90 files changed, 9843 insertions, 1999 deletions

diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index 3537d385035e..d3f3f7b1d32c 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -11,6 +11,7 @@ menuconfig BT
         select CRYPTO_BLKCIPHER
         select CRYPTO_AES
         select CRYPTO_ECB
+        select CRYPTO_SHA256
         help
           Bluetooth is low-cost, low-power, short-range wireless technology.
           It was designed as a replacement for cables and other short-range
@@ -47,4 +48,3 @@ source "net/bluetooth/cmtp/Kconfig"
 source "net/bluetooth/hidp/Kconfig"
 
 source "drivers/bluetooth/Kconfig"
-
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index fa6d94a4602a..dea6a287daca 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -10,4 +10,4 @@ obj-$(CONFIG_BT_HIDP)	+= hidp/
 
 bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o \
         hci_sock.o hci_sysfs.o l2cap_core.o l2cap_sock.o smp.o sco.o lib.o \
-        a2mp.o
+        a2mp.o amp.o
diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index 0760d1fed6f0..2f67d5ecc907 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -16,6 +16,11 @@
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/l2cap.h>
 #include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/amp.h>
+
+/* Global AMP Manager list */
+LIST_HEAD(amp_mgr_list);
+DEFINE_MUTEX(amp_mgr_list_lock);
 
 /* A2MP build & send command helper functions */
 static struct a2mp_cmd *__a2mp_build(u8 code, u8 ident, u16 len, void *data)
@@ -37,8 +42,7 @@ static struct a2mp_cmd *__a2mp_build(u8 code, u8 ident, u16 len, void *data)
         return cmd;
 }
 
-static void a2mp_send(struct amp_mgr *mgr, u8 code, u8 ident, u16 len,
-                      void *data)
+void a2mp_send(struct amp_mgr *mgr, u8 code, u8 ident, u16 len, void *data)
 {
         struct l2cap_chan *chan = mgr->a2mp_chan;
         struct a2mp_cmd *cmd;
@@ -63,6 +67,14 @@ static void a2mp_send(struct amp_mgr *mgr, u8 code, u8 ident, u16 len,
         kfree(cmd);
 }
 
+u8 __next_ident(struct amp_mgr *mgr)
+{
+        if (++mgr->ident == 0)
+                mgr->ident = 1;
+
+        return mgr->ident;
+}
+
 static inline void __a2mp_cl_bredr(struct a2mp_cl *cl)
 {
         cl->id = 0;
@@ -161,6 +173,83 @@ static int a2mp_discover_req(struct amp_mgr *mgr, struct sk_buff *skb,
         return 0;
 }
 
+static int a2mp_discover_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
+                             struct a2mp_cmd *hdr)
+{
+        struct a2mp_discov_rsp *rsp = (void *) skb->data;
+        u16 len = le16_to_cpu(hdr->len);
+        struct a2mp_cl *cl;
+        u16 ext_feat;
+        bool found = false;
+
+        if (len < sizeof(*rsp))
+                return -EINVAL;
+
+        len -= sizeof(*rsp);
+        skb_pull(skb, sizeof(*rsp));
+
+        ext_feat = le16_to_cpu(rsp->ext_feat);
+
+        BT_DBG("mtu %d efm 0x%4.4x", le16_to_cpu(rsp->mtu), ext_feat);
+
+        /* check that packet is not broken for now */
+        while (ext_feat & A2MP_FEAT_EXT) {
+                if (len < sizeof(ext_feat))
+                        return -EINVAL;
+
+                ext_feat = get_unaligned_le16(skb->data);
+                BT_DBG("efm 0x%4.4x", ext_feat);
+                len -= sizeof(ext_feat);
+                skb_pull(skb, sizeof(ext_feat));
+        }
+
+        cl = (void *) skb->data;
+        while (len >= sizeof(*cl)) {
+                BT_DBG("Remote AMP id %d type %d status %d", cl->id, cl->type,
+                       cl->status);
+
+                if (cl->id != HCI_BREDR_ID && cl->type == HCI_AMP) {
+                        struct a2mp_info_req req;
+
+                        found = true;
+                        req.id = cl->id;
+                        a2mp_send(mgr, A2MP_GETINFO_REQ, __next_ident(mgr),
+                                  sizeof(req), &req);
+                }
+
+                len -= sizeof(*cl);
+                cl = (void *) skb_pull(skb, sizeof(*cl));
+        }
+
+        /* Fall back to L2CAP init sequence */
+        if (!found) {
+                struct l2cap_conn *conn = mgr->l2cap_conn;
+                struct l2cap_chan *chan;
+
+                mutex_lock(&conn->chan_lock);
+
+                list_for_each_entry(chan, &conn->chan_l, list) {
+
+                        BT_DBG("chan %p state %s", chan,
+                               state_to_string(chan->state));
+
+                        if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP)
+                                continue;
+
+                        l2cap_chan_lock(chan);
+
+                        if (chan->state == BT_CONNECT)
+                                l2cap_send_conn_req(chan);
+
+                        l2cap_chan_unlock(chan);
+                }
+
+                mutex_unlock(&conn->chan_lock);
+        }
+
+        return 0;
+}
+
 static int a2mp_change_notify(struct amp_mgr *mgr, struct sk_buff *skb,
                               struct a2mp_cmd *hdr)
 {
@@ -181,7 +270,6 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb,
                             struct a2mp_cmd *hdr)
 {
         struct a2mp_info_req *req  = (void *) skb->data;
-        struct a2mp_info_rsp rsp;
         struct hci_dev *hdev;
 
         if (le16_to_cpu(hdr->len) < sizeof(*req))
@@ -189,53 +277,93 @@ static int a2mp_getinfo_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
         BT_DBG("id %d", req->id);
 
-        rsp.id = req->id;
-        rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
-
         hdev = hci_dev_get(req->id);
-        if (hdev && hdev->amp_type != HCI_BREDR) {
-                rsp.status = 0;
-                rsp.total_bw = cpu_to_le32(hdev->amp_total_bw);
-                rsp.max_bw = cpu_to_le32(hdev->amp_max_bw);
-                rsp.min_latency = cpu_to_le32(hdev->amp_min_latency);
-                rsp.pal_cap = cpu_to_le16(hdev->amp_pal_cap);
-                rsp.assoc_size = cpu_to_le16(hdev->amp_assoc_size);
+        if (!hdev || hdev->dev_type != HCI_AMP) {
+                struct a2mp_info_rsp rsp;
+
+                rsp.id = req->id;
+                rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
+
+                a2mp_send(mgr, A2MP_GETINFO_RSP, hdr->ident, sizeof(rsp),
+                          &rsp);
+
+                goto done;
         }
 
+        mgr->state = READ_LOC_AMP_INFO;
+        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_AMP_INFO, 0, NULL);
+
+done:
         if (hdev)
                 hci_dev_put(hdev);
 
-        a2mp_send(mgr, A2MP_GETINFO_RSP, hdr->ident, sizeof(rsp), &rsp);
-
         skb_pull(skb, sizeof(*req));
         return 0;
 }
 
+static int a2mp_getinfo_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
+                            struct a2mp_cmd *hdr)
+{
+        struct a2mp_info_rsp *rsp = (struct a2mp_info_rsp *) skb->data;
+        struct a2mp_amp_assoc_req req;
+        struct amp_ctrl *ctrl;
+
+        if (le16_to_cpu(hdr->len) < sizeof(*rsp))
+                return -EINVAL;
+
+        BT_DBG("id %d status 0x%2.2x", rsp->id, rsp->status);
+
+        if (rsp->status)
+                return -EINVAL;
+
+        ctrl = amp_ctrl_add(mgr, rsp->id);
+        if (!ctrl)
+                return -ENOMEM;
+
+        req.id = rsp->id;
+        a2mp_send(mgr, A2MP_GETAMPASSOC_REQ, __next_ident(mgr), sizeof(req),
+                  &req);
+
+        skb_pull(skb, sizeof(*rsp));
+        return 0;
+}
+
 static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
                                 struct a2mp_cmd *hdr)
 {
         struct a2mp_amp_assoc_req *req = (void *) skb->data;
         struct hci_dev *hdev;
+        struct amp_mgr *tmp;
 
         if (le16_to_cpu(hdr->len) < sizeof(*req))
                 return -EINVAL;
 
         BT_DBG("id %d", req->id);
 
+        /* Make sure that other request is not processed */
+        tmp = amp_mgr_lookup_by_state(READ_LOC_AMP_ASSOC);
+
         hdev = hci_dev_get(req->id);
-        if (!hdev || hdev->amp_type == HCI_BREDR) {
+        if (!hdev || hdev->amp_type == HCI_BREDR || tmp) {
                 struct a2mp_amp_assoc_rsp rsp;
                 rsp.id = req->id;
-                rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
+
+                if (tmp) {
+                        rsp.status = A2MP_STATUS_COLLISION_OCCURED;
+                        amp_mgr_put(tmp);
+                } else {
+                        rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
+                }
 
                 a2mp_send(mgr, A2MP_GETAMPASSOC_RSP, hdr->ident, sizeof(rsp),
                           &rsp);
-                goto clean;
+
+                goto done;
         }
 
-        /* Placeholder for HCI Read AMP Assoc */
+        amp_read_loc_assoc(hdev, mgr);
 
-clean:
+done:
         if (hdev)
                 hci_dev_put(hdev);
 
@@ -243,6 +371,68 @@ clean:
         return 0;
 }
 
+static int a2mp_getampassoc_rsp(struct amp_mgr *mgr, struct sk_buff *skb,
+                                struct a2mp_cmd *hdr)
+{
+        struct a2mp_amp_assoc_rsp *rsp = (void *) skb->data;
+        u16 len = le16_to_cpu(hdr->len);
+        struct hci_dev *hdev;
+        struct amp_ctrl *ctrl;
+        struct hci_conn *hcon;
+        size_t assoc_len;
+
+        if (len < sizeof(*rsp))
+                return -EINVAL;
+
+        assoc_len = len - sizeof(*rsp);
+
+        BT_DBG("id %d status 0x%2.2x assoc len %zu", rsp->id, rsp->status,
+               assoc_len);
+
+        if (rsp->status)
+                return -EINVAL;
+
+        /* Save remote ASSOC data */
+        ctrl = amp_ctrl_lookup(mgr, rsp->id);
+        if (ctrl) {
+                u8 *assoc;
+
+                assoc = kzalloc(assoc_len, GFP_KERNEL);
+                if (!assoc) {
+                        amp_ctrl_put(ctrl);
+                        return -ENOMEM;
+                }
+
+                memcpy(assoc, rsp->amp_assoc, assoc_len);
+                ctrl->assoc = assoc;
+                ctrl->assoc_len = assoc_len;
+                ctrl->assoc_rem_len = assoc_len;
+                ctrl->assoc_len_so_far = 0;
+
+                amp_ctrl_put(ctrl);
+        }
+
+        /* Create Phys Link */
+        hdev = hci_dev_get(rsp->id);
+        if (!hdev)
+                return -EINVAL;
+
+        hcon = phylink_add(hdev, mgr, rsp->id, true);
+        if (!hcon)
+                goto done;
+
+        BT_DBG("Created hcon %p: loc:%d -> rem:%d", hcon, hdev->id, rsp->id);
+
+        mgr->bredr_chan->remote_amp_id = rsp->id;
+
+        amp_create_phylink(hdev, mgr, hcon);
+
+done:
+        hci_dev_put(hdev);
+        skb_pull(skb, len);
+        return 0;
+}
+
 static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
                                    struct a2mp_cmd *hdr)
 {
@@ -250,6 +440,8 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
 
         struct a2mp_physlink_rsp rsp;
         struct hci_dev *hdev;
+        struct hci_conn *hcon;
+        struct amp_ctrl *ctrl;
 
         if (le16_to_cpu(hdr->len) < sizeof(*req))
                 return -EINVAL;
@@ -265,9 +457,43 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
                 goto send_rsp;
         }
 
-        /* TODO process physlink create */
+        ctrl = amp_ctrl_lookup(mgr, rsp.remote_id);
+        if (!ctrl) {
+                ctrl = amp_ctrl_add(mgr, rsp.remote_id);
+                if (ctrl) {
+                        amp_ctrl_get(ctrl);
+                } else {
+                        rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION;
+                        goto send_rsp;
+                }
+        }
 
-        rsp.status = A2MP_STATUS_SUCCESS;
+        if (ctrl) {
+                size_t assoc_len = le16_to_cpu(hdr->len) - sizeof(*req);
+                u8 *assoc;
+
+                assoc = kzalloc(assoc_len, GFP_KERNEL);
+                if (!assoc) {
+                        amp_ctrl_put(ctrl);
+                        return -ENOMEM;
+                }
+
+                memcpy(assoc, req->amp_assoc, assoc_len);
+                ctrl->assoc = assoc;
+                ctrl->assoc_len = assoc_len;
+                ctrl->assoc_rem_len = assoc_len;
+                ctrl->assoc_len_so_far = 0;
+
+                amp_ctrl_put(ctrl);
+        }
+
+        hcon = phylink_add(hdev, mgr, req->local_id, false);
+        if (hcon) {
+                amp_accept_phylink(hdev, mgr, hcon);
+                rsp.status = A2MP_STATUS_SUCCESS;
+        } else {
+                rsp.status = A2MP_STATUS_UNABLE_START_LINK_CREATION;
+        }
 
 send_rsp:
         if (hdev)
@@ -286,6 +512,7 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
         struct a2mp_physlink_req *req = (void *) skb->data;
         struct a2mp_physlink_rsp rsp;
         struct hci_dev *hdev;
+        struct hci_conn *hcon;
 
         if (le16_to_cpu(hdr->len) < sizeof(*req))
                 return -EINVAL;
@@ -296,14 +523,22 @@ static int a2mp_discphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb,
         rsp.remote_id = req->local_id;
         rsp.status = A2MP_STATUS_SUCCESS;
 
-        hdev = hci_dev_get(req->local_id);
+        hdev = hci_dev_get(req->remote_id);
         if (!hdev) {
                 rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
                 goto send_rsp;
         }
 
+        hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, mgr->l2cap_conn->dst);
+        if (!hcon) {
+                BT_ERR("No phys link exist");
+                rsp.status = A2MP_STATUS_NO_PHYSICAL_LINK_EXISTS;
+                goto clean;
+        }
+
         /* TODO Disconnect Phys Link here */
 
+clean:
         hci_dev_put(hdev);
 
 send_rsp:
@@ -377,10 +612,19 @@ static int a2mp_chan_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
                         err = a2mp_discphyslink_req(mgr, skb, hdr);
                         break;
 
-                case A2MP_CHANGE_RSP:
                 case A2MP_DISCOVER_RSP:
+                        err = a2mp_discover_rsp(mgr, skb, hdr);
+                        break;
+
                 case A2MP_GETINFO_RSP:
+                        err = a2mp_getinfo_rsp(mgr, skb, hdr);
+                        break;
+
                 case A2MP_GETAMPASSOC_RSP:
+                        err = a2mp_getampassoc_rsp(mgr, skb, hdr);
+                        break;
+
+                case A2MP_CHANGE_RSP:
                 case A2MP_CREATEPHYSLINK_RSP:
                 case A2MP_DISCONNPHYSLINK_RSP:
                         err = a2mp_cmd_rsp(mgr, skb, hdr);
@@ -455,9 +699,10 @@ static struct l2cap_ops a2mp_chan_ops = {
         .new_connection = l2cap_chan_no_new_connection,
         .teardown = l2cap_chan_no_teardown,
         .ready = l2cap_chan_no_ready,
+        .defer = l2cap_chan_no_defer,
 };
 
-static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn)
+static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn, bool locked)
 {
         struct l2cap_chan *chan;
         int err;
@@ -492,7 +737,10 @@ static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn)
 
         chan->conf_state = 0;
 
-        l2cap_chan_add(conn, chan);
+        if (locked)
+                __l2cap_chan_add(conn, chan);
+        else
+                l2cap_chan_add(conn, chan);
 
         chan->remote_mps = chan->omtu;
         chan->mps = chan->omtu;
@@ -503,11 +751,13 @@ static struct l2cap_chan *a2mp_chan_open(struct l2cap_conn *conn)
 }
 
 /* AMP Manager functions */
-void amp_mgr_get(struct amp_mgr *mgr)
+struct amp_mgr *amp_mgr_get(struct amp_mgr *mgr)
 {
         BT_DBG("mgr %p orig refcnt %d", mgr, atomic_read(&mgr->kref.refcount));
 
         kref_get(&mgr->kref);
+
+        return mgr;
 }
 
 static void amp_mgr_destroy(struct kref *kref)
@@ -516,6 +766,11 @@ static void amp_mgr_destroy(struct kref *kref)
 
         BT_DBG("mgr %p", mgr);
 
+        mutex_lock(&amp_mgr_list_lock);
+        list_del(&mgr->list);
+        mutex_unlock(&amp_mgr_list_lock);
+
+        amp_ctrl_list_flush(mgr);
         kfree(mgr);
 }
 
@@ -526,7 +781,7 @@ int amp_mgr_put(struct amp_mgr *mgr)
         return kref_put(&mgr->kref, &amp_mgr_destroy);
 }
 
-static struct amp_mgr *amp_mgr_create(struct l2cap_conn *conn)
+static struct amp_mgr *amp_mgr_create(struct l2cap_conn *conn, bool locked)
 {
         struct amp_mgr *mgr;
         struct l2cap_chan *chan;
@@ -539,7 +794,7 @@ static struct amp_mgr *amp_mgr_create(struct l2cap_conn *conn)
 
         mgr->l2cap_conn = conn;
 
-        chan = a2mp_chan_open(conn);
+        chan = a2mp_chan_open(conn, locked);
         if (!chan) {
                 kfree(mgr);
                 return NULL;
@@ -552,6 +807,14 @@ static struct amp_mgr *amp_mgr_create(struct l2cap_conn *conn)
 
         kref_init(&mgr->kref);
 
+        /* Remote AMP ctrl list initialization */
+        INIT_LIST_HEAD(&mgr->amp_ctrls);
+        mutex_init(&mgr->amp_ctrls_lock);
+
+        mutex_lock(&amp_mgr_list_lock);
+        list_add(&mgr->list, &amp_mgr_list);
+        mutex_unlock(&amp_mgr_list_lock);
+
         return mgr;
 }
 
@@ -560,7 +823,7 @@ struct l2cap_chan *a2mp_channel_create(struct l2cap_conn *conn,
 {
         struct amp_mgr *mgr;
 
