14 files changed, 403 insertions, 187 deletions

diff --git a/net/wireless/Makefile b/net/wireless/Makefile
index d74cc77fa57a..3ecaa9179977 100644
--- a/net/wireless/Makefile
+++ b/net/wireless/Makefile
@@ -5,7 +5,8 @@ obj-$(CONFIG_LIB80211_CRYPT_WEP) += lib80211_crypt_wep.o
 obj-$(CONFIG_LIB80211_CRYPT_CCMP) += lib80211_crypt_ccmp.o
 obj-$(CONFIG_LIB80211_CRYPT_TKIP) += lib80211_crypt_tkip.o
 
-cfg80211-y += core.o sysfs.o radiotap.o util.o reg.o scan.o nl80211.o mlme.o ibss.o sme.o
+cfg80211-y += core.o sysfs.o radiotap.o util.o reg.o scan.o nl80211.o
+cfg80211-y += mlme.o ibss.o sme.o chan.o
 cfg80211-$(CONFIG_CFG80211_DEBUGFS) += debugfs.o
 cfg80211-$(CONFIG_WIRELESS_EXT) += wext-compat.o wext-sme.o
 
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
new file mode 100644
index 000000000000..a46ac6c9b365
--- /dev/null
+++ b/net/wireless/chan.c
@@ -0,0 +1,89 @@
+/*
+ * This file contains helper code to handle channel
+ * settings and keeping track of what is possible at
+ * any point in time.
+ *
+ * Copyright 2009       Johannes Berg <johannes@sipsolutions.net>
+ */
+
+#include <net/cfg80211.h>
+#include "core.h"
+
+struct ieee80211_channel *
+rdev_fixed_channel(struct cfg80211_registered_device *rdev,
+                   struct wireless_dev *for_wdev)
+{
+        struct wireless_dev *wdev;
+        struct ieee80211_channel *result = NULL;
+
+        WARN_ON(!mutex_is_locked(&rdev->devlist_mtx));
+
+        list_for_each_entry(wdev, &rdev->netdev_list, list) {
+                if (wdev == for_wdev)
+                        continue;
+
+                /*
+                 * Lock manually to tell lockdep about allowed
+                 * nesting here if for_wdev->mtx is held already.
+                 * This is ok as it's all under the rdev devlist
+                 * mutex and as such can only be done once at any
+                 * given time.
+                 */
+                mutex_lock_nested(&wdev->mtx, SINGLE_DEPTH_NESTING);
+                if (wdev->current_bss)
+                        result = wdev->current_bss->pub.channel;
+                wdev_unlock(wdev);
+
+                if (result)
+                        break;
+        }
+
+        return result;
+}
+
+int rdev_set_freq(struct cfg80211_registered_device *rdev,
+                  struct wireless_dev *for_wdev,
+                  int freq, enum nl80211_channel_type channel_type)
+{
+        struct ieee80211_channel *chan;
+        struct ieee80211_sta_ht_cap *ht_cap;
+        int result;
+
+        if (rdev_fixed_channel(rdev, for_wdev))
+                return -EBUSY;
+
+        if (!rdev->ops->set_channel)
+                return -EOPNOTSUPP;
+
+        chan = ieee80211_get_channel(&rdev->wiphy, freq);
+
+        /* Primary channel not allowed */
+        if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
+                return -EINVAL;
+
+        if (channel_type == NL80211_CHAN_HT40MINUS &&
+            chan->flags & IEEE80211_CHAN_NO_HT40MINUS)
+                return -EINVAL;
+        else if (channel_type == NL80211_CHAN_HT40PLUS &&
+                 chan->flags & IEEE80211_CHAN_NO_HT40PLUS)
+                return -EINVAL;
+
+        ht_cap = &rdev->wiphy.bands[chan->band]->ht_cap;
+
+        if (channel_type != NL80211_CHAN_NO_HT) {
+                if (!ht_cap->ht_supported)
+                        return -EINVAL;
+
+                if (!(ht_cap->cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) ||
+                    ht_cap->cap & IEEE80211_HT_CAP_40MHZ_INTOLERANT)
+                        return -EINVAL;
+        }
+
+        result = rdev->ops->set_channel(&rdev->wiphy, chan, channel_type);
+        if (result)
+                return result;
+
+        rdev->channel = chan;
+
+        return 0;
+}
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 1e189306560d..bc99e4ec7463 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -32,6 +32,7 @@ MODULE_DESCRIPTION("wireless configuration support");
  * only read the list, and that can happen quite
  * often because we need to do it for each command */
 LIST_HEAD(cfg80211_rdev_list);
+int cfg80211_rdev_list_generation;
 
 /*
  * This is used to protect the cfg80211_rdev_list
@@ -411,6 +412,8 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
         rdev->wiphy.dev.class = &ieee80211_class;
         rdev->wiphy.dev.platform_data = rdev;
 
+        rdev->wiphy.ps_default = CONFIG_CFG80211_DEFAULT_PS_VALUE;
+
         wiphy_net_set(&rdev->wiphy, &init_net);
 
         rdev->rfkill_ops.set_block = cfg80211_rfkill_set_block;
@@ -511,6 +514,7 @@ int wiphy_register(struct wiphy *wiphy)
         wiphy_update_regulatory(wiphy, NL80211_REGDOM_SET_BY_CORE);
 
         list_add(&rdev->list, &cfg80211_rdev_list);
+        cfg80211_rdev_list_generation++;
 
         mutex_unlock(&cfg80211_mutex);
 
@@ -593,13 +597,14 @@ void wiphy_unregister(struct wiphy *wiphy)
         reg_device_remove(wiphy);
 
         list_del(&rdev->list);
+        cfg80211_rdev_list_generation++;
         device_del(&rdev->wiphy.dev);
         debugfs_remove(rdev->wiphy.debugfsdir);
 
         mutex_unlock(&cfg80211_mutex);
 
+        flush_work(&rdev->scan_done_wk);
         cancel_work_sync(&rdev->conn_work);
-        cancel_work_sync(&rdev->scan_done_wk);
         kfree(rdev->scan_req);
         flush_work(&rdev->event_work);
 }
@@ -653,6 +658,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                 spin_lock_init(&wdev->event_lock);
                 mutex_lock(&rdev->devlist_mtx);
                 list_add(&wdev->list, &rdev->netdev_list);
+                rdev->devlist_generation++;
                 /* can only change netns with wiphy */
                 dev->features |= NETIF_F_NETNS_LOCAL;
 
