rates_len;
        int shift;
        u32 rate_flags;
+        bool have_80mhz = false;
        *offset = 0;
@@ -1391,7 +1468,15 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_local *local,
                *offset = noffset;
        }
-        if (sband->vht_cap.vht_supported) {
+        /* Check if any channel in this sband supports at least 80 MHz */
+        for (i = 0; i < sband->n_channels; i++) {
+                if (!(sband->channels[i].flags & IEEE80211_CHAN_NO_80MHZ)) {
+                        have_80mhz = true;
+                        break;
+                }
+        }
+        if (sband->vht_cap.vht_supported && have_80mhz) {
                if (end - pos < 2 + sizeof(struct ieee80211_vht_cap))
                        goto out_err;
                pos = ieee80211_ie_build_vht_cap(pos, &sband->vht_cap,
@@ -1447,7 +1532,8 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
 };
 struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
-                                          u8 *dst, u32 ratemask,
+                                          const u8 *src, const u8 *dst,
+                                          u32 ratemask,
                                          struct ieee80211_channel *chan,
                                          const u8 *ssid, size_t ssid_len,
                                          const u8 *ie, size_t ie_len,
@@ -1472,8 +1558,8 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
        else
                chandef.chan = chan;
-        skb = ieee80211_probereq_get(&local->hw, &sdata->vif,
+        skb = ieee80211_probereq_get(&local->hw, src, ssid, ssid_len,
-                                     ssid, ssid_len, 100 + ie_len);
+                                     100 + ie_len);
        if (!skb)
                return NULL;
@@ -1495,7 +1581,8 @@ struct sk_buff *ieee80211_build_probe_req(struct ieee80211_sub_if_data *sdata,
        return skb;
 }
-void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
+void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata,
+                              const u8 *src, const u8 *dst,
                              const u8 *ssid, size_t ssid_len,
                              const u8 *ie, size_t ie_len,
                              u32 ratemask, bool directed, u32 tx_flags,
@@ -1503,7 +1590,7 @@ void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
 {
        struct sk_buff *skb;
-        skb = ieee80211_build_probe_req(sdata, dst, ratemask, channel,
+        skb = ieee80211_build_probe_req(sdata, src, dst, ratemask, channel,
                                        ssid, ssid_len,
                                        ie, ie_len, directed);
        if (skb) {
@@ -1645,6 +1732,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        int res, i;
        bool reconfig_due_to_wowlan = false;
        struct ieee80211_sub_if_data *sched_scan_sdata;
+        struct cfg80211_sched_scan_request *sched_scan_req;
        bool sched_scan_stopped = false;
 #ifdef CONFIG_PM
@@ -1813,6 +1901,10 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                        ieee80211_bss_info_change_notify(sdata, changed);
                        sdata_unlock(sdata);
                        break;
+                case NL80211_IFTYPE_OCB:
+                        changed |= BSS_CHANGED_OCB;
+                        ieee80211_bss_info_change_notify(sdata, changed);
+                        break;
                case NL80211_IFTYPE_ADHOC:
                        changed |= BSS_CHANGED_IBSS;
                        /* fall through */
@@ -1931,13 +2023,15 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        mutex_lock(&local->mtx);
        sched_scan_sdata = rcu_dereference_protected(local->sched_scan_sdata,
                                                lockdep_is_held(&local->mtx));
-        if (sched_scan_sdata && local->sched_scan_req)
+        sched_scan_req = rcu_dereference_protected(local->sched_scan_req,
+                                                lockdep_is_held(&local->mtx));
+        if (sched_scan_sdata && sched_scan_req)
                /*
                 * Sched scan stopped, but we don't want to report it. Instead,
                 * we're trying to reschedule.
                 */
                if (__ieee80211_request_sched_scan_start(sched_scan_sdata,
-                                                         local->sched_scan_req))
+                                                         sched_scan_req))
                        sched_scan_stopped = true;
        mutex_unlock(&local->mtx);
@@ -1949,7 +2043,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
         * We may want to change that later, however.
         */
        if (!local->suspended || reconfig_due_to_wowlan)
-                drv_restart_complete(local);
+                drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
        if (!local->suspended)
                return 0;
@@ -1960,6 +2054,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        mb();
        local->resuming = false;
+        if (!reconfig_due_to_wowlan)
+                drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
        list_for_each_entry(sdata, &local->interfaces, list) {
                if (!ieee80211_sdata_running(sdata))
                        continue;
@@ -2052,42 +2149,36 @@ static bool ieee80211_id_in_list(const u8 *ids, int n_ids, u8 id)
        return false;
 }
-/**
+size_t ieee80211_ie_split_ric(const u8 *ies, size_t ielen,
- * ieee80211_ie_split - split an IE buffer according to ordering
+                              const u8 *ids, int n_ids,
- *
+                              const u8 *after_ric, int n_after_ric,
- * @ies: the IE buffer
+                              size_t offset)
- * @ielen: the length of the IE buffer
- * @ids: an array with element IDs that are allowed before
- *      the split
- * @n_ids: the size of the element ID array
- * @offset: offset where to start splitting in the buffer
- *
- * This function splits an IE buffer by updating the @offset
- * variable to point to the location where the buffer should be
- * split.
- *
- * It assumes that the given IE buffer is well-formed, this
- * has to be guaranteed by the caller!
- *
- * It also assumes that the IEs in the buffer are ordered
- * correctly, if not the result of using this function will not
- * be ordered correctly either, i.e. it does no reordering.
- *
- * The function returns the offset where the next part of the
- * buffer starts, which may be @ielen if the entire (remainder)
- * of the buffer should be used.
- */
-size_t ieee80211_ie_split(const u8 *ies, size_t ielen,
-                          const u8 *ids, int n_ids, size_t offset)
 {
        size_t pos = offset;
-        while (pos < ielen && ieee80211_id_in_list(ids, n_ids, ies[pos]))
+        while (pos < ielen && ieee80211_id_in_list(ids, n_ids, ies[pos])) {
-                pos += 2 + ies[pos + 1];
+                if (ies[pos] == WLAN_EID_RIC_DATA && n_after_ric) {
+                        pos += 2 + ies[pos + 1];
+                        while (pos < ielen &&
+                               !ieee80211_id_in_list(after_ric, n_after_ric,
+                                                     ies[pos]))
+                                pos += 2 + ies[pos + 1];
+                } else {
+                        pos += 2 + ies[pos + 1];
+                }
+        }
        return pos;
 }
+size_t ieee80211_ie_split(const u8 *ies, size_t ielen,
+                          const u8 *ids, int n_ids, size_t offset)
+{
+        return ieee80211_ie_split_ric(ies, ielen, ids, n_ids, NULL, 0, offset);
+}
+EXPORT_SYMBOL(ieee80211_ie_split);
 size_t ieee80211_ie_split_vendor(const u8 *ies, size_t ielen, size_t offset)
 {
        size_t pos = offset;
@@ -2526,11 +2617,23 @@ void ieee80211_dfs_radar_detected_work(struct work_struct *work)
        struct ieee80211_local *local =
                container_of(work, struct ieee80211_local, radar_detected_work);
        struct cfg80211_chan_def chandef = local->hw.conf.chandef;
+        struct ieee80211_chanctx *ctx;
+        int num_chanctx = 0;
+        mutex_lock(&local->chanctx_mtx);
+        list_for_each_entry(ctx, &local->chanctx_list, list) {
+                if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
+                        continue;
+                num_chanctx++;
+                chandef = ctx->conf.def;
+        }
+        mutex_unlock(&local->chanctx_mtx);
        ieee80211_dfs_cac_cancel(local);
-        if (local->use_chanctx)
+        if (num_chanctx > 1)
-                /* currently not handled */
+                /* XXX: multi-channel is not supported yet */
                WARN_ON(1);
        else
                cfg80211_radar_event(local->hw.wiphy, &chandef, GFP_KERNEL);
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
index 671ce0d27a80..bc9e8fc48785 100644
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -287,6 +287,8 @@ enum ieee80211_sta_rx_bandwidth ieee80211_sta_cur_vht_bw(struct sta_info *sta)
                /* fall through */
        case NL80211_CHAN_WIDTH_20_NOHT:
        case NL80211_CHAN_WIDTH_20:
+                bw = IEEE80211_STA_RX_BW_20;
+                break;
        case NL80211_CHAN_WIDTH_40:
                bw = sta->sta.ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 ?
                                IEEE80211_STA_RX_BW_40 : IEEE80211_STA_RX_BW_20;
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index 9181fb6d6437..a4220e92f0cc 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -111,8 +111,6 @@ static u8 *ieee80211_wep_add_iv(struct ieee80211_local *local,
            (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
                return newhdr + hdrlen;
-        skb_set_network_header(skb, skb_network_offset(skb) +
-                                    IEEE80211_WEP_IV_LEN);
        ieee80211_wep_get_iv(local, keylen, keyidx, newhdr + hdrlen);
        return newhdr + hdrlen;
 }
diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c
index 3b873989992c..9eb0aee9105b 100644
--- a/net/mac80211/wme.c
+++ b/net/mac80211/wme.c
@@ -53,11 +53,49 @@ static int wme_downgrade_ac(struct sk_buff *skb)
        }
 }
+/**
+ * ieee80211_fix_reserved_tid - return the TID to use if this one is reserved
+ * @tid: the assumed-reserved TID
+ *
+ * Returns: the alternative TID to use, or 0 on error
+ */
+static inline u8 ieee80211_fix_reserved_tid(u8 tid)
+{
+        switch (tid) {
+        case 0:
+                return 3;
+        case 1:
+                return 2;
+        case 2:
+                return 1;
+        case 3:
+                return 0;
+        case 4:
+                return 5;
+        case 5:
+                return 4;
+        case 6:
+                return 7;
+        case 7:
+                return 6;
+        }
+        return 0;
+}
 static u16 ieee80211_downgrade_queue(struct ieee80211_sub_if_data *sdata,
-                                     struct sk_buff *skb)
+                                     struct sta_info *sta, struct sk_buff *skb)
 {
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        /* in case we are a client verify acm is not set for this ac */
-        while (unlikely(sdata->wmm_acm & BIT(skb->priority))) {
+        while (sdata->wmm_acm & BIT(skb->priority)) {
+                int ac = ieee802_1d_to_ac[skb->priority];
+                if (ifmgd->tx_tspec[ac].admitted_time &&
+                    skb->priority == ifmgd->tx_tspec[ac].up)
+                        return ac;
                if (wme_downgrade_ac(skb)) {
                        /*
                         * This should not really happen. The AP has marked all
@@ -69,6 +107,10 @@ static u16 ieee80211_downgrade_queue(struct ieee80211_sub_if_data *sdata,
                }
        }
+        /* Check to see if this is a reserved TID */
+        if (sta && sta->reserved_tid == skb->priority)
+                skb->priority = ieee80211_fix_reserved_tid(skb->priority);
        /* look up which queue to use for frames with this 1d tag */
        return ieee802_1d_to_ac[skb->priority];
 }
@@ -96,7 +138,7 @@ u16 ieee80211_select_queue_80211(struct ieee80211_sub_if_data *sdata,
        p = ieee80211_get_qos_ctl(hdr);
        skb->priority = *p & IEEE80211_QOS_CTL_TAG1D_MASK;
-        return ieee80211_downgrade_queue(sdata, skb);
+        return ieee80211_downgrade_queue(sdata, NULL, skb);
 }
 /* Indicate which queue to use. */
@@ -108,6 +150,7 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
        const u8 *ra = NULL;
        bool qos = false;
        struct mac80211_qos_map *qos_map;
+        u16 ret;
        if (local->hw.queues < IEEE80211_NUM_ACS || skb->len < 6) {
                skb->priority = 0; /* required for correct WPA/11i MIC */
@@ -134,11 +177,20 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
                break;
 #endif
        case NL80211_IFTYPE_STATION:
+                /* might be a TDLS station */
+                sta = sta_info_get(sdata, skb->data);
+                if (sta)
+                        qos = sta->sta.wme;
                ra = sdata->u.mgd.bssid;
                break;
        case NL80211_IFTYPE_ADHOC:
                ra = skb->data;
                break;
+        case NL80211_IFTYPE_OCB:
+                /* all stations are required to support WME */
+                qos = true;
+                break;
        default:
                break;
        }
@@ -148,27 +200,29 @@ u16 ieee80211_select_queue(struct ieee80211_sub_if_data *sdata,
                if (sta)
                        qos = sta->sta.wme;
        }
-        rcu_read_unlock();
        if (!qos) {
                skb->priority = 0; /* required for correct WPA/11i MIC */
-                return IEEE80211_AC_BE;
+                ret = IEEE80211_AC_BE;
+                goto out;
        }
        if (skb->protocol == sdata->control_port_protocol) {
                skb->priority = 7;
-                return ieee80211_downgrade_queue(sdata, skb);
+                goto downgrade;
        }
        /* use the data classifier to determine what 802.1d tag the
         * data frame has */
-        rcu_read_lock();
        qos_map = rcu_dereference(sdata->qos_map);
        skb->priority = cfg80211_classify8021d(skb, qos_map ?
                                               &qos_map->qos_map : NULL);
-        rcu_read_unlock();
-        return ieee80211_downgrade_queue(sdata, skb);
+ downgrade:
+        ret = ieee80211_downgrade_queue(sdata, sta, skb);
+ out:
+        rcu_read_unlock();
+        return ret;
 }
 /**
diff --git a/net/mac80211/wme.h b/net/mac80211/wme.h
index 7fea4bb8acbc..80151edc5195 100644
--- a/net/mac80211/wme.h
+++ b/net/mac80211/wme.h
@@ -13,8 +13,6 @@
 #include <linux/netdevice.h>
 #include "ieee80211_i.h"
-extern const int ieee802_1d_to_ac[8];
 u16 ieee80211_select_queue_80211(struct ieee80211_sub_if_data *sdata,
                                 struct sk_buff *skb,
                                 struct ieee80211_hdr *hdr);
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 983527a4c1ab..12398fde02e8 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -209,8 +209,6 @@ static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
        pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
        memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
-        skb_set_network_header(skb, skb_network_offset(skb) +
-                                    IEEE80211_TKIP_IV_LEN);
        pos += hdrlen;
        /* the HW only needs room for the IV, but not the actual IV */
@@ -434,8 +432,6 @@ static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
        pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
        memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
-        skb_set_network_header(skb, skb_network_offset(skb) +
-                                    IEEE80211_CCMP_HDR_LEN);
        /* the HW only needs room for the IV, but not the actual IV */
        if (info->control.hw_key &&
@@ -575,7 +571,6 @@ ieee80211_crypto_cs_encrypt(struct ieee80211_tx_data *tx,
        pos = skb_push(skb, cs->hdr_len);
        memmove(pos, pos + cs->hdr_len, hdrlen);
-        skb_set_network_header(skb, skb_network_offset(skb) + cs->hdr_len);
        return TX_CONTINUE;
 }
diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
index b60aa35c074f..f72be7433df3 100644
--- a/net/nfc/digital_dep.c
+++ b/net/nfc/digital_dep.c
@@ -17,6 +17,9 @@
 #include "digital.h"
+#define DIGITAL_NFC_DEP_N_RETRY_NACK    2
+#define DIGITAL_NFC_DEP_N_RETRY_ATN     2
 #define DIGITAL_NFC_DEP_FRAME_DIR_OUT 0xD4
 #define DIGITAL_NFC_DEP_FRAME_DIR_IN  0xD5
@@ -32,20 +35,32 @@
 #define DIGITAL_ATR_REQ_MIN_SIZE 16
 #define DIGITAL_ATR_REQ_MAX_SIZE 64
-#define DIGITAL_LR_BITS_PAYLOAD_SIZE_254B 0x30
+#define DIGITAL_DID_MAX 14
-#define DIGITAL_FSL_BITS_PAYLOAD_SIZE_254B \
-                                (DIGITAL_LR_BITS_PAYLOAD_SIZE_254B >> 4)
+#define DIGITAL_PAYLOAD_SIZE_MAX        254
+#define DIGITAL_PAYLOAD_BITS_TO_PP(s)   (((s) & 0x3) << 4)
+#define DIGITAL_PAYLOAD_PP_TO_BITS(s)   (((s) >> 4) & 0x3)