-        mgr = amp_mgr_create(conn);
+        mgr = amp_mgr_create(conn, false);
         if (!mgr) {
                 BT_ERR("Could not create AMP manager");
                 return NULL;
@@ -570,3 +833,139 @@ struct l2cap_chan *a2mp_channel_create(struct l2cap_conn *conn,
 
         return mgr->a2mp_chan;
 }
+
+struct amp_mgr *amp_mgr_lookup_by_state(u8 state)
+{
+        struct amp_mgr *mgr;
+
+        mutex_lock(&amp_mgr_list_lock);
+        list_for_each_entry(mgr, &amp_mgr_list, list) {
+                if (mgr->state == state) {
+                        amp_mgr_get(mgr);
+                        mutex_unlock(&amp_mgr_list_lock);
+                        return mgr;
+                }
+        }
+        mutex_unlock(&amp_mgr_list_lock);
+
+        return NULL;
+}
+
+void a2mp_send_getinfo_rsp(struct hci_dev *hdev)
+{
+        struct amp_mgr *mgr;
+        struct a2mp_info_rsp rsp;
+
+        mgr = amp_mgr_lookup_by_state(READ_LOC_AMP_INFO);
+        if (!mgr)
+                return;
+
+        BT_DBG("%s mgr %p", hdev->name, mgr);
+
+        rsp.id = hdev->id;
+        rsp.status = A2MP_STATUS_INVALID_CTRL_ID;
+
+        if (hdev->amp_type != HCI_BREDR) {
+                rsp.status = 0;
+                rsp.total_bw = cpu_to_le32(hdev->amp_total_bw);
+                rsp.max_bw = cpu_to_le32(hdev->amp_max_bw);
+                rsp.min_latency = cpu_to_le32(hdev->amp_min_latency);
+                rsp.pal_cap = cpu_to_le16(hdev->amp_pal_cap);
+                rsp.assoc_size = cpu_to_le16(hdev->amp_assoc_size);
+        }
+
+        a2mp_send(mgr, A2MP_GETINFO_RSP, mgr->ident, sizeof(rsp), &rsp);
+        amp_mgr_put(mgr);
+}
+
+void a2mp_send_getampassoc_rsp(struct hci_dev *hdev, u8 status)
+{
+        struct amp_mgr *mgr;
+        struct amp_assoc *loc_assoc = &hdev->loc_assoc;
+        struct a2mp_amp_assoc_rsp *rsp;
+        size_t len;
+
+        mgr = amp_mgr_lookup_by_state(READ_LOC_AMP_ASSOC);
+        if (!mgr)
+                return;
+
+        BT_DBG("%s mgr %p", hdev->name, mgr);
+
+        len = sizeof(struct a2mp_amp_assoc_rsp) + loc_assoc->len;
+        rsp = kzalloc(len, GFP_KERNEL);
+        if (!rsp) {
+                amp_mgr_put(mgr);
+                return;
+        }
+
+        rsp->id = hdev->id;
+
+        if (status) {
+                rsp->status = A2MP_STATUS_INVALID_CTRL_ID;
+        } else {
+                rsp->status = A2MP_STATUS_SUCCESS;
+                memcpy(rsp->amp_assoc, loc_assoc->data, loc_assoc->len);
+        }
+
+        a2mp_send(mgr, A2MP_GETAMPASSOC_RSP, mgr->ident, len, rsp);
+        amp_mgr_put(mgr);
+        kfree(rsp);
+}
+
+void a2mp_send_create_phy_link_req(struct hci_dev *hdev, u8 status)
+{
+        struct amp_mgr *mgr;
+        struct amp_assoc *loc_assoc = &hdev->loc_assoc;
+        struct a2mp_physlink_req *req;
+        struct l2cap_chan *bredr_chan;
+        size_t len;
+
+        mgr = amp_mgr_lookup_by_state(READ_LOC_AMP_ASSOC_FINAL);
+        if (!mgr)
+                return;
+
+        len = sizeof(*req) + loc_assoc->len;
+
+        BT_DBG("%s mgr %p assoc_len %zu", hdev->name, mgr, len);
+
+        req = kzalloc(len, GFP_KERNEL);
+        if (!req) {
+                amp_mgr_put(mgr);
+                return;
+        }
+
+        bredr_chan = mgr->bredr_chan;
+        if (!bredr_chan)
+                goto clean;
+
+        req->local_id = hdev->id;
+        req->remote_id = bredr_chan->remote_amp_id;
+        memcpy(req->amp_assoc, loc_assoc->data, loc_assoc->len);
+
+        a2mp_send(mgr, A2MP_CREATEPHYSLINK_REQ, __next_ident(mgr), len, req);
+
+clean:
+        amp_mgr_put(mgr);
+        kfree(req);
+}
+
+void a2mp_discover_amp(struct l2cap_chan *chan)
+{
+        struct l2cap_conn *conn = chan->conn;
+        struct amp_mgr *mgr = conn->hcon->amp_mgr;
+        struct a2mp_discov_req req;
+
+        BT_DBG("chan %p conn %p mgr %p", chan, conn, mgr);
+
+        if (!mgr) {
+                mgr = amp_mgr_create(conn, true);
+                if (!mgr)
+                        return;
+        }
+
+        mgr->bredr_chan = chan;
+
+        req.mtu = cpu_to_le16(L2CAP_A2MP_DEFAULT_MTU);
+        req.ext_feat = 0;
+        a2mp_send(mgr, A2MP_DISCOVER_REQ, 1, sizeof(req), &req);
+}
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index ba033f09196e..5355df63d39b 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -569,7 +569,6 @@ static int bt_seq_show(struct seq_file *seq, void *v)
 {
         struct bt_seq_state *s = seq->private;
         struct bt_sock_list *l = s->l;
-        bdaddr_t src_baswapped, dst_baswapped;
 
         if (v == SEQ_START_TOKEN) {
                 seq_puts(seq ,"sk               RefCnt Rmem   Wmem   User   Inode  Src Dst Parent");
@@ -583,18 +582,17 @@ static int bt_seq_show(struct seq_file *seq, void *v)
         } else {
                 struct sock *sk = sk_entry(v);
                 struct bt_sock *bt = bt_sk(sk);
-                baswap(&src_baswapped, &bt->src);
-                baswap(&dst_baswapped, &bt->dst);
 
-                seq_printf(seq, "%pK %-6d %-6u %-6u %-6u %-6lu %pM %pM %-6lu",
+                seq_printf(seq,
+                           "%pK %-6d %-6u %-6u %-6u %-6lu %pMR %pMR %-6lu",
                            sk,
                            atomic_read(&sk->sk_refcnt),
                            sk_rmem_alloc_get(sk),
                            sk_wmem_alloc_get(sk),
                            from_kuid(seq_user_ns(seq), sock_i_uid(sk)),
                            sock_i_ino(sk),
-                           &src_baswapped,
-                           &dst_baswapped,
+                           &bt->src,
+                           &bt->dst,
                            bt->parent? sock_i_ino(bt->parent): 0LU);
 
                 if (l->custom_seq_show) {
diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
new file mode 100644
index 000000000000..1b0d92c0643a
--- /dev/null
+++ b/net/bluetooth/amp.c
@@ -0,0 +1,471 @@
+/*
+   Copyright (c) 2011,2012 Intel Corp.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License version 2 and
+   only version 2 as published by the Free Software Foundation.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+*/
+
+#include <net/bluetooth/bluetooth.h>
+#include <net/bluetooth/hci.h>
+#include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/amp.h>
+#include <crypto/hash.h>
+
+/* Remote AMP Controllers interface */
+void amp_ctrl_get(struct amp_ctrl *ctrl)
+{
+        BT_DBG("ctrl %p orig refcnt %d", ctrl,
+               atomic_read(&ctrl->kref.refcount));
+
+        kref_get(&ctrl->kref);
+}
+
+static void amp_ctrl_destroy(struct kref *kref)
+{
+        struct amp_ctrl *ctrl = container_of(kref, struct amp_ctrl, kref);
+
+        BT_DBG("ctrl %p", ctrl);
+
+        kfree(ctrl->assoc);
+        kfree(ctrl);
+}
+
+int amp_ctrl_put(struct amp_ctrl *ctrl)
+{
+        BT_DBG("ctrl %p orig refcnt %d", ctrl,
+               atomic_read(&ctrl->kref.refcount));
+
+        return kref_put(&ctrl->kref, &amp_ctrl_destroy);
+}
+
+struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr, u8 id)
+{
+        struct amp_ctrl *ctrl;
+
+        ctrl = kzalloc(sizeof(*ctrl), GFP_KERNEL);
+        if (!ctrl)
+                return NULL;
+
+        kref_init(&ctrl->kref);
+        ctrl->id = id;
+
+        mutex_lock(&mgr->amp_ctrls_lock);
+        list_add(&ctrl->list, &mgr->amp_ctrls);
+        mutex_unlock(&mgr->amp_ctrls_lock);
+
+        BT_DBG("mgr %p ctrl %p", mgr, ctrl);
+
+        return ctrl;
+}
+
+void amp_ctrl_list_flush(struct amp_mgr *mgr)
+{
+        struct amp_ctrl *ctrl, *n;
+
+        BT_DBG("mgr %p", mgr);
+
+        mutex_lock(&mgr->amp_ctrls_lock);
+        list_for_each_entry_safe(ctrl, n, &mgr->amp_ctrls, list) {
+                list_del(&ctrl->list);
+                amp_ctrl_put(ctrl);
+        }
+        mutex_unlock(&mgr->amp_ctrls_lock);
+}
+
+struct amp_ctrl *amp_ctrl_lookup(struct amp_mgr *mgr, u8 id)
+{
+        struct amp_ctrl *ctrl;
+
+        BT_DBG("mgr %p id %d", mgr, id);
+
+        mutex_lock(&mgr->amp_ctrls_lock);
+        list_for_each_entry(ctrl, &mgr->amp_ctrls, list) {
+                if (ctrl->id == id) {
+                        amp_ctrl_get(ctrl);
+                        mutex_unlock(&mgr->amp_ctrls_lock);
+                        return ctrl;
+                }
+        }
+        mutex_unlock(&mgr->amp_ctrls_lock);
+
+        return NULL;
+}
+
+/* Physical Link interface */
+static u8 __next_handle(struct amp_mgr *mgr)
+{
+        if (++mgr->handle == 0)
+                mgr->handle = 1;
+
+        return mgr->handle;
+}
+
+struct hci_conn *phylink_add(struct hci_dev *hdev, struct amp_mgr *mgr,
+                             u8 remote_id, bool out)
+{
+        bdaddr_t *dst = mgr->l2cap_conn->dst;
+        struct hci_conn *hcon;
+
+        hcon = hci_conn_add(hdev, AMP_LINK, dst);
+        if (!hcon)
+                return NULL;
+
+        BT_DBG("hcon %p dst %pMR", hcon, dst);
+
+        hcon->state = BT_CONNECT;
+        hcon->attempt++;
+        hcon->handle = __next_handle(mgr);
+        hcon->remote_id = remote_id;
+        hcon->amp_mgr = amp_mgr_get(mgr);
+        hcon->out = out;
+
+        return hcon;
+}
+
+/* AMP crypto key generation interface */
+static int hmac_sha256(u8 *key, u8 ksize, char *plaintext, u8 psize, u8 *output)
+{
+        int ret = 0;
+        struct crypto_shash *tfm;
+
+        if (!ksize)
+                return -EINVAL;
+
+        tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
+        if (IS_ERR(tfm)) {
+                BT_DBG("crypto_alloc_ahash failed: err %ld", PTR_ERR(tfm));
+                return PTR_ERR(tfm);
+        }
+
+        ret = crypto_shash_setkey(tfm, key, ksize);
+        if (ret) {
+                BT_DBG("crypto_ahash_setkey failed: err %d", ret);
+        } else {
+                struct {
+                        struct shash_desc shash;
+                        char ctx[crypto_shash_descsize(tfm)];
+                } desc;
+
+                desc.shash.tfm = tfm;
+                desc.shash.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+
+                ret = crypto_shash_digest(&desc.shash, plaintext, psize,
+                                          output);
+        }
+
+        crypto_free_shash(tfm);
+        return ret;
+}
+
+int phylink_gen_key(struct hci_conn *conn, u8 *data, u8 *len, u8 *type)
+{
+        struct hci_dev *hdev = conn->hdev;
+        struct link_key *key;
+        u8 keybuf[HCI_AMP_LINK_KEY_SIZE];
+        u8 gamp_key[HCI_AMP_LINK_KEY_SIZE];
+        int err;
+
+        if (!hci_conn_check_link_mode(conn))
+                return -EACCES;
+
+        BT_DBG("conn %p key_type %d", conn, conn->key_type);
+
+        /* Legacy key */
+        if (conn->key_type < 3) {
+                BT_ERR("Legacy key type %d", conn->key_type);
+                return -EACCES;
+        }
+
+        *type = conn->key_type;
+        *len = HCI_AMP_LINK_KEY_SIZE;
+
+        key = hci_find_link_key(hdev, &conn->dst);
+        if (!key) {
+                BT_DBG("No Link key for conn %p dst %pMR", conn, &conn->dst);
+                return -EACCES;
+        }
+
+        /* BR/EDR Link Key concatenated together with itself */
+        memcpy(&keybuf[0], key->val, HCI_LINK_KEY_SIZE);
+        memcpy(&keybuf[HCI_LINK_KEY_SIZE], key->val, HCI_LINK_KEY_SIZE);
+
+        /* Derive Generic AMP Link Key (gamp) */
+        err = hmac_sha256(keybuf, HCI_AMP_LINK_KEY_SIZE, "gamp", 4, gamp_key);
+        if (err) {
+                BT_ERR("Could not derive Generic AMP Key: err %d", err);
+                return err;
+        }
+
+        if (conn->key_type == HCI_LK_DEBUG_COMBINATION) {
+                BT_DBG("Use Generic AMP Key (gamp)");
+                memcpy(data, gamp_key, HCI_AMP_LINK_KEY_SIZE);
+                return err;
+        }
+
+        /* Derive Dedicated AMP Link Key: "802b" is 802.11 PAL keyID */
+        return hmac_sha256(gamp_key, HCI_AMP_LINK_KEY_SIZE, "802b", 4, data);
+}
+
+void amp_read_loc_assoc_frag(struct hci_dev *hdev, u8 phy_handle)
+{
+        struct hci_cp_read_local_amp_assoc cp;
+        struct amp_assoc *loc_assoc = &hdev->loc_assoc;
+
+        BT_DBG("%s handle %d", hdev->name, phy_handle);
+
+        cp.phy_handle = phy_handle;
+        cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
+        cp.len_so_far = cpu_to_le16(loc_assoc->offset);
+
+        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
+}
+
+void amp_read_loc_assoc(struct hci_dev *hdev, struct amp_mgr *mgr)
+{
+        struct hci_cp_read_local_amp_assoc cp;
+
+        memset(&hdev->loc_assoc, 0, sizeof(struct amp_assoc));
+        memset(&cp, 0, sizeof(cp));
+
+        cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
+
+        mgr->state = READ_LOC_AMP_ASSOC;
+        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
+}
+
+void amp_read_loc_assoc_final_data(struct hci_dev *hdev,
+                                   struct hci_conn *hcon)
+{
+        struct hci_cp_read_local_amp_assoc cp;
+        struct amp_mgr *mgr = hcon->amp_mgr;
+
+        cp.phy_handle = hcon->handle;
+        cp.len_so_far = cpu_to_le16(0);
+        cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
+
+        mgr->state = READ_LOC_AMP_ASSOC_FINAL;
+
+        /* Read Local AMP Assoc final link information data */
+        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
+}
+
+/* Write AMP Assoc data fragments, returns true with last fragment written*/
+static bool amp_write_rem_assoc_frag(struct hci_dev *hdev,
+                                     struct hci_conn *hcon)
+{
+        struct hci_cp_write_remote_amp_assoc *cp;
+        struct amp_mgr *mgr = hcon->amp_mgr;
+        struct amp_ctrl *ctrl;
+        u16 frag_len, len;
+
+        ctrl = amp_ctrl_lookup(mgr, hcon->remote_id);
+        if (!ctrl)
+                return false;
+
+        if (!ctrl->assoc_rem_len) {
+                BT_DBG("all fragments are written");
+                ctrl->assoc_rem_len = ctrl->assoc_len;
+                ctrl->assoc_len_so_far = 0;
+
+                amp_ctrl_put(ctrl);
+                return true;
+        }
+
+        frag_len = min_t(u16, 248, ctrl->assoc_rem_len);
+        len = frag_len + sizeof(*cp);
+
+        cp = kzalloc(len, GFP_KERNEL);
+        if (!cp) {
+                amp_ctrl_put(ctrl);
+                return false;
+        }
+
+        BT_DBG("hcon %p ctrl %p frag_len %u assoc_len %u rem_len %u",
+               hcon, ctrl, frag_len, ctrl->assoc_len, ctrl->assoc_rem_len);
+
+        cp->phy_handle = hcon->handle;
+        cp->len_so_far = cpu_to_le16(ctrl->assoc_len_so_far);
+        cp->rem_len = cpu_to_le16(ctrl->assoc_rem_len);
+        memcpy(cp->frag, ctrl->assoc, frag_len);
+
+        ctrl->assoc_len_so_far += frag_len;
+        ctrl->assoc_rem_len -= frag_len;
+
+        amp_ctrl_put(ctrl);
+
+        hci_send_cmd(hdev, HCI_OP_WRITE_REMOTE_AMP_ASSOC, len, cp);
+
+        kfree(cp);
+
+        return false;
+}
+
+void amp_write_rem_assoc_continue(struct hci_dev *hdev, u8 handle)
+{
+        struct hci_conn *hcon;
+
+        BT_DBG("%s phy handle 0x%2.2x", hdev->name, handle);
+
+        hcon = hci_conn_hash_lookup_handle(hdev, handle);
+        if (!hcon)
+                return;
+
+        amp_write_rem_assoc_frag(hdev, hcon);
+}
+
+void amp_write_remote_assoc(struct hci_dev *hdev, u8 handle)
+{
+        struct hci_conn *hcon;
+
+        BT_DBG("%s phy handle 0x%2.2x", hdev->name, handle);
+
+        hcon = hci_conn_hash_lookup_handle(hdev, handle);
+        if (!hcon)
+                return;
+
+        BT_DBG("%s phy handle 0x%2.2x hcon %p", hdev->name, handle, hcon);
+
+        amp_write_rem_assoc_frag(hdev, hcon);
+}
+
+void amp_create_phylink(struct hci_dev *hdev, struct amp_mgr *mgr,
+                        struct hci_conn *hcon)
+{
+        struct hci_cp_create_phy_link cp;
+
+        cp.phy_handle = hcon->handle;
+
+        BT_DBG("%s hcon %p phy handle 0x%2.2x", hdev->name, hcon,
+               hcon->handle);
+
+        if (phylink_gen_key(mgr->l2cap_conn->hcon, cp.key, &cp.key_len,
+                            &cp.key_type)) {
+                BT_DBG("Cannot create link key");
+                return;
+        }
+
+        hci_send_cmd(hdev, HCI_OP_CREATE_PHY_LINK, sizeof(cp), &cp);
+}
+
+void amp_accept_phylink(struct hci_dev *hdev, struct amp_mgr *mgr,
+                        struct hci_conn *hcon)
+{
+        struct hci_cp_accept_phy_link cp;
+
+        cp.phy_handle = hcon->handle;
+
+        BT_DBG("%s hcon %p phy handle 0x%2.2x", hdev->name, hcon,
+               hcon->handle);
+
+        if (phylink_gen_key(mgr->l2cap_conn->hcon, cp.key, &cp.key_len,
+                            &cp.key_type)) {
+                BT_DBG("Cannot create link key");
+                return;
+        }
+
+        hci_send_cmd(hdev, HCI_OP_ACCEPT_PHY_LINK, sizeof(cp), &cp);
+}
+
+void amp_physical_cfm(struct hci_conn *bredr_hcon, struct hci_conn *hs_hcon)
+{
+        struct hci_dev *bredr_hdev = hci_dev_hold(bredr_hcon->hdev);
+        struct amp_mgr *mgr = hs_hcon->amp_mgr;
+        struct l2cap_chan *bredr_chan;
+
+        BT_DBG("bredr_hcon %p hs_hcon %p mgr %p", bredr_hcon, hs_hcon, mgr);
+
+        if (!bredr_hdev || !mgr || !mgr->bredr_chan)
+                return;
+
+        bredr_chan = mgr->bredr_chan;
+
+        l2cap_chan_lock(bredr_chan);
+
+        set_bit(FLAG_EFS_ENABLE, &bredr_chan->flags);
+        bredr_chan->remote_amp_id = hs_hcon->remote_id;
+        bredr_chan->local_amp_id = hs_hcon->hdev->id;
+        bredr_chan->hs_hcon = hs_hcon;
+        bredr_chan->conn->mtu = hs_hcon->hdev->block_mtu;
+
+        __l2cap_physical_cfm(bredr_chan, 0);
+
+        l2cap_chan_unlock(bredr_chan);
+
+        hci_dev_put(bredr_hdev);
+}
+
+void amp_create_logical_link(struct l2cap_chan *chan)
+{
+        struct hci_cp_create_accept_logical_link cp;
+        struct hci_conn *hcon;
+        struct hci_dev *hdev;
+
+        BT_DBG("chan %p", chan);
+
+        if (!chan->hs_hcon)
+                return;
+
+        hdev = hci_dev_hold(chan->hs_hcon->hdev);
+        if (!hdev)
+                return;
+
+        BT_DBG("chan %p dst %pMR", chan, chan->conn->dst);
+
+        hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, chan->conn->dst);
+        if (!hcon)
+                goto done;
+
+        cp.phy_handle = hcon->handle;
+
+        cp.tx_flow_spec.id = chan->local_id;
+        cp.tx_flow_spec.stype = chan->local_stype;
+        cp.tx_flow_spec.msdu = cpu_to_le16(chan->local_msdu);
+        cp.tx_flow_spec.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
+        cp.tx_flow_spec.acc_lat = cpu_to_le32(chan->local_acc_lat);
+        cp.tx_flow_spec.flush_to = cpu_to_le32(chan->local_flush_to);
+
+        cp.rx_flow_spec.id = chan->remote_id;
+        cp.rx_flow_spec.stype = chan->remote_stype;
+        cp.rx_flow_spec.msdu = cpu_to_le16(chan->remote_msdu);
+        cp.rx_flow_spec.sdu_itime = cpu_to_le32(chan->remote_sdu_itime);
+        cp.rx_flow_spec.acc_lat = cpu_to_le32(chan->remote_acc_lat);
+        cp.rx_flow_spec.flush_to = cpu_to_le32(chan->remote_flush_to);
+
+        if (hcon->out)
+                hci_send_cmd(hdev, HCI_OP_CREATE_LOGICAL_LINK, sizeof(cp),
+                             &cp);
+        else
+                hci_send_cmd(hdev, HCI_OP_ACCEPT_LOGICAL_LINK, sizeof(cp),
+                             &cp);
+
+done:
+        hci_dev_put(hdev);
+}
+
+void amp_disconnect_logical_link(struct hci_chan *hchan)
+{
+        struct hci_conn *hcon = hchan->conn;
+        struct hci_cp_disconn_logical_link cp;
+
+        if (hcon->state != BT_CONNECTED) {
+                BT_DBG("hchan %p not connected", hchan);
+                return;
+        }
+
+        cp.log_handle = cpu_to_le16(hchan->handle);
+        hci_send_cmd(hcon->hdev, HCI_OP_DISCONN_LOGICAL_LINK, sizeof(cp), &cp);
+}
+
+void amp_destroy_logical_link(struct hci_chan *hchan, u8 reason)
+{
+        BT_DBG("hchan %p", hchan);
+
+        hci_chan_del(hchan);
+}
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 4a6620bc1570..a5b639702637 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -182,8 +182,7 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
                         a2 = data;
                         data += ETH_ALEN;
 