@@ -670,7 +676,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                 wdev->wext.default_key = -1;
                 wdev->wext.default_mgmt_key = -1;
                 wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
-                wdev->wext.ps = CONFIG_CFG80211_DEFAULT_PS_VALUE;
+                wdev->wext.ps = wdev->wiphy->ps_default;
                 wdev->wext.ps_timeout = 100;
                 if (rdev->ops->set_power_mgmt)
                         if (rdev->ops->set_power_mgmt(wdev->wiphy, dev,
@@ -706,6 +712,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
         case NETDEV_UP:
 #ifdef CONFIG_WIRELESS_EXT
                 cfg80211_lock_rdev(rdev);
+                mutex_lock(&rdev->devlist_mtx);
                 wdev_lock(wdev);
                 switch (wdev->iftype) {
                 case NL80211_IFTYPE_ADHOC:
@@ -718,10 +725,18 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                         break;
                 }
                 wdev_unlock(wdev);
+                mutex_unlock(&rdev->devlist_mtx);
                 cfg80211_unlock_rdev(rdev);
 #endif
                 break;
         case NETDEV_UNREGISTER:
+                cfg80211_lock_rdev(rdev);
+
+                if (WARN_ON(rdev->scan_req && rdev->scan_req->dev == dev)) {
+                        rdev->scan_req->aborted = true;
+                        ___cfg80211_scan_done(rdev);
+                }
+
                 mutex_lock(&rdev->devlist_mtx);
                 /*
                  * It is possible to get NETDEV_UNREGISTER
@@ -733,12 +748,14 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                 if (!list_empty(&wdev->list)) {
                         sysfs_remove_link(&dev->dev.kobj, "phy80211");
                         list_del_init(&wdev->list);
+                        rdev->devlist_generation++;
                         mutex_destroy(&wdev->mtx);
 #ifdef CONFIG_WIRELESS_EXT
                         kfree(wdev->wext.keys);
 #endif
                 }
                 mutex_unlock(&rdev->devlist_mtx);
+                cfg80211_unlock_rdev(rdev);
                 break;
         case NETDEV_PRE_UP:
                 if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 325c17e6198c..c603f5286326 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -49,6 +49,7 @@ struct cfg80211_registered_device {
         /* associate netdev list */
         struct mutex devlist_mtx;
         struct list_head netdev_list;
+        int devlist_generation;
 
         /* BSSes/scanning */
         spinlock_t bss_lock;
@@ -101,6 +102,7 @@ bool wiphy_idx_valid(int wiphy_idx)
 
 extern struct mutex cfg80211_mutex;
 extern struct list_head cfg80211_rdev_list;
+extern int cfg80211_rdev_list_generation;
 
 #define assert_cfg80211_lock() WARN_ON(!mutex_is_locked(&cfg80211_mutex))
 
@@ -335,7 +337,8 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 int __cfg80211_connect(struct cfg80211_registered_device *rdev,
                        struct net_device *dev,
                        struct cfg80211_connect_params *connect,
-                       struct cfg80211_cached_keys *connkeys);
+                       struct cfg80211_cached_keys *connkeys,
+                       const u8 *prev_bssid);
 int cfg80211_connect(struct cfg80211_registered_device *rdev,
                      struct net_device *dev,
                      struct cfg80211_connect_params *connect,
@@ -353,6 +356,7 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
                               struct wireless_dev *wdev);
 
 void cfg80211_conn_work(struct work_struct *work);
+bool cfg80211_sme_failed_reassoc(struct wireless_dev *wdev);
 
 /* internal helpers */
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
@@ -364,6 +368,14 @@ void cfg80211_sme_scan_done(struct net_device *dev);
 void cfg80211_sme_rx_auth(struct net_device *dev, const u8 *buf, size_t len);
 void cfg80211_sme_disassoc(struct net_device *dev, int idx);
 void __cfg80211_scan_done(struct work_struct *wk);
+void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev);
 void cfg80211_upload_connect_keys(struct wireless_dev *wdev);
 
+struct ieee80211_channel *
+rdev_fixed_channel(struct cfg80211_registered_device *rdev,
+                   struct wireless_dev *for_wdev);
+int rdev_set_freq(struct cfg80211_registered_device *rdev,
+                  struct wireless_dev *for_wdev,
+                  int freq, enum nl80211_channel_type channel_type);
+
 #endif /* __NET_WIRELESS_CORE_H */
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index 4d7a084b35e2..42840a01be74 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -78,10 +78,15 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
                          struct cfg80211_cached_keys *connkeys)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct ieee80211_channel *chan;
         int err;
 
         ASSERT_WDEV_LOCK(wdev);
 
+        chan = rdev_fixed_channel(rdev, wdev);
+        if (chan && chan != params->channel)
+                return -EBUSY;
+
         if (wdev->ssid_len)
                 return -EALREADY;
 
@@ -112,9 +117,11 @@ int cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         int err;
 
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
         err = __cfg80211_join_ibss(rdev, dev, params, connkeys);
         wdev_unlock(wdev);
+        mutex_unlock(&rdev->devlist_mtx);
 
         return err;
 }
@@ -264,27 +271,32 @@ int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
 
 int cfg80211_ibss_wext_siwfreq(struct net_device *dev,
                                struct iw_request_info *info,
-                               struct iw_freq *freq, char *extra)
+                               struct iw_freq *wextfreq, char *extra)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct ieee80211_channel *chan;
-        int err;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
+        struct ieee80211_channel *chan = NULL;
+        int err, freq;
 
         /* call only for ibss! */
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_ADHOC))
                 return -EINVAL;
 
-        if (!wiphy_to_dev(wdev->wiphy)->ops->join_ibss)
+        if (!rdev->ops->join_ibss)
                 return -EOPNOTSUPP;
 
-        chan = cfg80211_wext_freq(wdev->wiphy, freq);
-        if (chan && IS_ERR(chan))
-                return PTR_ERR(chan);
+        freq = cfg80211_wext_freq(wdev->wiphy, wextfreq);
+        if (freq < 0)
+                return freq;
 
-        if (chan &&
-            (chan->flags & IEEE80211_CHAN_NO_IBSS ||
-             chan->flags & IEEE80211_CHAN_DISABLED))
-                return -EINVAL;
+        if (freq) {
+                chan = ieee80211_get_channel(wdev->wiphy, freq);
+                if (!chan)
+                        return -EINVAL;
+                if (chan->flags & IEEE80211_CHAN_NO_IBSS ||
+                    chan->flags & IEEE80211_CHAN_DISABLED)
+                        return -EINVAL;
+        }
 
         if (wdev->wext.ibss.channel == chan)
                 return 0;
@@ -292,8 +304,7 @@ int cfg80211_ibss_wext_siwfreq(struct net_device *dev,
         wdev_lock(wdev);
         err = 0;
         if (wdev->ssid_len)
-                err = __cfg80211_leave_ibss(wiphy_to_dev(wdev->wiphy),
-                                            dev, true);
+                err = __cfg80211_leave_ibss(rdev, dev, true);
         wdev_unlock(wdev);
 
         if (err)
@@ -307,9 +318,11 @@ int cfg80211_ibss_wext_siwfreq(struct net_device *dev,
                 wdev->wext.ibss.channel_fixed = false;
         }
 