+#define DIGITAL_PAYLOAD_BITS_TO_FSL(s)  ((s) & 0x3)
+#define DIGITAL_PAYLOAD_FSL_TO_BITS(s)  ((s) & 0x3)
 #define DIGITAL_GB_BIT  0x02
+#define DIGITAL_NFC_DEP_REQ_RES_HEADROOM        2 /* SoD: [SB (NFC-A)] + LEN */
+#define DIGITAL_NFC_DEP_REQ_RES_TAILROOM        2 /* EoD: 2-byte CRC */
 #define DIGITAL_NFC_DEP_PFB_TYPE(pfb) ((pfb) & 0xE0)
 #define DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT 0x10
+#define DIGITAL_NFC_DEP_PFB_MI_BIT      0x10
+#define DIGITAL_NFC_DEP_PFB_NACK_BIT    0x10
+#define DIGITAL_NFC_DEP_PFB_DID_BIT     0x04
 #define DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb) \
                                ((pfb) & DIGITAL_NFC_DEP_PFB_TIMEOUT_BIT)
-#define DIGITAL_NFC_DEP_MI_BIT_SET(pfb)  ((pfb) & 0x10)
+#define DIGITAL_NFC_DEP_MI_BIT_SET(pfb)  ((pfb) & DIGITAL_NFC_DEP_PFB_MI_BIT)
+#define DIGITAL_NFC_DEP_NACK_BIT_SET(pfb) ((pfb) & DIGITAL_NFC_DEP_PFB_NACK_BIT)
 #define DIGITAL_NFC_DEP_NAD_BIT_SET(pfb) ((pfb) & 0x08)
-#define DIGITAL_NFC_DEP_DID_BIT_SET(pfb) ((pfb) & 0x04)
+#define DIGITAL_NFC_DEP_DID_BIT_SET(pfb) ((pfb) & DIGITAL_NFC_DEP_PFB_DID_BIT)
 #define DIGITAL_NFC_DEP_PFB_PNI(pfb)     ((pfb) & 0x03)
 #define DIGITAL_NFC_DEP_PFB_I_PDU          0x00
@@ -97,6 +112,34 @@ struct digital_dep_req_res {
 static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
                                    struct sk_buff *resp);
+static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
+                                    struct sk_buff *resp);
+static const u8 digital_payload_bits_map[4] = {
+        [0] = 64,
+        [1] = 128,
+        [2] = 192,
+        [3] = 254
+};
+static u8 digital_payload_bits_to_size(u8 payload_bits)
+{
+        if (payload_bits >= ARRAY_SIZE(digital_payload_bits_map))
+                return 0;
+        return digital_payload_bits_map[payload_bits];
+}
+static u8 digital_payload_size_to_bits(u8 payload_size)
+{
+        int i;
+        for (i = 0; i < ARRAY_SIZE(digital_payload_bits_map); i++)
+                if (digital_payload_bits_map[i] == payload_size)
+                        return i;
+        return 0xff;
+}
 static void digital_skb_push_dep_sod(struct nfc_digital_dev *ddev,
                                     struct sk_buff *skb)
@@ -129,6 +172,106 @@ static int digital_skb_pull_dep_sod(struct nfc_digital_dev *ddev,
        return 0;
 }
+static struct sk_buff *
+digital_send_dep_data_prep(struct nfc_digital_dev *ddev, struct sk_buff *skb,
+                           struct digital_dep_req_res *dep_req_res,
+                           struct digital_data_exch *data_exch)
+{
+        struct sk_buff *new_skb;
+        if (skb->len > ddev->remote_payload_max) {
+                dep_req_res->pfb |= DIGITAL_NFC_DEP_PFB_MI_BIT;
+                new_skb = digital_skb_alloc(ddev, ddev->remote_payload_max);
+                if (!new_skb) {
+                        kfree_skb(ddev->chaining_skb);
+                        ddev->chaining_skb = NULL;
+                        return ERR_PTR(-ENOMEM);
+                }
+                skb_reserve(new_skb, ddev->tx_headroom + NFC_HEADER_SIZE +
+                                        DIGITAL_NFC_DEP_REQ_RES_HEADROOM);
+                memcpy(skb_put(new_skb, ddev->remote_payload_max), skb->data,
+                       ddev->remote_payload_max);
+                skb_pull(skb, ddev->remote_payload_max);
+                ddev->chaining_skb = skb;
+                ddev->data_exch = data_exch;
+        } else {
+                ddev->chaining_skb = NULL;
+                new_skb = skb;
+        }
+        return new_skb;
+}
+static struct sk_buff *
+digital_recv_dep_data_gather(struct nfc_digital_dev *ddev, u8 pfb,
+                             struct sk_buff *resp,
+                             int (*send_ack)(struct nfc_digital_dev *ddev,
+                                             struct digital_data_exch
+                                                             *data_exch),
+                             struct digital_data_exch *data_exch)
+{
+        struct sk_buff *new_skb;
+        int rc;
+        if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb) && (!ddev->chaining_skb)) {
+                ddev->chaining_skb =
+                        nfc_alloc_recv_skb(8 * ddev->local_payload_max,
+                                           GFP_KERNEL);
+                if (!ddev->chaining_skb) {
+                        rc = -ENOMEM;
+                        goto error;
+                }
+        }
+        if (ddev->chaining_skb) {
+                if (resp->len > skb_tailroom(ddev->chaining_skb)) {
+                        new_skb = skb_copy_expand(ddev->chaining_skb,
+                                                  skb_headroom(
+                                                          ddev->chaining_skb),
+                                                  8 * ddev->local_payload_max,
+                                                  GFP_KERNEL);
+                        if (!new_skb) {
+                                rc = -ENOMEM;
+                                goto error;
+                        }
+                        kfree_skb(ddev->chaining_skb);
+                        ddev->chaining_skb = new_skb;
+                }
+                memcpy(skb_put(ddev->chaining_skb, resp->len), resp->data,
+                       resp->len);
+                kfree_skb(resp);
+                resp = NULL;
+                if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb)) {
+                        rc = send_ack(ddev, data_exch);
+                        if (rc)
+                                goto error;
+                        return NULL;
+                }
+                resp = ddev->chaining_skb;
+                ddev->chaining_skb = NULL;
+        }
+        return resp;
+error:
+        kfree_skb(resp);
+        kfree_skb(ddev->chaining_skb);
+        ddev->chaining_skb = NULL;
+        return ERR_PTR(rc);
+}
 static void digital_in_recv_psl_res(struct nfc_digital_dev *ddev, void *arg,
                                    struct sk_buff *resp)
 {
@@ -198,6 +341,8 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
 {
        struct sk_buff *skb;
        struct digital_psl_req *psl_req;
+        int rc;
+        u8 payload_size, payload_bits;
        skb = digital_skb_alloc(ddev, sizeof(*psl_req));
        if (!skb)
@@ -211,14 +356,24 @@ static int digital_in_send_psl_req(struct nfc_digital_dev *ddev,
        psl_req->cmd = DIGITAL_CMD_PSL_REQ;
        psl_req->did = 0;
        psl_req->brs = (0x2 << 3) | 0x2; /* 424F both directions */
-        psl_req->fsl = DIGITAL_FSL_BITS_PAYLOAD_SIZE_254B;
+        payload_size = min(ddev->local_payload_max, ddev->remote_payload_max);
+        payload_bits = digital_payload_size_to_bits(payload_size);
+        psl_req->fsl = DIGITAL_PAYLOAD_BITS_TO_FSL(payload_bits);
+        ddev->local_payload_max = payload_size;
+        ddev->remote_payload_max = payload_size;
        digital_skb_push_dep_sod(ddev, skb);
        ddev->skb_add_crc(skb);
-        return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res,
+        rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_psl_res,
-                                   target);
+                                 target);
+        if (rc)
+                kfree_skb(skb);
+        return rc;
 }
 static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
@@ -226,7 +381,7 @@ static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
 {
        struct nfc_target *target = arg;
        struct digital_atr_res *atr_res;
-        u8 gb_len;
+        u8 gb_len, payload_bits;
        int rc;
        if (IS_ERR(resp)) {
@@ -256,6 +411,14 @@ static void digital_in_recv_atr_res(struct nfc_digital_dev *ddev, void *arg,
        atr_res = (struct digital_atr_res *)resp->data;
+        payload_bits = DIGITAL_PAYLOAD_PP_TO_BITS(atr_res->pp);
+        ddev->remote_payload_max = digital_payload_bits_to_size(payload_bits);
+        if (!ddev->remote_payload_max) {
+                rc = -EINVAL;
+                goto exit;
+        }
        rc = nfc_set_remote_general_bytes(ddev->nfc_dev, atr_res->gb, gb_len);
        if (rc)
                goto exit;
@@ -286,6 +449,8 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        struct sk_buff *skb;
        struct digital_atr_req *atr_req;
        uint size;
+        int rc;
+        u8 payload_bits;
        size = DIGITAL_ATR_REQ_MIN_SIZE + gb_len;
@@ -314,7 +479,9 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        atr_req->bs = 0;
        atr_req->br = 0;
-        atr_req->pp = DIGITAL_LR_BITS_PAYLOAD_SIZE_254B;
+        ddev->local_payload_max = DIGITAL_PAYLOAD_SIZE_MAX;
+        payload_bits = digital_payload_size_to_bits(ddev->local_payload_max);
+        atr_req->pp = DIGITAL_PAYLOAD_BITS_TO_PP(payload_bits);
        if (gb_len) {
                atr_req->pp |= DIGITAL_GB_BIT;
@@ -325,8 +492,113 @@ int digital_in_send_atr_req(struct nfc_digital_dev *ddev,
        ddev->skb_add_crc(skb);
-        return digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
+        rc = digital_in_send_cmd(ddev, skb, 500, digital_in_recv_atr_res,
-                                   target);
+                                 target);
+        if (rc)
+                kfree_skb(skb);
+        return rc;
+}
+static int digital_in_send_ack(struct nfc_digital_dev *ddev,
+                               struct digital_data_exch *data_exch)
+{
+        struct digital_dep_req_res *dep_req;
+        struct sk_buff *skb;
+        int rc;
+        skb = digital_skb_alloc(ddev, 1);
+        if (!skb)
+                return -ENOMEM;
+        skb_push(skb, sizeof(struct digital_dep_req_res));
+        dep_req = (struct digital_dep_req_res *)skb->data;
+        dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
+        dep_req->cmd = DIGITAL_CMD_DEP_REQ;
+        dep_req->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
+                       ddev->curr_nfc_dep_pni;
+        digital_skb_push_dep_sod(ddev, skb);
+        ddev->skb_add_crc(skb);
+        ddev->saved_skb = skb_get(skb);
+        ddev->saved_skb_len = skb->len;
+        rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
+                                 data_exch);
+        if (rc) {
+                kfree_skb(skb);
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+        }
+        return rc;
+}
+static int digital_in_send_nack(struct nfc_digital_dev *ddev,
+                                struct digital_data_exch *data_exch)
+{
+        struct digital_dep_req_res *dep_req;
+        struct sk_buff *skb;
+        int rc;
+        skb = digital_skb_alloc(ddev, 1);
+        if (!skb)
+                return -ENOMEM;
+        skb_push(skb, sizeof(struct digital_dep_req_res));
+        dep_req = (struct digital_dep_req_res *)skb->data;
+        dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
+        dep_req->cmd = DIGITAL_CMD_DEP_REQ;
+        dep_req->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
+                       DIGITAL_NFC_DEP_PFB_NACK_BIT | ddev->curr_nfc_dep_pni;
+        digital_skb_push_dep_sod(ddev, skb);
+        ddev->skb_add_crc(skb);
+        rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
+                                 data_exch);
+        if (rc)
+                kfree_skb(skb);
+        return rc;
+}
+static int digital_in_send_atn(struct nfc_digital_dev *ddev,
+                               struct digital_data_exch *data_exch)
+{
+        struct digital_dep_req_res *dep_req;
+        struct sk_buff *skb;
+        int rc;
+        skb = digital_skb_alloc(ddev, 1);
+        if (!skb)
+                return -ENOMEM;
+        skb_push(skb, sizeof(struct digital_dep_req_res));
+        dep_req = (struct digital_dep_req_res *)skb->data;
+        dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
+        dep_req->cmd = DIGITAL_CMD_DEP_REQ;
+        dep_req->pfb = DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU;
+        digital_skb_push_dep_sod(ddev, skb);
+        ddev->skb_add_crc(skb);
+        rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
+                                 data_exch);
+        if (rc)
+                kfree_skb(skb);
+        return rc;
 }
 static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
@@ -355,12 +627,30 @@ static int digital_in_send_rtox(struct nfc_digital_dev *ddev,
        ddev->skb_add_crc(skb);
+        ddev->saved_skb = skb_get(skb);
+        ddev->saved_skb_len = skb->len;
        rc = digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
                                 data_exch);
+        if (rc) {
+                kfree_skb(skb);
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+        }
        return rc;
 }
+static int digital_in_send_saved_skb(struct nfc_digital_dev *ddev,
+                                     struct digital_data_exch *data_exch)
+{
+        skb_get(ddev->saved_skb);
+        skb_push(ddev->saved_skb, ddev->saved_skb_len);
+        return digital_in_send_cmd(ddev, ddev->saved_skb, 1500,
+                                   digital_in_recv_dep_res, data_exch);
+}
 static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
                                    struct sk_buff *resp)
 {
@@ -373,25 +663,67 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
        if (IS_ERR(resp)) {
                rc = PTR_ERR(resp);
                resp = NULL;
+                if (((rc != -ETIMEDOUT) || ddev->nack_count) &&
+                    (ddev->nack_count++ < DIGITAL_NFC_DEP_N_RETRY_NACK)) {
+                        ddev->atn_count = 0;
+                        rc = digital_in_send_nack(ddev, data_exch);
+                        if (rc)
+                                goto error;
+                        return;
+                } else if ((rc == -ETIMEDOUT) &&
+                           (ddev->atn_count++ < DIGITAL_NFC_DEP_N_RETRY_ATN)) {
+                        ddev->nack_count = 0;
+                        rc = digital_in_send_atn(ddev, data_exch);
+                        if (rc)
+                                goto error;
+                        return;
+                }
+                goto exit;
+        }
+        rc = digital_skb_pull_dep_sod(ddev, resp);
+        if (rc) {
+                PROTOCOL_ERR("14.4.1.2");
                goto exit;
        }
        rc = ddev->skb_check_crc(resp);
        if (rc) {
+                if ((resp->len >= 4) &&
+                    (ddev->nack_count++ < DIGITAL_NFC_DEP_N_RETRY_NACK)) {
+                        ddev->atn_count = 0;
+                        rc = digital_in_send_nack(ddev, data_exch);
+                        if (rc)
+                                goto error;
+                        kfree_skb(resp);
+                        return;
+                }
                PROTOCOL_ERR("14.4.1.6");
                goto error;
        }
-        rc = digital_skb_pull_dep_sod(ddev, resp);
+        ddev->atn_count = 0;
-        if (rc) {
+        ddev->nack_count = 0;
-                PROTOCOL_ERR("14.4.1.2");
+        if (resp->len > ddev->local_payload_max) {
+                rc = -EMSGSIZE;
                goto exit;
        }
+        size = sizeof(struct digital_dep_req_res);
        dep_res = (struct digital_dep_req_res *)resp->data;
-        if (resp->len < sizeof(struct digital_dep_req_res) ||
+        if (resp->len < size || dep_res->dir != DIGITAL_NFC_DEP_FRAME_DIR_IN ||
-            dep_res->dir != DIGITAL_NFC_DEP_FRAME_DIR_IN ||
            dep_res->cmd != DIGITAL_CMD_DEP_RES) {
                rc = -EIO;
                goto error;
@@ -399,6 +731,24 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
        pfb = dep_res->pfb;
+        if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb)) {
+                PROTOCOL_ERR("14.8.2.1");
+                rc = -EIO;
+                goto error;
+        }
+        if (DIGITAL_NFC_DEP_NAD_BIT_SET(pfb)) {
+                rc = -EIO;
+                goto exit;
+        }
+        if (size > resp->len) {
+                rc = -EIO;
+                goto error;
+        }
+        skb_pull(resp, size);
        switch (DIGITAL_NFC_DEP_PFB_TYPE(pfb)) {
        case DIGITAL_NFC_DEP_PFB_I_PDU:
                if (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni) {
@@ -409,21 +759,71 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
                ddev->curr_nfc_dep_pni =
                        DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+                resp = digital_recv_dep_data_gather(ddev, pfb, resp,
+                                                    digital_in_send_ack,
+                                                    data_exch);
+                if (IS_ERR(resp)) {
+                        rc = PTR_ERR(resp);
+                        resp = NULL;
+                        goto error;
+                }
+                /* If resp is NULL then we're still chaining so return and
+                 * wait for the next part of the PDU.  Else, the PDU is
+                 * complete so pass it up.