-                        BT_DBG("mc filter %s -> %s",
-                                batostr((void *) a1), batostr((void *) a2));
+                        BT_DBG("mc filter %pMR -> %pMR", a1, a2);
 
                         /* Iterate from a1 to a2 */
                         set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
diff --git a/net/bluetooth/bnep/netdev.c b/net/bluetooth/bnep/netdev.c
index 98f86f91d47c..e58c8b32589c 100644
--- a/net/bluetooth/bnep/netdev.c
+++ b/net/bluetooth/bnep/netdev.c
@@ -25,7 +25,6 @@
    SOFTWARE IS DISCLAIMED.
 */
 
-#include <linux/export.h>
 #include <linux/etherdevice.h>
 
 #include <net/bluetooth/bluetooth.h>
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 50f0d135eb8f..a4a9d4b6816c 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -20,7 +20,7 @@
    SOFTWARE IS DISCLAIMED.
 */
 
-#include <linux/module.h>
+#include <linux/export.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/types.h>
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 6c9c1fd601ca..e0a6ebf2baa6 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -353,7 +353,7 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
 
         BT_DBG("mtu %d", session->mtu);
 
-        sprintf(session->name, "%s", batostr(&bt_sk(sock->sk)->dst));
+        sprintf(session->name, "%pMR", &bt_sk(sock->sk)->dst);
 
         session->sock  = sock;
         session->state = BT_CONFIG;
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index aacb802d1ee4..1c57482112b6 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -20,7 +20,7 @@
    SOFTWARE IS DISCLAIMED.
 */
 
-#include <linux/module.h>
+#include <linux/export.h>
 
 #include <linux/types.h>
 #include <linux/capability.h>
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index b9196a44f759..25bfce0666eb 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -130,6 +130,20 @@ void hci_acl_disconn(struct hci_conn *conn, __u8 reason)
         hci_send_cmd(conn->hdev, HCI_OP_DISCONNECT, sizeof(cp), &cp);
 }
 
+static void hci_amp_disconn(struct hci_conn *conn, __u8 reason)
+{
+        struct hci_cp_disconn_phy_link cp;
+
+        BT_DBG("hcon %p", conn);
+
+        conn->state = BT_DISCONN;
+
+        cp.phy_handle = HCI_PHY_HANDLE(conn->handle);
+        cp.reason = reason;
+        hci_send_cmd(conn->hdev, HCI_OP_DISCONN_PHY_LINK,
+                     sizeof(cp), &cp);
+}
+
 static void hci_add_sco(struct hci_conn *conn, __u16 handle)
 {
         struct hci_dev *hdev = conn->hdev;
@@ -230,11 +244,24 @@ void hci_sco_setup(struct hci_conn *conn, __u8 status)
         }
 }
 
+static void hci_conn_disconnect(struct hci_conn *conn)
+{
+        __u8 reason = hci_proto_disconn_ind(conn);
+
+        switch (conn->type) {
+        case ACL_LINK:
+                hci_acl_disconn(conn, reason);
+                break;
+        case AMP_LINK:
+                hci_amp_disconn(conn, reason);
+                break;
+        }
+}
+
 static void hci_conn_timeout(struct work_struct *work)
 {
         struct hci_conn *conn = container_of(work, struct hci_conn,
                                              disc_work.work);
-        __u8 reason;
 
         BT_DBG("hcon %p state %s", conn, state_to_string(conn->state));
 
@@ -253,8 +280,7 @@ static void hci_conn_timeout(struct work_struct *work)
                 break;
         case BT_CONFIG:
         case BT_CONNECTED:
-                reason = hci_proto_disconn_ind(conn);
-                hci_acl_disconn(conn, reason);
+                hci_conn_disconnect(conn);
                 break;
         default:
                 conn->state = BT_CLOSED;
@@ -320,7 +346,7 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
 {
         struct hci_conn *conn;
 
-        BT_DBG("%s dst %s", hdev->name, batostr(dst));
+        BT_DBG("%s dst %pMR", hdev->name, dst);
 
         conn = kzalloc(sizeof(struct hci_conn), GFP_KERNEL);
         if (!conn)
@@ -437,7 +463,7 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
         int use_src = bacmp(src, BDADDR_ANY);
         struct hci_dev *hdev = NULL, *d;
 
-        BT_DBG("%s -> %s", batostr(src), batostr(dst));
+        BT_DBG("%pMR -> %pMR", src, dst);
 
         read_lock(&hci_dev_list_lock);
 
@@ -476,6 +502,9 @@ static struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
 {
         struct hci_conn *le;
 
+        if (test_bit(HCI_LE_PERIPHERAL, &hdev->flags))
+                return ERR_PTR(-ENOTSUPP);
+
         le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
         if (!le) {
                 le = hci_conn_hash_lookup_state(hdev, LE_LINK, BT_CONNECT);
@@ -567,7 +596,7 @@ static struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type,
 struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst,
                              __u8 dst_type, __u8 sec_level, __u8 auth_type)
 {
-        BT_DBG("%s dst %s type 0x%x", hdev->name, batostr(dst), type);
+        BT_DBG("%s dst %pMR type 0x%x", hdev->name, dst, type);
 
         switch (type) {
         case LE_LINK:
@@ -933,6 +962,7 @@ struct hci_chan *hci_chan_create(struct hci_conn *conn)
 
         chan->conn = conn;
         skb_queue_head_init(&chan->data_q);
+        chan->state = BT_CONNECTED;
 
         list_add_rcu(&chan->list, &conn->chan_list);
 
@@ -950,6 +980,8 @@ void hci_chan_del(struct hci_chan *chan)
 
         synchronize_rcu();
 
+        hci_conn_put(conn);
+
         skb_queue_purge(&chan->data_q);
         kfree(chan);
 }
@@ -963,3 +995,35 @@ void hci_chan_list_flush(struct hci_conn *conn)
         list_for_each_entry_safe(chan, n, &conn->chan_list, list)
                 hci_chan_del(chan);
 }
+
+static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
+                                                 __u16 handle)
+{
+        struct hci_chan *hchan;
+
+        list_for_each_entry(hchan, &hcon->chan_list, list) {
+                if (hchan->handle == handle)
+                        return hchan;
+        }
+
+        return NULL;
+}
+
+struct hci_chan *hci_chan_lookup_handle(struct hci_dev *hdev, __u16 handle)
+{
+        struct hci_conn_hash *h = &hdev->conn_hash;
+        struct hci_conn *hcon;
+        struct hci_chan *hchan = NULL;
+
+        rcu_read_lock();
+
+        list_for_each_entry_rcu(hcon, &h->list, list) {
+                hchan = __hci_chan_lookup_handle(hcon, handle);
+                if (hchan)
+                        break;
+        }
+
+        rcu_read_unlock();
+
+        return hchan;
+}
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 8a0ce706aebd..7140f83328a2 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -178,48 +178,13 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
 
 static void bredr_init(struct hci_dev *hdev)
 {
-        struct hci_cp_delete_stored_link_key cp;
-        __le16 param;
-        __u8 flt_type;
-
         hdev->flow_ctl_mode = HCI_FLOW_CTL_MODE_PACKET_BASED;
 
-        /* Mandatory initialization */
-
         /* Read Local Supported Features */
         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
 
         /* Read Local Version */
         hci_send_cmd(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL);
-
-        /* Read Buffer Size (ACL mtu, max pkt, etc.) */
-        hci_send_cmd(hdev, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
-
-        /* Read BD Address */
-        hci_send_cmd(hdev, HCI_OP_READ_BD_ADDR, 0, NULL);
-
-        /* Read Class of Device */
-        hci_send_cmd(hdev, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
-
-        /* Read Local Name */
-        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL);
-
-        /* Read Voice Setting */
-        hci_send_cmd(hdev, HCI_OP_READ_VOICE_SETTING, 0, NULL);
-
-        /* Optional initialization */
-
-        /* Clear Event Filters */
-        flt_type = HCI_FLT_CLEAR_ALL;
-        hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
-
-        /* Connection accept timeout ~20 secs */
-        param = __constant_cpu_to_le16(0x7d00);
-        hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
-
-        bacpy(&cp.bdaddr, BDADDR_ANY);
-        cp.delete_all = 1;
-        hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
 }
 
 static void amp_init(struct hci_dev *hdev)
@@ -273,14 +238,6 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
         }
 }
 
-static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
-{
-        BT_DBG("%s", hdev->name);
-
-        /* Read LE buffer size */
-        hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
-}
-
 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
 {
         __u8 scan = opt;
@@ -405,7 +362,7 @@ struct inquiry_entry *hci_inquiry_cache_lookup(struct hci_dev *hdev,
         struct discovery_state *cache = &hdev->discovery;
         struct inquiry_entry *e;
 
-        BT_DBG("cache %p, %s", cache, batostr(bdaddr));
+        BT_DBG("cache %p, %pMR", cache, bdaddr);
 
         list_for_each_entry(e, &cache->all, all) {
                 if (!bacmp(&e->data.bdaddr, bdaddr))
@@ -421,7 +378,7 @@ struct inquiry_entry *hci_inquiry_cache_lookup_unknown(struct hci_dev *hdev,
         struct discovery_state *cache = &hdev->discovery;
         struct inquiry_entry *e;
 
-        BT_DBG("cache %p, %s", cache, batostr(bdaddr));
+        BT_DBG("cache %p, %pMR", cache, bdaddr);
 
         list_for_each_entry(e, &cache->unknown, list) {
                 if (!bacmp(&e->data.bdaddr, bdaddr))
@@ -438,7 +395,7 @@ struct inquiry_entry *hci_inquiry_cache_lookup_resolve(struct hci_dev *hdev,
         struct discovery_state *cache = &hdev->discovery;
         struct inquiry_entry *e;
 
-        BT_DBG("cache %p bdaddr %s state %d", cache, batostr(bdaddr), state);
+        BT_DBG("cache %p bdaddr %pMR state %d", cache, bdaddr, state);
 
         list_for_each_entry(e, &cache->resolve, list) {
                 if (!bacmp(bdaddr, BDADDR_ANY) && e->name_state == state)
@@ -475,7 +432,9 @@ bool hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data,
         struct discovery_state *cache = &hdev->discovery;
         struct inquiry_entry *ie;
 
-        BT_DBG("cache %p, %s", cache, batostr(&data->bdaddr));
+        BT_DBG("cache %p, %pMR", cache, &data->bdaddr);
+
+        hci_remove_remote_oob_data(hdev, &data->bdaddr);
 
         if (ssp)
                 *ssp = data->ssp_mode;
@@ -637,6 +596,99 @@ done:
         return err;
 }
 
+static u8 create_ad(struct hci_dev *hdev, u8 *ptr)
+{
+        u8 ad_len = 0, flags = 0;
+        size_t name_len;
+
+        if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
+                flags |= LE_AD_GENERAL;
+
+        if (!lmp_bredr_capable(hdev))
+                flags |= LE_AD_NO_BREDR;
+
+        if (lmp_le_br_capable(hdev))
+                flags |= LE_AD_SIM_LE_BREDR_CTRL;
+
+        if (lmp_host_le_br_capable(hdev))
+                flags |= LE_AD_SIM_LE_BREDR_HOST;
+
+        if (flags) {
+                BT_DBG("adv flags 0x%02x", flags);
+
+                ptr[0] = 2;
+                ptr[1] = EIR_FLAGS;
+                ptr[2] = flags;
+
+                ad_len += 3;
+                ptr += 3;
+        }
+
+        if (hdev->adv_tx_power != HCI_TX_POWER_INVALID) {
+                ptr[0] = 2;
+                ptr[1] = EIR_TX_POWER;
+                ptr[2] = (u8) hdev->adv_tx_power;
+
+                ad_len += 3;
+                ptr += 3;
+        }
+
+        name_len = strlen(hdev->dev_name);
+        if (name_len > 0) {
+                size_t max_len = HCI_MAX_AD_LENGTH - ad_len - 2;
+
+                if (name_len > max_len) {
+                        name_len = max_len;
+                        ptr[1] = EIR_NAME_SHORT;
+                } else
+                        ptr[1] = EIR_NAME_COMPLETE;
+
+                ptr[0] = name_len + 1;
+
+                memcpy(ptr + 2, hdev->dev_name, name_len);
+
+                ad_len += (name_len + 2);
+                ptr += (name_len + 2);
+        }
+
+        return ad_len;
+}
+
+int hci_update_ad(struct hci_dev *hdev)
+{
+        struct hci_cp_le_set_adv_data cp;
+        u8 len;
+        int err;
+
+        hci_dev_lock(hdev);
+
+        if (!lmp_le_capable(hdev)) {
+                err = -EINVAL;
+                goto unlock;
+        }
+
+        memset(&cp, 0, sizeof(cp));
+
+        len = create_ad(hdev, cp.data);
+
+        if (hdev->adv_data_len == len &&
+            memcmp(cp.data, hdev->adv_data, len) == 0) {
+                err = 0;
+                goto unlock;
+        }
+
+        memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
+        hdev->adv_data_len = len;
+
+        cp.length = len;
+        err = hci_send_cmd(hdev, HCI_OP_LE_SET_ADV_DATA, sizeof(cp), &cp);
+
+unlock:
+        hci_dev_unlock(hdev);
+
+        return err;
+}
+
 /* ---- HCI ioctl helpers ---- */
 
 int hci_dev_open(__u16 dev)
@@ -687,10 +739,6 @@ int hci_dev_open(__u16 dev)
 
                 ret = __hci_request(hdev, hci_init_req, 0, HCI_INIT_TIMEOUT);
 
-                if (lmp_host_le_capable(hdev))
-                        ret = __hci_request(hdev, hci_le_init_req, 0,
-                                            HCI_INIT_TIMEOUT);
-
                 clear_bit(HCI_INIT, &hdev->flags);
         }
 