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
-        err = cfg80211_ibss_wext_join(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_ibss_wext_join(rdev, wdev);
         wdev_unlock(wdev);
+        mutex_unlock(&rdev->devlist_mtx);
 
         return err;
 }
@@ -347,6 +360,7 @@ int cfg80211_ibss_wext_siwessid(struct net_device *dev,
                                 struct iw_point *data, char *ssid)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         size_t len = data->length;
         int err;
 
@@ -354,14 +368,13 @@ int cfg80211_ibss_wext_siwessid(struct net_device *dev,
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_ADHOC))
                 return -EINVAL;
 
-        if (!wiphy_to_dev(wdev->wiphy)->ops->join_ibss)
+        if (!rdev->ops->join_ibss)
                 return -EOPNOTSUPP;
 
         wdev_lock(wdev);
         err = 0;
         if (wdev->ssid_len)
-                err = __cfg80211_leave_ibss(wiphy_to_dev(wdev->wiphy),
-                                            dev, true);
+                err = __cfg80211_leave_ibss(rdev, dev, true);
         wdev_unlock(wdev);
 
         if (err)
@@ -375,9 +388,11 @@ int cfg80211_ibss_wext_siwessid(struct net_device *dev,
         memcpy(wdev->wext.ibss.ssid, ssid, len);
         wdev->wext.ibss.ssid_len = len;
 
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
-        err = cfg80211_ibss_wext_join(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_ibss_wext_join(rdev, wdev);
         wdev_unlock(wdev);
+        mutex_unlock(&rdev->devlist_mtx);
 
         return err;
 }
@@ -414,6 +429,7 @@ int cfg80211_ibss_wext_siwap(struct net_device *dev,
                              struct sockaddr *ap_addr, char *extra)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         u8 *bssid = ap_addr->sa_data;
         int err;
 
@@ -421,7 +437,7 @@ int cfg80211_ibss_wext_siwap(struct net_device *dev,
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_ADHOC))
                 return -EINVAL;
 
-        if (!wiphy_to_dev(wdev->wiphy)->ops->join_ibss)
+        if (!rdev->ops->join_ibss)
                 return -EOPNOTSUPP;
 
         if (ap_addr->sa_family != ARPHRD_ETHER)
@@ -443,8 +459,7 @@ int cfg80211_ibss_wext_siwap(struct net_device *dev,
         wdev_lock(wdev);
         err = 0;
         if (wdev->ssid_len)
-                err = __cfg80211_leave_ibss(wiphy_to_dev(wdev->wiphy),
-                                            dev, true);
+                err = __cfg80211_leave_ibss(rdev, dev, true);
         wdev_unlock(wdev);
 
         if (err)
@@ -456,9 +471,11 @@ int cfg80211_ibss_wext_siwap(struct net_device *dev,
         } else
                 wdev->wext.ibss.bssid = NULL;
 
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
-        err = cfg80211_ibss_wext_join(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_ibss_wext_join(rdev, wdev);
         wdev_unlock(wdev);
+        mutex_unlock(&rdev->devlist_mtx);
 
         return err;
 }
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 525e8e247b30..da64071ceb84 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -67,6 +67,16 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
 
         status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
 
+        /*
+         * This is a bit of a hack, we don't notify userspace of
+         * a (re-)association reply if we tried to send a reassoc
+         * and got a reject -- we only try again with an assoc
+         * frame instead of reassoc.
+         */
+        if (status_code != WLAN_STATUS_SUCCESS && wdev->conn &&
+            cfg80211_sme_failed_reassoc(wdev))
+                goto out;
+
         nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL);
 
         if (status_code == WLAN_STATUS_SUCCESS) {
@@ -97,6 +107,7 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
                 cfg80211_put_bss(&bss->pub);
         }
 
+ out:
         wdev_unlock(wdev);
 }
 EXPORT_SYMBOL(cfg80211_send_rx_assoc);
@@ -149,7 +160,7 @@ static void __cfg80211_send_deauth(struct net_device *dev,
 
                 reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
 
-                from_ap = memcmp(mgmt->da, dev->dev_addr, ETH_ALEN) == 0;
+                from_ap = memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0;
                 __cfg80211_disconnected(dev, NULL, 0, reason_code, from_ap);
         } else if (wdev->sme_state == CFG80211_SME_CONNECTING) {
                 __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
@@ -198,7 +209,7 @@ static void __cfg80211_send_disassoc(struct net_device *dev,
                 return;
 
         if (wdev->current_bss &&
-            memcmp(wdev->current_bss, bssid, ETH_ALEN) == 0) {
+            memcmp(wdev->current_bss->pub.bssid, bssid, ETH_ALEN) == 0) {
                 for (i = 0; i < MAX_AUTH_BSSES; i++) {
                         if (wdev->authtry_bsses[i] || wdev->auth_bsses[i])
                                 continue;
@@ -215,7 +226,7 @@ static void __cfg80211_send_disassoc(struct net_device *dev,
 
         reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
 
-        from_ap = memcmp(mgmt->da, dev->dev_addr, ETH_ALEN) == 0;
+        from_ap = memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0;
         __cfg80211_disconnected(dev, NULL, 0, reason_code, from_ap);
 }
 
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0cd548267d4a..a8aaadeb6773 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -408,6 +408,9 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, dev->wiphy_idx);
         NLA_PUT_STRING(msg, NL80211_ATTR_WIPHY_NAME, wiphy_name(&dev->wiphy));
 
+        NLA_PUT_U32(msg, NL80211_ATTR_GENERATION,
+                    cfg80211_rdev_list_generation);
+
         NLA_PUT_U8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
                    dev->wiphy.retry_short);
         NLA_PUT_U8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
@@ -701,15 +704,8 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
 
         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
                 enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
-                struct ieee80211_channel *chan;
-                struct ieee80211_sta_ht_cap *ht_cap;
                 u32 freq;
 