+                 */
+                if (!resp)
+                        return;
                rc = 0;
                break;
        case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU:
+                if (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni) {
+                        PROTOCOL_ERR("14.12.3.3");
+                        rc = -EIO;
+                        goto exit;
+                }
+                ddev->curr_nfc_dep_pni =
+                        DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
+                if (ddev->chaining_skb && !DIGITAL_NFC_DEP_NACK_BIT_SET(pfb)) {
+                        kfree_skb(ddev->saved_skb);
+                        ddev->saved_skb = NULL;
+                        rc = digital_in_send_dep_req(ddev, NULL,
+                                                     ddev->chaining_skb,
+                                                     ddev->data_exch);
+                        if (rc)
+                                goto error;
+                        return;
+                }
                pr_err("Received a ACK/NACK PDU\n");
-                rc = -EIO;
+                rc = -EINVAL;
-                goto error;
+                goto exit;
        case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU:
-                if (!DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) {
+                if (!DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) { /* ATN */
-                        rc = -EINVAL;
+                        rc = digital_in_send_saved_skb(ddev, data_exch);
-                        goto error;
+                        if (rc) {
+                                kfree_skb(ddev->saved_skb);
+                                goto error;
+                        }
+                        return;
                }
-                rc = digital_in_send_rtox(ddev, data_exch, resp->data[3]);
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+                rc = digital_in_send_rtox(ddev, data_exch, resp->data[0]);
                if (rc)
                        goto error;
@@ -431,30 +831,18 @@ static void digital_in_recv_dep_res(struct nfc_digital_dev *ddev, void *arg,
                return;
        }
-        if (DIGITAL_NFC_DEP_MI_BIT_SET(pfb)) {
-                pr_err("MI bit set. Chained PDU not supported\n");
-                rc = -EIO;
-                goto error;
-        }
-        size = sizeof(struct digital_dep_req_res);
-        if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb))
-                size++;
-        if (size > resp->len) {
-                rc = -EIO;
-                goto error;
-        }
-        skb_pull(resp, size);
 exit:
        data_exch->cb(data_exch->cb_context, resp, rc);
 error:
        kfree(data_exch);
+        kfree_skb(ddev->chaining_skb);
+        ddev->chaining_skb = NULL;
+        kfree_skb(ddev->saved_skb);
+        ddev->saved_skb = NULL;
        if (rc)
                kfree_skb(resp);
 }
@@ -464,20 +852,47 @@ int digital_in_send_dep_req(struct nfc_digital_dev *ddev,
                            struct digital_data_exch *data_exch)
 {
        struct digital_dep_req_res *dep_req;
+        struct sk_buff *chaining_skb, *tmp_skb;
+        int rc;
        skb_push(skb, sizeof(struct digital_dep_req_res));
        dep_req = (struct digital_dep_req_res *)skb->data;
        dep_req->dir = DIGITAL_NFC_DEP_FRAME_DIR_OUT;
        dep_req->cmd = DIGITAL_CMD_DEP_REQ;
        dep_req->pfb = ddev->curr_nfc_dep_pni;
-        digital_skb_push_dep_sod(ddev, skb);
+        ddev->atn_count = 0;
+        ddev->nack_count = 0;
-        ddev->skb_add_crc(skb);
+        chaining_skb = ddev->chaining_skb;
+        tmp_skb = digital_send_dep_data_prep(ddev, skb, dep_req, data_exch);
+        if (IS_ERR(tmp_skb))
+                return PTR_ERR(tmp_skb);
+        digital_skb_push_dep_sod(ddev, tmp_skb);
+        ddev->skb_add_crc(tmp_skb);
-        return digital_in_send_cmd(ddev, skb, 1500, digital_in_recv_dep_res,
+        ddev->saved_skb = skb_get(tmp_skb);
-                                   data_exch);
+        ddev->saved_skb_len = tmp_skb->len;
+        rc = digital_in_send_cmd(ddev, tmp_skb, 1500, digital_in_recv_dep_res,
+                                 data_exch);
+        if (rc) {
+                if (tmp_skb != skb)
+                        kfree_skb(tmp_skb);
+                kfree_skb(chaining_skb);
+                ddev->chaining_skb = NULL;
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+        }
+        return rc;
 }
 static void digital_tg_set_rf_tech(struct nfc_digital_dev *ddev, u8 rf_tech)
@@ -507,11 +922,106 @@ static void digital_tg_set_rf_tech(struct nfc_digital_dev *ddev, u8 rf_tech)
        }
 }
+static int digital_tg_send_ack(struct nfc_digital_dev *ddev,
+                               struct digital_data_exch *data_exch)
+{
+        struct digital_dep_req_res *dep_res;
+        struct sk_buff *skb;
+        int rc;
+        skb = digital_skb_alloc(ddev, 1);
+        if (!skb)
+                return -ENOMEM;
+        skb_push(skb, sizeof(struct digital_dep_req_res));
+        dep_res = (struct digital_dep_req_res *)skb->data;
+        dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
+        dep_res->cmd = DIGITAL_CMD_DEP_RES;
+        dep_res->pfb = DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU |
+                       ddev->curr_nfc_dep_pni;
+        if (ddev->did) {
+                dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
+                memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
+                       sizeof(ddev->did));
+        }
+        ddev->curr_nfc_dep_pni =
+                DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
+        digital_skb_push_dep_sod(ddev, skb);
+        ddev->skb_add_crc(skb);
+        ddev->saved_skb = skb_get(skb);
+        ddev->saved_skb_len = skb->len;
+        rc = digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req,
+                                 data_exch);
+        if (rc) {
+                kfree_skb(skb);
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+        }
+        return rc;
+}
+static int digital_tg_send_atn(struct nfc_digital_dev *ddev)
+{
+        struct digital_dep_req_res *dep_res;
+        struct sk_buff *skb;
+        int rc;
+        skb = digital_skb_alloc(ddev, 1);
+        if (!skb)
+                return -ENOMEM;
+        skb_push(skb, sizeof(struct digital_dep_req_res));
+        dep_res = (struct digital_dep_req_res *)skb->data;
+        dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
+        dep_res->cmd = DIGITAL_CMD_DEP_RES;
+        dep_res->pfb = DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU;
+        if (ddev->did) {
+                dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
+                memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
+                       sizeof(ddev->did));
+        }
+        digital_skb_push_dep_sod(ddev, skb);
+        ddev->skb_add_crc(skb);
+        rc = digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req,
+                                 NULL);
+        if (rc)
+                kfree_skb(skb);
+        return rc;
+}
+static int digital_tg_send_saved_skb(struct nfc_digital_dev *ddev)
+{
+        skb_get(ddev->saved_skb);
+        skb_push(ddev->saved_skb, ddev->saved_skb_len);
+        return digital_tg_send_cmd(ddev, ddev->saved_skb, 1500,
+                                   digital_tg_recv_dep_req, NULL);
+}
 static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
                                    struct sk_buff *resp)
 {
        int rc;
        struct digital_dep_req_res *dep_req;
+        u8 pfb;
        size_t size;
        if (IS_ERR(resp)) {
@@ -532,6 +1042,11 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
                goto exit;
        }
+        if (resp->len > ddev->local_payload_max) {
+                rc = -EMSGSIZE;
+                goto exit;
+        }
        size = sizeof(struct digital_dep_req_res);
        dep_req = (struct digital_dep_req_res *)resp->data;
@@ -541,34 +1056,147 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
                goto exit;
        }
-        if (DIGITAL_NFC_DEP_DID_BIT_SET(dep_req->pfb))
+        pfb = dep_req->pfb;
-                size++;
-        if (resp->len < size) {
+        if (DIGITAL_NFC_DEP_DID_BIT_SET(pfb)) {
+                if (ddev->did && (ddev->did == resp->data[3])) {
+                        size++;
+                } else {
+                        rc = -EIO;
+                        goto exit;
+                }
+        } else if (ddev->did) {
                rc = -EIO;
                goto exit;
        }
-        switch (DIGITAL_NFC_DEP_PFB_TYPE(dep_req->pfb)) {
+        if (DIGITAL_NFC_DEP_NAD_BIT_SET(pfb)) {
+                rc = -EIO;
+                goto exit;
+        }
+        if (size > resp->len) {
+                rc = -EIO;
+                goto exit;
+        }
+        skb_pull(resp, size);
+        switch (DIGITAL_NFC_DEP_PFB_TYPE(pfb)) {
        case DIGITAL_NFC_DEP_PFB_I_PDU:
                pr_debug("DIGITAL_NFC_DEP_PFB_I_PDU\n");
-                ddev->curr_nfc_dep_pni = DIGITAL_NFC_DEP_PFB_PNI(dep_req->pfb);
+                if ((ddev->atn_count && (DIGITAL_NFC_DEP_PFB_PNI(pfb - 1) !=
+                                                ddev->curr_nfc_dep_pni)) ||
+                    (DIGITAL_NFC_DEP_PFB_PNI(pfb) != ddev->curr_nfc_dep_pni)) {
+                        PROTOCOL_ERR("14.12.3.4");
+                        rc = -EIO;
+                        goto exit;
+                }
+                if (ddev->atn_count) {
+                        ddev->atn_count = 0;
+                        rc = digital_tg_send_saved_skb(ddev);
+                        if (rc)
+                                goto exit;
+                        return;
+                }
+                kfree_skb(ddev->saved_skb);
+                ddev->saved_skb = NULL;
+                resp = digital_recv_dep_data_gather(ddev, pfb, resp,
+                                                    digital_tg_send_ack, NULL);
+                if (IS_ERR(resp)) {
+                        rc = PTR_ERR(resp);
+                        resp = NULL;
+                        goto exit;
+                }
+                /* If resp is NULL then we're still chaining so return and
+                 * wait for the next part of the PDU.  Else, the PDU is
+                 * complete so pass it up.
+                 */
+                if (!resp)
+                        return;
+                rc = 0;
                break;
        case DIGITAL_NFC_DEP_PFB_ACK_NACK_PDU:
-                pr_err("Received a ACK/NACK PDU\n");
+                if (!DIGITAL_NFC_DEP_NACK_BIT_SET(pfb)) { /* ACK */
-                rc = -EINVAL;
+                        if ((ddev->atn_count &&
-                goto exit;
+                             (DIGITAL_NFC_DEP_PFB_PNI(pfb - 1) !=
+                                                ddev->curr_nfc_dep_pni)) ||
+                            (DIGITAL_NFC_DEP_PFB_PNI(pfb) !=
+                                                ddev->curr_nfc_dep_pni) ||
+                            !ddev->chaining_skb || !ddev->saved_skb) {
+                                rc = -EIO;
+                                goto exit;
+                        }
+                        if (ddev->atn_count) {
+                                ddev->atn_count = 0;
+                                rc = digital_tg_send_saved_skb(ddev);
+                                if (rc)
+                                        goto exit;
+                                return;
+                        }
+                        kfree_skb(ddev->saved_skb);
+                        ddev->saved_skb = NULL;
+                        rc = digital_tg_send_dep_res(ddev, ddev->chaining_skb);
+                        if (rc)
+                                goto exit;
+                } else { /* NACK */
+                        if ((DIGITAL_NFC_DEP_PFB_PNI(pfb + 1) !=
+                                                ddev->curr_nfc_dep_pni) ||
+                            !ddev->saved_skb) {
+                                rc = -EIO;
+                                goto exit;
+                        }
+                        ddev->atn_count = 0;
+                        rc = digital_tg_send_saved_skb(ddev);
+                        if (rc) {
+                                kfree_skb(ddev->saved_skb);
+                                goto exit;
+                        }
+                }
+                return;
        case DIGITAL_NFC_DEP_PFB_SUPERVISOR_PDU:
-                pr_err("Received a SUPERVISOR PDU\n");
+                if (DIGITAL_NFC_DEP_PFB_IS_TIMEOUT(pfb)) {
-                rc = -EINVAL;
+                        rc = -EINVAL;
-                goto exit;
+                        goto exit;
-        }
+                }
-        skb_pull(resp, size);
+                rc = digital_tg_send_atn(ddev);
+                if (rc)
+                        goto exit;
+                ddev->atn_count++;
+                kfree_skb(resp);
+                return;
+        }
        rc = nfc_tm_data_received(ddev->nfc_dev, resp);
 exit:
+        kfree_skb(ddev->chaining_skb);
+        ddev->chaining_skb = NULL;
+        ddev->atn_count = 0;
+        kfree_skb(ddev->saved_skb);
+        ddev->saved_skb = NULL;
        if (rc)
                kfree_skb(resp);
 }
@@ -576,20 +1204,54 @@ exit:
 int digital_tg_send_dep_res(struct nfc_digital_dev *ddev, struct sk_buff *skb)
 {
        struct digital_dep_req_res *dep_res;
+        struct sk_buff *chaining_skb, *tmp_skb;
+        int rc;
        skb_push(skb, sizeof(struct digital_dep_req_res));
        dep_res = (struct digital_dep_req_res *)skb->data;
        dep_res->dir = DIGITAL_NFC_DEP_FRAME_DIR_IN;
        dep_res->cmd = DIGITAL_CMD_DEP_RES;
        dep_res->pfb = ddev->curr_nfc_dep_pni;
-        digital_skb_push_dep_sod(ddev, skb);
+        if (ddev->did) {
+                dep_res->pfb |= DIGITAL_NFC_DEP_PFB_DID_BIT;
-        ddev->skb_add_crc(skb);
+                memcpy(skb_put(skb, sizeof(ddev->did)), &ddev->did,
+                       sizeof(ddev->did));
+        }
+        ddev->curr_nfc_dep_pni =
+                DIGITAL_NFC_DEP_PFB_PNI(ddev->curr_nfc_dep_pni + 1);
+        chaining_skb = ddev->chaining_skb;
+        tmp_skb = digital_send_dep_data_prep(ddev, skb, dep_res, NULL);
+        if (IS_ERR(tmp_skb))
+                return PTR_ERR(tmp_skb);
+        digital_skb_push_dep_sod(ddev, tmp_skb);
+        ddev->skb_add_crc(tmp_skb);
+        ddev->saved_skb = skb_get(tmp_skb);
+        ddev->saved_skb_len = tmp_skb->len;
+        rc = digital_tg_send_cmd(ddev, tmp_skb, 1500, digital_tg_recv_dep_req,
+                                 NULL);
+        if (rc) {
+                if (tmp_skb != skb)
+                        kfree_skb(tmp_skb);
+                kfree_skb(chaining_skb);
+                ddev->chaining_skb = NULL;
-        return digital_tg_send_cmd(ddev, skb, 1500, digital_tg_recv_dep_req,
+                kfree_skb(ddev->saved_skb);
-                                   NULL);
+                ddev->saved_skb = NULL;
+        }
+        return rc;
 }
 static void digital_tg_send_psl_res_complete(struct nfc_digital_dev *ddev,
@@ -632,9 +1294,10 @@ static int digital_tg_send_psl_res(struct nfc_digital_dev *ddev, u8 did,
        ddev->skb_add_crc(skb);
+        ddev->curr_nfc_dep_pni = 0;
        rc = digital_tg_send_cmd(ddev, skb, 0, digital_tg_send_psl_res_complete,
                                 (void *)(unsigned long)rf_tech);
        if (rc)
                kfree_skb(skb);
@@ -647,7 +1310,7 @@ static void digital_tg_recv_psl_req(struct nfc_digital_dev *ddev, void *arg,
        int rc;
        struct digital_psl_req *psl_req;
        u8 rf_tech;
-        u8 dsi;
+        u8 dsi, payload_size, payload_bits;
        if (IS_ERR(resp)) {
                rc = PTR_ERR(resp);
@@ -692,6 +1355,18 @@ static void digital_tg_recv_psl_req(struct nfc_digital_dev *ddev, void *arg,
                goto exit;
        }
+        payload_bits = DIGITAL_PAYLOAD_FSL_TO_BITS(psl_req->fsl);
+        payload_size = digital_payload_bits_to_size(payload_bits);
+        if (!payload_size || (payload_size > min(ddev->local_payload_max,
+                                                 ddev->remote_payload_max))) {
+                rc = -EINVAL;
+                goto exit;
+        }
+        ddev->local_payload_max = payload_size;
+        ddev->remote_payload_max = payload_size;
        rc = digital_tg_send_psl_res(ddev, psl_req->did, rf_tech);
 exit:
@@ -712,6 +1387,8 @@ static void digital_tg_send_atr_res_complete(struct nfc_digital_dev *ddev,
        if (resp->data[0] == DIGITAL_NFC_DEP_NFCA_SOD_SB)
                offset++;
+        ddev->atn_count = 0;
        if (resp->data[offset] == DIGITAL_CMD_PSL_REQ)
                digital_tg_recv_psl_req(ddev, arg, resp);
        else
@@ -723,7 +1400,7 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
 {
        struct digital_atr_res *atr_res;
        struct sk_buff *skb;
-        u8 *gb;
+        u8 *gb, payload_bits;
        size_t gb_len;
        int rc;
@@ -744,7 +1421,11 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
        atr_res->cmd = DIGITAL_CMD_ATR_RES;
        memcpy(atr_res->nfcid3, atr_req->nfcid3, sizeof(atr_req->nfcid3));
        atr_res->to = 8;
-        atr_res->pp = DIGITAL_LR_BITS_PAYLOAD_SIZE_254B;
+        ddev->local_payload_max = DIGITAL_PAYLOAD_SIZE_MAX;
+        payload_bits = digital_payload_size_to_bits(ddev->local_payload_max);
+        atr_res->pp = DIGITAL_PAYLOAD_BITS_TO_PP(payload_bits);
        if (gb_len) {
                skb_put(skb, gb_len);
@@ -756,12 +1437,12 @@ static int digital_tg_send_atr_res(struct nfc_digital_dev *ddev,
        ddev->skb_add_crc(skb);
+        ddev->curr_nfc_dep_pni = 0;
        rc = digital_tg_send_cmd(ddev, skb, 999,
                                 digital_tg_send_atr_res_complete, NULL);
-        if (rc) {
+        if (rc)
                kfree_skb(skb);
-                return rc;
-        }
        return rc;
 }
@@ -772,7 +1453,7 @@ void digital_tg_recv_atr_req(struct nfc_digital_dev *ddev, void *arg,
        int rc;
        struct digital_atr_req *atr_req;
        size_t gb_len, min_size;
-        u8 poll_tech_count;
+        u8 poll_tech_count, payload_bits;
        if (IS_ERR(resp)) {
                rc = PTR_ERR(resp);
@@ -815,11 +1496,22 @@ void digital_tg_recv_atr_req(struct nfc_digital_dev *ddev, void *arg,
        atr_req = (struct digital_atr_req *)resp->data;
        if (atr_req->dir != DIGITAL_NFC_DEP_FRAME_DIR_OUT ||
-            atr_req->cmd != DIGITAL_CMD_ATR_REQ) {
+            atr_req->cmd != DIGITAL_CMD_ATR_REQ ||
+            atr_req->did > DIGITAL_DID_MAX) {
                rc = -EINVAL;
                goto exit;
        }
+        payload_bits = DIGITAL_PAYLOAD_PP_TO_BITS(atr_req->pp);
+        ddev->remote_payload_max = digital_payload_bits_to_size(payload_bits);
+        if (!ddev->remote_payload_max) {
+                rc = -EINVAL;
+                goto exit;
+        }
+        ddev->did = atr_req->did;
        rc = digital_tg_configure_hw(ddev, NFC_DIGITAL_CONFIG_FRAMING,
                                     NFC_DIGITAL_FRAMING_NFC_DEP_ACTIVATED);
        if (rc)
diff --git a/net/nfc/hci/command.c b/net/nfc/hci/command.c
index 677d24bb70f8..91df487aa0a9 100644
--- a/net/nfc/hci/command.c
+++ b/net/nfc/hci/command.c
@@ -345,6 +345,9 @@ int nfc_hci_connect_gate(struct nfc_hci_dev *hdev, u8 dest_host, u8 dest_gate,
        pr_debug("\n");
+        if (hdev->gate2pipe[dest_gate] == NFC_HCI_DO_NOT_CREATE_PIPE)
+                return 0;
        if (hdev->gate2pipe[dest_gate] != NFC_HCI_INVALID_PIPE)
                return -EADDRINUSE;
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index 117708263ced..ef50e7716c4a 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -167,6 +167,48 @@ exit:
 void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
                          struct sk_buff *skb)
 {
+        int r = 0;
+        u8 gate = nfc_hci_pipe2gate(hdev, pipe);
+        u8 local_gate, new_pipe;
+        u8 gate_opened = 0x00;
+        pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
+        switch (cmd) {
+        case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
+                if (skb->len != 5) {
+                        r = -EPROTO;
+                        break;
+                }
+                local_gate = skb->data[3];
+                new_pipe = skb->data[4];
+                nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK, NULL, 0);
+                /* save the new created pipe and bind with local gate,
+                 * the description for skb->data[3] is destination gate id
+                 * but since we received this cmd from host controller, we
+                 * are the destination and it is our local gate
+                 */
+                hdev->gate2pipe[local_gate] = new_pipe;
+                break;
+        case NFC_HCI_ANY_OPEN_PIPE:
+                /* if the pipe is already created, we allow remote host to
+                 * open it
+                 */
+                if (gate != 0xff)
+                        nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK,
+                                              &gate_opened, 1);
+                break;
+        case NFC_HCI_ADM_NOTIFY_ALL_PIPE_CLEARED:
+                nfc_hci_send_response(hdev, gate, NFC_HCI_ANY_OK, NULL, 0);
+                break;
+        default:
+                pr_info("Discarded unknown cmd %x to gate %x\n", cmd, gate);
+                r = -EINVAL;
+                break;
+        }
        kfree_skb(skb);
 }
@@ -717,6 +759,19 @@ static int hci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx)
        return 0;
 }
+static int hci_se_io(struct nfc_dev *nfc_dev, u32 se_idx,
+                     u8 *apdu, size_t apdu_length,
+                     se_io_cb_t cb, void *cb_context)
+{
+        struct nfc_hci_dev *hdev = nfc_get_drvdata(nfc_dev);
+        if (hdev->ops->se_io)
+                return hdev->ops->se_io(hdev, se_idx, apdu,
+                                        apdu_length, cb, cb_context);
+        return 0;
+}
 static void nfc_hci_failure(struct nfc_hci_dev *hdev, int err)
 {
        mutex_lock(&hdev->msg_tx_mutex);
@@ -830,6 +885,7 @@ static struct nfc_ops hci_nfc_ops = {
        .discover_se = hci_discover_se,
        .enable_se = hci_enable_se,
        .disable_se = hci_disable_se,
+        .se_io = hci_se_io,
 };
 struct nfc_hci_dev *nfc_hci_allocate_device(struct nfc_hci_ops *ops,
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index a3ad69a4c648..c3435f8b20b4 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -401,7 +401,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
        u8 *miux_tlv = NULL, miux_tlv_length;
        u8 *rw_tlv = NULL, rw_tlv_length, rw;
        int err;
-        u16 size = 0, miux;
+        u16 size = 0;
+        __be16 miux;
        pr_debug("Sending CONNECT\n");
@@ -465,7 +466,8 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
        u8 *miux_tlv = NULL, miux_tlv_length;
        u8 *rw_tlv = NULL, rw_tlv_length, rw;
        int err;
-        u16 size = 0, miux;
+        u16 size = 0;
+        __be16 miux;
        pr_debug("Sending CC\n");
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 51e788797317..b18f07ccb504 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1,5 +1,6 @@
 /*
 * Copyright (C) 2011  Intel Corporation. All rights reserved.