@@ -698,6 +746,7 @@ int hci_dev_open(__u16 dev)
                 hci_dev_hold(hdev);
                 set_bit(HCI_UP, &hdev->flags);
                 hci_notify(hdev, HCI_DEV_UP);
+                hci_update_ad(hdev);
                 if (!test_bit(HCI_SETUP, &hdev->dev_flags) &&
                     mgmt_valid_hdev(hdev)) {
                         hci_dev_lock(hdev);
@@ -1039,10 +1088,17 @@ int hci_get_dev_info(void __user *arg)
         di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
         di.flags    = hdev->flags;
         di.pkt_type = hdev->pkt_type;
-        di.acl_mtu  = hdev->acl_mtu;
-        di.acl_pkts = hdev->acl_pkts;
-        di.sco_mtu  = hdev->sco_mtu;
-        di.sco_pkts = hdev->sco_pkts;
+        if (lmp_bredr_capable(hdev)) {
+                di.acl_mtu  = hdev->acl_mtu;
+                di.acl_pkts = hdev->acl_pkts;
+                di.sco_mtu  = hdev->sco_mtu;
+                di.sco_pkts = hdev->sco_pkts;
+        } else {
+                di.acl_mtu  = hdev->le_mtu;
+                di.acl_pkts = hdev->le_pkts;
+                di.sco_mtu  = 0;
+                di.sco_pkts = 0;
+        }
         di.link_policy = hdev->link_policy;
         di.link_mode   = hdev->link_mode;
 
@@ -1259,7 +1315,7 @@ int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
                 list_add(&key->list, &hdev->link_keys);
         }
 
-        BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
+        BT_DBG("%s key for %pMR type %u", hdev->name, bdaddr, type);
 
         /* Some buggy controller combinations generate a changed
          * combination key for legacy pairing even when there's no
@@ -1338,7 +1394,7 @@ int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
         if (!key)
                 return -ENOENT;
 
-        BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+        BT_DBG("%s removing %pMR", hdev->name, bdaddr);
 
         list_del(&key->list);
         kfree(key);
@@ -1354,7 +1410,7 @@ int hci_remove_ltk(struct hci_dev *hdev, bdaddr_t *bdaddr)
                 if (bacmp(bdaddr, &k->bdaddr))
                         continue;
 
-                BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+                BT_DBG("%s removing %pMR", hdev->name, bdaddr);
 
                 list_del(&k->list);
                 kfree(k);
@@ -1401,7 +1457,7 @@ int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
         if (!data)
                 return -ENOENT;
 
-        BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+        BT_DBG("%s removing %pMR", hdev->name, bdaddr);
 
         list_del(&data->list);
         kfree(data);
@@ -1440,7 +1496,7 @@ int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
         memcpy(data->hash, hash, sizeof(data->hash));
         memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
 
-        BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
+        BT_DBG("%s for %pMR", hdev->name, bdaddr);
 
         return 0;
 }
@@ -1617,6 +1673,9 @@ int hci_le_scan(struct hci_dev *hdev, u8 type, u16 interval, u16 window,
 
         BT_DBG("%s", hdev->name);
 
+        if (test_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags))
+                return -ENOTSUPP;
+
         if (work_busy(&hdev->le_scan))
                 return -EINPROGRESS;
 
@@ -1643,6 +1702,8 @@ struct hci_dev *hci_alloc_dev(void)
         hdev->esco_type = (ESCO_HV1);
         hdev->link_mode = (HCI_LM_ACCEPT);
         hdev->io_capability = 0x03; /* No Input No Output */
+        hdev->inq_tx_power = HCI_TX_POWER_INVALID;
+        hdev->adv_tx_power = HCI_TX_POWER_INVALID;
 
         hdev->sniff_max_interval = 800;
         hdev->sniff_min_interval = 80;
@@ -1754,11 +1815,11 @@ int hci_register_dev(struct hci_dev *hdev)
         if (hdev->dev_type != HCI_AMP)
                 set_bit(HCI_AUTO_OFF, &hdev->dev_flags);
 
-        schedule_work(&hdev->power_on);
-
         hci_notify(hdev, HCI_DEV_REG);
         hci_dev_hold(hdev);
 
+        schedule_work(&hdev->power_on);
+
         return id;
 
 err_wqueue:
@@ -2153,9 +2214,10 @@ static void hci_add_acl_hdr(struct sk_buff *skb, __u16 handle, __u16 flags)
         hdr->dlen   = cpu_to_le16(len);
 }
 
-static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
+static void hci_queue_acl(struct hci_chan *chan, struct sk_buff_head *queue,
                           struct sk_buff *skb, __u16 flags)
 {
+        struct hci_conn *conn = chan->conn;
         struct hci_dev *hdev = conn->hdev;
         struct sk_buff *list;
 
@@ -2163,7 +2225,18 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
         skb->data_len = 0;
 
         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
-        hci_add_acl_hdr(skb, conn->handle, flags);
+
+        switch (hdev->dev_type) {
+        case HCI_BREDR:
+                hci_add_acl_hdr(skb, conn->handle, flags);
+                break;
+        case HCI_AMP:
+                hci_add_acl_hdr(skb, chan->handle, flags);
+                break;
+        default:
+                BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
+                return;
+        }
 
         list = skb_shinfo(skb)->frag_list;
         if (!list) {
@@ -2202,14 +2275,13 @@ static void hci_queue_acl(struct hci_conn *conn, struct sk_buff_head *queue,
 
 void hci_send_acl(struct hci_chan *chan, struct sk_buff *skb, __u16 flags)
 {
-        struct hci_conn *conn = chan->conn;
-        struct hci_dev *hdev = conn->hdev;
+        struct hci_dev *hdev = chan->conn->hdev;
 
         BT_DBG("%s chan %p flags 0x%4.4x", hdev->name, chan, flags);
 
         skb->dev = (void *) hdev;
 
-        hci_queue_acl(conn, &chan->data_q, skb, flags);
+        hci_queue_acl(chan, &chan->data_q, skb, flags);
 
         queue_work(hdev->workqueue, &hdev->tx_work);
 }
@@ -2311,8 +2383,8 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
         /* Kill stalled connections */
         list_for_each_entry_rcu(c, &h->list, list) {
                 if (c->type == type && c->sent) {
-                        BT_ERR("%s killing stalled connection %s",
-                               hdev->name, batostr(&c->dst));
+                        BT_ERR("%s killing stalled connection %pMR",
+                               hdev->name, &c->dst);
                         hci_acl_disconn(c, HCI_ERROR_REMOTE_USER_TERM);
                 }
         }
@@ -2381,6 +2453,9 @@ static struct hci_chan *hci_chan_sent(struct hci_dev *hdev, __u8 type,
         case ACL_LINK:
                 cnt = hdev->acl_cnt;
                 break;
+        case AMP_LINK:
+                cnt = hdev->block_cnt;
+                break;
         case SCO_LINK:
         case ESCO_LINK:
                 cnt = hdev->sco_cnt;
@@ -2510,11 +2585,19 @@ static void hci_sched_acl_blk(struct hci_dev *hdev)
         struct hci_chan *chan;
         struct sk_buff *skb;
         int quote;
+        u8 type;
 
         __check_timeout(hdev, cnt);
 
+        BT_DBG("%s", hdev->name);
+
+        if (hdev->dev_type == HCI_AMP)
+                type = AMP_LINK;
+        else
+                type = ACL_LINK;
+
         while (hdev->block_cnt > 0 &&
-               (chan = hci_chan_sent(hdev, ACL_LINK, &quote))) {
+               (chan = hci_chan_sent(hdev, type, &quote))) {
                 u32 priority = (skb_peek(&chan->data_q))->priority;
                 while (quote > 0 && (skb = skb_peek(&chan->data_q))) {
                         int blocks;
@@ -2547,14 +2630,19 @@ static void hci_sched_acl_blk(struct hci_dev *hdev)
         }
 
         if (cnt != hdev->block_cnt)
-                hci_prio_recalculate(hdev, ACL_LINK);
+                hci_prio_recalculate(hdev, type);
 }
 
 static void hci_sched_acl(struct hci_dev *hdev)
 {
         BT_DBG("%s", hdev->name);
 
-        if (!hci_conn_num(hdev, ACL_LINK))
+        /* No ACL link over BR/EDR controller */
+        if (!hci_conn_num(hdev, ACL_LINK) && hdev->dev_type == HCI_BREDR)
+                return;
+
+        /* No AMP link over AMP controller */
+        if (!hci_conn_num(hdev, AMP_LINK) && hdev->dev_type == HCI_AMP)
                 return;
 
         switch (hdev->flow_ctl_mode) {
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 2022b43c7353..9f5c5f244502 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -24,12 +24,13 @@
 
 /* Bluetooth HCI event handling. */
 
-#include <linux/export.h>
 #include <asm/unaligned.h>
 
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/mgmt.h>
+#include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/amp.h>
 
 /* Handle HCI Event packets */
 
@@ -201,6 +202,11 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
                              BIT(HCI_PERIODIC_INQ));
 
         hdev->discovery.state = DISCOVERY_STOPPED;
+        hdev->inq_tx_power = HCI_TX_POWER_INVALID;
+        hdev->adv_tx_power = HCI_TX_POWER_INVALID;
+
+        memset(hdev->adv_data, 0, sizeof(hdev->adv_data));
+        hdev->adv_data_len = 0;
 }
 
 static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -223,6 +229,9 @@ static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
 
         hci_dev_unlock(hdev);
 
+        if (!status && !test_bit(HCI_INIT, &hdev->flags))
+                hci_update_ad(hdev);
+
         hci_req_complete(hdev, HCI_OP_WRITE_LOCAL_NAME, status);
 }
 
@@ -438,7 +447,7 @@ static void hci_cc_host_buffer_size(struct hci_dev *hdev, struct sk_buff *skb)
 static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
 {
         __u8 status = *((__u8 *) skb->data);
-        void *sent;
+        struct hci_cp_write_ssp_mode *sent;
 
         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 
@@ -446,10 +455,17 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
         if (!sent)
                 return;
 
+        if (!status) {
+                if (sent->mode)
+                        hdev->host_features[0] |= LMP_HOST_SSP;
+                else
+                        hdev->host_features[0] &= ~LMP_HOST_SSP;
+        }
+
         if (test_bit(HCI_MGMT, &hdev->dev_flags))
-                mgmt_ssp_enable_complete(hdev, *((u8 *) sent), status);
+                mgmt_ssp_enable_complete(hdev, sent->mode, status);
         else if (!status) {
-                if (*((u8 *) sent))
+                if (sent->mode)
                         set_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
                 else
                         clear_bit(HCI_SSP_ENABLED, &hdev->dev_flags);
@@ -458,10 +474,10 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
 
 static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
 {
-        if (hdev->features[6] & LMP_EXT_INQ)
+        if (lmp_ext_inq_capable(hdev))
                 return 2;
 
-        if (hdev->features[3] & LMP_RSSI_INQ)
+        if (lmp_inq_rssi_capable(hdev))
                 return 1;
 
         if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
@@ -505,28 +521,30 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
         if (hdev->hci_ver < BLUETOOTH_VER_1_2)
                 return;
 
-        events[4] |= 0x01; /* Flow Specification Complete */
-        events[4] |= 0x02; /* Inquiry Result with RSSI */
-        events[4] |= 0x04; /* Read Remote Extended Features Complete */
-        events[5] |= 0x08; /* Synchronous Connection Complete */
-        events[5] |= 0x10; /* Synchronous Connection Changed */
+        if (lmp_bredr_capable(hdev)) {
+                events[4] |= 0x01; /* Flow Specification Complete */
+                events[4] |= 0x02; /* Inquiry Result with RSSI */
+                events[4] |= 0x04; /* Read Remote Extended Features Complete */
+                events[5] |= 0x08; /* Synchronous Connection Complete */
+                events[5] |= 0x10; /* Synchronous Connection Changed */
+        }
 
-        if (hdev->features[3] & LMP_RSSI_INQ)
+        if (lmp_inq_rssi_capable(hdev))
                 events[4] |= 0x02; /* Inquiry Result with RSSI */
 
         if (lmp_sniffsubr_capable(hdev))
                 events[5] |= 0x20; /* Sniff Subrating */
 
-        if (hdev->features[5] & LMP_PAUSE_ENC)
+        if (lmp_pause_enc_capable(hdev))
                 events[5] |= 0x80; /* Encryption Key Refresh Complete */
 
-        if (hdev->features[6] & LMP_EXT_INQ)
+        if (lmp_ext_inq_capable(hdev))
                 events[5] |= 0x40; /* Extended Inquiry Result */
 
         if (lmp_no_flush_capable(hdev))
                 events[7] |= 0x01; /* Enhanced Flush Complete */
 
-        if (hdev->features[7] & LMP_LSTO)
+        if (lmp_lsto_capable(hdev))
                 events[6] |= 0x80; /* Link Supervision Timeout Changed */
 
         if (lmp_ssp_capable(hdev)) {
@@ -546,6 +564,53 @@ static void hci_setup_event_mask(struct hci_dev *hdev)
                 events[7] |= 0x20;      /* LE Meta-Event */
 
         hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
+
+        if (lmp_le_capable(hdev)) {
+                memset(events, 0, sizeof(events));
+                events[0] = 0x1f;
+                hci_send_cmd(hdev, HCI_OP_LE_SET_EVENT_MASK,
+                             sizeof(events), events);
+        }
+}
+
+static void bredr_setup(struct hci_dev *hdev)
+{
+        struct hci_cp_delete_stored_link_key cp;
+        __le16 param;
+        __u8 flt_type;
+
+        /* Read Buffer Size (ACL mtu, max pkt, etc.) */
+        hci_send_cmd(hdev, HCI_OP_READ_BUFFER_SIZE, 0, NULL);
+
+        /* Read Class of Device */
+        hci_send_cmd(hdev, HCI_OP_READ_CLASS_OF_DEV, 0, NULL);
+
+        /* Read Local Name */
+        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL);
+
+        /* Read Voice Setting */
+        hci_send_cmd(hdev, HCI_OP_READ_VOICE_SETTING, 0, NULL);
+
+        /* Clear Event Filters */
+        flt_type = HCI_FLT_CLEAR_ALL;
+        hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
+
+        /* Connection accept timeout ~20 secs */
+        param = __constant_cpu_to_le16(0x7d00);
+        hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
+
+        bacpy(&cp.bdaddr, BDADDR_ANY);
+        cp.delete_all = 1;
+        hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
+}
+
+static void le_setup(struct hci_dev *hdev)
+{
+        /* Read LE Buffer Size */
+        hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
+
+        /* Read LE Advertising Channel TX Power */
+        hci_send_cmd(hdev, HCI_OP_LE_READ_ADV_TX_POWER, 0, NULL);
 }
 
 static void hci_setup(struct hci_dev *hdev)
@@ -553,6 +618,15 @@ static void hci_setup(struct hci_dev *hdev)
         if (hdev->dev_type != HCI_BREDR)
                 return;
 
+        /* Read BD Address */
+        hci_send_cmd(hdev, HCI_OP_READ_BD_ADDR, 0, NULL);
+
+        if (lmp_bredr_capable(hdev))
+                bredr_setup(hdev);
+
+        if (lmp_le_capable(hdev))
+                le_setup(hdev);
+
         hci_setup_event_mask(hdev);
 
         if (hdev->hci_ver > BLUETOOTH_VER_1_1)
@@ -573,13 +647,13 @@ static void hci_setup(struct hci_dev *hdev)
                 }
         }
 
-        if (hdev->features[3] & LMP_RSSI_INQ)
+        if (lmp_inq_rssi_capable(hdev))
                 hci_setup_inquiry_mode(hdev);
 
-        if (hdev->features[7] & LMP_INQ_TX_PWR)
+        if (lmp_inq_tx_pwr_capable(hdev))
                 hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
 
-        if (hdev->features[7] & LMP_EXTFEATURES) {
+        if (lmp_ext_feat_capable(hdev)) {
                 struct hci_cp_read_local_ext_features cp;
 
                 cp.page = 0x01;
@@ -626,11 +700,11 @@ static void hci_setup_link_policy(struct hci_dev *hdev)
 
         if (lmp_rswitch_capable(hdev))
                 link_policy |= HCI_LP_RSWITCH;
-        if (hdev->features[0] & LMP_HOLD)
+        if (lmp_hold_capable(hdev))
                 link_policy |= HCI_LP_HOLD;
         if (lmp_sniff_capable(hdev))
                 link_policy |= HCI_LP_SNIFF;
-        if (hdev->features[1] & LMP_PARK)
+        if (lmp_park_capable(hdev))
                 link_policy |= HCI_LP_PARK;
 
         cp.policy = cpu_to_le16(link_policy);
@@ -720,10 +794,10 @@ static void hci_set_le_support(struct hci_dev *hdev)
 
         if (test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) {
                 cp.le = 1;
-                cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
+                cp.simul = !!lmp_le_br_capable(hdev);
         }
 
-        if (cp.le != !!(hdev->host_features[0] & LMP_HOST_LE))
+        if (cp.le != !!lmp_host_le_capable(hdev))
                 hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(cp),
                              &cp);
 }
@@ -846,7 +920,7 @@ static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
         BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
 
         if (rp->status)
-                return;
+                goto a2mp_rsp;
 
         hdev->amp_status = rp->amp_status;
         hdev->amp_total_bw = __le32_to_cpu(rp->total_bw);
@@ -860,6 +934,46 @@ static void hci_cc_read_local_amp_info(struct hci_dev *hdev,
         hdev->amp_max_flush_to = __le32_to_cpu(rp->max_flush_to);
 
         hci_req_complete(hdev, HCI_OP_READ_LOCAL_AMP_INFO, rp->status);
+
+a2mp_rsp:
+        a2mp_send_getinfo_rsp(hdev);
+}
+
+static void hci_cc_read_local_amp_assoc(struct hci_dev *hdev,
+                                        struct sk_buff *skb)
+{
+        struct hci_rp_read_local_amp_assoc *rp = (void *) skb->data;
+        struct amp_assoc *assoc = &hdev->loc_assoc;
+        size_t rem_len, frag_len;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+
+        if (rp->status)
+                goto a2mp_rsp;
+
+        frag_len = skb->len - sizeof(*rp);
+        rem_len = __le16_to_cpu(rp->rem_len);
+
+        if (rem_len > frag_len) {
+                BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
+
+                memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
+                assoc->offset += frag_len;
+
+                /* Read other fragments */
+                amp_read_loc_assoc_frag(hdev, rp->phy_handle);
+
+                return;
+        }
+
+        memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
+        assoc->len = assoc->offset + rem_len;
+        assoc->offset = 0;
+
+a2mp_rsp:
+        /* Send A2MP Rsp when all fragments are received */
+        a2mp_send_getampassoc_rsp(hdev, rp->status);
+        a2mp_send_create_phy_link_req(hdev, rp->status);
 }
 
 static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
@@ -976,6 +1090,31 @@ static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
         hci_req_complete(hdev, HCI_OP_LE_READ_BUFFER_SIZE, rp->status);
 }
 
+static void hci_cc_le_read_adv_tx_power(struct hci_dev *hdev,
+                                        struct sk_buff *skb)
+{
+        struct hci_rp_le_read_adv_tx_power *rp = (void *) skb->data;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
+
+        if (!rp->status) {
+                hdev->adv_tx_power = rp->tx_power;
+                if (!test_bit(HCI_INIT, &hdev->flags))
+                        hci_update_ad(hdev);
+        }
+
+        hci_req_complete(hdev, HCI_OP_LE_READ_ADV_TX_POWER, rp->status);
+}
+
+static void hci_cc_le_set_event_mask(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        hci_req_complete(hdev, HCI_OP_LE_SET_EVENT_MASK, status);
+}
+
 static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
 {
         struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
@@ -1051,6 +1190,33 @@ static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
         hci_dev_unlock(hdev);
 }
 