-                if (!rdev->ops->set_channel) {
-                        result = -EOPNOTSUPP;
-                        goto bad_res;
-                }
-
                 result = -EINVAL;
 
                 if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
@@ -723,42 +719,12 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                 }
 
                 freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
-                chan = ieee80211_get_channel(&rdev->wiphy, freq);
-
-                /* Primary channel not allowed */
-                if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
-                        goto bad_res;
-
-                if (channel_type == NL80211_CHAN_HT40MINUS &&
-                    (chan->flags & IEEE80211_CHAN_NO_HT40MINUS))
-                        goto bad_res;
-                else if (channel_type == NL80211_CHAN_HT40PLUS &&
-                         (chan->flags & IEEE80211_CHAN_NO_HT40PLUS))
-                        goto bad_res;
-
-                /*
-                 * At this point we know if that if HT40 was requested
-                 * we are allowed to use it and the extension channel
-                 * exists.
-                 */
-
-                ht_cap = &rdev->wiphy.bands[chan->band]->ht_cap;
-
-                /* no HT capabilities or intolerant */
-                if (channel_type != NL80211_CHAN_NO_HT) {
-                        if (!ht_cap->ht_supported)
-                                goto bad_res;
-                        if (!(ht_cap->cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) ||
-                            (ht_cap->cap & IEEE80211_HT_CAP_40MHZ_INTOLERANT))
-                                goto bad_res;
-                }
 
-                result = rdev->ops->set_channel(&rdev->wiphy, chan,
-                                                channel_type);
+                mutex_lock(&rdev->devlist_mtx);
+                result = rdev_set_freq(rdev, NULL, freq, channel_type);
+                mutex_unlock(&rdev->devlist_mtx);
                 if (result)
                         goto bad_res;
-
-                rdev->channel = chan;
         }
 
         changed = 0;
@@ -862,6 +828,11 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 pid, u32 seq, int flags,
         NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
         NLA_PUT_STRING(msg, NL80211_ATTR_IFNAME, dev->name);
         NLA_PUT_U32(msg, NL80211_ATTR_IFTYPE, dev->ieee80211_ptr->iftype);
+
+        NLA_PUT_U32(msg, NL80211_ATTR_GENERATION,
+                    rdev->devlist_generation ^
+                        (cfg80211_rdev_list_generation << 2));
+
         return genlmsg_end(msg, hdr);
 
  nla_put_failure:
@@ -875,12 +846,12 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *
         int if_idx = 0;
         int wp_start = cb->args[0];
         int if_start = cb->args[1];
-        struct cfg80211_registered_device *dev;
+        struct cfg80211_registered_device *rdev;
         struct wireless_dev *wdev;
 
         mutex_lock(&cfg80211_mutex);
-        list_for_each_entry(dev, &cfg80211_rdev_list, list) {
-                if (!net_eq(wiphy_net(&dev->wiphy), sock_net(skb->sk)))
+        list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
+                if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
                         continue;
                 if (wp_idx < wp_start) {
                         wp_idx++;
@@ -888,21 +859,21 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *
                 }
                 if_idx = 0;
 
-                mutex_lock(&dev->devlist_mtx);
-                list_for_each_entry(wdev, &dev->netdev_list, list) {
+                mutex_lock(&rdev->devlist_mtx);
+                list_for_each_entry(wdev, &rdev->netdev_list, list) {
                         if (if_idx < if_start) {
                                 if_idx++;
                                 continue;
                         }
                         if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).pid,
                                                cb->nlh->nlmsg_seq, NLM_F_MULTI,
-                                               dev, wdev->netdev) < 0) {
-                                mutex_unlock(&dev->devlist_mtx);
+                                               rdev, wdev->netdev) < 0) {
+                                mutex_unlock(&rdev->devlist_mtx);
                                 goto out;
                         }
                         if_idx++;
                 }
-                mutex_unlock(&dev->devlist_mtx);
+                mutex_unlock(&rdev->devlist_mtx);
 
                 wp_idx++;
         }
@@ -1653,6 +1624,8 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
         NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
 
+        NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, sinfo->generation);
+
         sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
         if (!sinfoattr)
                 goto nla_put_failure;
@@ -2138,6 +2111,8 @@ static int nl80211_send_mpath(struct sk_buff *msg, u32 pid, u32 seq,
         NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, dst);
         NLA_PUT(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop);
 
+        NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, pinfo->generation);
+
         pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
         if (!pinfoattr)
                 goto nla_put_failure;
@@ -3027,10 +3002,9 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
                 goto out;
         }
 
-        request->channels = (void *)((char *)request + sizeof(*request));
         request->n_channels = n_channels;
         if (n_ssids)
-                request->ssids = (void *)(request->channels + n_channels);
+                request->ssids = (void *)&request->channels[n_channels];
         request->n_ssids = n_ssids;
         if (ie_len) {
                 if (request->ssids)
@@ -3127,8 +3101,7 @@ static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags,
         if (!hdr)
                 return -1;
 
-        NLA_PUT_U32(msg, NL80211_ATTR_SCAN_GENERATION,
-                    rdev->bss_generation);
+        NLA_PUT_U32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation);
         NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex);
 
         bss = nla_nest_start(msg, NL80211_ATTR_BSS);
@@ -3453,7 +3426,7 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
         struct cfg80211_registered_device *rdev;
         struct net_device *dev;
         struct cfg80211_crypto_settings crypto;
-        struct ieee80211_channel *chan;
+        struct ieee80211_channel *chan, *fixedchan;
         const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
         int err, ssid_len, ie_len = 0;
         bool use_mfp = false;
@@ -3496,6 +3469,15 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
                 goto out;
         }
 
+        mutex_lock(&rdev->devlist_mtx);
+        fixedchan = rdev_fixed_channel(rdev, NULL);
+        if (fixedchan && chan != fixedchan) {
+                err = -EBUSY;
+                mutex_unlock(&rdev->devlist_mtx);
+                goto out;
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+
         ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
         ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
 
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 0f61ae613f3b..f256dfffbf46 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1018,7 +1018,6 @@ static void handle_channel(struct wiphy *wiphy, enum ieee80211_band band,
                         map_regdom_flags(reg_rule->flags) | bw_flags;
                 chan->max_antenna_gain = chan->orig_mag =
                         (int) MBI_TO_DBI(power_rule->max_antenna_gain);
-                chan->max_bandwidth = KHZ_TO_MHZ(desired_bw_khz);
                 chan->max_power = chan->orig_mpwr =
                         (int) MBM_TO_DBM(power_rule->max_eirp);
                 return;
@@ -1027,7 +1026,6 @@ static void handle_channel(struct wiphy *wiphy, enum ieee80211_band band,
         chan->flags = flags | bw_flags | map_regdom_flags(reg_rule->flags);
         chan->max_antenna_gain = min(chan->orig_mag,
                 (int) MBI_TO_DBI(power_rule->max_antenna_gain));
-        chan->max_bandwidth = KHZ_TO_MHZ(desired_bw_khz);
         if (chan->orig_mpwr)
                 chan->max_power = min(chan->orig_mpwr,
                         (int) MBM_TO_DBM(power_rule->max_eirp));
@@ -1329,7 +1327,6 @@ static void handle_channel_custom(struct wiphy *wiphy,
 
         chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags;
         chan->max_antenna_gain = (int) MBI_TO_DBI(power_rule->max_antenna_gain);
-        chan->max_bandwidth = KHZ_TO_MHZ(desired_bw_khz);
         chan->max_power = (int) MBM_TO_DBM(power_rule->max_eirp);
 }
 