+ * Copyright (C) 2014 Marvell International Ltd.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -1511,8 +1512,10 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
        struct nfc_llcp_local *local;
        local = nfc_llcp_find_local(dev);
-        if (local == NULL)
+        if (local == NULL) {
+                kfree_skb(skb);
                return -ENODEV;
+        }
        __nfc_llcp_recv(local, skb);
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 51f077a92fa9..4894c415c441 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -524,13 +524,13 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr,
 static inline unsigned int llcp_accept_poll(struct sock *parent)
 {
-        struct nfc_llcp_sock *llcp_sock, *n, *parent_sock;
+        struct nfc_llcp_sock *llcp_sock, *parent_sock;
        struct sock *sk;
        parent_sock = nfc_llcp_sock(parent);
-        list_for_each_entry_safe(llcp_sock, n, &parent_sock->accept_queue,
+        list_for_each_entry(llcp_sock, &parent_sock->accept_queue,
-                                 accept_queue) {
+                            accept_queue) {
                sk = &llcp_sock->sk;
                if (sk->sk_state == LLCP_CONNECTED)
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 90b16cb40058..51feb5e63008 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -3,6 +3,7 @@
 *  NFC Controller (NFCC) and a Device Host (DH).
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
+ *  Copyright (C) 2014 Marvell International Ltd.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
@@ -196,18 +197,24 @@ static void nci_set_config_req(struct nci_dev *ndev, unsigned long opt)
        nci_send_cmd(ndev, NCI_OP_CORE_SET_CONFIG_CMD, (3 + param->len), &cmd);
 }
+struct nci_rf_discover_param {
+        __u32   im_protocols;
+        __u32   tm_protocols;
+};
 static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
 {
+        struct nci_rf_discover_param *param =
+                (struct nci_rf_discover_param *)opt;
        struct nci_rf_disc_cmd cmd;
-        __u32 protocols = opt;
        cmd.num_disc_configs = 0;
        if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_JEWEL_MASK ||
+            (param->im_protocols & NFC_PROTO_JEWEL_MASK ||
-             protocols & NFC_PROTO_MIFARE_MASK ||
+             param->im_protocols & NFC_PROTO_MIFARE_MASK ||
-             protocols & NFC_PROTO_ISO14443_MASK ||
+             param->im_protocols & NFC_PROTO_ISO14443_MASK ||
-             protocols & NFC_PROTO_NFC_DEP_MASK)) {
+             param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                        NCI_NFC_A_PASSIVE_POLL_MODE;
                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -215,7 +222,7 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
        }
        if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_ISO14443_B_MASK)) {
+            (param->im_protocols & NFC_PROTO_ISO14443_B_MASK)) {
                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                        NCI_NFC_B_PASSIVE_POLL_MODE;
                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -223,8 +230,8 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
        }
        if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_FELICA_MASK ||
+            (param->im_protocols & NFC_PROTO_FELICA_MASK ||
-             protocols & NFC_PROTO_NFC_DEP_MASK)) {
+             param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                        NCI_NFC_F_PASSIVE_POLL_MODE;
                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -232,13 +239,25 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
        }
        if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_ISO15693_MASK)) {
+            (param->im_protocols & NFC_PROTO_ISO15693_MASK)) {
                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                        NCI_NFC_V_PASSIVE_POLL_MODE;
                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
                cmd.num_disc_configs++;
        }
+        if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS - 1) &&
+            (param->tm_protocols & NFC_PROTO_NFC_DEP_MASK)) {
+                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
+                        NCI_NFC_A_PASSIVE_LISTEN_MODE;
+                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
+                cmd.num_disc_configs++;
+                cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
+                        NCI_NFC_F_PASSIVE_LISTEN_MODE;
+                cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
+                cmd.num_disc_configs++;
+        }
        nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_CMD,
                     (1 + (cmd.num_disc_configs * sizeof(struct disc_config))),
                     &cmd);
@@ -280,7 +299,7 @@ static void nci_rf_deactivate_req(struct nci_dev *ndev, unsigned long opt)
 {
        struct nci_rf_deactivate_cmd cmd;
-        cmd.type = NCI_DEACTIVATE_TYPE_IDLE_MODE;
+        cmd.type = opt;
        nci_send_cmd(ndev, NCI_OP_RF_DEACTIVATE_CMD,
                     sizeof(struct nci_rf_deactivate_cmd), &cmd);
@@ -441,6 +460,7 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
 {
        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
        struct nci_set_config_param param;
+        int rc;
        param.val = nfc_get_local_general_bytes(nfc_dev, &param.len);
        if ((param.val == NULL) || (param.len == 0))
@@ -451,14 +471,45 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
        param.id = NCI_PN_ATR_REQ_GEN_BYTES;
+        rc = nci_request(ndev, nci_set_config_req, (unsigned long)&param,
+                         msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
+        if (rc)
+                return rc;
+        param.id = NCI_LN_ATR_RES_GEN_BYTES;
        return nci_request(ndev, nci_set_config_req, (unsigned long)&param,
                           msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
 }
+static int nci_set_listen_parameters(struct nfc_dev *nfc_dev)
+{
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        int rc;
+        __u8 val;
+        val = NCI_LA_SEL_INFO_NFC_DEP_MASK;
+        rc = nci_set_config(ndev, NCI_LA_SEL_INFO, 1, &val);
+        if (rc)
+                return rc;
+        val = NCI_LF_PROTOCOL_TYPE_NFC_DEP_MASK;
+        rc = nci_set_config(ndev, NCI_LF_PROTOCOL_TYPE, 1, &val);
+        if (rc)
+                return rc;
+        val = NCI_LF_CON_BITR_F_212 | NCI_LF_CON_BITR_F_424;
+        return nci_set_config(ndev, NCI_LF_CON_BITR_F, 1, &val);
+}
 static int nci_start_poll(struct nfc_dev *nfc_dev,
                          __u32 im_protocols, __u32 tm_protocols)
 {
        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        struct nci_rf_discover_param param;
        int rc;
        if ((atomic_read(&ndev->state) == NCI_DISCOVERY) ||
@@ -476,13 +527,14 @@ static int nci_start_poll(struct nfc_dev *nfc_dev,
            (atomic_read(&ndev->state) == NCI_POLL_ACTIVE)) {
                pr_debug("target active or w4 select, implicitly deactivate\n");
-                rc = nci_request(ndev, nci_rf_deactivate_req, 0,
+                rc = nci_request(ndev, nci_rf_deactivate_req,
+                                 NCI_DEACTIVATE_TYPE_IDLE_MODE,
                                 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
                if (rc)
                        return -EBUSY;
        }
-        if (im_protocols & NFC_PROTO_NFC_DEP_MASK) {
+        if ((im_protocols | tm_protocols) & NFC_PROTO_NFC_DEP_MASK) {
                rc = nci_set_local_general_bytes(nfc_dev);
                if (rc) {
                        pr_err("failed to set local general bytes\n");
@@ -490,7 +542,15 @@ static int nci_start_poll(struct nfc_dev *nfc_dev,
                }
        }
-        rc = nci_request(ndev, nci_rf_discover_req, im_protocols,
+        if (tm_protocols & NFC_PROTO_NFC_DEP_MASK) {
+                rc = nci_set_listen_parameters(nfc_dev);
+                if (rc)
+                        pr_err("failed to set listen parameters\n");
+        }
+        param.im_protocols = im_protocols;
+        param.tm_protocols = tm_protocols;
+        rc = nci_request(ndev, nci_rf_discover_req, (unsigned long)&param,
                         msecs_to_jiffies(NCI_RF_DISC_TIMEOUT));
        if (!rc)
@@ -509,7 +569,7 @@ static void nci_stop_poll(struct nfc_dev *nfc_dev)
                return;
        }
-        nci_request(ndev, nci_rf_deactivate_req, 0,
+        nci_request(ndev, nci_rf_deactivate_req, NCI_DEACTIVATE_TYPE_IDLE_MODE,
                    msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
 }
@@ -594,7 +654,8 @@ static void nci_deactivate_target(struct nfc_dev *nfc_dev,
        ndev->target_active_prot = 0;
        if (atomic_read(&ndev->state) == NCI_POLL_ACTIVE) {
-                nci_request(ndev, nci_rf_deactivate_req, 0,
+                nci_request(ndev, nci_rf_deactivate_req,
+                            NCI_DEACTIVATE_TYPE_SLEEP_MODE,
                            msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
        }
 }
@@ -622,9 +683,24 @@ static int nci_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
 static int nci_dep_link_down(struct nfc_dev *nfc_dev)
 {
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        int rc;
        pr_debug("entry\n");
-        nci_deactivate_target(nfc_dev, NULL);
+        if (nfc_dev->rf_mode == NFC_RF_INITIATOR) {
+                nci_deactivate_target(nfc_dev, NULL);
+        } else {
+                if (atomic_read(&ndev->state) == NCI_LISTEN_ACTIVE ||
+                    atomic_read(&ndev->state) == NCI_DISCOVERY) {
+                        nci_request(ndev, nci_rf_deactivate_req, 0,
+                                msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
+                }
+                rc = nfc_tm_deactivated(nfc_dev);
+                if (rc)
+                        pr_err("error when signaling tm deactivation\n");
+        }
        return 0;
 }
@@ -658,18 +734,58 @@ static int nci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
        return rc;
 }
+static int nci_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
+{
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        int rc;
+        rc = nci_send_data(ndev, NCI_STATIC_RF_CONN_ID, skb);
+        if (rc)
+                pr_err("unable to send data\n");
+        return rc;
+}
 static int nci_enable_se(struct nfc_dev *nfc_dev, u32 se_idx)
 {
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        if (ndev->ops->enable_se)
+                return ndev->ops->enable_se(ndev, se_idx);
        return 0;
 }
 static int nci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx)
 {
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        if (ndev->ops->disable_se)
+                return ndev->ops->disable_se(ndev, se_idx);
        return 0;
 }
 static int nci_discover_se(struct nfc_dev *nfc_dev)
 {
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        if (ndev->ops->discover_se)
+                return ndev->ops->discover_se(ndev);
+        return 0;
+}
+static int nci_se_io(struct nfc_dev *nfc_dev, u32 se_idx,
+                     u8 *apdu, size_t apdu_length,
+                     se_io_cb_t cb, void *cb_context)
+{
+        struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
+        if (ndev->ops->se_io)
+                return ndev->ops->se_io(ndev, se_idx, apdu,
+                                apdu_length, cb, cb_context);
        return 0;
 }
@@ -683,9 +799,11 @@ static struct nfc_ops nci_nfc_ops = {
        .activate_target = nci_activate_target,
        .deactivate_target = nci_deactivate_target,
        .im_transceive = nci_transceive,
+        .tm_send = nci_tm_send,
        .enable_se = nci_enable_se,
        .disable_se = nci_disable_se,
        .discover_se = nci_discover_se,
+        .se_io = nci_se_io,
 };
 /* ---- Interface to NCI drivers ---- */
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 427ef2c7ab68..a2de2a8cb00e 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -3,6 +3,7 @@
 *  NFC Controller (NFCC) and a Device Host (DH).
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
+ *  Copyright (C) 2014 Marvell International Ltd.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
@@ -184,11 +185,16 @@ exit:
 static void nci_add_rx_data_frag(struct nci_dev *ndev,
                                 struct sk_buff *skb,
-                                 __u8 pbf)
+                                 __u8 pbf, __u8 status)
 {
        int reassembly_len;
        int err = 0;
+        if (status) {
+                err = status;
+                goto exit;
+        }
        if (ndev->rx_data_reassembly) {
                reassembly_len = ndev->rx_data_reassembly->len;
@@ -223,13 +229,24 @@ static void nci_add_rx_data_frag(struct nci_dev *ndev,
        }
 exit:
-        nci_data_exchange_complete(ndev, skb, err);
+        if (ndev->nfc_dev->rf_mode == NFC_RF_INITIATOR) {
+                nci_data_exchange_complete(ndev, skb, err);
+        } else if (ndev->nfc_dev->rf_mode == NFC_RF_TARGET) {
+                /* Data received in Target mode, forward to nfc core */
+                err = nfc_tm_data_received(ndev->nfc_dev, skb);
+                if (err)
+                        pr_err("unable to handle received data\n");
+        } else {
+                pr_err("rf mode unknown\n");
+                kfree_skb(skb);
+        }
 }
 /* Rx Data packet */
 void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
 {
        __u8 pbf = nci_pbf(skb->data);
+        __u8 status = 0;
        pr_debug("len %d\n", skb->len);
@@ -247,8 +264,9 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
            ndev->target_active_prot == NFC_PROTO_ISO15693) {
                /* frame I/F => remove the status byte */
                pr_debug("frame I/F => remove the status byte\n");
+                status = skb->data[skb->len - 1];
                skb_trim(skb, (skb->len - 1));
        }
-        nci_add_rx_data_frag(ndev, skb, pbf);
+        nci_add_rx_data_frag(ndev, skb, pbf, nci_to_errno(status));
 }
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index 205b35f666db..22e453cb787d 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -103,7 +103,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
                        struct rf_tech_specific_params_nfca_poll *nfca_poll,
                                                     __u8 *data)
 {
-        nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
+        nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
        data += 2;
        nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
@@ -167,7 +167,19 @@ static __u8 *nci_extract_rf_params_nfcv_passive_poll(struct nci_dev *ndev,
        return data;
 }
-__u32 nci_get_prop_rf_protocol(struct nci_dev *ndev, __u8 rf_protocol)
+static __u8 *nci_extract_rf_params_nfcf_passive_listen(struct nci_dev *ndev,
+                        struct rf_tech_specific_params_nfcf_listen *nfcf_listen,
+                                                     __u8 *data)
+{
+        nfcf_listen->local_nfcid2_len = min_t(__u8, *data++,
+                                              NFC_NFCID2_MAXSIZE);
+        memcpy(nfcf_listen->local_nfcid2, data, nfcf_listen->local_nfcid2_len);
+        data += nfcf_listen->local_nfcid2_len;
+        return data;
+}
+static __u32 nci_get_prop_rf_protocol(struct nci_dev *ndev, __u8 rf_protocol)
 {
        if (ndev->ops->get_rfprotocol)
                return ndev->ops->get_rfprotocol(ndev, rf_protocol);
@@ -401,17 +413,29 @@ static int nci_extract_activation_params_nfc_dep(struct nci_dev *ndev,
                        struct nci_rf_intf_activated_ntf *ntf, __u8 *data)
 {
        struct activation_params_poll_nfc_dep *poll;
+        struct activation_params_listen_nfc_dep *listen;
        switch (ntf->activation_rf_tech_and_mode) {
        case NCI_NFC_A_PASSIVE_POLL_MODE:
        case NCI_NFC_F_PASSIVE_POLL_MODE:
                poll = &ntf->activation_params.poll_nfc_dep;
-                poll->atr_res_len = min_t(__u8, *data++, 63);
+                poll->atr_res_len = min_t(__u8, *data++,
+                                          NFC_ATR_RES_MAXSIZE - 2);
                pr_debug("atr_res_len %d\n", poll->atr_res_len);
                if (poll->atr_res_len > 0)
                        memcpy(poll->atr_res, data, poll->atr_res_len);
                break;
+        case NCI_NFC_A_PASSIVE_LISTEN_MODE:
+        case NCI_NFC_F_PASSIVE_LISTEN_MODE:
+                listen = &ntf->activation_params.listen_nfc_dep;
+                listen->atr_req_len = min_t(__u8, *data++,
+                                            NFC_ATR_REQ_MAXSIZE - 2);
+                pr_debug("atr_req_len %d\n", listen->atr_req_len);
+                if (listen->atr_req_len > 0)
+                        memcpy(listen->atr_req, data, listen->atr_req_len);
+                break;
        default:
                pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
                       ntf->activation_rf_tech_and_mode);
@@ -444,6 +468,48 @@ static void nci_target_auto_activated(struct nci_dev *ndev,
        nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets);
 }
+static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev,
+                struct nci_rf_intf_activated_ntf *ntf)
+{
+        ndev->remote_gb_len = 0;
+        if (ntf->activation_params_len <= 0)
+                return NCI_STATUS_OK;
+        switch (ntf->activation_rf_tech_and_mode) {
+        case NCI_NFC_A_PASSIVE_POLL_MODE:
+        case NCI_NFC_F_PASSIVE_POLL_MODE:
+                ndev->remote_gb_len = min_t(__u8,
+                        (ntf->activation_params.poll_nfc_dep.atr_res_len
+                                                - NFC_ATR_RES_GT_OFFSET),
+                        NFC_ATR_RES_GB_MAXSIZE);
+                memcpy(ndev->remote_gb,
+                       (ntf->activation_params.poll_nfc_dep.atr_res
+                                                + NFC_ATR_RES_GT_OFFSET),
+                       ndev->remote_gb_len);
+                break;
+        case NCI_NFC_A_PASSIVE_LISTEN_MODE:
+        case NCI_NFC_F_PASSIVE_LISTEN_MODE:
+                ndev->remote_gb_len = min_t(__u8,
+                        (ntf->activation_params.listen_nfc_dep.atr_req_len
+                                                - NFC_ATR_REQ_GT_OFFSET),
+                        NFC_ATR_REQ_GB_MAXSIZE);
+                memcpy(ndev->remote_gb,
+                       (ntf->activation_params.listen_nfc_dep.atr_req
+                                                + NFC_ATR_REQ_GT_OFFSET),
+                       ndev->remote_gb_len);
+                break;
+        default:
+                pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
+                       ntf->activation_rf_tech_and_mode);
+                return NCI_STATUS_RF_PROTOCOL_ERROR;
+        }
+        return NCI_STATUS_OK;
+}
 static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
                                             struct sk_buff *skb)
 {
@@ -493,6 +559,16 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
                                &(ntf.rf_tech_specific_params.nfcv_poll), data);
                        break;
+                case NCI_NFC_A_PASSIVE_LISTEN_MODE:
+                        /* no RF technology specific parameters */
+                        break;
+                case NCI_NFC_F_PASSIVE_LISTEN_MODE:
+                        data = nci_extract_rf_params_nfcf_passive_listen(ndev,
+                                &(ntf.rf_tech_specific_params.nfcf_listen),
+                                data);
+                        break;
                default:
                        pr_err("unsupported activation_rf_tech_and_mode 0x%x\n",
                               ntf.activation_rf_tech_and_mode);
@@ -546,32 +622,39 @@ exit:
                /* store general bytes to be reported later in dep_link_up */
                if (ntf.rf_interface == NCI_RF_INTERFACE_NFC_DEP) {
-                        ndev->remote_gb_len = 0;
+                        err = nci_store_general_bytes_nfc_dep(ndev, &ntf);
+                        if (err != NCI_STATUS_OK)
-                        if (ntf.activation_params_len > 0) {
+                                pr_err("unable to store general bytes\n");
-                                /* ATR_RES general bytes at offset 15 */
-                                ndev->remote_gb_len = min_t(__u8,
-                                        (ntf.activation_params
-                                        .poll_nfc_dep.atr_res_len
-                                        - NFC_ATR_RES_GT_OFFSET),
-                                        NFC_MAX_GT_LEN);
-                                memcpy(ndev->remote_gb,
-                                       (ntf.activation_params.poll_nfc_dep
-                                       .atr_res + NFC_ATR_RES_GT_OFFSET),
-                                       ndev->remote_gb_len);
-                        }
                }
        }
-        if (atomic_read(&ndev->state) == NCI_DISCOVERY) {
+        if (!(ntf.activation_rf_tech_and_mode & NCI_RF_TECH_MODE_LISTEN_MASK)) {
-                /* A single target was found and activated automatically */
+                /* Poll mode */
-                atomic_set(&ndev->state, NCI_POLL_ACTIVE);
+                if (atomic_read(&ndev->state) == NCI_DISCOVERY) {
-                if (err == NCI_STATUS_OK)
+                        /* A single target was found and activated
-                        nci_target_auto_activated(ndev, &ntf);
+                         * automatically */
-        } else {        /* ndev->state == NCI_W4_HOST_SELECT */
+                        atomic_set(&ndev->state, NCI_POLL_ACTIVE);
-                /* A selected target was activated, so complete the request */
+                        if (err == NCI_STATUS_OK)
-                atomic_set(&ndev->state, NCI_POLL_ACTIVE);
+                                nci_target_auto_activated(ndev, &ntf);
-                nci_req_complete(ndev, err);
+                } else {        /* ndev->state == NCI_W4_HOST_SELECT */
+                        /* A selected target was activated, so complete the
+                         * request */
+                        atomic_set(&ndev->state, NCI_POLL_ACTIVE);
+                        nci_req_complete(ndev, err);
+                }
+        } else {
+                /* Listen mode */
+                atomic_set(&ndev->state, NCI_LISTEN_ACTIVE);
+                if (err == NCI_STATUS_OK &&
+                    ntf.rf_protocol == NCI_RF_PROTOCOL_NFC_DEP) {
+                        err = nfc_tm_activated(ndev->nfc_dev,
+                                               NFC_PROTO_NFC_DEP_MASK,
+                                               NFC_COMM_PASSIVE,
+                                               ndev->remote_gb,
+                                               ndev->remote_gb_len);
+                        if (err != NCI_STATUS_OK)
+                                pr_err("error when signaling tm activation\n");
+                }
        }
 }
@@ -595,8 +678,21 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev,