+static void hci_cc_le_set_adv_enable(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        __u8 *sent, status = *((__u8 *) skb->data);
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        sent = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_ENABLE);
+        if (!sent)
+                return;
+
+        hci_dev_lock(hdev);
+
+        if (!status) {
+                if (*sent)
+                        set_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags);
+                else
+                        clear_bit(HCI_LE_PERIPHERAL, &hdev->dev_flags);
+        }
+
+        hci_dev_unlock(hdev);
+
+        if (!test_bit(HCI_INIT, &hdev->flags))
+                hci_update_ad(hdev);
+
+        hci_req_complete(hdev, HCI_OP_LE_SET_ADV_ENABLE, status);
+}
+
 static void hci_cc_le_set_scan_param(struct hci_dev *hdev, struct sk_buff *skb)
 {
         __u8 status = *((__u8 *) skb->data);
@@ -1165,6 +1331,11 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
                         hdev->host_features[0] |= LMP_HOST_LE;
                 else
                         hdev->host_features[0] &= ~LMP_HOST_LE;
+
+                if (sent->simul)
+                        hdev->host_features[0] |= LMP_HOST_LE_BREDR;
+                else
+                        hdev->host_features[0] &= ~LMP_HOST_LE_BREDR;
         }
 
         if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
@@ -1174,6 +1345,20 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
         hci_req_complete(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, status);
 }
 
+static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
+                                          struct sk_buff *skb)
+{
+        struct hci_rp_write_remote_amp_assoc *rp = (void *) skb->data;
+
+        BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
+               hdev->name, rp->status, rp->phy_handle);
+
+        if (rp->status)
+                return;
+
+        amp_write_rem_assoc_continue(hdev, rp->phy_handle);
+}
+
 static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
         BT_DBG("%s status 0x%2.2x", hdev->name, status);
@@ -1210,7 +1395,7 @@ static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
 
         conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
 
-        BT_DBG("%s bdaddr %s hcon %p", hdev->name, batostr(&cp->bdaddr), conn);
+        BT_DBG("%s bdaddr %pMR hcon %p", hdev->name, &cp->bdaddr, conn);
 
         if (status) {
                 if (conn && conn->state == BT_CONNECT) {
@@ -1639,8 +1824,7 @@ static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
                         return;
                 }
 
-                BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&conn->dst),
-                       conn);
+                BT_DBG("%s bdaddr %pMR conn %p", hdev->name, &conn->dst, conn);
 
                 conn->state = BT_CLOSED;
                 mgmt_connect_failed(hdev, &conn->dst, conn->type,
@@ -1657,6 +1841,52 @@ static void hci_cs_le_start_enc(struct hci_dev *hdev, u8 status)
         BT_DBG("%s status 0x%2.2x", hdev->name, status);
 }
 
+static void hci_cs_create_phylink(struct hci_dev *hdev, u8 status)
+{
+        struct hci_cp_create_phy_link *cp;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
+        if (!cp)
+                return;
+
+        hci_dev_lock(hdev);
+
+        if (status) {
+                struct hci_conn *hcon;
+
+                hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
+                if (hcon)
+                        hci_conn_del(hcon);
+        } else {
+                amp_write_remote_assoc(hdev, cp->phy_handle);
+        }
+
+        hci_dev_unlock(hdev);
+}
+
+static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
+{
+        struct hci_cp_accept_phy_link *cp;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+        if (status)
+                return;
+
+        cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
+        if (!cp)
+                return;
+
+        amp_write_remote_assoc(hdev, cp->phy_handle);
+}
+
+static void hci_cs_create_logical_link(struct hci_dev *hdev, u8 status)
+{
+        BT_DBG("%s status 0x%2.2x", hdev->name, status);
+}
+
 static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
         __u8 status = *((__u8 *) skb->data);
@@ -1822,7 +2052,7 @@ static void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
         struct hci_ev_conn_request *ev = (void *) skb->data;
         int mask = hdev->link_mode;
 
-        BT_DBG("%s bdaddr %s type 0x%x", hdev->name, batostr(&ev->bdaddr),
+        BT_DBG("%s bdaddr %pMR type 0x%x", hdev->name, &ev->bdaddr,
                ev->link_type);
 
         mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
@@ -2314,6 +2544,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cc_read_local_amp_info(hdev, skb);
                 break;
 
+        case HCI_OP_READ_LOCAL_AMP_ASSOC:
+                hci_cc_read_local_amp_assoc(hdev, skb);
+                break;
+
         case HCI_OP_DELETE_STORED_LINK_KEY:
                 hci_cc_delete_stored_link_key(hdev, skb);
                 break;
@@ -2350,6 +2584,14 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cc_le_read_buffer_size(hdev, skb);
                 break;
 
+        case HCI_OP_LE_READ_ADV_TX_POWER:
+                hci_cc_le_read_adv_tx_power(hdev, skb);
+                break;
+
+        case HCI_OP_LE_SET_EVENT_MASK:
+                hci_cc_le_set_event_mask(hdev, skb);
+                break;
+
         case HCI_OP_USER_CONFIRM_REPLY:
                 hci_cc_user_confirm_reply(hdev, skb);
                 break;
@@ -2370,6 +2612,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cc_le_set_scan_param(hdev, skb);
                 break;
 
+        case HCI_OP_LE_SET_ADV_ENABLE:
+                hci_cc_le_set_adv_enable(hdev, skb);
+                break;
+
         case HCI_OP_LE_SET_SCAN_ENABLE:
                 hci_cc_le_set_scan_enable(hdev, skb);
                 break;
@@ -2386,6 +2632,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cc_write_le_host_supported(hdev, skb);
                 break;
 
+        case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
+                hci_cc_write_remote_amp_assoc(hdev, skb);
+                break;
+
         default:
                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
                 break;
@@ -2467,6 +2717,18 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_cs_le_start_enc(hdev, ev->status);
                 break;
 
+        case HCI_OP_CREATE_PHY_LINK:
+                hci_cs_create_phylink(hdev, ev->status);
+                break;
+
+        case HCI_OP_ACCEPT_PHY_LINK:
+                hci_cs_accept_phylink(hdev, ev->status);
+                break;
+
+        case HCI_OP_CREATE_LOGICAL_LINK:
+                hci_cs_create_logical_link(hdev, ev->status);
+                break;
+
         default:
                 BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
                 break;
@@ -2574,6 +2836,27 @@ static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb)
         queue_work(hdev->workqueue, &hdev->tx_work);
 }
 
+static struct hci_conn *__hci_conn_lookup_handle(struct hci_dev *hdev,
+                                                 __u16 handle)
+{
+        struct hci_chan *chan;
+
+        switch (hdev->dev_type) {
+        case HCI_BREDR:
+                return hci_conn_hash_lookup_handle(hdev, handle);
+        case HCI_AMP:
+                chan = hci_chan_lookup_handle(hdev, handle);
+                if (chan)
+                        return chan->conn;
+                break;
+        default:
+                BT_ERR("%s unknown dev_type %d", hdev->name, hdev->dev_type);
+                break;
+        }
+
+        return NULL;
+}
+
 static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
         struct hci_ev_num_comp_blocks *ev = (void *) skb->data;
@@ -2595,13 +2878,13 @@ static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
         for (i = 0; i < ev->num_hndl; i++) {
                 struct hci_comp_blocks_info *info = &ev->handles[i];
-                struct hci_conn *conn;
+                struct hci_conn *conn = NULL;
                 __u16  handle, block_count;
 
                 handle = __le16_to_cpu(info->handle);
                 block_count = __le16_to_cpu(info->blocks);
 
-                conn = hci_conn_hash_lookup_handle(hdev, handle);
+                conn = __hci_conn_lookup_handle(hdev, handle);
                 if (!conn)
                         continue;
 
@@ -2609,6 +2892,7 @@ static void hci_num_comp_blocks_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
                 switch (conn->type) {
                 case ACL_LINK:
+                case AMP_LINK:
                         hdev->block_cnt += block_count;
                         if (hdev->block_cnt > hdev->num_blocks)
                                 hdev->block_cnt = hdev->num_blocks;
@@ -2705,13 +2989,13 @@ static void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
         key = hci_find_link_key(hdev, &ev->bdaddr);
         if (!key) {
-                BT_DBG("%s link key not found for %s", hdev->name,
-                       batostr(&ev->bdaddr));
+                BT_DBG("%s link key not found for %pMR", hdev->name,
+                       &ev->bdaddr);
                 goto not_found;
         }
 
-        BT_DBG("%s found key type %u for %s", hdev->name, key->type,
-               batostr(&ev->bdaddr));
+        BT_DBG("%s found key type %u for %pMR", hdev->name, key->type,
+               &ev->bdaddr);
 
         if (!test_bit(HCI_DEBUG_KEYS, &hdev->dev_flags) &&
             key->type == HCI_LK_DEBUG_COMBINATION) {
@@ -3419,6 +3703,130 @@ unlock:
         hci_dev_unlock(hdev);
 }
 
+static void hci_phy_link_complete_evt(struct hci_dev *hdev,
+                                      struct sk_buff *skb)
+{
+        struct hci_ev_phy_link_complete *ev = (void *) skb->data;
+        struct hci_conn *hcon, *bredr_hcon;
+
+        BT_DBG("%s handle 0x%2.2x status 0x%2.2x", hdev->name, ev->phy_handle,
+               ev->status);
+
+        hci_dev_lock(hdev);
+
+        hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
+        if (!hcon) {
+                hci_dev_unlock(hdev);
+                return;
+        }
+
+        if (ev->status) {
+                hci_conn_del(hcon);
+                hci_dev_unlock(hdev);
+                return;
+        }
+
+        bredr_hcon = hcon->amp_mgr->l2cap_conn->hcon;
+
+        hcon->state = BT_CONNECTED;
+        bacpy(&hcon->dst, &bredr_hcon->dst);
+
+        hci_conn_hold(hcon);
+        hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
+        hci_conn_put(hcon);
+
+        hci_conn_hold_device(hcon);
+        hci_conn_add_sysfs(hcon);
+
+        amp_physical_cfm(bredr_hcon, hcon);
+
+        hci_dev_unlock(hdev);
+}
+
+static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_ev_logical_link_complete *ev = (void *) skb->data;
+        struct hci_conn *hcon;
+        struct hci_chan *hchan;
+        struct amp_mgr *mgr;
+
+        BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
+               hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
+               ev->status);
+
+        hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
+        if (!hcon)
+                return;
+
+        /* Create AMP hchan */
+        hchan = hci_chan_create(hcon);
+        if (!hchan)
+                return;
+
+        hchan->handle = le16_to_cpu(ev->handle);
+
+        BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
+
+        mgr = hcon->amp_mgr;
+        if (mgr && mgr->bredr_chan) {
+                struct l2cap_chan *bredr_chan = mgr->bredr_chan;
+
+                l2cap_chan_lock(bredr_chan);
+
+                bredr_chan->conn->mtu = hdev->block_mtu;
+                l2cap_logical_cfm(bredr_chan, hchan, 0);
+                hci_conn_hold(hcon);
+
+                l2cap_chan_unlock(bredr_chan);
+        }
+}
+
+static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev,
+                                             struct sk_buff *skb)
+{
+        struct hci_ev_disconn_logical_link_complete *ev = (void *) skb->data;
+        struct hci_chan *hchan;
+
+        BT_DBG("%s log handle 0x%4.4x status 0x%2.2x", hdev->name,
+               le16_to_cpu(ev->handle), ev->status);
+
+        if (ev->status)
+                return;
+
+        hci_dev_lock(hdev);
+
+        hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
+        if (!hchan)
+                goto unlock;
+
+        amp_destroy_logical_link(hchan, ev->reason);
+
+unlock:
+        hci_dev_unlock(hdev);
+}
+
+static void hci_disconn_phylink_complete_evt(struct hci_dev *hdev,
+                                             struct sk_buff *skb)
+{
+        struct hci_ev_disconn_phy_link_complete *ev = (void *) skb->data;
+        struct hci_conn *hcon;
+
+        BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+        if (ev->status)
+                return;
+
+        hci_dev_lock(hdev);
+
+        hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
+        if (hcon) {
+                hcon->state = BT_CLOSED;
+                hci_conn_del(hcon);
+        }
+
+        hci_dev_unlock(hdev);
+}
+
 static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
         struct hci_ev_le_conn_complete *ev = (void *) skb->data;
@@ -3558,6 +3966,22 @@ static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
         }
 }
 
+static void hci_chan_selected_evt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_ev_channel_selected *ev = (void *) skb->data;
+        struct hci_conn *hcon;
+
+        BT_DBG("%s handle 0x%2.2x", hdev->name, ev->phy_handle);
+
+        skb_pull(skb, sizeof(*ev));
+
+        hcon = hci_conn_hash_lookup_handle(hdev, ev->phy_handle);
+        if (!hcon)
+                return;
+
+        amp_read_loc_assoc_final_data(hdev, hcon);
+}
+
 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 {
         struct hci_event_hdr *hdr = (void *) skb->data;
@@ -3722,10 +4146,30 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_le_meta_evt(hdev, skb);
                 break;
 
+        case HCI_EV_CHANNEL_SELECTED:
+                hci_chan_selected_evt(hdev, skb);
+                break;
+
         case HCI_EV_REMOTE_OOB_DATA_REQUEST:
                 hci_remote_oob_data_request_evt(hdev, skb);
                 break;
 
+        case HCI_EV_PHY_LINK_COMPLETE:
+                hci_phy_link_complete_evt(hdev, skb);
+                break;
+
+        case HCI_EV_LOGICAL_LINK_COMPLETE:
+                hci_loglink_complete_evt(hdev, skb);
+                break;
+
+        case HCI_EV_DISCONN_LOGICAL_LINK_COMPLETE:
+                hci_disconn_loglink_complete_evt(hdev, skb);
+                break;
+
+        case HCI_EV_DISCONN_PHY_LINK_COMPLETE:
+                hci_disconn_phylink_complete_evt(hdev, skb);
+                break;
+
         case HCI_EV_NUM_COMP_BLOCKS:
                 hci_num_comp_blocks_evt(hdev, skb);
                 break;
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index a20e61c3653d..55cceee02a84 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -38,7 +38,7 @@ static ssize_t show_link_address(struct device *dev,
                                  struct device_attribute *attr, char *buf)
 {
         struct hci_conn *conn = to_hci_conn(dev);
-        return sprintf(buf, "%s\n", batostr(&conn->dst));
+        return sprintf(buf, "%pMR\n", &conn->dst);
 }
 
 static ssize_t show_link_features(struct device *dev,
@@ -224,7 +224,7 @@ static ssize_t show_address(struct device *dev,
                             struct device_attribute *attr, char *buf)
 {
         struct hci_dev *hdev = to_hci_dev(dev);
-        return sprintf(buf, "%s\n", batostr(&hdev->bdaddr));
+        return sprintf(buf, "%pMR\n", &hdev->bdaddr);
 }
 
 static ssize_t show_features(struct device *dev,
@@ -406,8 +406,8 @@ static int inquiry_cache_show(struct seq_file *f, void *p)
 
         list_for_each_entry(e, &cache->all, all) {
                 struct inquiry_data *data = &e->data;
-                seq_printf(f, "%s %d %d %d 0x%.2x%.2x%.2x 0x%.4x %d %d %u\n",
-                           batostr(&data->bdaddr),
+                seq_printf(f, "%pMR %d %d %d 0x%.2x%.2x%.2x 0x%.4x %d %d %u\n",
+                           &data->bdaddr,
                            data->pscan_rep_mode, data->pscan_period_mode,
                            data->pscan_mode, data->dev_class[2],
                            data->dev_class[1], data->dev_class[0],
@@ -440,7 +440,7 @@ static int blacklist_show(struct seq_file *f, void *p)
         hci_dev_lock(hdev);
 
         list_for_each_entry(b, &hdev->blacklist, list)
-                seq_printf(f, "%s\n", batostr(&b->bdaddr));
+                seq_printf(f, "%pMR\n", &b->bdaddr);
 
         hci_dev_unlock(hdev);
 
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index ccd985da6518..0c0028463fa3 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -932,8 +932,12 @@ static int hidp_setup_hid(struct hidp_session *session,
         hid->country = req->country;
 
         strncpy(hid->name, req->name, 128);
-        strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
-        strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
+
+        snprintf(hid->phys, sizeof(hid->phys), "%pMR",
+                 &bt_sk(session->ctrl_sock->sk)->src);
+
+        snprintf(hid->uniq, sizeof(hid->uniq), "%pMR",
+                 &bt_sk(session->ctrl_sock->sk)->dst);
 
         hid->dev.parent = &session->conn->dev;
         hid->ll_driver = &hidp_hid_driver;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a91239dcda41..b52f66d22437 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -38,6 +38,7 @@
 #include <net/bluetooth/l2cap.h>
 #include <net/bluetooth/smp.h>
 #include <net/bluetooth/a2mp.h>
+#include <net/bluetooth/amp.h>
 
 bool disable_ertm;
 
@@ -48,19 +49,20 @@ static LIST_HEAD(chan_list);
 static DEFINE_RWLOCK(chan_list_lock);
 
 static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
-                                u8 code, u8 ident, u16 dlen, void *data);
+                                       u8 code, u8 ident, u16 dlen, void *data);
 static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
-                                                                void *data);
+                           void *data);
 static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
 static void l2cap_send_disconn_req(struct l2cap_conn *conn,
                                    struct l2cap_chan *chan, int err);
 
 static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
-                    struct sk_buff_head *skbs, u8 event);
+                     struct sk_buff_head *skbs, u8 event);
 
 /* ---- L2CAP channels ---- */
 
-static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
+static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
+                                                   u16 cid)
 {
         struct l2cap_chan *c;
 
@@ -71,7 +73,8 @@ static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16
         return NULL;
 }
 
-static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
+static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn,
+                                                   u16 cid)
 {
         struct l2cap_chan *c;
 
@@ -84,7 +87,8 @@ static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16
 
 /* Find channel with given SCID.
  * Returns locked channel. */
-static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
+static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn,
+                                                 u16 cid)
 {
         struct l2cap_chan *c;
 
@@ -97,7 +101,25 @@ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 ci
         return c;
 }
 
-static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
+/* Find channel with given DCID.
+ * Returns locked channel.
+ */
+static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn,
+                                                 u16 cid)
+{
+        struct l2cap_chan *c;
+
+        mutex_lock(&conn->chan_lock);
+        c = __l2cap_get_chan_by_dcid(conn, cid);
+        if (c)
+                l2cap_chan_lock(c);
+        mutex_unlock(&conn->chan_lock);
+
+        return c;
+}
+
+static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn,
+                                                    u8 ident)
 {
         struct l2cap_chan *c;
 