@@ -1427,7 +1424,7 @@ static int ignore_request(struct wiphy *wiphy,
                         if (last_wiphy != wiphy) {
                                 /*
                                  * Two cards with two APs claiming different
-                                 * different Country IE alpha2s. We could
+                                 * Country IE alpha2s. We could
                                  * intersect them, but that seems unlikely
                                  * to be correct. Reject second one for now.
                                  */
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0ccf3a07dc02..fe575a24c95c 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -18,19 +18,14 @@
 
 #define IEEE80211_SCAN_RESULT_EXPIRE    (15 * HZ)
 
-void __cfg80211_scan_done(struct work_struct *wk)
+void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
 {
-        struct cfg80211_registered_device *rdev;
         struct cfg80211_scan_request *request;
         struct net_device *dev;
 #ifdef CONFIG_WIRELESS_EXT
         union iwreq_data wrqu;
 #endif
 
-        rdev = container_of(wk, struct cfg80211_registered_device,
-                            scan_done_wk);
-
-        mutex_lock(&rdev->mtx);
         request = rdev->scan_req;
 
         dev = request->dev;
@@ -43,9 +38,9 @@ void __cfg80211_scan_done(struct work_struct *wk)
         cfg80211_sme_scan_done(dev);
 
         if (request->aborted)
-                nl80211_send_scan_aborted(wiphy_to_dev(request->wiphy), dev);
+                nl80211_send_scan_aborted(rdev, dev);
         else
-                nl80211_send_scan_done(wiphy_to_dev(request->wiphy), dev);
+                nl80211_send_scan_done(rdev, dev);
 
 #ifdef CONFIG_WIRELESS_EXT
         if (!request->aborted) {
@@ -57,11 +52,22 @@ void __cfg80211_scan_done(struct work_struct *wk)
 
         dev_put(dev);
 
-        cfg80211_unlock_rdev(rdev);
-        wiphy_to_dev(request->wiphy)->scan_req = NULL;
+        rdev->scan_req = NULL;
         kfree(request);
 }
 
+void __cfg80211_scan_done(struct work_struct *wk)
+{
+        struct cfg80211_registered_device *rdev;
+
+        rdev = container_of(wk, struct cfg80211_registered_device,
+                            scan_done_wk);
+
+        cfg80211_lock_rdev(rdev);
+        ___cfg80211_scan_done(rdev);
+        cfg80211_unlock_rdev(rdev);
+}
+
 void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
 {
         WARN_ON(request != wiphy_to_dev(request->wiphy)->scan_req);
@@ -562,6 +568,7 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
         spin_lock_bh(&dev->bss_lock);
 
         list_del(&bss->list);
+        dev->bss_generation++;
         rb_erase(&bss->rbn, &dev->bss_tree);
 
         spin_unlock_bh(&dev->bss_lock);
@@ -611,8 +618,8 @@ int cfg80211_wext_siwscan(struct net_device *dev,
 
         creq->wiphy = wiphy;
         creq->dev = dev;
-        creq->ssids = (void *)(creq + 1);
-        creq->channels = (void *)(creq->ssids + 1);
+        /* SSIDs come after channels */
+        creq->ssids = (void *)&creq->channels[n_channels];
         creq->n_channels = n_channels;
         creq->n_ssids = 1;
 
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 8a7dcbf90602..8e2ef54ea714 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -27,10 +27,10 @@ struct cfg80211_conn {
                 CFG80211_CONN_ASSOCIATE_NEXT,
                 CFG80211_CONN_ASSOCIATING,
         } state;
-        u8 bssid[ETH_ALEN];
+        u8 bssid[ETH_ALEN], prev_bssid[ETH_ALEN];
         u8 *ie;
         size_t ie_len;
-        bool auto_auth;
+        bool auto_auth, prev_bssid_valid;
 };
 
 
@@ -65,7 +65,6 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
         if (!request)
                 return -ENOMEM;
 
-        request->channels = (void *)((char *)request + sizeof(*request));
         if (wdev->conn->params.channel)
                 request->channels[0] = wdev->conn->params.channel;
         else {
@@ -82,7 +81,7 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
                 }
         }
         request->n_channels = n_channels;
-        request->ssids = (void *)(request->channels + n_channels);
+        request->ssids = (void *)&request->channels[n_channels];
         request->n_ssids = 1;
 
         memcpy(request->ssids[0].ssid, wdev->conn->params.ssid,
@@ -110,6 +109,7 @@ static int cfg80211_conn_do_work(struct wireless_dev *wdev)
 {
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         struct cfg80211_connect_params *params;
+        const u8 *prev_bssid = NULL;
         int err;
 
         ASSERT_WDEV_LOCK(wdev);
@@ -135,15 +135,11 @@ static int cfg80211_conn_do_work(struct wireless_dev *wdev)
         case CFG80211_CONN_ASSOCIATE_NEXT:
                 BUG_ON(!rdev->ops->assoc);
                 wdev->conn->state = CFG80211_CONN_ASSOCIATING;
-                /*
-                 * We could, later, implement roaming here and then actually
-                 * set prev_bssid to non-NULL. But then we need to be aware
-                 * that some APs don't like that -- so we'd need to retry
-                 * the association.
-                 */
+                if (wdev->conn->prev_bssid_valid)
+                        prev_bssid = wdev->conn->prev_bssid;
                 err = __cfg80211_mlme_assoc(rdev, wdev->netdev,
                                             params->channel, params->bssid,
-                                            NULL,
+                                            prev_bssid,
                                             params->ssid, params->ssid_len,
                                             params->ie, params->ie_len,
                                             false, &params->crypto);
@@ -256,9 +252,11 @@ void cfg80211_sme_scan_done(struct net_device *dev)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
 
+        mutex_lock(&wiphy_to_dev(wdev->wiphy)->devlist_mtx);
         wdev_lock(wdev);
         __cfg80211_sme_scan_done(dev);
         wdev_unlock(wdev);
+        mutex_unlock(&wiphy_to_dev(wdev->wiphy)->devlist_mtx);
 }
 
 void cfg80211_sme_rx_auth(struct net_device *dev,
@@ -314,6 +312,28 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
         }
 }
 