        if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags))
                nci_data_exchange_complete(ndev, NULL, -EIO);
-        nci_clear_target_list(ndev);
+        switch (ntf->type) {
-        atomic_set(&ndev->state, NCI_IDLE);
+        case NCI_DEACTIVATE_TYPE_IDLE_MODE:
+                nci_clear_target_list(ndev);
+                atomic_set(&ndev->state, NCI_IDLE);
+                break;
+        case NCI_DEACTIVATE_TYPE_SLEEP_MODE:
+        case NCI_DEACTIVATE_TYPE_SLEEP_AF_MODE:
+                atomic_set(&ndev->state, NCI_W4_HOST_SELECT);
+                break;
+        case NCI_DEACTIVATE_TYPE_DISCOVERY:
+                nci_clear_target_list(ndev);
+                atomic_set(&ndev->state, NCI_DISCOVERY);
+                break;
+        }
        nci_req_complete(ndev, NCI_STATUS_OK);
 }
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 43cb1c17e267..44989fc8cddf 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -810,6 +810,31 @@ out:
        return rc;
 }
+static int nfc_genl_activate_target(struct sk_buff *skb, struct genl_info *info)
+{
+        struct nfc_dev *dev;
+        u32 device_idx, target_idx, protocol;
+        int rc;
+        if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
+                return -EINVAL;
+        device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
+        dev = nfc_get_device(device_idx);
+        if (!dev)
+                return -ENODEV;
+        target_idx = nla_get_u32(info->attrs[NFC_ATTR_TARGET_INDEX]);
+        protocol = nla_get_u32(info->attrs[NFC_ATTR_PROTOCOLS]);
+        nfc_deactivate_target(dev, target_idx);
+        rc = nfc_activate_target(dev, target_idx, protocol);
+        nfc_put_device(dev);
+        return 0;
+}
 static int nfc_genl_dep_link_up(struct sk_buff *skb, struct genl_info *info)
 {
        struct nfc_dev *dev;
@@ -1285,6 +1310,51 @@ static int nfc_genl_dump_ses_done(struct netlink_callback *cb)
        return 0;
 }
+static int nfc_se_io(struct nfc_dev *dev, u32 se_idx,
+                     u8 *apdu, size_t apdu_length,
+                     se_io_cb_t cb, void *cb_context)
+{
+        struct nfc_se *se;
+        int rc;
+        pr_debug("%s se index %d\n", dev_name(&dev->dev), se_idx);
+        device_lock(&dev->dev);
+        if (!device_is_registered(&dev->dev)) {
+                rc = -ENODEV;
+                goto error;
+        }
+        if (!dev->dev_up) {
+                rc = -ENODEV;
+                goto error;
+        }
+        if (!dev->ops->se_io) {
+                rc = -EOPNOTSUPP;
+                goto error;
+        }
+        se = nfc_find_se(dev, se_idx);
+        if (!se) {
+                rc = -EINVAL;
+                goto error;
+        }
+        if (se->state != NFC_SE_ENABLED) {
+                rc = -ENODEV;
+                goto error;
+        }
+        rc = dev->ops->se_io(dev, se_idx, apdu,
+                        apdu_length, cb, cb_context);
+error:
+        device_unlock(&dev->dev);
+        return rc;
+}
 struct se_io_ctx {
        u32 dev_idx;
        u32 se_idx;
@@ -1367,7 +1437,7 @@ static int nfc_genl_se_io(struct sk_buff *skb, struct genl_info *info)
        ctx->dev_idx = dev_idx;
        ctx->se_idx = se_idx;
-        return dev->ops->se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx);
+        return nfc_se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx);
 }
 static const struct genl_ops nfc_genl_ops[] = {
@@ -1455,6 +1525,11 @@ static const struct genl_ops nfc_genl_ops[] = {
                .doit = nfc_genl_se_io,
                .policy = nfc_genl_policy,
        },
+        {
+                .cmd = NFC_CMD_ACTIVATE_TARGET,
+                .doit = nfc_genl_activate_target,
+                .policy = nfc_genl_policy,
+        },
 };
diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
index 29c8675f9a11..22ba971741e5 100644
--- a/net/wireless/Kconfig
+++ b/net/wireless/Kconfig
@@ -175,7 +175,7 @@ config CFG80211_INTERNAL_REGDB
          Most distributions have a CRDA package.  So if unsure, say N.
 config CFG80211_WEXT
-        bool "cfg80211 wireless extensions compatibility"
+        bool
        depends on CFG80211
        select WEXT_CORE
        help
diff --git a/net/wireless/Makefile b/net/wireless/Makefile
index a761670af31d..4c9e39f04ef8 100644
--- a/net/wireless/Makefile
+++ b/net/wireless/Makefile
@@ -10,7 +10,7 @@ obj-$(CONFIG_WEXT_SPY) += wext-spy.o
 obj-$(CONFIG_WEXT_PRIV) += wext-priv.o
 cfg80211-y += core.o sysfs.o radiotap.o util.o reg.o scan.o nl80211.o
-cfg80211-y += mlme.o ibss.o sme.o chan.o ethtool.o mesh.o ap.o trace.o
+cfg80211-y += mlme.o ibss.o sme.o chan.o ethtool.o mesh.o ap.o trace.o ocb.o
 cfg80211-$(CONFIG_CFG80211_DEBUGFS) += debugfs.o
 cfg80211-$(CONFIG_CFG80211_WEXT) += wext-compat.o wext-sme.o
 cfg80211-$(CONFIG_CFG80211_INTERNAL_REGDB) += regdb.o
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index 72d81e2154d5..85506f1d0789 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -115,7 +115,7 @@ bool cfg80211_chandef_valid(const struct cfg80211_chan_def *chandef)
 EXPORT_SYMBOL(cfg80211_chandef_valid);
 static void chandef_primary_freqs(const struct cfg80211_chan_def *c,
-                                  int *pri40, int *pri80)
+                                  u32 *pri40, u32 *pri80)
 {
        int tmp;
@@ -366,6 +366,7 @@ int cfg80211_chandef_dfs_required(struct wiphy *wiphy,
                break;
        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_OCB:
        case NL80211_IFTYPE_P2P_CLIENT:
        case NL80211_IFTYPE_MONITOR:
        case NL80211_IFTYPE_AP_VLAN:
@@ -892,6 +893,13 @@ cfg80211_get_chan_state(struct wireless_dev *wdev,
                                *radar_detect |= BIT(wdev->chandef.width);
                }
                return;
+        case NL80211_IFTYPE_OCB:
+                if (wdev->chandef.chan) {
+                        *chan = wdev->chandef.chan;
+                        *chanmode = CHAN_MODE_SHARED;
+                        return;
+                }
+                break;
        case NL80211_IFTYPE_MONITOR:
        case NL80211_IFTYPE_AP_VLAN:
        case NL80211_IFTYPE_WDS:
diff --git a/net/wireless/core.c b/net/wireless/core.c
index f52a4cd7017c..53dda7728f86 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -86,11 +86,11 @@ struct wiphy *wiphy_idx_to_wiphy(int wiphy_idx)
        return &rdev->wiphy;
 }
-int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
+static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev,
-                        char *newname)
+                                   const char *newname)
 {
        struct cfg80211_registered_device *rdev2;
-        int wiphy_idx, taken = -1, result, digits;
+        int wiphy_idx, taken = -1, digits;
        ASSERT_RTNL();
@@ -109,15 +109,28 @@ int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
                        return -EINVAL;
        }
+        /* Ensure another device does not already have this name. */
+        list_for_each_entry(rdev2, &cfg80211_rdev_list, list)
+                if (strcmp(newname, wiphy_name(&rdev2->wiphy)) == 0)
+                        return -EINVAL;
+        return 0;
+}
+int cfg80211_dev_rename(struct cfg80211_registered_device *rdev,
+                        char *newname)
+{
+        int result;
+        ASSERT_RTNL();
        /* Ignore nop renames */
-        if (strcmp(newname, dev_name(&rdev->wiphy.dev)) == 0)
+        if (strcmp(newname, wiphy_name(&rdev->wiphy)) == 0)
                return 0;
-        /* Ensure another device does not already have this name. */
+        result = cfg80211_dev_check_name(rdev, newname);
-        list_for_each_entry(rdev2, &cfg80211_rdev_list, list)
+        if (result < 0)
-                if (strcmp(newname, dev_name(&rdev2->wiphy.dev)) == 0)
+                return result;
-                        return -EINVAL;
        result = device_rename(&rdev->wiphy.dev, newname);
        if (result)
@@ -309,7 +322,8 @@ static void cfg80211_destroy_iface_wk(struct work_struct *work)
 /* exported functions */
-struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
+struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
+                           const char *requested_name)
 {
        static atomic_t wiphy_counter = ATOMIC_INIT(0);
@@ -346,7 +360,31 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
        rdev->wiphy_idx--;
        /* give it a proper name */
-        dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+        if (requested_name && requested_name[0]) {
+                int rv;
+                rtnl_lock();
+                rv = cfg80211_dev_check_name(rdev, requested_name);
+                if (rv < 0) {
+                        rtnl_unlock();
+                        goto use_default_name;
+                }
+                rv = dev_set_name(&rdev->wiphy.dev, "%s", requested_name);
+                rtnl_unlock();
+                if (rv)
+                        goto use_default_name;
+        } else {
+use_default_name:
+                /* NOTE:  This is *probably* safe w/out holding rtnl because of
+                 * the restrictions on phy names.  Probably this call could
+                 * fail if some other part of the kernel (re)named a device
+                 * phyX.  But, might should add some locking and check return
+                 * value, and use a different name if this one exists?
+                 */
+                dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+        }
        INIT_LIST_HEAD(&rdev->wdev_list);
        INIT_LIST_HEAD(&rdev->beacon_registrations);
@@ -406,7 +444,7 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
        return &rdev->wiphy;
 }
-EXPORT_SYMBOL(wiphy_new);
+EXPORT_SYMBOL(wiphy_new_nm);
 static int wiphy_verify_combinations(struct wiphy *wiphy)
 {
@@ -503,6 +541,24 @@ int wiphy_register(struct wiphy *wiphy)
                    !wiphy->wowlan->tcp))
                return -EINVAL;
 #endif
+        if (WARN_ON((wiphy->features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH) &&
+                    (!rdev->ops->tdls_channel_switch ||
+                     !rdev->ops->tdls_cancel_channel_switch)))
+                return -EINVAL;
+        /*
+         * if a wiphy has unsupported modes for regulatory channel enforcement,
+         * opt-out of enforcement checking
+         */
+        if (wiphy->interface_modes & ~(BIT(NL80211_IFTYPE_STATION) |
+                                       BIT(NL80211_IFTYPE_P2P_CLIENT) |
+                                       BIT(NL80211_IFTYPE_AP) |
+                                       BIT(NL80211_IFTYPE_P2P_GO) |
+                                       BIT(NL80211_IFTYPE_ADHOC) |
+                                       BIT(NL80211_IFTYPE_P2P_DEVICE) |
+                                       BIT(NL80211_IFTYPE_AP_VLAN) |
+                                       BIT(NL80211_IFTYPE_MONITOR)))
+                wiphy->regulatory_flags |= REGULATORY_IGNORE_STALE_KICKOFF;
        if (WARN_ON(wiphy->coalesce &&
                    (!wiphy->coalesce->n_rules ||
@@ -831,7 +887,22 @@ void __cfg80211_leave(struct cfg80211_registered_device *rdev,
        case NL80211_IFTYPE_P2P_GO:
                __cfg80211_stop_ap(rdev, dev, true);
                break;
-        default:
+        case NL80211_IFTYPE_OCB:
+                __cfg80211_leave_ocb(rdev, dev);
+                break;
+        case NL80211_IFTYPE_WDS:
+                /* must be handled by mac80211/driver, has no APIs */
+                break;
+        case NL80211_IFTYPE_P2P_DEVICE:
+                /* cannot happen, has no netdev */
+                break;
+        case NL80211_IFTYPE_AP_VLAN:
+        case NL80211_IFTYPE_MONITOR:
+                /* nothing to do */
+                break;
+        case NL80211_IFTYPE_UNSPECIFIED:
+        case NUM_NL80211_IFTYPES:
+                /* invalid */
                break;
        }
 }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 7e3a3cef7df9..faa5b1609aae 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -111,6 +111,7 @@ cfg80211_rdev_free_wowlan(struct cfg80211_registered_device *rdev)
            rdev->wiphy.wowlan_config->tcp->sock)
                sock_release(rdev->wiphy.wowlan_config->tcp->sock);
        kfree(rdev->wiphy.wowlan_config->tcp);
+        kfree(rdev->wiphy.wowlan_config->nd_config);
        kfree(rdev->wiphy.wowlan_config);
 #endif
 }
@@ -290,6 +291,18 @@ int cfg80211_set_mesh_channel(struct cfg80211_registered_device *rdev,
                              struct wireless_dev *wdev,
                              struct cfg80211_chan_def *chandef);
+/* OCB */
+int __cfg80211_join_ocb(struct cfg80211_registered_device *rdev,
+                        struct net_device *dev,
+                        struct ocb_setup *setup);
+int cfg80211_join_ocb(struct cfg80211_registered_device *rdev,
+                      struct net_device *dev,
+                      struct ocb_setup *setup);
+int __cfg80211_leave_ocb(struct cfg80211_registered_device *rdev,
+                         struct net_device *dev);
+int cfg80211_leave_ocb(struct cfg80211_registered_device *rdev,
+                       struct net_device *dev);
 /* AP */
 int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
                       struct net_device *dev, bool notify);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index cb9f5a44ffad..a17d6bc6b22c 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -209,7 +209,7 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
 }
 /* policy for the attributes */
-static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
+static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
        [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
        [NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
                                      .len = 20-1 },
@@ -388,13 +388,14 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
        [NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
        [NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
        [NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
-        [NL80211_ATTR_IFACE_SOCKET_OWNER] = { .type = NLA_FLAG },
+        [NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
        [NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
        [NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
        [NL80211_ATTR_TSID] = { .type = NLA_U8 },
        [NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
        [NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
        [NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
+        [NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
 };
 /* policy for the key attributes */
@@ -428,6 +429,7 @@ nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
        [NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
        [NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
        [NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
+        [NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
 };
 static const struct nla_policy
@@ -884,7 +886,12 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
                if (!wdev->current_bss)
                        return -ENOLINK;
                break;
-        default:
+        case NL80211_IFTYPE_UNSPECIFIED:
+        case NL80211_IFTYPE_OCB:
+        case NL80211_IFTYPE_MONITOR:
+        case NL80211_IFTYPE_P2P_DEVICE:
+        case NL80211_IFTYPE_WDS:
+        case NUM_NL80211_IFTYPES:
                return -EINVAL;
        }
@@ -1083,6 +1090,8 @@ static int nl80211_send_wowlan(struct sk_buff *msg,
        if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
                return -ENOBUFS;
+        /* TODO: send wowlan net detect */
        nla_nest_end(msg, nl_wowlan);
        return 0;
@@ -1514,8 +1523,8 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
                        if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
                                CMD(channel_switch, CHANNEL_SWITCH);
                        CMD(set_qos_map, SET_QOS_MAP);
-                        if (rdev->wiphy.flags &
+                        if (rdev->wiphy.features &
-                                        WIPHY_FLAG_SUPPORTS_WMM_ADMISSION)
+                                        NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
                                CMD(add_tx_ts, ADD_TX_TS);
                }
                /* add into the if now */
@@ -2308,7 +2317,8 @@ static inline u64 wdev_id(struct wireless_dev *wdev)
 static int nl80211_send_chandef(struct sk_buff *msg,
                                const struct cfg80211_chan_def *chandef)
 {
-        WARN_ON(!cfg80211_chandef_valid(chandef));
+        if (WARN_ON(!cfg80211_chandef_valid(chandef)))
+                return -EINVAL;
        if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
                        chandef->chan->center_freq))
@@ -2336,12 +2346,16 @@ static int nl80211_send_chandef(struct sk_buff *msg,
 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
                              struct cfg80211_registered_device *rdev,
-                              struct wireless_dev *wdev)
+                              struct wireless_dev *wdev, bool removal)
 {
        struct net_device *dev = wdev->netdev;
+        u8 cmd = NL80211_CMD_NEW_INTERFACE;
        void *hdr;
-        hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_INTERFACE);
+        if (removal)
+                cmd = NL80211_CMD_DEL_INTERFACE;
+        hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
        if (!hdr)
                return -1;
@@ -2408,7 +2422,7 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *
                        }
                        if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
                                               cb->nlh->nlmsg_seq, NLM_F_MULTI,
-                                               rdev, wdev) < 0) {
+                                               rdev, wdev, false) < 0) {
                                goto out;
                        }
                        if_idx++;
@@ -2436,7 +2450,7 @@ static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
                return -ENOMEM;
        if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
-                               rdev, wdev) < 0) {
+                               rdev, wdev, false) < 0) {
                nlmsg_free(msg);
                return -ENOBUFS;
        }
@@ -2582,7 +2596,7 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct vif_params params;
        struct wireless_dev *wdev;
-        struct sk_buff *msg;
+        struct sk_buff *msg, *event;
        int err;
        enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
        u32 flags;
@@ -2605,7 +2619,9 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
            !(rdev->wiphy.interface_modes & (1 << type)))
                return -EOPNOTSUPP;
-        if (type == NL80211_IFTYPE_P2P_DEVICE && info->attrs[NL80211_ATTR_MAC]) {
+        if ((type == NL80211_IFTYPE_P2P_DEVICE ||
+             rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
+            info->attrs[NL80211_ATTR_MAC]) {
                nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
                           ETH_ALEN);
                if (!is_valid_ether_addr(params.macaddr))
@@ -2634,12 +2650,15 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
        wdev = rdev_add_virtual_intf(rdev,
                                nla_data(info->attrs[NL80211_ATTR_IFNAME]),
                                type, err ? NULL : &flags, &params);
-        if (IS_ERR(wdev)) {
+        if (WARN_ON(!wdev)) {
+                nlmsg_free(msg);
+                return -EPROTO;
+        } else if (IS_ERR(wdev)) {
                nlmsg_free(msg);
                return PTR_ERR(wdev);
        }
-        if (info->attrs[NL80211_ATTR_IFACE_SOCKET_OWNER])
+        if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
                wdev->owner_nlportid = info->snd_portid;
        switch (type) {
@@ -2675,11 +2694,25 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
        }
        if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
-                               rdev, wdev) < 0) {
+                               rdev, wdev, false) < 0) {
                nlmsg_free(msg);
                return -ENOBUFS;
        }
+        event = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (event) {
+                if (nl80211_send_iface(event, 0, 0, 0,
+                                       rdev, wdev, false) < 0) {
+                        nlmsg_free(event);
+                        goto out;
+                }
+                genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
+                                        event, 0, NL80211_MCGRP_CONFIG,
+                                        GFP_KERNEL);
+        }
+out:
        return genlmsg_reply(msg, info);
 }
@@ -2687,10 +2720,18 @@ static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct wireless_dev *wdev = info->user_ptr[1];
+        struct sk_buff *msg;
+        int status;
        if (!rdev->ops->del_virtual_intf)
                return -EOPNOTSUPP;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (msg && nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, true) < 0) {
+                nlmsg_free(msg);
+                msg = NULL;
+        }
        /*
         * If we remove a wireless device without a netdev then clear
         * user_ptr[1] so that nl80211_post_doit won't dereference it
@@ -2701,7 +2742,15 @@ static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
        if (!wdev->netdev)
                info->user_ptr[1] = NULL;
-        return rdev_del_virtual_intf(rdev, wdev);
+        status = rdev_del_virtual_intf(rdev, wdev);
+        if (status >= 0 && msg)
+                genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
+                                        msg, 0, NL80211_MCGRP_CONFIG,
+                                        GFP_KERNEL);
+        else
+                nlmsg_free(msg);
+        return status;
 }
 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
@@ -4398,10 +4447,12 @@ static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
-        u8 *mac_addr = NULL;
+        struct station_del_parameters params;
+        memset(&params, 0, sizeof(params));
        if (info->attrs[NL80211_ATTR_MAC])
-                mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+                params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
@@ -4412,7 +4463,28 @@ static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
        if (!rdev->ops->del_station)
                return -EOPNOTSUPP;
-        return rdev_del_station(rdev, dev, mac_addr);
+        if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
+                params.subtype =
+                        nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
+                if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
+                    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
+                        return -EINVAL;
+        } else {
+                /* Default to Deauthentication frame */
+                params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
+        }