@@ -108,6 +130,20 @@ static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8
         return NULL;
 }
 
+static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn,
+                                                  u8 ident)
+{
+        struct l2cap_chan *c;
+
+        mutex_lock(&conn->chan_lock);
+        c = __l2cap_get_chan_by_ident(conn, ident);
+        if (c)
+                l2cap_chan_lock(c);
+        mutex_unlock(&conn->chan_lock);
+
+        return c;
+}
+
 static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
 {
         struct l2cap_chan *c;
@@ -178,7 +214,7 @@ static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
 static void __l2cap_state_change(struct l2cap_chan *chan, int state)
 {
         BT_DBG("chan %p %s -> %s", chan, state_to_string(chan->state),
-                                                state_to_string(state));
+               state_to_string(state));
 
         chan->state = state;
         chan->ops->state_change(chan, state);
@@ -361,7 +397,7 @@ static void l2cap_seq_list_append(struct l2cap_seq_list *seq_list, u16 seq)
 static void l2cap_chan_timeout(struct work_struct *work)
 {
         struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
-                                                        chan_timer.work);
+                                               chan_timer.work);
         struct l2cap_conn *conn = chan->conn;
         int reason;
 
@@ -373,7 +409,7 @@ static void l2cap_chan_timeout(struct work_struct *work)
         if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
                 reason = ECONNREFUSED;
         else if (chan->state == BT_CONNECT &&
-                                        chan->sec_level != BT_SECURITY_SDP)
+                 chan->sec_level != BT_SECURITY_SDP)
                 reason = ECONNREFUSED;
         else
                 reason = ETIMEDOUT;
@@ -455,7 +491,7 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
         set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
 }
 
-static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
+void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
 {
         BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
                __le16_to_cpu(chan->psm), chan->dcid);
@@ -504,7 +540,7 @@ static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
         chan->local_msdu        = L2CAP_DEFAULT_MAX_SDU_SIZE;
         chan->local_sdu_itime   = L2CAP_DEFAULT_SDU_ITIME;
         chan->local_acc_lat     = L2CAP_DEFAULT_ACC_LAT;
-        chan->local_flush_to    = L2CAP_DEFAULT_FLUSH_TO;
+        chan->local_flush_to    = L2CAP_EFS_DEFAULT_FLUSH_TO;
 
         l2cap_chan_hold(chan);
 
@@ -527,6 +563,7 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
         BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
 
         if (conn) {
+                struct amp_mgr *mgr = conn->hcon->amp_mgr;
                 /* Delete from channel list */
                 list_del(&chan->list);
 
@@ -536,10 +573,19 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
 
                 if (chan->chan_type != L2CAP_CHAN_CONN_FIX_A2MP)
                         hci_conn_put(conn->hcon);
+
+                if (mgr && mgr->bredr_chan == chan)
+                        mgr->bredr_chan = NULL;
+        }
+
+        if (chan->hs_hchan) {
+                struct hci_chan *hs_hchan = chan->hs_hchan;
+
+                BT_DBG("chan %p disconnect hs_hchan %p", chan, hs_hchan);
+                amp_disconnect_logical_link(hs_hchan);
         }
 
-        if (chan->ops->teardown)
-                chan->ops->teardown(chan, err);
+        chan->ops->teardown(chan, err);
 
         if (test_bit(CONF_NOT_COMPLETE, &chan->conf_state))
                 return;
@@ -573,19 +619,18 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
         struct l2cap_conn *conn = chan->conn;
         struct sock *sk = chan->sk;
 
-        BT_DBG("chan %p state %s sk %p", chan,
-                                        state_to_string(chan->state), sk);
+        BT_DBG("chan %p state %s sk %p", chan, state_to_string(chan->state),
+               sk);
 
         switch (chan->state) {
         case BT_LISTEN:
-                if (chan->ops->teardown)
-                        chan->ops->teardown(chan, 0);
+                chan->ops->teardown(chan, 0);
                 break;
 
         case BT_CONNECTED:
         case BT_CONFIG:
                 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
-                                        conn->hcon->type == ACL_LINK) {
+                    conn->hcon->type == ACL_LINK) {
                         __set_chan_timer(chan, sk->sk_sndtimeo);
                         l2cap_send_disconn_req(conn, chan, reason);
                 } else
@@ -594,7 +639,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
 
         case BT_CONNECT2:
                 if (chan->chan_type == L2CAP_CHAN_CONN_ORIENTED &&
-                                        conn->hcon->type == ACL_LINK) {
+                    conn->hcon->type == ACL_LINK) {
                         struct l2cap_conn_rsp rsp;
                         __u16 result;
 
@@ -609,7 +654,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
                         rsp.result = cpu_to_le16(result);
                         rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                                        sizeof(rsp), &rsp);
+                                       sizeof(rsp), &rsp);
                 }
 
                 l2cap_chan_del(chan, reason);
@@ -621,8 +666,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
                 break;
 
         default:
-                if (chan->ops->teardown)
-                        chan->ops->teardown(chan, 0);
+                chan->ops->teardown(chan, 0);
                 break;
         }
 }
@@ -691,7 +735,8 @@ static u8 l2cap_get_ident(struct l2cap_conn *conn)
         return id;
 }
 
-static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
+static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
+                           void *data)
 {
         struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
         u8 flags;
@@ -712,16 +757,31 @@ static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
         hci_send_acl(conn->hchan, skb, flags);
 }
 
+static bool __chan_is_moving(struct l2cap_chan *chan)
+{
+        return chan->move_state != L2CAP_MOVE_STABLE &&
+               chan->move_state != L2CAP_MOVE_WAIT_PREPARE;
+}
+
 static void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
 {
         struct hci_conn *hcon = chan->conn->hcon;
         u16 flags;
 
         BT_DBG("chan %p, skb %p len %d priority %u", chan, skb, skb->len,
-                                                        skb->priority);
+               skb->priority);
+
+        if (chan->hs_hcon && !__chan_is_moving(chan)) {
+                if (chan->hs_hchan)
+                        hci_send_acl(chan->hs_hchan, skb, ACL_COMPLETE);
+                else
+                        kfree_skb(skb);
+
+                return;
+        }
 
         if (!test_bit(FLAG_FLUSHABLE, &chan->flags) &&
-                                        lmp_no_flush_capable(hcon->hdev))
+            lmp_no_flush_capable(hcon->hdev))
                 flags = ACL_START_NO_FLUSH;
         else
                 flags = ACL_START;
@@ -895,6 +955,9 @@ static void l2cap_send_sframe(struct l2cap_chan *chan,
         if (!control->sframe)
                 return;
 
+        if (__chan_is_moving(chan))
+                return;
+
         if (test_and_clear_bit(CONN_SEND_FBIT, &chan->conn_state) &&
             !control->poll)
                 control->final = 1;
@@ -946,7 +1009,25 @@ static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
         return !test_bit(CONF_CONNECT_PEND, &chan->conf_state);
 }
 
-static void l2cap_send_conn_req(struct l2cap_chan *chan)
+static bool __amp_capable(struct l2cap_chan *chan)
+{
+        struct l2cap_conn *conn = chan->conn;
+
+        if (enable_hs &&
+            chan->chan_policy == BT_CHANNEL_POLICY_AMP_PREFERRED &&
+            conn->fixed_chan_mask & L2CAP_FC_A2MP)
+                return true;
+        else
+                return false;
+}
+
+static bool l2cap_check_efs(struct l2cap_chan *chan)
+{
+        /* Check EFS parameters */
+        return true;
+}
+
+void l2cap_send_conn_req(struct l2cap_chan *chan)
 {
         struct l2cap_conn *conn = chan->conn;
         struct l2cap_conn_req req;
@@ -961,6 +1042,76 @@ static void l2cap_send_conn_req(struct l2cap_chan *chan)
         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ, sizeof(req), &req);
 }
 
+static void l2cap_send_create_chan_req(struct l2cap_chan *chan, u8 amp_id)
+{
+        struct l2cap_create_chan_req req;
+        req.scid = cpu_to_le16(chan->scid);
+        req.psm  = chan->psm;
+        req.amp_id = amp_id;
+
+        chan->ident = l2cap_get_ident(chan->conn);
+
+        l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_REQ,
+                       sizeof(req), &req);
+}
+
+static void l2cap_move_setup(struct l2cap_chan *chan)
+{
+        struct sk_buff *skb;
+
+        BT_DBG("chan %p", chan);
+
+        if (chan->mode != L2CAP_MODE_ERTM)
+                return;
+
+        __clear_retrans_timer(chan);
+        __clear_monitor_timer(chan);
+        __clear_ack_timer(chan);
+
+        chan->retry_count = 0;
+        skb_queue_walk(&chan->tx_q, skb) {
+                if (bt_cb(skb)->control.retries)
+                        bt_cb(skb)->control.retries = 1;
+                else
+                        break;
+        }
+
+        chan->expected_tx_seq = chan->buffer_seq;
+
+        clear_bit(CONN_REJ_ACT, &chan->conn_state);
+        clear_bit(CONN_SREJ_ACT, &chan->conn_state);
+        l2cap_seq_list_clear(&chan->retrans_list);
+        l2cap_seq_list_clear(&chan->srej_list);
+        skb_queue_purge(&chan->srej_q);
+
+        chan->tx_state = L2CAP_TX_STATE_XMIT;
+        chan->rx_state = L2CAP_RX_STATE_MOVE;
+
+        set_bit(CONN_REMOTE_BUSY, &chan->conn_state);
+}
+
+static void l2cap_move_done(struct l2cap_chan *chan)
+{
+        u8 move_role = chan->move_role;
+        BT_DBG("chan %p", chan);
+
+        chan->move_state = L2CAP_MOVE_STABLE;
+        chan->move_role = L2CAP_MOVE_ROLE_NONE;
+
+        if (chan->mode != L2CAP_MODE_ERTM)
+                return;
+
+        switch (move_role) {
+        case L2CAP_MOVE_ROLE_INITIATOR:
+                l2cap_tx(chan, NULL, NULL, L2CAP_EV_EXPLICIT_POLL);
+                chan->rx_state = L2CAP_RX_STATE_WAIT_F;
+                break;
+        case L2CAP_MOVE_ROLE_RESPONDER:
+                chan->rx_state = L2CAP_RX_STATE_WAIT_P;
+                break;
+        }
+}
+
 static void l2cap_chan_ready(struct l2cap_chan *chan)
 {
         /* This clears all conf flags, including CONF_NOT_COMPLETE */
@@ -972,6 +1123,16 @@ static void l2cap_chan_ready(struct l2cap_chan *chan)
         chan->ops->ready(chan);
 }
 
+static void l2cap_start_connection(struct l2cap_chan *chan)
+{
+        if (__amp_capable(chan)) {
+                BT_DBG("chan %p AMP capable: discover AMPs", chan);
+                a2mp_discover_amp(chan);
+        } else {
+                l2cap_send_conn_req(chan);
+        }
+}
+
 static void l2cap_do_start(struct l2cap_chan *chan)
 {
         struct l2cap_conn *conn = chan->conn;
@@ -986,8 +1147,9 @@ static void l2cap_do_start(struct l2cap_chan *chan)
                         return;
 
                 if (l2cap_chan_check_security(chan) &&
-                                __l2cap_no_conn_pending(chan))
-                        l2cap_send_conn_req(chan);
+                    __l2cap_no_conn_pending(chan)) {
+                        l2cap_start_connection(chan);
+                }
         } else {
                 struct l2cap_info_req req;
                 req.type = __constant_cpu_to_le16(L2CAP_IT_FEAT_MASK);
@@ -997,8 +1159,8 @@ static void l2cap_do_start(struct l2cap_chan *chan)
 
                 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
 
-                l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(req), &req);
+                l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
+                               sizeof(req), &req);
         }
 }
 
@@ -1018,7 +1180,8 @@ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
         }
 }
 
-static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
+static void l2cap_send_disconn_req(struct l2cap_conn *conn,
+                                   struct l2cap_chan *chan, int err)
 {
         struct sock *sk = chan->sk;
         struct l2cap_disconn_req req;
@@ -1033,14 +1196,14 @@ static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *c
         }
 
         if (chan->chan_type == L2CAP_CHAN_CONN_FIX_A2MP) {
-                __l2cap_state_change(chan, BT_DISCONN);
+                l2cap_state_change(chan, BT_DISCONN);
                 return;
         }
 
         req.dcid = cpu_to_le16(chan->dcid);
         req.scid = cpu_to_le16(chan->scid);
-        l2cap_send_cmd(conn, l2cap_get_ident(conn),
-                        L2CAP_DISCONN_REQ, sizeof(req), &req);
+        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_DISCONN_REQ,
+                       sizeof(req), &req);
 
         lock_sock(sk);
         __l2cap_state_change(chan, BT_DISCONN);
@@ -1069,20 +1232,20 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
 
                 if (chan->state == BT_CONNECT) {
                         if (!l2cap_chan_check_security(chan) ||
-                                        !__l2cap_no_conn_pending(chan)) {
+                            !__l2cap_no_conn_pending(chan)) {
                                 l2cap_chan_unlock(chan);
                                 continue;
                         }
 
                         if (!l2cap_mode_supported(chan->mode, conn->feat_mask)
-                                        && test_bit(CONF_STATE2_DEVICE,
+                            && test_bit(CONF_STATE2_DEVICE,
                                         &chan->conf_state)) {
                                 l2cap_chan_close(chan, ECONNRESET);
                                 l2cap_chan_unlock(chan);
                                 continue;
                         }
 
-                        l2cap_send_conn_req(chan);
+                        l2cap_start_connection(chan);
 
                 } else if (chan->state == BT_CONNECT2) {
                         struct l2cap_conn_rsp rsp;
@@ -1094,11 +1257,9 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
                                 lock_sock(sk);
                                 if (test_bit(BT_SK_DEFER_SETUP,
                                              &bt_sk(sk)->flags)) {
-                                        struct sock *parent = bt_sk(sk)->parent;
                                         rsp.result = __constant_cpu_to_le16(L2CAP_CR_PEND);
                                         rsp.status = __constant_cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
-                                        if (parent)
-                                                parent->sk_data_ready(parent, 0);
+                                        chan->ops->defer(chan);
 
                                 } else {
                                         __l2cap_state_change(chan, BT_CONFIG);
@@ -1112,17 +1273,17 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
                         }
 
                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                                        sizeof(rsp), &rsp);
+                                       sizeof(rsp), &rsp);
 
                         if (test_bit(CONF_REQ_SENT, &chan->conf_state) ||
-                                        rsp.result != L2CAP_CR_SUCCESS) {
+                            rsp.result != L2CAP_CR_SUCCESS) {
                                 l2cap_chan_unlock(chan);
                                 continue;
                         }
 
                         set_bit(CONF_REQ_SENT, &chan->conf_state);
                         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                                l2cap_build_conf_req(chan, buf), buf);
+                                       l2cap_build_conf_req(chan, buf), buf);
                         chan->num_conf_req++;
                 }
 
@@ -1204,8 +1365,6 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
         bacpy(&bt_sk(sk)->src, conn->src);
         bacpy(&bt_sk(sk)->dst, conn->dst);
 
-        bt_accept_enqueue(parent, sk);
-
         l2cap_chan_add(conn, chan);
 
         l2cap_chan_ready(chan);
@@ -1270,7 +1429,7 @@ static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
 
         list_for_each_entry(chan, &conn->chan_l, list) {
                 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags))
-                        __l2cap_chan_set_err(chan, err);
+                        l2cap_chan_set_err(chan, err);
         }
 
         mutex_unlock(&conn->chan_lock);
@@ -1279,7 +1438,7 @@ static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
 static void l2cap_info_timeout(struct work_struct *work)
 {
         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
-                                                        info_timer.work);
+                                               info_timer.work);
 
         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
         conn->info_ident = 0;
@@ -1333,7 +1492,7 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
 static void security_timeout(struct work_struct *work)
 {
         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
-                                                security_timer.work);
+                                               security_timer.work);
 
         BT_DBG("conn %p", conn);
 
@@ -1355,7 +1514,7 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
         if (!hchan)
                 return NULL;
 
-        conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
+        conn = kzalloc(sizeof(struct l2cap_conn), GFP_KERNEL);
         if (!conn) {
                 hci_chan_del(hchan);
                 return NULL;
@@ -1367,10 +1526,22 @@ static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
 
         BT_DBG("hcon %p conn %p hchan %p", hcon, conn, hchan);
 
-        if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
-                conn->mtu = hcon->hdev->le_mtu;
-        else
+        switch (hcon->type) {
+        case AMP_LINK:
+                conn->mtu = hcon->hdev->block_mtu;
+                break;
+
+        case LE_LINK:
+                if (hcon->hdev->le_mtu) {
+                        conn->mtu = hcon->hdev->le_mtu;
+                        break;
+                }
+                /* fall through */
+
+        default:
                 conn->mtu = hcon->hdev->acl_mtu;
+                break;
+        }
 
         conn->src = &hcon->hdev->bdaddr;
         conn->dst = &hcon->dst;
@@ -1448,7 +1619,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
         __u8 auth_type;
         int err;
 
-        BT_DBG("%s -> %s (type %u) psm 0x%2.2x", batostr(src), batostr(dst),
+        BT_DBG("%pMR -> %pMR (type %u) psm 0x%2.2x", src, dst,
                dst_type, __le16_to_cpu(psm));
 
         hdev = hci_get_route(dst, src);
@@ -1461,7 +1632,7 @@ int l2cap_chan_connect(struct l2cap_chan *chan, __le16 psm, u16 cid,
 
         /* PSM must be odd and lsb of upper byte must be 0 */
         if ((__le16_to_cpu(psm) & 0x0101) != 0x0001 && !cid &&
-                                        chan->chan_type != L2CAP_CHAN_RAW) {
+            chan->chan_type != L2CAP_CHAN_RAW) {
                 err = -EINVAL;
                 goto done;
         }
@@ -1657,6 +1828,9 @@ static void l2cap_streaming_send(struct l2cap_chan *chan,
 
         BT_DBG("chan %p, skbs %p", chan, skbs);
 
+        if (__chan_is_moving(chan))
+                return;
+
         skb_queue_splice_tail_init(skbs, &chan->tx_q);
 
         while (!skb_queue_empty(&chan->tx_q)) {
@@ -1699,6 +1873,9 @@ static int l2cap_ertm_send(struct l2cap_chan *chan)
         if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
                 return 0;
 
+        if (__chan_is_moving(chan))
+                return 0;
+
         while (chan->tx_send_head &&
                chan->unacked_frames < chan->remote_tx_win &&
                chan->tx_state == L2CAP_TX_STATE_XMIT) {
@@ -1764,13 +1941,16 @@ static void l2cap_ertm_resend(struct l2cap_chan *chan)
         if (test_bit(CONN_REMOTE_BUSY, &chan->conn_state))
                 return;
 