+bool cfg80211_sme_failed_reassoc(struct wireless_dev *wdev)
+{
+        struct wiphy *wiphy = wdev->wiphy;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+
+        if (WARN_ON(!wdev->conn))
+                return false;
+
+        if (!wdev->conn->prev_bssid_valid)
+                return false;
+
+        /*
+         * Some stupid APs don't accept reassoc, so we
+         * need to fall back to trying regular assoc.
+         */
+        wdev->conn->prev_bssid_valid = false;
+        wdev->conn->state = CFG80211_CONN_ASSOCIATE_NEXT;
+        schedule_work(&rdev->conn_work);
+
+        return true;
+}
+
 void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                                const u8 *req_ie, size_t req_ie_len,
                                const u8 *resp_ie, size_t resp_ie_len,
@@ -357,8 +377,11 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 
                 memset(&wrqu, 0, sizeof(wrqu));
                 wrqu.ap_addr.sa_family = ARPHRD_ETHER;
-                if (bssid && status == WLAN_STATUS_SUCCESS)
+                if (bssid && status == WLAN_STATUS_SUCCESS) {
                         memcpy(wrqu.ap_addr.sa_data, bssid, ETH_ALEN);
+                        memcpy(wdev->wext.prev_bssid, bssid, ETH_ALEN);
+                        wdev->wext.prev_bssid_valid = true;
+                }
                 wireless_send_event(dev, SIOCGIWAP, &wrqu, NULL);
         }
 #endif
@@ -509,6 +532,8 @@ void __cfg80211_roamed(struct wireless_dev *wdev, const u8 *bssid,
         memset(&wrqu, 0, sizeof(wrqu));
         wrqu.ap_addr.sa_family = ARPHRD_ETHER;
         memcpy(wrqu.ap_addr.sa_data, bssid, ETH_ALEN);
+        memcpy(wdev->wext.prev_bssid, bssid, ETH_ALEN);
+        wdev->wext.prev_bssid_valid = true;
         wireless_send_event(wdev->netdev, SIOCGIWAP, &wrqu, NULL);
 #endif
 }
@@ -570,10 +595,30 @@ void __cfg80211_disconnected(struct net_device *dev, const u8 *ie,
         wdev->ssid_len = 0;
 
         if (wdev->conn) {
+                const u8 *bssid;
+                int ret;
+
                 kfree(wdev->conn->ie);
                 wdev->conn->ie = NULL;
                 kfree(wdev->conn);
                 wdev->conn = NULL;
+
+                /*
+                 * If this disconnect was due to a disassoc, we
+                 * we might still have an auth BSS around. For
+                 * the userspace SME that's currently expected,
+                 * but for the kernel SME (nl80211 CONNECT or
+                 * wireless extensions) we want to clear up all
+                 * state.
+                 */
+                for (i = 0; i < MAX_AUTH_BSSES; i++) {
+                        if (!wdev->auth_bsses[i])
+                                continue;
+                        bssid = wdev->auth_bsses[i]->pub.bssid;
+                        ret = __cfg80211_mlme_deauth(rdev, dev, bssid, NULL, 0,
+                                                WLAN_REASON_DEAUTH_LEAVING);
+                        WARN(ret, "deauth failed: %d\n", ret);
+                }
         }
 
         nl80211_send_disconnected(rdev, dev, reason, ie, ie_len, from_ap);
@@ -621,9 +666,11 @@ EXPORT_SYMBOL(cfg80211_disconnected);
 int __cfg80211_connect(struct cfg80211_registered_device *rdev,
                        struct net_device *dev,
                        struct cfg80211_connect_params *connect,
-                       struct cfg80211_cached_keys *connkeys)
+                       struct cfg80211_cached_keys *connkeys,
+                       const u8 *prev_bssid)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct ieee80211_channel *chan;
         int err;
 
         ASSERT_WDEV_LOCK(wdev);
@@ -631,6 +678,10 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
         if (wdev->sme_state != CFG80211_SME_IDLE)
                 return -EALREADY;
 
+        chan = rdev_fixed_channel(rdev, wdev);
+        if (chan && chan != connect->channel)
+                return -EBUSY;
+
         if (WARN_ON(wdev->connect_keys)) {
                 kfree(wdev->connect_keys);
                 wdev->connect_keys = NULL;
@@ -638,14 +689,28 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
 
         if (connkeys && connkeys->def >= 0) {
                 int idx;
+                u32 cipher;
 
                 idx = connkeys->def;
+                cipher = connkeys->params[idx].cipher;
                 /* If given a WEP key we may need it for shared key auth */
-                if (connkeys->params[idx].cipher == WLAN_CIPHER_SUITE_WEP40 ||
-                    connkeys->params[idx].cipher == WLAN_CIPHER_SUITE_WEP104) {
+                if (cipher == WLAN_CIPHER_SUITE_WEP40 ||
+                    cipher == WLAN_CIPHER_SUITE_WEP104) {
                         connect->key_idx = idx;
                         connect->key = connkeys->params[idx].key;
                         connect->key_len = connkeys->params[idx].key_len;
+
+                        /*
+                         * If ciphers are not set (e.g. when going through
+                         * iwconfig), we have to set them appropriately here.
+                         */
+                        if (connect->crypto.cipher_group == 0)
+                                connect->crypto.cipher_group = cipher;
+
+                        if (connect->crypto.n_ciphers_pairwise == 0) {
+                                connect->crypto.n_ciphers_pairwise = 1;
+                                connect->crypto.ciphers_pairwise[0] = cipher;
+                        }
                 }
         }
 
@@ -701,6 +766,11 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
                 wdev->sme_state = CFG80211_SME_CONNECTING;
                 wdev->connect_keys = connkeys;
 
+                if (prev_bssid) {
+                        memcpy(wdev->conn->prev_bssid, prev_bssid, ETH_ALEN);
+                        wdev->conn->prev_bssid_valid = true;
+                }
+
                 /* we're good if we have both BSSID and channel */
                 if (wdev->conn->params.bssid && wdev->conn->params.channel) {
                         wdev->conn->state = CFG80211_CONN_AUTHENTICATE_NEXT;
@@ -751,9 +821,11 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
 {
         int err;
 