+        if (info->attrs[NL80211_ATTR_REASON_CODE]) {
+                params.reason_code =
+                        nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
+                if (params.reason_code == 0)
+                        return -EINVAL; /* 0 is reserved */
+        } else {
+                /* Default to reason code 2 */
+                params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
+        }
+        return rdev_del_station(rdev, dev, &params);
 }
 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
@@ -4423,7 +4495,7 @@ static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
        void *hdr;
        struct nlattr *pinfoattr;
-        hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_STATION);
+        hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
        if (!hdr)
                return -1;
@@ -4624,6 +4696,96 @@ static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
        return rdev_del_mpath(rdev, dev, dst);
 }
+static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        int err;
+        struct net_device *dev = info->user_ptr[1];
+        struct mpath_info pinfo;
+        struct sk_buff *msg;
+        u8 *dst = NULL;
+        u8 mpp[ETH_ALEN];
+        memset(&pinfo, 0, sizeof(pinfo));
+        if (!info->attrs[NL80211_ATTR_MAC])
+                return -EINVAL;
+        dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
+        if (!rdev->ops->get_mpp)
+                return -EOPNOTSUPP;
+        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
+                return -EOPNOTSUPP;
+        err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
+        if (err)
+                return err;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return -ENOMEM;
+        if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
+                               dev, dst, mpp, &pinfo) < 0) {
+                nlmsg_free(msg);
+                return -ENOBUFS;
+        }
+        return genlmsg_reply(msg, info);
+}
+static int nl80211_dump_mpp(struct sk_buff *skb,
+                            struct netlink_callback *cb)
+{
+        struct mpath_info pinfo;
+        struct cfg80211_registered_device *rdev;
+        struct wireless_dev *wdev;
+        u8 dst[ETH_ALEN];
+        u8 mpp[ETH_ALEN];
+        int path_idx = cb->args[2];
+        int err;
+        err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+        if (err)
+                return err;
+        if (!rdev->ops->dump_mpp) {
+                err = -EOPNOTSUPP;
+                goto out_err;
+        }
+        if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
+                err = -EOPNOTSUPP;
+                goto out_err;
+        }
+        while (1) {
+                err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
+                                    mpp, &pinfo);
+                if (err == -ENOENT)
+                        break;
+                if (err)
+                        goto out_err;
+                if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
+                                       cb->nlh->nlmsg_seq, NLM_F_MULTI,
+                                       wdev->netdev, dst, mpp,
+                                       &pinfo) < 0)
+                        goto out;
+                path_idx++;
+        }
+ out:
+        cb->args[2] = path_idx;
+        err = skb->len;
+ out_err:
+        nl80211_finish_wdev_dump(rdev);
+        return err;
+}
 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -5260,11 +5422,11 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
 {
        struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
        struct nlattr *nl_reg_rule;
-        char *alpha2 = NULL;
+        char *alpha2;
-        int rem_reg_rules = 0, r = 0;
+        int rem_reg_rules, r;
        u32 num_rules = 0, rule_idx = 0, size_of_regd;
        enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
-        struct ieee80211_regdomain *rd = NULL;
+        struct ieee80211_regdomain *rd;
        if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
                return -EINVAL;
@@ -5358,6 +5520,43 @@ static int validate_scan_freqs(struct nlattr *freqs)
        return n_channels;
 }
+static int nl80211_parse_random_mac(struct nlattr **attrs,
+                                    u8 *mac_addr, u8 *mac_addr_mask)
+{
+        int i;
+        if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
+                memset(mac_addr, 0, ETH_ALEN);
+                memset(mac_addr_mask, 0, ETH_ALEN);
+                mac_addr[0] = 0x2;
+                mac_addr_mask[0] = 0x3;
+                return 0;
+        }
+        /* need both or none */
+        if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
+                return -EINVAL;
+        memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
+        memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
+        /* don't allow or configure an mcast address */
+        if (!is_multicast_ether_addr(mac_addr_mask) ||
+            is_multicast_ether_addr(mac_addr))
+                return -EINVAL;
+        /*
+         * allow users to pass a MAC address that has bits set outside
+         * of the mask, but don't bother drivers with having to deal
+         * with such bits
+         */
+        for (i = 0; i < ETH_ALEN; i++)
+                mac_addr[i] &= mac_addr_mask[i];
+        return 0;
+}
 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -5535,6 +5734,25 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
                        err = -EOPNOTSUPP;
                        goto out_free;
                }
+                if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+                        if (!(wiphy->features &
+                                        NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR)) {
+                                err = -EOPNOTSUPP;
+                                goto out_free;
+                        }
+                        if (wdev->current_bss) {
+                                err = -EOPNOTSUPP;
+                                goto out_free;
+                        }
+                        err = nl80211_parse_random_mac(info->attrs,
+                                                       request->mac_addr,
+                                                       request->mac_addr_mask);
+                        if (err)
+                                goto out_free;
+                }
        }
        request->no_cck =
@@ -5561,14 +5779,12 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
        return err;
 }
-static int nl80211_start_sched_scan(struct sk_buff *skb,
+static struct cfg80211_sched_scan_request *
-                                    struct genl_info *info)
+nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
+                         struct nlattr **attrs)
 {
        struct cfg80211_sched_scan_request *request;
-        struct cfg80211_registered_device *rdev = info->user_ptr[0];
-        struct net_device *dev = info->user_ptr[1];
        struct nlattr *attr;
-        struct wiphy *wiphy;
        int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i;
        u32 interval;
        enum ieee80211_band band;
@@ -5576,38 +5792,32 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
        struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
        s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
-        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+        if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
-            !rdev->ops->sched_scan_start)
+                return ERR_PTR(-EINVAL);
-                return -EOPNOTSUPP;
-        if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
-                return -EINVAL;
-        if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
+        if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
+        interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
        if (interval == 0)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        wiphy = &rdev->wiphy;
-        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+        if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
                n_channels = validate_scan_freqs(
-                                info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
+                                attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
                if (!n_channels)
-                        return -EINVAL;
+                        return ERR_PTR(-EINVAL);
        } else {
                n_channels = ieee80211_get_num_supported_channels(wiphy);
        }
-        if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
+        if (attrs[NL80211_ATTR_SCAN_SSIDS])
-                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
                                    tmp)
                        n_ssids++;
        if (n_ssids > wiphy->max_sched_scan_ssids)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
        /*
         * First, count the number of 'real' matchsets. Due to an issue with
@@ -5618,9 +5828,9 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
         * older userspace that treated a matchset with only the RSSI as the
         * global RSSI for all other matchsets - if there are other matchsets.
         */
-        if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
+        if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
                nla_for_each_nested(attr,
-                                    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
+                                    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
                                    tmp) {
                        struct nlattr *rssi;
@@ -5628,7 +5838,7 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
                                        nla_data(attr), nla_len(attr),
                                        nl80211_match_policy);
                        if (err)
-                                return err;
+                                return ERR_PTR(err);
                        /* add other standalone attributes here */
                        if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
                                n_match_sets++;
@@ -5645,30 +5855,23 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
                n_match_sets = 1;
        if (n_match_sets > wiphy->max_match_sets)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        if (info->attrs[NL80211_ATTR_IE])
+        if (attrs[NL80211_ATTR_IE])
-                ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+                ie_len = nla_len(attrs[NL80211_ATTR_IE]);
        else
                ie_len = 0;
        if (ie_len > wiphy->max_sched_scan_ie_len)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        if (rdev->sched_scan_req) {
-                err = -EINPROGRESS;
-                goto out;
-        }
        request = kzalloc(sizeof(*request)
                        + sizeof(*request->ssids) * n_ssids
                        + sizeof(*request->match_sets) * n_match_sets
                        + sizeof(*request->channels) * n_channels
                        + ie_len, GFP_KERNEL);
-        if (!request) {
+        if (!request)
-                err = -ENOMEM;
+                return ERR_PTR(-ENOMEM);
-                goto out;
-        }
        if (n_ssids)
                request->ssids = (void *)&request->channels[n_channels];
@@ -5693,10 +5896,10 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
        request->n_match_sets = n_match_sets;
        i = 0;
-        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+        if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
                /* user specified, bail out if channel not found */
                nla_for_each_nested(attr,
-                                    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
+                                    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
                                    tmp) {
                        struct ieee80211_channel *chan;
@@ -5742,8 +5945,8 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
        request->n_channels = i;
        i = 0;
-        if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+        if (attrs[NL80211_ATTR_SCAN_SSIDS]) {
-                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
                                    tmp) {
                        if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
                                err = -EINVAL;
@@ -5757,9 +5960,9 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
        }
        i = 0;
-        if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
+        if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
                nla_for_each_nested(attr,
-                                    info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
+                                    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
                                    tmp) {
                        struct nlattr *ssid, *rssi;
@@ -5814,36 +6017,88 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
        if (ie_len) {
                request->ie_len = ie_len;
                memcpy((void *)request->ie,
-                       nla_data(info->attrs[NL80211_ATTR_IE]),
+                       nla_data(attrs[NL80211_ATTR_IE]),
                       request->ie_len);
        }
-        if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
+        if (attrs[NL80211_ATTR_SCAN_FLAGS]) {
                request->flags = nla_get_u32(
-                        info->attrs[NL80211_ATTR_SCAN_FLAGS]);
+                        attrs[NL80211_ATTR_SCAN_FLAGS]);
                if ((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
                    !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) {
                        err = -EOPNOTSUPP;
                        goto out_free;
                }
+                if (request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+                        u32 flg = NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
+                        if (!wdev) /* must be net-detect */
+                                flg = NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
+                        if (!(wiphy->features & flg)) {
+                                err = -EOPNOTSUPP;
+                                goto out_free;
+                        }
+                        if (wdev && wdev->current_bss) {
+                                err = -EOPNOTSUPP;
+                                goto out_free;
+                        }
+                        err = nl80211_parse_random_mac(attrs, request->mac_addr,
+                                                       request->mac_addr_mask);
+                        if (err)
+                                goto out_free;
+                }
        }
-        request->dev = dev;
-        request->wiphy = &rdev->wiphy;
        request->interval = interval;
        request->scan_start = jiffies;
-        err = rdev_sched_scan_start(rdev, dev, request);
+        return request;
-        if (!err) {
-                rdev->sched_scan_req = request;
-                nl80211_send_sched_scan(rdev, dev,
-                                        NL80211_CMD_START_SCHED_SCAN);
-                goto out;
-        }
 out_free:
        kfree(request);
-out:
+        return ERR_PTR(err);
+}
+static int nl80211_start_sched_scan(struct sk_buff *skb,
+                                    struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+            !rdev->ops->sched_scan_start)
+                return -EOPNOTSUPP;
+        if (rdev->sched_scan_req)
+                return -EINPROGRESS;
+        rdev->sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
+                                                        info->attrs);
+        err = PTR_ERR_OR_ZERO(rdev->sched_scan_req);
+        if (err)
+                goto out_err;
+        err = rdev_sched_scan_start(rdev, dev, rdev->sched_scan_req);
+        if (err)
+                goto out_free;
+        rdev->sched_scan_req->dev = dev;
+        rdev->sched_scan_req->wiphy = &rdev->wiphy;
+        nl80211_send_sched_scan(rdev, dev,
+                                NL80211_CMD_START_SCHED_SCAN);
+        return 0;
+out_free:
+        kfree(rdev->sched_scan_req);
+out_err:
+        rdev->sched_scan_req = NULL;
        return err;
 }
@@ -5923,10 +6178,10 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
         * function is called under RTNL lock, so this should not be a problem.
         */
        static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
-        u8 radar_detect_width = 0;
        int err;
        bool need_new_beacon = false;
        int len, i;
+        u32 cs_count;
        if (!rdev->ops->channel_switch ||
            !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
@@ -5963,7 +6218,14 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
        if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
                return -EINVAL;
-        params.count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
+        /* Even though the attribute is u32, the specification says
+         * u8, so let's make sure we don't overflow.
+         */
+        cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
+        if (cs_count > 255)
+                return -EINVAL;
+        params.count = cs_count;
        if (!need_new_beacon)
                goto skip_beacons;
@@ -6051,10 +6313,8 @@ skip_beacons:
        if (err < 0)
                return err;
-        if (err > 0) {
+        if (err > 0)
-                radar_detect_width = BIT(params.chandef.width);
                params.radar_required = true;
-        }
        if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
                params.block_tx = true;
@@ -6303,8 +6563,6 @@ static int nl80211_dump_survey(struct sk_buff *skb,
        }
        while (1) {
-                struct ieee80211_channel *chan;
                res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
                if (res == -ENOENT)
                        break;
@@ -6317,9 +6575,7 @@ static int nl80211_dump_survey(struct sk_buff *skb,
                        goto out;
                }
-                chan = ieee80211_get_channel(&rdev->wiphy,
+                if (survey.channel->flags & IEEE80211_CHAN_DISABLED) {
-                                             survey.channel->center_freq);
-                if (!chan || chan->flags & IEEE80211_CHAN_DISABLED) {
                        survey_idx++;
                        continue;
                }
@@ -8151,6 +8407,28 @@ static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
        return -EINVAL;
 }
+static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct ocb_setup setup = {};
+        int err;
+        err = nl80211_parse_chandef(rdev, info, &setup.chandef);
+        if (err)
+                return err;
+        return cfg80211_join_ocb(rdev, dev, &setup);
+}
+static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        return cfg80211_leave_ocb(rdev, dev);
+}
 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -8534,6 +8812,39 @@ static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
        return 0;
 }
+static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
+                                   const struct wiphy_wowlan_support *wowlan,
+                                   struct nlattr *attr,
+                                   struct cfg80211_wowlan *trig)
+{
+        struct nlattr **tb;
+        int err;
+        tb = kzalloc(NUM_NL80211_ATTR * sizeof(*tb), GFP_KERNEL);
+        if (!tb)
+                return -ENOMEM;
+        if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
+                err = -EOPNOTSUPP;
+                goto out;
+        }
+        err = nla_parse(tb, NL80211_ATTR_MAX,
+                        nla_data(attr), nla_len(attr),
+                        nl80211_policy);
+        if (err)
+                goto out;
+        trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb);
+        err = PTR_ERR_OR_ZERO(trig->nd_config);
+        if (err)
+                trig->nd_config = NULL;
+out:
+        kfree(tb);
+        return err;
+}
 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -8679,6 +8990,14 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
                        goto error;
        }
+        if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
+                err = nl80211_parse_wowlan_nd(
+                        rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
+                        &new_triggers);
+                if (err)
+                        goto error;
+        }
        ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
        if (!ntrig) {
                err = -ENOMEM;
@@ -9436,7 +9755,7 @@ static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
        u16 admitted_time = 0;
        int err;
-        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
+        if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
                return -EOPNOTSUPP;
        if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
@@ -9452,12 +9771,10 @@ static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
                return -EINVAL;
        /* WMM uses TIDs 0-7 even for TSPEC */
-        if (tsid < IEEE80211_FIRST_TSPEC_TSID) {
+        if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
-                if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_WMM_ADMISSION))
-                        return -EINVAL;
-        } else {
                /* TODO: handle 802.11 TSPEC/admission control
-                 * need more attributes for that (e.g. BA session requirement)
+                 * need more attributes for that (e.g. BA session requirement);
+                 * change the WMM adminssion test above to allow both then
                 */
                return -EINVAL;
        }
@@ -9513,6 +9830,98 @@ static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
        return err;
 }
+static int nl80211_tdls_channel_switch(struct sk_buff *skb,
+                                       struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_chan_def chandef = {};
+        const u8 *addr;
+        u8 oper_class;
+        int err;
+        if (!rdev->ops->tdls_channel_switch ||
+            !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
+                return -EOPNOTSUPP;
+        switch (dev->ieee80211_ptr->iftype) {
+        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_P2P_CLIENT:
+                break;
+        default:
+                return -EOPNOTSUPP;
+        }
+        if (!info->attrs[NL80211_ATTR_MAC] ||
+            !info->attrs[NL80211_ATTR_OPER_CLASS])
+                return -EINVAL;
+        err = nl80211_parse_chandef(rdev, info, &chandef);
+        if (err)
+                return err;
+        /*
+         * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
+         * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
+         * specification is not defined for them.