+        if (__chan_is_moving(chan))
+                return;
+
         while (chan->retrans_list.head != L2CAP_SEQ_LIST_CLEAR) {
                 seq = l2cap_seq_list_pop(&chan->retrans_list);
 
                 skb = l2cap_ertm_seq_in_queue(&chan->tx_q, seq);
                 if (!skb) {
                         BT_DBG("Error: Can't retransmit seq %d, frame missing",
-                                seq);
+                               seq);
                         continue;
                 }
 
@@ -1795,9 +1975,9 @@ static void l2cap_ertm_resend(struct l2cap_chan *chan)
                         /* Cloned sk_buffs are read-only, so we need a
                          * writeable copy
                          */
-                        tx_skb = skb_copy(skb, GFP_ATOMIC);
+                        tx_skb = skb_copy(skb, GFP_KERNEL);
                 } else {
-                        tx_skb = skb_clone(skb, GFP_ATOMIC);
+                        tx_skb = skb_clone(skb, GFP_KERNEL);
                 }
 
                 if (!tx_skb) {
@@ -1855,7 +2035,7 @@ static void l2cap_retransmit_all(struct l2cap_chan *chan,
         if (chan->unacked_frames) {
                 skb_queue_walk(&chan->tx_q, skb) {
                         if (bt_cb(skb)->control.txseq == control->reqseq ||
-                                skb == chan->tx_send_head)
+                            skb == chan->tx_send_head)
                                 break;
                 }
 
@@ -2106,7 +2286,9 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
         /* PDU size is derived from the HCI MTU */
         pdu_len = chan->conn->mtu;
 
-        pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
+        /* Constrain PDU size for BR/EDR connections */
+        if (!chan->hs_hcon)
+                pdu_len = min_t(size_t, pdu_len, L2CAP_BREDR_MAX_PAYLOAD);
 
         /* Adjust for largest possible L2CAP overhead. */
         if (chan->fcs)
@@ -2156,7 +2338,7 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
 }
 
 int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
-                                                                u32 priority)
+                    u32 priority)
 {
         struct sk_buff *skb;
         int err;
@@ -2543,7 +2725,7 @@ static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
                 /* Don't send frame to the socket it came from */
                 if (skb->sk == sk)
                         continue;
-                nskb = skb_clone(skb, GFP_ATOMIC);
+                nskb = skb_clone(skb, GFP_KERNEL);
                 if (!nskb)
                         continue;
 
@@ -2569,7 +2751,7 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
         len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
         count = min_t(unsigned int, conn->mtu, len);
 
-        skb = bt_skb_alloc(count, GFP_ATOMIC);
+        skb = bt_skb_alloc(count, GFP_KERNEL);
         if (!skb)
                 return NULL;
 
@@ -2599,7 +2781,7 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
         while (len) {
                 count = min_t(unsigned int, conn->mtu, len);
 
-                *frag = bt_skb_alloc(count, GFP_ATOMIC);
+                *frag = bt_skb_alloc(count, GFP_KERNEL);
                 if (!*frag)
                         goto fail;
 
@@ -2618,7 +2800,8 @@ fail:
         return NULL;
 }
 
-static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
+static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,
+                                     unsigned long *val)
 {
         struct l2cap_conf_opt *opt = *ptr;
         int len;
@@ -2692,7 +2875,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
                 efs.msdu        = cpu_to_le16(chan->local_msdu);
                 efs.sdu_itime   = cpu_to_le32(chan->local_sdu_itime);
                 efs.acc_lat     = __constant_cpu_to_le32(L2CAP_DEFAULT_ACC_LAT);
-                efs.flush_to    = __constant_cpu_to_le32(L2CAP_DEFAULT_FLUSH_TO);
+                efs.flush_to    = __constant_cpu_to_le32(L2CAP_EFS_DEFAULT_FLUSH_TO);
                 break;
 
         case L2CAP_MODE_STREAMING:
@@ -2709,7 +2892,7 @@ static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
         }
 
         l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
-                                                        (unsigned long) &efs);
+                           (unsigned long) &efs);
 }
 
 static void l2cap_ack_timeout(struct work_struct *work)
@@ -2749,6 +2932,11 @@ int l2cap_ertm_init(struct l2cap_chan *chan)
 
         skb_queue_head_init(&chan->tx_q);
 
+        chan->local_amp_id = 0;
+        chan->move_id = 0;
+        chan->move_state = L2CAP_MOVE_STABLE;
+        chan->move_role = L2CAP_MOVE_ROLE_NONE;
+
         if (chan->mode != L2CAP_MODE_ERTM)
                 return 0;
 
@@ -2795,16 +2983,54 @@ static inline bool __l2cap_efs_supported(struct l2cap_chan *chan)
         return enable_hs && chan->conn->feat_mask & L2CAP_FEAT_EXT_FLOW;
 }
 
+static void __l2cap_set_ertm_timeouts(struct l2cap_chan *chan,
+                                      struct l2cap_conf_rfc *rfc)
+{
+        if (chan->local_amp_id && chan->hs_hcon) {
+                u64 ertm_to = chan->hs_hcon->hdev->amp_be_flush_to;
+
+                /* Class 1 devices have must have ERTM timeouts
+                 * exceeding the Link Supervision Timeout.  The
+                 * default Link Supervision Timeout for AMP
+                 * controllers is 10 seconds.
+                 *
+                 * Class 1 devices use 0xffffffff for their
+                 * best-effort flush timeout, so the clamping logic
+                 * will result in a timeout that meets the above
+                 * requirement.  ERTM timeouts are 16-bit values, so
+                 * the maximum timeout is 65.535 seconds.
+                 */
+
+                /* Convert timeout to milliseconds and round */
+                ertm_to = DIV_ROUND_UP_ULL(ertm_to, 1000);
+
+                /* This is the recommended formula for class 2 devices
+                 * that start ERTM timers when packets are sent to the
+                 * controller.
+                 */
+                ertm_to = 3 * ertm_to + 500;
+
+                if (ertm_to > 0xffff)
+                        ertm_to = 0xffff;
+
+                rfc->retrans_timeout = cpu_to_le16((u16) ertm_to);
+                rfc->monitor_timeout = rfc->retrans_timeout;
+        } else {
+                rfc->retrans_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
+                rfc->monitor_timeout = __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
+        }
+}
+
 static inline void l2cap_txwin_setup(struct l2cap_chan *chan)
 {
         if (chan->tx_win > L2CAP_DEFAULT_TX_WINDOW &&
-                                                __l2cap_ews_supported(chan)) {
+            __l2cap_ews_supported(chan)) {
                 /* use extended control field */
                 set_bit(FLAG_EXT_CTRL, &chan->flags);
                 chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
         } else {
                 chan->tx_win = min_t(u16, chan->tx_win,
-                                                L2CAP_DEFAULT_TX_WINDOW);
+                                     L2CAP_DEFAULT_TX_WINDOW);
                 chan->tx_win_max = L2CAP_DEFAULT_TX_WINDOW;
         }
         chan->ack_win = chan->tx_win;
@@ -2844,7 +3070,7 @@ done:
         switch (chan->mode) {
         case L2CAP_MODE_BASIC:
                 if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
-                                !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
+                    !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
                         break;
 
                 rfc.mode            = L2CAP_MODE_BASIC;
@@ -2855,28 +3081,27 @@ done:
                 rfc.max_pdu_size    = 0;
 
                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
+                                   (unsigned long) &rfc);
                 break;
 
         case L2CAP_MODE_ERTM:
                 rfc.mode            = L2CAP_MODE_ERTM;
                 rfc.max_transmit    = chan->max_tx;
-                rfc.retrans_timeout = 0;
-                rfc.monitor_timeout = 0;
+
+                __l2cap_set_ertm_timeouts(chan, &rfc);
 
                 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
-                                                L2CAP_EXT_HDR_SIZE -
-                                                L2CAP_SDULEN_SIZE -
-                                                L2CAP_FCS_SIZE);
+                             L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
+                             L2CAP_FCS_SIZE);
                 rfc.max_pdu_size = cpu_to_le16(size);
 
                 l2cap_txwin_setup(chan);
 
                 rfc.txwin_size = min_t(u16, chan->tx_win,
-                                                L2CAP_DEFAULT_TX_WINDOW);
+                                       L2CAP_DEFAULT_TX_WINDOW);
 
                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
+                                   (unsigned long) &rfc);
 
                 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
                         l2cap_add_opt_efs(&ptr, chan);
@@ -2885,14 +3110,14 @@ done:
                         break;
 
                 if (chan->fcs == L2CAP_FCS_NONE ||
-                                test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
+                    test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
                         chan->fcs = L2CAP_FCS_NONE;
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
                 }
 
                 if (test_bit(FLAG_EXT_CTRL, &chan->flags))
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
-                                                                chan->tx_win);
+                                           chan->tx_win);
                 break;
 
         case L2CAP_MODE_STREAMING:
@@ -2904,13 +3129,12 @@ done:
                 rfc.monitor_timeout = 0;
 
                 size = min_t(u16, L2CAP_DEFAULT_MAX_PDU_SIZE, chan->conn->mtu -
-                                                L2CAP_EXT_HDR_SIZE -
-                                                L2CAP_SDULEN_SIZE -
-                                                L2CAP_FCS_SIZE);
+                             L2CAP_EXT_HDR_SIZE - L2CAP_SDULEN_SIZE -
+                             L2CAP_FCS_SIZE);
                 rfc.max_pdu_size = cpu_to_le16(size);
 
                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
+                                   (unsigned long) &rfc);
 
                 if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
                         l2cap_add_opt_efs(&ptr, chan);
@@ -2919,7 +3143,7 @@ done:
                         break;
 
                 if (chan->fcs == L2CAP_FCS_NONE ||
-                                test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
+                    test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
                         chan->fcs = L2CAP_FCS_NONE;
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
                 }
@@ -3011,7 +3235,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
         case L2CAP_MODE_ERTM:
                 if (!test_bit(CONF_STATE2_DEVICE, &chan->conf_state)) {
                         chan->mode = l2cap_select_mode(rfc.mode,
-                                        chan->conn->feat_mask);
+                                                       chan->conn->feat_mask);
                         break;
                 }
 
@@ -3036,8 +3260,8 @@ done:
                 if (chan->num_conf_rsp == 1)
                         return -ECONNREFUSED;
 
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+                                   (unsigned long) &rfc);
         }
 
         if (result == L2CAP_CONF_SUCCESS) {
@@ -3054,8 +3278,8 @@ done:
 
                 if (remote_efs) {
                         if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-                                        efs.stype != L2CAP_SERV_NOTRAFIC &&
-                                        efs.stype != chan->local_stype) {
+                            efs.stype != L2CAP_SERV_NOTRAFIC &&
+                            efs.stype != chan->local_stype) {
 
                                 result = L2CAP_CONF_UNACCEPT;
 
@@ -3063,8 +3287,8 @@ done:
                                         return -ECONNREFUSED;
 
                                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
-                                                        sizeof(efs),
-                                                        (unsigned long) &efs);
+                                                   sizeof(efs),
+                                                   (unsigned long) &efs);
                         } else {
                                 /* Send PENDING Conf Rsp */
                                 result = L2CAP_CONF_PENDING;
@@ -3087,51 +3311,45 @@ done:
                         chan->remote_max_tx = rfc.max_transmit;
 
                         size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
-                                                chan->conn->mtu -
-                                                L2CAP_EXT_HDR_SIZE -
-                                                L2CAP_SDULEN_SIZE -
-                                                L2CAP_FCS_SIZE);
+                                     chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
+                                     L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
                         rfc.max_pdu_size = cpu_to_le16(size);
                         chan->remote_mps = size;
 
-                        rfc.retrans_timeout =
-                                __constant_cpu_to_le16(L2CAP_DEFAULT_RETRANS_TO);
-                        rfc.monitor_timeout =
-                                __constant_cpu_to_le16(L2CAP_DEFAULT_MONITOR_TO);
+                        __l2cap_set_ertm_timeouts(chan, &rfc);
 
                         set_bit(CONF_MODE_DONE, &chan->conf_state);
 
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
+                                           sizeof(rfc), (unsigned long) &rfc);
 
                         if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
                                 chan->remote_id = efs.id;
                                 chan->remote_stype = efs.stype;
                                 chan->remote_msdu = le16_to_cpu(efs.msdu);
                                 chan->remote_flush_to =
-                                                le32_to_cpu(efs.flush_to);
+                                        le32_to_cpu(efs.flush_to);
                                 chan->remote_acc_lat =
-                                                le32_to_cpu(efs.acc_lat);
+                                        le32_to_cpu(efs.acc_lat);
                                 chan->remote_sdu_itime =
                                         le32_to_cpu(efs.sdu_itime);
                                 l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
-                                        sizeof(efs), (unsigned long) &efs);
+                                                   sizeof(efs),
+                                                   (unsigned long) &efs);
                         }
                         break;
 
                 case L2CAP_MODE_STREAMING:
                         size = min_t(u16, le16_to_cpu(rfc.max_pdu_size),
-                                                chan->conn->mtu -
-                                                L2CAP_EXT_HDR_SIZE -
-                                                L2CAP_SDULEN_SIZE -
-                                                L2CAP_FCS_SIZE);
+                                     chan->conn->mtu - L2CAP_EXT_HDR_SIZE -
+                                     L2CAP_SDULEN_SIZE - L2CAP_FCS_SIZE);
                         rfc.max_pdu_size = cpu_to_le16(size);
                         chan->remote_mps = size;
 
                         set_bit(CONF_MODE_DONE, &chan->conf_state);
 
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+                                           (unsigned long) &rfc);
 
                         break;
 
@@ -3152,7 +3370,8 @@ done:
         return ptr - data;
 }
 
-static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
+static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+                                void *data, u16 *result)
 {
         struct l2cap_conf_req *req = data;
         void *ptr = req->data;
@@ -3179,7 +3398,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
                 case L2CAP_CONF_FLUSH_TO:
                         chan->flush_to = val;
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
-                                                        2, chan->flush_to);
+                                           2, chan->flush_to);
                         break;
 
                 case L2CAP_CONF_RFC:
@@ -3187,13 +3406,13 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
                                 memcpy(&rfc, (void *)val, olen);
 
                         if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
-                                                        rfc.mode != chan->mode)
+                            rfc.mode != chan->mode)
                                 return -ECONNREFUSED;
 
                         chan->fcs = 0;
 
                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
+                                           sizeof(rfc), (unsigned long) &rfc);
                         break;
 
                 case L2CAP_CONF_EWS:
@@ -3207,12 +3426,12 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
                                 memcpy(&efs, (void *)val, olen);
 
                         if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-                                        efs.stype != L2CAP_SERV_NOTRAFIC &&
-                                        efs.stype != chan->local_stype)
+                            efs.stype != L2CAP_SERV_NOTRAFIC &&
+                            efs.stype != chan->local_stype)
                                 return -ECONNREFUSED;
 
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
-                                        sizeof(efs), (unsigned long) &efs);
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+                                           (unsigned long) &efs);
                         break;
                 }
         }
@@ -3235,10 +3454,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
                         if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
                                 chan->local_msdu = le16_to_cpu(efs.msdu);
                                 chan->local_sdu_itime =
-                                                le32_to_cpu(efs.sdu_itime);
+                                        le32_to_cpu(efs.sdu_itime);
                                 chan->local_acc_lat = le32_to_cpu(efs.acc_lat);
                                 chan->local_flush_to =
-                                                le32_to_cpu(efs.flush_to);
+                                        le32_to_cpu(efs.flush_to);
                         }
                         break;
 
@@ -3253,7 +3472,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
         return ptr - data;
 }
 
-static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
+static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data,
+                                u16 result, u16 flags)
 {
         struct l2cap_conf_rsp *rsp = data;
         void *ptr = rsp->data;
@@ -3272,19 +3492,27 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
         struct l2cap_conn_rsp rsp;
         struct l2cap_conn *conn = chan->conn;
         u8 buf[128];
+        u8 rsp_code;
 
         rsp.scid   = cpu_to_le16(chan->dcid);
         rsp.dcid   = cpu_to_le16(chan->scid);
         rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
         rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
-        l2cap_send_cmd(conn, chan->ident,
-                                L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+
+        if (chan->hs_hcon)
+                rsp_code = L2CAP_CREATE_CHAN_RSP;
+        else
+                rsp_code = L2CAP_CONN_RSP;
+
+        BT_DBG("chan %p rsp_code %u", chan, rsp_code);
+
+        l2cap_send_cmd(conn, chan->ident, rsp_code, sizeof(rsp), &rsp);
 
         if (test_and_set_bit(CONF_REQ_SENT, &chan->conf_state))
                 return;
 
         l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                        l2cap_build_conf_req(chan, buf), buf);
+                       l2cap_build_conf_req(chan, buf), buf);
         chan->num_conf_req++;
 }
 
@@ -3339,7 +3567,8 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
         }
 }
 
-static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_command_rej(struct l2cap_conn *conn,
+                                    struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
 
@@ -3347,7 +3576,7 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
                 return 0;
 
         if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
-                                        cmd->ident == conn->info_ident) {
+            cmd->ident == conn->info_ident) {
                 cancel_delayed_work(&conn->info_timer);
 
                 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
@@ -3359,7 +3588,9 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
         return 0;
 }
 
-static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
+                                        struct l2cap_cmd_hdr *cmd,
+                                        u8 *data, u8 rsp_code, u8 amp_id)
 {
         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
         struct l2cap_conn_rsp rsp;
@@ -3386,7 +3617,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
 
         /* Check if the ACL is secure enough (if not SDP) */
         if (psm != __constant_cpu_to_le16(L2CAP_PSM_SDP) &&
-                                !hci_conn_check_link_mode(conn->hcon)) {
+            !hci_conn_check_link_mode(conn->hcon)) {
                 conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
                 result = L2CAP_CR_SEC_BLOCK;
                 goto response;
@@ -3410,8 +3641,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
         bacpy(&bt_sk(sk)->dst, conn->dst);
         chan->psm  = psm;
         chan->dcid = scid;
-
-        bt_accept_enqueue(parent, sk);
+        chan->local_amp_id = amp_id;
 