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(dev->ieee80211_ptr);
-        err = __cfg80211_connect(rdev, dev, connect, connkeys);
+        err = __cfg80211_connect(rdev, dev, connect, connkeys, NULL);
         wdev_unlock(dev->ieee80211_ptr);
+        mutex_unlock(&rdev->devlist_mtx);
 
         return err;
 }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index ba387d85dcfd..693275a16a26 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -274,11 +274,11 @@ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
         switch (ae) {
         case 0:
                 return 6;
-        case 1:
+        case MESH_FLAGS_AE_A4:
                 return 12;
-        case 2:
+        case MESH_FLAGS_AE_A5_A6:
                 return 18;
-        case 3:
+        case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
                 return 24;
         default:
                 return 6;
@@ -333,10 +333,18 @@ int ieee80211_data_to_8023(struct sk_buff *skb, u8 *addr,
                 }
                 break;
         case cpu_to_le16(IEEE80211_FCTL_FROMDS):
-                if (iftype != NL80211_IFTYPE_STATION ||
+                if ((iftype != NL80211_IFTYPE_STATION &&
+                    iftype != NL80211_IFTYPE_MESH_POINT) ||
                     (is_multicast_ether_addr(dst) &&
                      !compare_ether_addr(src, addr)))
                         return -1;
+                if (iftype == NL80211_IFTYPE_MESH_POINT) {
+                        struct ieee80211s_hdr *meshdr =
+                                (struct ieee80211s_hdr *) (skb->data + hdrlen);
+                        hdrlen += ieee80211_get_mesh_hdrlen(meshdr);
+                        if (meshdr->flags & MESH_FLAGS_AE_A4)
+                                memcpy(src, meshdr->eaddr1, ETH_ALEN);
+                }
                 break;
         case cpu_to_le16(0):
                 if (iftype != NL80211_IFTYPE_ADHOC)
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index e4e90e249bab..c44917492210 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -267,39 +267,26 @@ EXPORT_SYMBOL_GPL(cfg80211_wext_giwrange);
  * @wiphy: the wiphy
  * @freq: the wext freq encoding
  *
- * Returns a channel, %NULL for auto, or an ERR_PTR for errors!
+ * Returns a frequency, or a negative error code, or 0 for auto.
  */
-struct ieee80211_channel *cfg80211_wext_freq(struct wiphy *wiphy,
-                                             struct iw_freq *freq)
+int cfg80211_wext_freq(struct wiphy *wiphy, struct iw_freq *freq)
 {
-        struct ieee80211_channel *chan;
-        int f;
-
         /*
-         * Parse frequency - return NULL for auto and
+         * Parse frequency - return 0 for auto and
          * -EINVAL for impossible things.
          */
         if (freq->e == 0) {
                 if (freq->m < 0)
-                        return NULL;
-                f = ieee80211_channel_to_frequency(freq->m);
+                        return 0;
+                return ieee80211_channel_to_frequency(freq->m);
         } else {
                 int i, div = 1000000;
                 for (i = 0; i < freq->e; i++)
                         div /= 10;
                 if (div <= 0)
-                        return ERR_PTR(-EINVAL);
-                f = freq->m / div;
+                        return -EINVAL;
+                return freq->m / div;
         }
-
-        /*
-         * Look up channel struct and return -EINVAL when
-         * it cannot be found.
-         */
-        chan = ieee80211_get_channel(wiphy, f);
-        if (!chan)
-                return ERR_PTR(-EINVAL);
-        return chan;
 }
 
 int cfg80211_wext_siwrts(struct net_device *dev,
@@ -761,33 +748,29 @@ EXPORT_SYMBOL_GPL(cfg80211_wext_giwencode);
 
 int cfg80211_wext_siwfreq(struct net_device *dev,
                           struct iw_request_info *info,
-                          struct iw_freq *freq, char *extra)
+                          struct iw_freq *wextfreq, char *extra)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
-        struct ieee80211_channel *chan;
-        int err;
+        int freq, err;
 
         switch (wdev->iftype) {
         case NL80211_IFTYPE_STATION:
-                return cfg80211_mgd_wext_siwfreq(dev, info, freq, extra);
+                return cfg80211_mgd_wext_siwfreq(dev, info, wextfreq, extra);
         case NL80211_IFTYPE_ADHOC:
-                return cfg80211_ibss_wext_siwfreq(dev, info, freq, extra);
+                return cfg80211_ibss_wext_siwfreq(dev, info, wextfreq, extra);
         default:
-                chan = cfg80211_wext_freq(wdev->wiphy, freq);
-                if (!chan)
+                freq = cfg80211_wext_freq(wdev->wiphy, wextfreq);
+                if (freq < 0)
+                        return freq;
+                if (freq == 0)
                         return -EINVAL;
-                if (IS_ERR(chan))
-                        return PTR_ERR(chan);
-                err = rdev->ops->set_channel(wdev->wiphy, chan,
-                                             NL80211_CHAN_NO_HT);
-                if (err)
-                        return err;
-                rdev->channel = chan;
-                return 0;
+                mutex_lock(&rdev->devlist_mtx);
+                err = rdev_set_freq(rdev, NULL, freq, NL80211_CHAN_NO_HT);
+                mutex_unlock(&rdev->devlist_mtx);
+                return err;
         }
 }
-EXPORT_SYMBOL_GPL(cfg80211_wext_siwfreq);
 
 int cfg80211_wext_giwfreq(struct net_device *dev,
                           struct iw_request_info *info,
diff --git a/net/wireless/wext-compat.h b/net/wireless/wext-compat.h
index 9a3774749589..20b3daef6964 100644
--- a/net/wireless/wext-compat.h
+++ b/net/wireless/wext-compat.h
@@ -42,8 +42,7 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
                                struct iw_request_info *info,
                                struct iw_point *data, char *ssid);
 
-struct ieee80211_channel *cfg80211_wext_freq(struct wiphy *wiphy,
-                                             struct iw_freq *freq);
+int cfg80211_wext_freq(struct wiphy *wiphy, struct iw_freq *freq);
 
 
 extern const struct iw_handler_def cfg80211_wext_handler;
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index 7bacbd1c2af6..d16cd9ea4d00 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -15,6 +15,7 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
                               struct wireless_dev *wdev)
 {
         struct cfg80211_cached_keys *ck = NULL;
+        const u8 *prev_bssid = NULL;
         int err, i;
 
         ASSERT_RDEV_LOCK(rdev);
@@ -42,8 +43,12 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
                 for (i = 0; i < 6; i++)
                         ck->params[i].key = ck->data[i];
         }
+
+        if (wdev->wext.prev_bssid_valid)
+                prev_bssid = wdev->wext.prev_bssid;
+
         err = __cfg80211_connect(rdev, wdev->netdev,
-                                 &wdev->wext.connect, ck);
+                                 &wdev->wext.connect, ck, prev_bssid);
         if (err)
                 kfree(ck);
 