+         */
+        if (chandef.chan->band == IEEE80211_BAND_2GHZ &&
+            chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
+            chandef.width != NL80211_CHAN_WIDTH_20)
+                return -EINVAL;
+        /* we will be active on the TDLS link */
+        if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef, wdev->iftype))
+                return -EINVAL;
+        /* don't allow switching to DFS channels */
+        if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
+                return -EINVAL;
+        addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+        oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
+        wdev_lock(wdev);
+        err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
+        wdev_unlock(wdev);
+        return err;
+}
+static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
+                                              struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        const u8 *addr;
+        if (!rdev->ops->tdls_channel_switch ||
+            !rdev->ops->tdls_cancel_channel_switch ||
+            !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
+                return -EOPNOTSUPP;
+        switch (dev->ieee80211_ptr->iftype) {
+        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_P2P_CLIENT:
+                break;
+        default:
+                return -EOPNOTSUPP;
+        }
+        if (!info->attrs[NL80211_ATTR_MAC])
+                return -EINVAL;
+        addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+        wdev_lock(wdev);
+        rdev_tdls_cancel_channel_switch(rdev, dev, addr);
+        wdev_unlock(wdev);
+        return 0;
+}
 #define NL80211_FLAG_NEED_WIPHY         0x01
 #define NL80211_FLAG_NEED_NETDEV        0x02
 #define NL80211_FLAG_NEED_RTNL          0x04
@@ -9774,6 +10183,15 @@ static const struct genl_ops nl80211_ops[] = {
                                  NL80211_FLAG_NEED_RTNL,
        },
        {
+                .cmd = NL80211_CMD_GET_MPP,
+                .doit = nl80211_get_mpp,
+                .dumpit = nl80211_dump_mpp,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
                .cmd = NL80211_CMD_SET_MPATH,
                .doit = nl80211_set_mpath,
                .policy = nl80211_policy,
@@ -10087,6 +10505,22 @@ static const struct genl_ops nl80211_ops[] = {
                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
+        {
+                .cmd = NL80211_CMD_JOIN_OCB,
+                .doit = nl80211_join_ocb,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_LEAVE_OCB,
+                .doit = nl80211_leave_ocb,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
 #ifdef CONFIG_PM
        {
                .cmd = NL80211_CMD_GET_WOWLAN,
@@ -10286,6 +10720,22 @@ static const struct genl_ops nl80211_ops[] = {
                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
+        {
+                .cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
+                .doit = nl80211_tdls_channel_switch,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
+                .doit = nl80211_tdls_cancel_channel_switch,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
 };
 /* notification functions */
@@ -11317,55 +11767,155 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
 }
 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
-void cfg80211_cqm_rssi_notify(struct net_device *dev,
+static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
-                              enum nl80211_cqm_rssi_threshold_event rssi_event,
+                                            const char *mac, gfp_t gfp)
-                              gfp_t gfp)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct wiphy *wiphy = wdev->wiphy;
+        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
-        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+        struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
-        struct sk_buff *msg;
+        void **cb;
-        struct nlattr *pinfoattr;
-        void *hdr;
-        trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
-        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
        if (!msg)
-                return;
+                return NULL;
-        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
+        cb = (void **)msg->cb;
-        if (!hdr) {
+        cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
+        if (!cb[0]) {
                nlmsg_free(msg);
-                return;
+                return NULL;
        }
        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
            nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
                goto nla_put_failure;
-        pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
+        if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
-        if (!pinfoattr)
                goto nla_put_failure;
-        if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
+        cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
-                        rssi_event))
+        if (!cb[1])
                goto nla_put_failure;
-        nla_nest_end(msg, pinfoattr);
+        cb[2] = rdev;
-        genlmsg_end(msg, hdr);
+        return msg;
+ nla_put_failure:
+        nlmsg_free(msg);
+        return NULL;
+}
+static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
+{
+        void **cb = (void **)msg->cb;
+        struct cfg80211_registered_device *rdev = cb[2];
+        nla_nest_end(msg, cb[1]);
+        genlmsg_end(msg, cb[0]);
+        memset(msg->cb, 0, sizeof(msg->cb));
        genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
                                NL80211_MCGRP_MLME, gfp);
+}
+void cfg80211_cqm_rssi_notify(struct net_device *dev,
+                              enum nl80211_cqm_rssi_threshold_event rssi_event,
+                              gfp_t gfp)
+{
+        struct sk_buff *msg;
+        trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
+        if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
+                    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
+                return;
+        msg = cfg80211_prepare_cqm(dev, NULL, gfp);
+        if (!msg)
+                return;
+        if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
+                        rssi_event))
+                goto nla_put_failure;
+        cfg80211_send_cqm(msg, gfp);
        return;
 nla_put_failure:
-        genlmsg_cancel(msg, hdr);
        nlmsg_free(msg);
 }
 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
+void cfg80211_cqm_txe_notify(struct net_device *dev,
+                             const u8 *peer, u32 num_packets,
+                             u32 rate, u32 intvl, gfp_t gfp)
+{
+        struct sk_buff *msg;
+        msg = cfg80211_prepare_cqm(dev, peer, gfp);
+        if (!msg)
+                return;
+        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
+                goto nla_put_failure;
+        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
+                goto nla_put_failure;
+        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
+                goto nla_put_failure;
+        cfg80211_send_cqm(msg, gfp);
+        return;
+ nla_put_failure:
+        nlmsg_free(msg);
+}
+EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
+void cfg80211_cqm_pktloss_notify(struct net_device *dev,
+                                 const u8 *peer, u32 num_packets, gfp_t gfp)
+{
+        struct sk_buff *msg;
+        trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
+        msg = cfg80211_prepare_cqm(dev, peer, gfp);
+        if (!msg)
+                return;
+        if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
+                goto nla_put_failure;
+        cfg80211_send_cqm(msg, gfp);
+        return;
+ nla_put_failure:
+        nlmsg_free(msg);
+}
+EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
+void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
+{
+        struct sk_buff *msg;
+        msg = cfg80211_prepare_cqm(dev, NULL, gfp);
+        if (!msg)
+                return;
+        if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
+                goto nla_put_failure;
+        cfg80211_send_cqm(msg, gfp);
+        return;
+ nla_put_failure:
+        nlmsg_free(msg);
+}
+EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
                                     struct net_device *netdev, const u8 *bssid,
                                     const u8 *replay_ctr, gfp_t gfp)
@@ -11483,7 +12033,9 @@ EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
                                     struct net_device *netdev,
                                     struct cfg80211_chan_def *chandef,
-                                     gfp_t gfp)
+                                     gfp_t gfp,
+                                     enum nl80211_commands notif,
+                                     u8 count)
 {
        struct sk_buff *msg;
        void *hdr;
@@ -11492,7 +12044,7 @@ static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
        if (!msg)
                return;
-        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CH_SWITCH_NOTIFY);
+        hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
        if (!hdr) {
                nlmsg_free(msg);
                return;
@@ -11504,6 +12056,10 @@ static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
        if (nl80211_send_chandef(msg, chandef))
                goto nla_put_failure;
+        if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
+            (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
+                        goto nla_put_failure;
        genlmsg_end(msg, hdr);
        genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
@@ -11526,70 +12082,27 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
        trace_cfg80211_ch_switch_notify(dev, chandef);
-        if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
-                    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
-                    wdev->iftype != NL80211_IFTYPE_ADHOC &&
-                    wdev->iftype != NL80211_IFTYPE_MESH_POINT))
-                return;
        wdev->chandef = *chandef;
        wdev->preset_chandef = *chandef;
-        nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
+        nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+                                 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
 }
 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
-void cfg80211_cqm_txe_notify(struct net_device *dev,
+void cfg80211_ch_switch_started_notify(struct net_device *dev,
-                             const u8 *peer, u32 num_packets,
+                                       struct cfg80211_chan_def *chandef,
-                             u32 rate, u32 intvl, gfp_t gfp)
+                                       u8 count)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct wiphy *wiphy = wdev->wiphy;
        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
-        struct sk_buff *msg;
-        struct nlattr *pinfoattr;
-        void *hdr;
-        msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
-        if (!msg)
-                return;
-        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
-        if (!hdr) {
-                nlmsg_free(msg);
-                return;
-        }
-        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
-            nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
-            nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
-                goto nla_put_failure;
-        pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
-        if (!pinfoattr)
-                goto nla_put_failure;
-        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
-                goto nla_put_failure;
-        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
-                goto nla_put_failure;
-        if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
+        trace_cfg80211_ch_switch_started_notify(dev, chandef);
-                goto nla_put_failure;
-        nla_nest_end(msg, pinfoattr);
+        nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+                                 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
-        genlmsg_end(msg, hdr);
-        genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
-                                NL80211_MCGRP_MLME, gfp);
-        return;
- nla_put_failure:
-        genlmsg_cancel(msg, hdr);
-        nlmsg_free(msg);
 }
-EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
+EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
 void
 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
@@ -11639,54 +12152,6 @@ nl80211_radar_notify(struct cfg80211_registered_device *rdev,
        nlmsg_free(msg);
 }
-void cfg80211_cqm_pktloss_notify(struct net_device *dev,
-                                 const u8 *peer, u32 num_packets, gfp_t gfp)
-{
-        struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct wiphy *wiphy = wdev->wiphy;
-        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
-        struct sk_buff *msg;
-        struct nlattr *pinfoattr;
-        void *hdr;
-        trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
-        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
-        if (!msg)
-                return;
-        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
-        if (!hdr) {
-                nlmsg_free(msg);
-                return;
-        }
-        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
-            nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
-            nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
-                goto nla_put_failure;
-        pinfoattr = nla_nest_start(msg, NL80211_ATTR_CQM);
-        if (!pinfoattr)
-                goto nla_put_failure;
-        if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
-                goto nla_put_failure;
-        nla_nest_end(msg, pinfoattr);
-        genlmsg_end(msg, hdr);
-        genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
-                                NL80211_MCGRP_MLME, gfp);
-        return;
- nla_put_failure:
-        genlmsg_cancel(msg, hdr);
-        nlmsg_free(msg);
-}
-EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
                           u64 cookie, bool acked, gfp_t gfp)
 {
@@ -11774,6 +12239,67 @@ void cfg80211_report_obss_beacon(struct wiphy *wiphy,
 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
 #ifdef CONFIG_PM
+static int cfg80211_net_detect_results(struct sk_buff *msg,
+                                       struct cfg80211_wowlan_wakeup *wakeup)
+{
+        struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
+        struct nlattr *nl_results, *nl_match, *nl_freqs;
+        int i, j;
+        nl_results = nla_nest_start(
+                msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
+        if (!nl_results)
+                return -EMSGSIZE;
+        for (i = 0; i < nd->n_matches; i++) {
+                struct cfg80211_wowlan_nd_match *match = nd->matches[i];
+                nl_match = nla_nest_start(msg, i);
+                if (!nl_match)
+                        break;
+                /* The SSID attribute is optional in nl80211, but for
+                 * simplicity reasons it's always present in the
+                 * cfg80211 structure.  If a driver can't pass the
+                 * SSID, that needs to be changed.  A zero length SSID
+                 * is still a valid SSID (wildcard), so it cannot be
+                 * used for this purpose.
+                 */
+                if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
+                            match->ssid.ssid)) {
+                        nla_nest_cancel(msg, nl_match);
+                        goto out;
+                }
+                if (match->n_channels) {
+                        nl_freqs = nla_nest_start(
+                                msg, NL80211_ATTR_SCAN_FREQUENCIES);
+                        if (!nl_freqs) {
+                                nla_nest_cancel(msg, nl_match);
+                                goto out;
+                        }
+                        for (j = 0; j < match->n_channels; j++) {
+                                if (nla_put_u32(msg,
+                                                NL80211_ATTR_WIPHY_FREQ,
+                                                match->channels[j])) {
+                                        nla_nest_cancel(msg, nl_freqs);
+                                        nla_nest_cancel(msg, nl_match);
+                                        goto out;
+                                }
+                        }
+                        nla_nest_end(msg, nl_freqs);
+                }
+                nla_nest_end(msg, nl_match);
+        }
+out:
+        nla_nest_end(msg, nl_results);
+        return 0;
+}
 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
                                   struct cfg80211_wowlan_wakeup *wakeup,
                                   gfp_t gfp)
@@ -11868,6 +12394,10 @@ void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
                                goto free_msg;
                }
+                if (wakeup->net_detect &&
+                    cfg80211_net_detect_results(msg, wakeup))
+                                goto free_msg;
                nla_nest_end(msg, reasons);
        }
diff --git a/net/wireless/ocb.c b/net/wireless/ocb.c
new file mode 100644
index 000000000000..c00d4a792319
--- /dev/null
+++ b/net/wireless/ocb.c
@@ -0,0 +1,88 @@
+/*
+ * OCB mode implementation
+ *
+ * Copyright: (c) 2014 Czech Technical University in Prague
+ *            (c) 2014 Volkswagen Group Research
+ * Author:    Rostislav Lisovy <rostislav.lisovy@fel.cvut.cz>
+ * Funded by: Volkswagen Group Research
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/ieee80211.h>
+#include <net/cfg80211.h>
+#include "nl80211.h"
+#include "core.h"
+#include "rdev-ops.h"
+int __cfg80211_join_ocb(struct cfg80211_registered_device *rdev,
+                        struct net_device *dev,
+                        struct ocb_setup *setup)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
+        ASSERT_WDEV_LOCK(wdev);
+        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
+                return -EOPNOTSUPP;
+        if (WARN_ON(!setup->chandef.chan))
+                return -EINVAL;
+        err = rdev_join_ocb(rdev, dev, setup);
+        if (!err)
+                wdev->chandef = setup->chandef;
+        return err;
+}
+int cfg80211_join_ocb(struct cfg80211_registered_device *rdev,
+                      struct net_device *dev,
+                      struct ocb_setup *setup)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
+        wdev_lock(wdev);
+        err = __cfg80211_join_ocb(rdev, dev, setup);
+        wdev_unlock(wdev);
+        return err;
+}
+int __cfg80211_leave_ocb(struct cfg80211_registered_device *rdev,
+                         struct net_device *dev)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
+        ASSERT_WDEV_LOCK(wdev);
+        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
+                return -EOPNOTSUPP;
+        if (!rdev->ops->leave_ocb)
+                return -EOPNOTSUPP;
+        err = rdev_leave_ocb(rdev, dev);
+        if (!err)
+                memset(&wdev->chandef, 0, sizeof(wdev->chandef));
+        return err;
+}
+int cfg80211_leave_ocb(struct cfg80211_registered_device *rdev,
+                       struct net_device *dev)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
+        wdev_lock(wdev);
+        err = __cfg80211_leave_ocb(rdev, dev);
+        wdev_unlock(wdev);
+        return err;
+}
diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
index f6d457d6a558..35cfb7134bdb 100644
--- a/net/wireless/rdev-ops.h
+++ b/net/wireless/rdev-ops.h
@@ -178,11 +178,12 @@ static inline int rdev_add_station(struct cfg80211_registered_device *rdev,
 }
 static inline int rdev_del_station(struct cfg80211_registered_device *rdev,
-                                   struct net_device *dev, u8 *mac)
+                                   struct net_device *dev,
+                                   struct station_del_parameters *params)
 {
        int ret;
-        trace_rdev_del_station(&rdev->wiphy, dev, mac);
+        trace_rdev_del_station(&rdev->wiphy, dev, params);
-        ret = rdev->ops->del_station(&rdev->wiphy, dev, mac);
+        ret = rdev->ops->del_station(&rdev->wiphy, dev, params);
        trace_rdev_return_int(&rdev->wiphy, ret);
        return ret;
 }
@@ -263,6 +264,18 @@ static inline int rdev_get_mpath(struct cfg80211_registered_device *rdev,
 }
+static inline int rdev_get_mpp(struct cfg80211_registered_device *rdev,
+                               struct net_device *dev, u8 *dst, u8 *mpp,
+                               struct mpath_info *pinfo)
+{
+        int ret;
+        trace_rdev_get_mpp(&rdev->wiphy, dev, dst, mpp);
+        ret = rdev->ops->get_mpp(&rdev->wiphy, dev, dst, mpp, pinfo);
+        trace_rdev_return_int_mpath_info(&rdev->wiphy, ret, pinfo);
+        return ret;
+}
 static inline int rdev_dump_mpath(struct cfg80211_registered_device *rdev,
                                  struct net_device *dev, int idx, u8 *dst,
                                  u8 *next_hop, struct mpath_info *pinfo)
@@ -271,7 +284,20 @@ static inline int rdev_dump_mpath(struct cfg80211_registered_device *rdev,
        int ret;
        trace_rdev_dump_mpath(&rdev->wiphy, dev, idx, dst, next_hop);
        ret = rdev->ops->dump_mpath(&rdev->wiphy, dev, idx, dst, next_hop,
-                                     pinfo);
+                                    pinfo);
+        trace_rdev_return_int_mpath_info(&rdev->wiphy, ret, pinfo);
+        return ret;
+}
+static inline int rdev_dump_mpp(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, int idx, u8 *dst,
+                                u8 *mpp, struct mpath_info *pinfo)
+{
+        int ret;
+        trace_rdev_dump_mpp(&rdev->wiphy, dev, idx, dst, mpp);
+        ret = rdev->ops->dump_mpp(&rdev->wiphy, dev, idx, dst, mpp, pinfo);
        trace_rdev_return_int_mpath_info(&rdev->wiphy, ret, pinfo);
        return ret;
 }
@@ -322,6 +348,27 @@ static inline int rdev_leave_mesh(struct cfg80211_registered_device *rdev,
        return ret;
 }
+static inline int rdev_join_ocb(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev,
+                                struct ocb_setup *setup)
+{
+        int ret;
+        trace_rdev_join_ocb(&rdev->wiphy, dev, setup);
+        ret = rdev->ops->join_ocb(&rdev->wiphy, dev, setup);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+static inline int rdev_leave_ocb(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev)
+{
+        int ret;
+        trace_rdev_leave_ocb(&rdev->wiphy, dev);
+        ret = rdev->ops->leave_ocb(&rdev->wiphy, dev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
 static inline int rdev_change_bss(struct cfg80211_registered_device *rdev,
                                  struct net_device *dev,
                                  struct bss_parameters *params)
@@ -946,4 +993,28 @@ rdev_del_tx_ts(struct cfg80211_registered_device *rdev,
        return ret;
 }
+static inline int
+rdev_tdls_channel_switch(struct cfg80211_registered_device *rdev,
+                         struct net_device *dev, const u8 *addr,
+                         u8 oper_class, struct cfg80211_chan_def *chandef)
+{
+        int ret;
+        trace_rdev_tdls_channel_switch(&rdev->wiphy, dev, addr, oper_class,
+                                       chandef);
+        ret = rdev->ops->tdls_channel_switch(&rdev->wiphy, dev, addr,
+                                             oper_class, chandef);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+static inline void
+rdev_tdls_cancel_channel_switch(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, const u8 *addr)
+{
+        trace_rdev_tdls_cancel_channel_switch(&rdev->wiphy, dev, addr);
+        rdev->ops->tdls_cancel_channel_switch(&rdev->wiphy, dev, addr);
+        trace_rdev_return_void(&rdev->wiphy);
+}
 #endif /* __CFG80211_RDEV_OPS */
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index b725a31a4751..47be6163381c 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -56,6 +56,7 @@
 #include <net/cfg80211.h>
 #include "core.h"
 #include "reg.h"
+#include "rdev-ops.h"
 #include "regdb.h"
 #include "nl80211.h"
@@ -66,6 +67,12 @@
 #define REG_DBG_PRINT(args...)
 #endif
+/*
+ * Grace period we give before making sure all current interfaces reside on
+ * channels allowed by the current regulatory domain.
+ */
+#define REG_ENFORCE_GRACE_MS 60000
 /**
 * enum reg_request_treatment - regulatory request treatment
 *
@@ -210,6 +217,9 @@ struct reg_beacon {
        struct ieee80211_channel chan;
 };
+static void reg_check_chans_work(struct work_struct *work);
+static DECLARE_DELAYED_WORK(reg_check_chans, reg_check_chans_work);
 static void reg_todo(struct work_struct *work);
 static DECLARE_WORK(reg_work, reg_todo);
@@ -573,8 +583,9 @@ static const struct ieee80211_regdomain *reg_get_regdomain(struct wiphy *wiphy)
        return get_cfg80211_regdom();
 }
-unsigned int reg_get_max_bandwidth(const struct ieee80211_regdomain *rd,
+static unsigned int
-                                   const struct ieee80211_reg_rule *rule)
+reg_get_max_bandwidth_from_range(const struct ieee80211_regdomain *rd,
+                                 const struct ieee80211_reg_rule *rule)
 {
        const struct ieee80211_freq_range *freq_range = &rule->freq_range;
        const struct ieee80211_freq_range *freq_range_tmp;
@@ -622,6 +633,27 @@ unsigned int reg_get_max_bandwidth(const struct ieee80211_regdomain *rd,
        return end_freq - start_freq;
 }
+unsigned int reg_get_max_bandwidth(const struct ieee80211_regdomain *rd,
+                                   const struct ieee80211_reg_rule *rule)
+{
+        unsigned int bw = reg_get_max_bandwidth_from_range(rd, rule);
+        if (rule->flags & NL80211_RRF_NO_160MHZ)
+                bw = min_t(unsigned int, bw, MHZ_TO_KHZ(80));
+        if (rule->flags & NL80211_RRF_NO_80MHZ)
+                bw = min_t(unsigned int, bw, MHZ_TO_KHZ(40));
+        /*
+         * HT40+/HT40- limits are handled per-channel. Only limit BW if both
+         * are not allowed.
+         */
+        if (rule->flags & NL80211_RRF_NO_HT40MINUS &&
+            rule->flags & NL80211_RRF_NO_HT40PLUS)
+                bw = min_t(unsigned int, bw, MHZ_TO_KHZ(20));
+        return bw;
+}
 /* Sanity check on a regulatory rule */
 static bool is_valid_reg_rule(const struct ieee80211_reg_rule *rule)
 {
@@ -946,6 +978,16 @@ static u32 map_regdom_flags(u32 rd_flags)
                channel_flags |= IEEE80211_CHAN_NO_OFDM;
        if (rd_flags & NL80211_RRF_NO_OUTDOOR)
                channel_flags |= IEEE80211_CHAN_INDOOR_ONLY;
+        if (rd_flags & NL80211_RRF_GO_CONCURRENT)
+                channel_flags |= IEEE80211_CHAN_GO_CONCURRENT;
+        if (rd_flags & NL80211_RRF_NO_HT40MINUS)
+                channel_flags |= IEEE80211_CHAN_NO_HT40MINUS;
+        if (rd_flags & NL80211_RRF_NO_HT40PLUS)
+                channel_flags |= IEEE80211_CHAN_NO_HT40PLUS;
+        if (rd_flags & NL80211_RRF_NO_80MHZ)
+                channel_flags |= IEEE80211_CHAN_NO_80MHZ;
+        if (rd_flags & NL80211_RRF_NO_160MHZ)
+                channel_flags |= IEEE80211_CHAN_NO_160MHZ;
        return channel_flags;
 }
@@ -1486,6 +1528,96 @@ static void reg_call_notifier(struct wiphy *wiphy,
                wiphy->reg_notifier(wiphy, request);
 }
+static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
+{
+        struct ieee80211_channel *ch;
+        struct cfg80211_chan_def chandef;
+        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+        bool ret = true;
+        wdev_lock(wdev);
+        if (!wdev->netdev || !netif_running(wdev->netdev))
+                goto out;
+        switch (wdev->iftype) {
+        case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_P2P_GO:
+                if (!wdev->beacon_interval)
+                        goto out;
+                ret = cfg80211_reg_can_beacon(wiphy,
+                                              &wdev->chandef, wdev->iftype);
+                break;
+        case NL80211_IFTYPE_STATION:
+        case NL80211_IFTYPE_P2P_CLIENT:
+        case NL80211_IFTYPE_ADHOC:
+                if (!wdev->current_bss ||
+                    !wdev->current_bss->pub.channel)
+                        goto out;
+                ch = wdev->current_bss->pub.channel;
+                if (rdev->ops->get_channel &&
+                    !rdev_get_channel(rdev, wdev, &chandef))
+                        ret = cfg80211_chandef_usable(wiphy, &chandef,
+                                                      IEEE80211_CHAN_DISABLED);
+                else
+                        ret = !(ch->flags & IEEE80211_CHAN_DISABLED);
+                break;
+        case NL80211_IFTYPE_MONITOR:
+        case NL80211_IFTYPE_AP_VLAN:
+        case NL80211_IFTYPE_P2P_DEVICE:
+                /* no enforcement required */
+                break;
+        default:
+                /* others not implemented for now */
+                WARN_ON(1);
+                break;
+        }
+out:
+        wdev_unlock(wdev);
+        return ret;
+}
+static void reg_leave_invalid_chans(struct wiphy *wiphy)
+{
+        struct wireless_dev *wdev;
+        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+        ASSERT_RTNL();
+        list_for_each_entry(wdev, &rdev->wdev_list, list)
+                if (!reg_wdev_chan_valid(wiphy, wdev))
+                        cfg80211_leave(rdev, wdev);
+}
+static void reg_check_chans_work(struct work_struct *work)
+{
+        struct cfg80211_registered_device *rdev;
+        REG_DBG_PRINT("Verifying active interfaces after reg change\n");
+        rtnl_lock();
+        list_for_each_entry(rdev, &cfg80211_rdev_list, list)
+                if (!(rdev->wiphy.regulatory_flags &
+                      REGULATORY_IGNORE_STALE_KICKOFF))
+                        reg_leave_invalid_chans(&rdev->wiphy);
+        rtnl_unlock();
+}
+static void reg_check_channels(void)
+{
+        /*
+         * Give usermode a chance to do something nicer (move to another
+         * channel, orderly disconnection), before forcing a disconnection.
+         */
+        mod_delayed_work(system_power_efficient_wq,
+                         &reg_check_chans,
+                         msecs_to_jiffies(REG_ENFORCE_GRACE_MS));
+}
 static void wiphy_update_regulatory(struct wiphy *wiphy,
                                    enum nl80211_reg_initiator initiator)
 {
@@ -1525,6 +1657,8 @@ static void update_all_wiphy_regulatory(enum nl80211_reg_initiator initiator)
                wiphy = &rdev->wiphy;
                wiphy_update_regulatory(wiphy, initiator);
        }
+        reg_check_channels();
 }
 static void handle_channel_custom(struct wiphy *wiphy,
@@ -1565,10 +1699,23 @@ static void handle_channel_custom(struct wiphy *wiphy,
        if (max_bandwidth_khz < MHZ_TO_KHZ(160))
                bw_flags |= IEEE80211_CHAN_NO_160MHZ;
+        chan->dfs_state_entered = jiffies;
+        chan->dfs_state = NL80211_DFS_USABLE;
+        chan->beacon_found = false;
        chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags;
        chan->max_antenna_gain = (int) MBI_TO_DBI(power_rule->max_antenna_gain);
        chan->max_reg_power = chan->max_power =
                (int) MBM_TO_DBM(power_rule->max_eirp);
+        if (chan->flags & IEEE80211_CHAN_RADAR) {
+                if (reg_rule->dfs_cac_ms)
+                        chan->dfs_cac_ms = reg_rule->dfs_cac_ms;
+                else
+                        chan->dfs_cac_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
+        }
+        chan->max_power = chan->max_reg_power;
 }
 static void handle_band_custom(struct wiphy *wiphy,
@@ -1931,8 +2078,10 @@ static void reg_process_hint(struct regulatory_request *reg_request)
        /* This is required so that the orig_* parameters are saved */
        if (treatment == REG_REQ_ALREADY_SET && wiphy &&
-            wiphy->regulatory_flags & REGULATORY_STRICT_REG)
+            wiphy->regulatory_flags & REGULATORY_STRICT_REG) {
                wiphy_update_regulatory(wiphy, reg_request->initiator);
+                reg_check_channels();
+        }
        return;
@@ -2813,6 +2962,7 @@ void regulatory_exit(void)
        cancel_work_sync(&reg_work);
        cancel_delayed_work_sync(&reg_timeout);
+        cancel_delayed_work_sync(&reg_check_chans);
        /* Lock to suppress warnings */
        rtnl_lock();
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index dc1668ff543b..0ab3711c79a0 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -80,9 +80,18 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
        if (!request)
                return -ENOMEM;
-        if (wdev->conn->params.channel)
+        if (wdev->conn->params.channel) {
+                enum ieee80211_band band = wdev->conn->params.channel->band;
+                struct ieee80211_supported_band *sband =
+                        wdev->wiphy->bands[band];
+                if (!sband) {
+                        kfree(request);
+                        return -EINVAL;
+                }
                request->channels[0] = wdev->conn->params.channel;
-        else {
+                request->rates[band] = (1 << sband->n_bitrates) - 1;
+        } else {
                int i = 0, j;
                enum ieee80211_band band;
                struct ieee80211_supported_band *bands;
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index 625a6e6d1168..ad38910f7036 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -600,6 +600,11 @@ DEFINE_EVENT(wiphy_netdev_evt, rdev_leave_ibss,
        TP_ARGS(wiphy, netdev)
 );
+DEFINE_EVENT(wiphy_netdev_evt, rdev_leave_ocb,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
 DEFINE_EVENT(wiphy_netdev_evt, rdev_flush_pmksa,
        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
        TP_ARGS(wiphy, netdev)
@@ -680,9 +685,34 @@ DECLARE_EVENT_CLASS(wiphy_netdev_mac_evt,
                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(sta_mac))
 );
-DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_del_station,
+DECLARE_EVENT_CLASS(station_del,
-        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
-        TP_ARGS(wiphy, netdev, mac)
+                 struct station_del_parameters *params),
+        TP_ARGS(wiphy, netdev, params),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(sta_mac)
+                __field(u8, subtype)
+                __field(u16, reason_code)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(sta_mac, params->mac);
+                __entry->subtype = params->subtype;
+                __entry->reason_code = params->reason_code;
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", station mac: " MAC_PR_FMT
+                  ", subtype: %u, reason_code: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(sta_mac),
+                  __entry->subtype, __entry->reason_code)
+);
+DEFINE_EVENT(station_del, rdev_del_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct station_del_parameters *params),
+        TP_ARGS(wiphy, netdev, params)
 );
 DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_get_station,
@@ -801,6 +831,51 @@ TRACE_EVENT(rdev_dump_mpath,
                  MAC_PR_ARG(next_hop))
 );
+TRACE_EVENT(rdev_get_mpp,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 u8 *dst, u8 *mpp),
+        TP_ARGS(wiphy, netdev, dst, mpp),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(dst)
+                MAC_ENTRY(mpp)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(dst, dst);
+                MAC_ASSIGN(mpp, mpp);
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", destination: " MAC_PR_FMT
+                  ", mpp: " MAC_PR_FMT, WIPHY_PR_ARG, NETDEV_PR_ARG,
+                  MAC_PR_ARG(dst), MAC_PR_ARG(mpp))
+);
+TRACE_EVENT(rdev_dump_mpp,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int idx,
+                 u8 *dst, u8 *mpp),
+        TP_ARGS(wiphy, netdev, idx, mpp, dst),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(dst)
+                MAC_ENTRY(mpp)
+                __field(int, idx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(dst, dst);
+                MAC_ASSIGN(mpp, mpp);
+                __entry->idx = idx;
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", index: %d, destination: "
+                  MAC_PR_FMT ", mpp: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->idx, MAC_PR_ARG(dst),
+                  MAC_PR_ARG(mpp))
+);
 TRACE_EVENT(rdev_return_int_mpath_info,
        TP_PROTO(struct wiphy *wiphy, int ret, struct mpath_info *pinfo),
        TP_ARGS(wiphy, ret, pinfo),
@@ -1246,6 +1321,22 @@ TRACE_EVENT(rdev_join_ibss,
                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid), __entry->ssid)
 );
+TRACE_EVENT(rdev_join_ocb,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const struct ocb_setup *setup),
+        TP_ARGS(wiphy, netdev, setup),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG)
+);
 TRACE_EVENT(rdev_set_wiphy_params,
        TP_PROTO(struct wiphy *wiphy, u32 changed),
        TP_ARGS(wiphy, changed),
@@ -1941,6 +2032,48 @@ TRACE_EVENT(rdev_del_tx_ts,
                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(peer), __entry->tsid)
 );
+TRACE_EVENT(rdev_tdls_channel_switch,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const u8 *addr, u8 oper_class,
+                 struct cfg80211_chan_def *chandef),
+        TP_ARGS(wiphy, netdev, addr, oper_class, chandef),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(addr)
+                __field(u8, oper_class)
+                CHAN_DEF_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(addr, addr);
+                CHAN_DEF_ASSIGN(chandef);
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", " MAC_PR_FMT
+                  " oper class %d, " CHAN_DEF_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(addr),
+                  __entry->oper_class, CHAN_DEF_PR_ARG)
+);
+TRACE_EVENT(rdev_tdls_cancel_channel_switch,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const u8 *addr),
+        TP_ARGS(wiphy, netdev, addr),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(addr)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(addr, addr);
+        ),
+        TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(addr))
+);
 /*************************************************************
 *           cfg80211 exported functions traces              *
 *************************************************************/
@@ -2264,6 +2397,22 @@ TRACE_EVENT(cfg80211_ch_switch_notify,
                  NETDEV_PR_ARG, CHAN_DEF_PR_ARG)
 );
+TRACE_EVENT(cfg80211_ch_switch_started_notify,
+        TP_PROTO(struct net_device *netdev,
+                 struct cfg80211_chan_def *chandef),
+        TP_ARGS(netdev, chandef),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                CHAN_DEF_ENTRY
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                CHAN_DEF_ASSIGN(chandef);
+        ),
+        TP_printk(NETDEV_PR_FMT ", " CHAN_DEF_PR_FMT,
+                  NETDEV_PR_ARG, CHAN_DEF_PR_ARG)
+);
 TRACE_EVENT(cfg80211_radar_event,
        TP_PROTO(struct wiphy *wiphy, struct cfg80211_chan_def *chandef),
        TP_ARGS(wiphy, chandef),
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 5e233a577d0f..d0ac795445b7 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -442,7 +442,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
                break;
        case cpu_to_le16(0):
                if (iftype != NL80211_IFTYPE_ADHOC &&
-                    iftype != NL80211_IFTYPE_STATION)
+                    iftype != NL80211_IFTYPE_STATION &&
+                    iftype != NL80211_IFTYPE_OCB)
                                return -1;
                break;
        }
@@ -519,6 +520,7 @@ int ieee80211_data_from_8023(struct sk_buff *skb, const u8 *addr,
                memcpy(hdr.addr3, skb->data, ETH_ALEN);
                hdrlen = 24;
                break;
+        case NL80211_IFTYPE_OCB:
        case NL80211_IFTYPE_ADHOC:
                /* DA SA BSSID */
                memcpy(hdr.addr1, skb->data, ETH_ALEN);
@@ -937,6 +939,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                        if (dev->ieee80211_ptr->use_4addr)
                                break;
                        /* fall through */
+                case NL80211_IFTYPE_OCB:
                case NL80211_IFTYPE_P2P_CLIENT:
                case NL80211_IFTYPE_ADHOC:
                        dev->priv_flags |= IFF_DONT_BRIDGE;