@@ -52,25 +57,31 @@ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
 
 int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
                               struct iw_request_info *info,
-                              struct iw_freq *freq, char *extra)
+                              struct iw_freq *wextfreq, char *extra)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
-        struct ieee80211_channel *chan;
-        int err;
+        struct ieee80211_channel *chan = NULL;
+        int err, freq;
 
         /* call only for station! */
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
                 return -EINVAL;
 
-        chan = cfg80211_wext_freq(wdev->wiphy, freq);
-        if (chan && IS_ERR(chan))
-                return PTR_ERR(chan);
+        freq = cfg80211_wext_freq(wdev->wiphy, wextfreq);
+        if (freq < 0)
+                return freq;
 
-        if (chan && (chan->flags & IEEE80211_CHAN_DISABLED))
-                return -EINVAL;
+        if (freq) {
+                chan = ieee80211_get_channel(wdev->wiphy, freq);
+                if (!chan)
+                        return -EINVAL;
+                if (chan->flags & IEEE80211_CHAN_DISABLED)
+                        return -EINVAL;
+        }
 
         cfg80211_lock_rdev(rdev);
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
 
         if (wdev->sme_state != CFG80211_SME_IDLE) {
@@ -84,9 +95,8 @@ int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
                 /* if SSID set, we'll try right again, avoid event */
                 if (wdev->wext.connect.ssid_len)
                         event = false;
-                err = __cfg80211_disconnect(wiphy_to_dev(wdev->wiphy),
-                                            dev, WLAN_REASON_DEAUTH_LEAVING,
-                                            event);
+                err = __cfg80211_disconnect(rdev, dev,
+                                            WLAN_REASON_DEAUTH_LEAVING, event);
                 if (err)
                         goto out;
         }
@@ -95,17 +105,15 @@ int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
         wdev->wext.connect.channel = chan;
 
         /* SSID is not set, we just want to switch channel */
-        if (wdev->wext.connect.ssid_len && chan) {
-                err = -EOPNOTSUPP;
-                if (rdev->ops->set_channel)
-                        err = rdev->ops->set_channel(wdev->wiphy, chan,
-                                                     NL80211_CHAN_NO_HT);
+        if (chan && !wdev->wext.connect.ssid_len) {
+                err = rdev_set_freq(rdev, wdev, freq, NL80211_CHAN_NO_HT);
                 goto out;
         }
 
-        err = cfg80211_mgd_wext_connect(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_mgd_wext_connect(rdev, wdev);
  out:
         wdev_unlock(wdev);
+        mutex_unlock(&rdev->devlist_mtx);
         cfg80211_unlock_rdev(rdev);
         return err;
 }
@@ -143,6 +151,7 @@ int cfg80211_mgd_wext_siwessid(struct net_device *dev,
                                struct iw_point *data, char *ssid)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         size_t len = data->length;
         int err;
 
@@ -157,7 +166,8 @@ int cfg80211_mgd_wext_siwessid(struct net_device *dev,
         if (len > 0 && ssid[len - 1] == '\0')
                 len--;
 
-        cfg80211_lock_rdev(wiphy_to_dev(wdev->wiphy));
+        cfg80211_lock_rdev(rdev);
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
 
         err = 0;
@@ -173,23 +183,24 @@ int cfg80211_mgd_wext_siwessid(struct net_device *dev,
                 /* if SSID set now, we'll try to connect, avoid event */
                 if (len)
                         event = false;
-                err = __cfg80211_disconnect(wiphy_to_dev(wdev->wiphy),
-                                            dev, WLAN_REASON_DEAUTH_LEAVING,
-                                            event);
+                err = __cfg80211_disconnect(rdev, dev,
+                                            WLAN_REASON_DEAUTH_LEAVING, event);
                 if (err)
                         goto out;
         }
 
+        wdev->wext.prev_bssid_valid = false;
         wdev->wext.connect.ssid = wdev->wext.ssid;
         memcpy(wdev->wext.ssid, ssid, len);
         wdev->wext.connect.ssid_len = len;
 
         wdev->wext.connect.crypto.control_port = false;
 
-        err = cfg80211_mgd_wext_connect(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_mgd_wext_connect(rdev, wdev);
  out:
         wdev_unlock(wdev);
-        cfg80211_unlock_rdev(wiphy_to_dev(wdev->wiphy));
+        mutex_unlock(&rdev->devlist_mtx);
+        cfg80211_unlock_rdev(rdev);
         return err;
 }
 
@@ -206,7 +217,15 @@ int cfg80211_mgd_wext_giwessid(struct net_device *dev,
         data->flags = 0;
 
         wdev_lock(wdev);
-        if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+        if (wdev->current_bss) {
+                const u8 *ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
+                                                    WLAN_EID_SSID);
+                if (ie) {
+                        data->flags = 1;
+                        data->length = ie[1];
+                        memcpy(ssid, ie + 2, data->length);
+                }
+        } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
                 data->flags = 1;
                 data->length = wdev->wext.connect.ssid_len;
                 memcpy(ssid, wdev->wext.connect.ssid, data->length);
@@ -222,6 +241,7 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
                             struct sockaddr *ap_addr, char *extra)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         u8 *bssid = ap_addr->sa_data;
         int err;
 
@@ -236,7 +256,8 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
         if (is_zero_ether_addr(bssid) || is_broadcast_ether_addr(bssid))
                 bssid = NULL;
 
-        cfg80211_lock_rdev(wiphy_to_dev(wdev->wiphy));
+        cfg80211_lock_rdev(rdev);
+        mutex_lock(&rdev->devlist_mtx);
         wdev_lock(wdev);
 
         if (wdev->sme_state != CFG80211_SME_IDLE) {
@@ -250,9 +271,8 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
                     compare_ether_addr(bssid, wdev->wext.connect.bssid) == 0)
                         goto out;
 
-                err = __cfg80211_disconnect(wiphy_to_dev(wdev->wiphy),
-                                            dev, WLAN_REASON_DEAUTH_LEAVING,
-                                            false);
+                err = __cfg80211_disconnect(rdev, dev,
+                                            WLAN_REASON_DEAUTH_LEAVING, false);
                 if (err)
                         goto out;
         }
@@ -263,10 +283,11 @@ int cfg80211_mgd_wext_siwap(struct net_device *dev,
         } else
                 wdev->wext.connect.bssid = NULL;
 
-        err = cfg80211_mgd_wext_connect(wiphy_to_dev(wdev->wiphy), wdev);
+        err = cfg80211_mgd_wext_connect(rdev, wdev);
  out:
         wdev_unlock(wdev);
-        cfg80211_unlock_rdev(wiphy_to_dev(wdev->wiphy));
+        mutex_unlock(&rdev->devlist_mtx);
+        cfg80211_unlock_rdev(rdev);
         return err;
 }