         __l2cap_chan_add(conn, chan);
 
@@ -3427,10 +3657,19 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
                                 __l2cap_state_change(chan, BT_CONNECT2);
                                 result = L2CAP_CR_PEND;
                                 status = L2CAP_CS_AUTHOR_PEND;
-                                parent->sk_data_ready(parent, 0);
+                                chan->ops->defer(chan);
                         } else {
-                                __l2cap_state_change(chan, BT_CONFIG);
-                                result = L2CAP_CR_SUCCESS;
+                                /* Force pending result for AMP controllers.
+                                 * The connection will succeed after the
+                                 * physical link is up.
+                                 */
+                                if (amp_id) {
+                                        __l2cap_state_change(chan, BT_CONNECT2);
+                                        result = L2CAP_CR_PEND;
+                                } else {
+                                        __l2cap_state_change(chan, BT_CONFIG);
+                                        result = L2CAP_CR_SUCCESS;
+                                }
                                 status = L2CAP_CS_NO_INFO;
                         }
                 } else {
@@ -3453,7 +3692,7 @@ sendresp:
         rsp.dcid   = cpu_to_le16(dcid);
         rsp.result = cpu_to_le16(result);
         rsp.status = cpu_to_le16(status);
-        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+        l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp);
 
         if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
                 struct l2cap_info_req info;
@@ -3464,23 +3703,31 @@ sendresp:
 
                 schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
 
-                l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(info), &info);
+                l2cap_send_cmd(conn, conn->info_ident, L2CAP_INFO_REQ,
+                               sizeof(info), &info);
         }
 
         if (chan && !test_bit(CONF_REQ_SENT, &chan->conf_state) &&
-                                result == L2CAP_CR_SUCCESS) {
+            result == L2CAP_CR_SUCCESS) {
                 u8 buf[128];
                 set_bit(CONF_REQ_SENT, &chan->conf_state);
                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(chan, buf), buf);
+                               l2cap_build_conf_req(chan, buf), buf);
                 chan->num_conf_req++;
         }
 
+        return chan;
+}
+
+static int l2cap_connect_req(struct l2cap_conn *conn,
+                             struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
         return 0;
 }
 
-static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+                                    struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
         u16 scid, dcid, result, status;
@@ -3494,7 +3741,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
         status = __le16_to_cpu(rsp->status);
 
         BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x",
-                                                dcid, scid, result, status);
+               dcid, scid, result, status);
 
         mutex_lock(&conn->chan_lock);
 
@@ -3527,7 +3774,7 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
                         break;
 
                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(chan, req), req);
+                               l2cap_build_conf_req(chan, req), req);
                 chan->num_conf_req++;
                 break;
 
@@ -3559,7 +3806,25 @@ static inline void set_default_fcs(struct l2cap_chan *chan)
                 chan->fcs = L2CAP_FCS_CRC16;
 }
 
-static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
+                                    u8 ident, u16 flags)
+{
+        struct l2cap_conn *conn = chan->conn;
+
+        BT_DBG("conn %p chan %p ident %d flags 0x%4.4x", conn, chan, ident,
+               flags);
+
+        clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
+        set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
+
+        l2cap_send_cmd(conn, ident, L2CAP_CONF_RSP,
+                       l2cap_build_conf_rsp(chan, data,
+                                            L2CAP_CONF_SUCCESS, flags), data);
+}
+
+static inline int l2cap_config_req(struct l2cap_conn *conn,
+                                   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                   u8 *data)
 {
         struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
         u16 dcid, flags;
@@ -3584,7 +3849,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                 rej.dcid = cpu_to_le16(chan->dcid);
 
                 l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
-                                sizeof(rej), &rej);
+                               sizeof(rej), &rej);
                 goto unlock;
         }
 
@@ -3592,8 +3857,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
         len = cmd_len - sizeof(*req);
         if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(chan, rsp,
-                                        L2CAP_CONF_REJECT, flags), rsp);
+                               l2cap_build_conf_rsp(chan, rsp,
+                               L2CAP_CONF_REJECT, flags), rsp);
                 goto unlock;
         }
 
@@ -3604,8 +3869,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
         if (flags & L2CAP_CONF_FLAG_CONTINUATION) {
                 /* Incomplete config. Send empty response. */
                 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(chan, rsp,
-                                        L2CAP_CONF_SUCCESS, flags), rsp);
+                               l2cap_build_conf_rsp(chan, rsp,
+                               L2CAP_CONF_SUCCESS, flags), rsp);
                 goto unlock;
         }
 
@@ -3616,6 +3881,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                 goto unlock;
         }
 
+        chan->ident = cmd->ident;
         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
         chan->num_conf_rsp++;
 
@@ -3643,23 +3909,22 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
         if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
                 u8 buf[64];
                 l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(chan, buf), buf);
+                               l2cap_build_conf_req(chan, buf), buf);
                 chan->num_conf_req++;
         }
 
         /* Got Conf Rsp PENDING from remote side and asume we sent
            Conf Rsp PENDING in the code above */
         if (test_bit(CONF_REM_CONF_PEND, &chan->conf_state) &&
-                        test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
+            test_bit(CONF_LOC_CONF_PEND, &chan->conf_state)) {
 
                 /* check compatibility */
 
-                clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
-                set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
-
-                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                        l2cap_build_conf_rsp(chan, rsp,
-                                        L2CAP_CONF_SUCCESS, flags), rsp);
+                /* Send rsp for BR/EDR channel */
+                if (!chan->hs_hcon)
+                        l2cap_send_efs_conf_rsp(chan, rsp, cmd->ident, flags);
+                else
+                        chan->ident = cmd->ident;
         }
 
 unlock:
@@ -3667,7 +3932,8 @@ unlock:
         return err;
 }
 
-static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_config_rsp(struct l2cap_conn *conn,
+                                   struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
         u16 scid, flags, result;
@@ -3699,20 +3965,21 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                         char buf[64];
 
                         len = l2cap_parse_conf_rsp(chan, rsp->data, len,
-                                                                buf, &result);
+                                                   buf, &result);
                         if (len < 0) {
                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
                                 goto done;
                         }
 
-                        /* check compatibility */
-
-                        clear_bit(CONF_LOC_CONF_PEND, &chan->conf_state);
-                        set_bit(CONF_OUTPUT_DONE, &chan->conf_state);
-
-                        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                                l2cap_build_conf_rsp(chan, buf,
-                                                L2CAP_CONF_SUCCESS, 0x0000), buf);
+                        if (!chan->hs_hcon) {
+                                l2cap_send_efs_conf_rsp(chan, buf, cmd->ident,
+                                                        0);
+                        } else {
+                                if (l2cap_check_efs(chan)) {
+                                        amp_create_logical_link(chan);
+                                        chan->ident = cmd->ident;
+                                }
+                        }
                 }
                 goto done;
 
@@ -3728,14 +3995,14 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr
                         /* throw out any old stored conf requests */
                         result = L2CAP_CONF_SUCCESS;
                         len = l2cap_parse_conf_rsp(chan, rsp->data, len,
-                                                                req, &result);
+                                                   req, &result);
                         if (len < 0) {
                                 l2cap_send_disconn_req(conn, chan, ECONNRESET);
                                 goto done;
                         }
 
                         l2cap_send_cmd(conn, l2cap_get_ident(conn),
-                                                L2CAP_CONF_REQ, len, req);
+                                       L2CAP_CONF_REQ, len, req);
                         chan->num_conf_req++;
                         if (result != L2CAP_CONF_SUCCESS)
                                 goto done;
@@ -3773,7 +4040,8 @@ done:
         return err;
 }
 
-static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+                                       struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
         struct l2cap_disconn_rsp rsp;
@@ -3819,7 +4087,8 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
         return 0;
 }
 
-static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+                                       struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
         u16 dcid, scid;
@@ -3853,7 +4122,8 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
         return 0;
 }
 
-static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_information_req(struct l2cap_conn *conn,
+                                        struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_info_req *req = (struct l2cap_info_req *) data;
         u16 type;
@@ -3870,14 +4140,14 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
                 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
                 if (!disable_ertm)
                         feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
-                                                         | L2CAP_FEAT_FCS;
+                                | L2CAP_FEAT_FCS;
                 if (enable_hs)
                         feat_mask |= L2CAP_FEAT_EXT_FLOW
-                                                | L2CAP_FEAT_EXT_WINDOW;
+                                | L2CAP_FEAT_EXT_WINDOW;
 
                 put_unaligned_le32(feat_mask, rsp->data);
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(buf), buf);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
+                               buf);
         } else if (type == L2CAP_IT_FIXED_CHAN) {
                 u8 buf[12];
                 struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
@@ -3890,20 +4160,21 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
                 rsp->type   = __constant_cpu_to_le16(L2CAP_IT_FIXED_CHAN);
                 rsp->result = __constant_cpu_to_le16(L2CAP_IR_SUCCESS);
                 memcpy(rsp->data, l2cap_fixed_chan, sizeof(l2cap_fixed_chan));
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(buf), buf);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(buf),
+                               buf);
         } else {
                 struct l2cap_info_rsp rsp;
                 rsp.type   = cpu_to_le16(type);
                 rsp.result = __constant_cpu_to_le16(L2CAP_IR_NOTSUPP);
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(rsp), &rsp);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_INFO_RSP, sizeof(rsp),
+                               &rsp);
         }
 
         return 0;
 }
 
-static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+static inline int l2cap_information_rsp(struct l2cap_conn *conn,
+                                        struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
         u16 type, result;
@@ -3915,7 +4186,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
 
         /* L2CAP Info req/rsp are unbound to channels, add extra checks */
         if (cmd->ident != conn->info_ident ||
-                        conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
+            conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
                 return 0;
 
         cancel_delayed_work(&conn->info_timer);
@@ -3940,7 +4211,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
                         conn->info_ident = l2cap_get_ident(conn);
 
                         l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(req), &req);
+                                       L2CAP_INFO_REQ, sizeof(req), &req);
                 } else {
                         conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
                         conn->info_ident = 0;
@@ -3961,12 +4232,14 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cm
         return 0;
 }
 
-static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u16 cmd_len,
-                                        void *data)
+static int l2cap_create_channel_req(struct l2cap_conn *conn,
+                                    struct l2cap_cmd_hdr *cmd,
+                                    u16 cmd_len, void *data)
 {
         struct l2cap_create_chan_req *req = data;
         struct l2cap_create_chan_rsp rsp;
+        struct l2cap_chan *chan;
+        struct hci_dev *hdev;
         u16 psm, scid;
 
         if (cmd_len != sizeof(*req))
@@ -3980,56 +4253,119 @@ static inline int l2cap_create_channel_req(struct l2cap_conn *conn,
 
         BT_DBG("psm 0x%2.2x, scid 0x%4.4x, amp_id %d", psm, scid, req->amp_id);
 
-        /* Placeholder: Always reject */
+        /* For controller id 0 make BR/EDR connection */
+        if (req->amp_id == HCI_BREDR_ID) {
+                l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
+                              req->amp_id);
+                return 0;
+        }
+
+        /* Validate AMP controller id */
+        hdev = hci_dev_get(req->amp_id);
+        if (!hdev)
+                goto error;
+
+        if (hdev->dev_type != HCI_AMP || !test_bit(HCI_UP, &hdev->flags)) {
+                hci_dev_put(hdev);
+                goto error;
+        }
+
+        chan = l2cap_connect(conn, cmd, data, L2CAP_CREATE_CHAN_RSP,
+                             req->amp_id);
+        if (chan) {
+                struct amp_mgr *mgr = conn->hcon->amp_mgr;
+                struct hci_conn *hs_hcon;
+
+                hs_hcon = hci_conn_hash_lookup_ba(hdev, AMP_LINK, conn->dst);
+                if (!hs_hcon) {
+                        hci_dev_put(hdev);
+                        return -EFAULT;
+                }
+
+                BT_DBG("mgr %p bredr_chan %p hs_hcon %p", mgr, chan, hs_hcon);
+
+                mgr->bredr_chan = chan;
+                chan->hs_hcon = hs_hcon;
+                chan->fcs = L2CAP_FCS_NONE;
+                conn->mtu = hdev->block_mtu;
+        }
+
+        hci_dev_put(hdev);
+
+        return 0;
+
+error:
         rsp.dcid = 0;
         rsp.scid = cpu_to_le16(scid);
-        rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
+        rsp.result = __constant_cpu_to_le16(L2CAP_CR_BAD_AMP);
         rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
 
         l2cap_send_cmd(conn, cmd->ident, L2CAP_CREATE_CHAN_RSP,
                        sizeof(rsp), &rsp);
 
-        return 0;
+        return -EFAULT;
 }
 
-static inline int l2cap_create_channel_rsp(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, void *data)
+static void l2cap_send_move_chan_req(struct l2cap_chan *chan, u8 dest_amp_id)
 {
-        BT_DBG("conn %p", conn);
+        struct l2cap_move_chan_req req;
+        u8 ident;
+
+        BT_DBG("chan %p, dest_amp_id %d", chan, dest_amp_id);
 
-        return l2cap_connect_rsp(conn, cmd, data);
+        ident = l2cap_get_ident(chan->conn);
+        chan->ident = ident;
+
+        req.icid = cpu_to_le16(chan->scid);
+        req.dest_amp_id = dest_amp_id;
+
+        l2cap_send_cmd(chan->conn, ident, L2CAP_MOVE_CHAN_REQ, sizeof(req),
+                       &req);
+
+        __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
 }
 
-static void l2cap_send_move_chan_rsp(struct l2cap_conn *conn, u8 ident,
-                                     u16 icid, u16 result)
+static void l2cap_send_move_chan_rsp(struct l2cap_chan *chan, u16 result)
 {
         struct l2cap_move_chan_rsp rsp;
 
-        BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
+        BT_DBG("chan %p, result 0x%4.4x", chan, result);
 
-        rsp.icid = cpu_to_le16(icid);
+        rsp.icid = cpu_to_le16(chan->dcid);
         rsp.result = cpu_to_le16(result);
 
-        l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_RSP, sizeof(rsp), &rsp);
+        l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_RSP,
+                       sizeof(rsp), &rsp);
 }
 
-static void l2cap_send_move_chan_cfm(struct l2cap_conn *conn,
-                                     struct l2cap_chan *chan,
-                                     u16 icid, u16 result)
+static void l2cap_send_move_chan_cfm(struct l2cap_chan *chan, u16 result)
 {
         struct l2cap_move_chan_cfm cfm;
-        u8 ident;
 
-        BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
+        BT_DBG("chan %p, result 0x%4.4x", chan, result);
 
-        ident = l2cap_get_ident(conn);
-        if (chan)
-                chan->ident = ident;
+        chan->ident = l2cap_get_ident(chan->conn);
 
-        cfm.icid = cpu_to_le16(icid);
+        cfm.icid = cpu_to_le16(chan->scid);
         cfm.result = cpu_to_le16(result);
 
-        l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM, sizeof(cfm), &cfm);
+        l2cap_send_cmd(chan->conn, chan->ident, L2CAP_MOVE_CHAN_CFM,
+                       sizeof(cfm), &cfm);
+
+        __set_chan_timer(chan, L2CAP_MOVE_TIMEOUT);
+}
+
+static void l2cap_send_move_chan_cfm_icid(struct l2cap_conn *conn, u16 icid)
+{
+        struct l2cap_move_chan_cfm cfm;
+
+        BT_DBG("conn %p, icid 0x%4.4x", conn, icid);
+
+        cfm.icid = cpu_to_le16(icid);
+        cfm.result = __constant_cpu_to_le16(L2CAP_MC_UNCONFIRMED);
+
+        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_MOVE_CHAN_CFM,
+                       sizeof(cfm), &cfm);
 }
 
 static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
@@ -4043,11 +4379,289 @@ static void l2cap_send_move_chan_cfm_rsp(struct l2cap_conn *conn, u8 ident,
         l2cap_send_cmd(conn, ident, L2CAP_MOVE_CHAN_CFM_RSP, sizeof(rsp), &rsp);
 }
 
+static void __release_logical_link(struct l2cap_chan *chan)
+{
+        chan->hs_hchan = NULL;
+        chan->hs_hcon = NULL;
+
+        /* Placeholder - release the logical link */
+}
+
+static void l2cap_logical_fail(struct l2cap_chan *chan)
+{
+        /* Logical link setup failed */
+        if (chan->state != BT_CONNECTED) {
+                /* Create channel failure, disconnect */
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                return;
+        }
+
+        switch (chan->move_role) {
+        case L2CAP_MOVE_ROLE_RESPONDER:
+                l2cap_move_done(chan);
+                l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_SUPP);
+                break;
+        case L2CAP_MOVE_ROLE_INITIATOR:
+                if (chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_COMP ||
+                    chan->move_state == L2CAP_MOVE_WAIT_LOGICAL_CFM) {
+                        /* Remote has only sent pending or
+                         * success responses, clean up
+                         */
+                        l2cap_move_done(chan);
+                }
+
+                /* Other amp move states imply that the move
+                 * has already aborted
+                 */
+                l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
+                break;
+        }
+}
+
+static void l2cap_logical_finish_create(struct l2cap_chan *chan,
+                                        struct hci_chan *hchan)
+{
+        struct l2cap_conf_rsp rsp;
+
+        chan->hs_hchan = hchan;
+        chan->hs_hcon->l2cap_data = chan->conn;
+
+        l2cap_send_efs_conf_rsp(chan, &rsp, chan->ident, 0);
+
+        if (test_bit(CONF_INPUT_DONE, &chan->conf_state)) {
+                int err;
+
+                set_default_fcs(chan);
+
+                err = l2cap_ertm_init(chan);
+                if (err < 0)
+                        l2cap_send_disconn_req(chan->conn, chan, -err);
+                else
+                        l2cap_chan_ready(chan);
+        }
+}
+
+static void l2cap_logical_finish_move(struct l2cap_chan *chan,
+                                      struct hci_chan *hchan)
+{
+        chan->hs_hcon = hchan->conn;
+        chan->hs_hcon->l2cap_data = chan->conn;
+
+        BT_DBG("move_state %d", chan->move_state);
+
+        switch (chan->move_state) {
+        case L2CAP_MOVE_WAIT_LOGICAL_COMP:
+                /* Move confirm will be sent after a success
+                 * response is received
+                 */
+                chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
+                break;
+        case L2CAP_MOVE_WAIT_LOGICAL_CFM:
+                if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
+                        chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
+                } else if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
+                        chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
+                        l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
+                } else if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
+                        chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
+                        l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
+                }
+                break;
+        default:
+                /* Move was not in expected state, free the channel */
+                __release_logical_link(chan);
+
+                chan->move_state = L2CAP_MOVE_STABLE;
+        }
+}
+
+/* Call with chan locked */
+void l2cap_logical_cfm(struct l2cap_chan *chan, struct hci_chan *hchan,
+                       u8 status)
+{
+        BT_DBG("chan %p, hchan %p, status %d", chan, hchan, status);
+
+        if (status) {
+                l2cap_logical_fail(chan);
+                __release_logical_link(chan);
+                return;
+        }
+
+        if (chan->state != BT_CONNECTED) {
+                /* Ignore logical link if channel is on BR/EDR */
+                if (chan->local_amp_id)
+                        l2cap_logical_finish_create(chan, hchan);
+        } else {
+                l2cap_logical_finish_move(chan, hchan);
+        }
+}
+
+void l2cap_move_start(struct l2cap_chan *chan)
+{
+        BT_DBG("chan %p", chan);
+
+        if (chan->local_amp_id == HCI_BREDR_ID) {
+                if (chan->chan_policy != BT_CHANNEL_POLICY_AMP_PREFERRED)
+                        return;
+                chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
+                chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
+                /* Placeholder - start physical link setup */
+        } else {
+                chan->move_role = L2CAP_MOVE_ROLE_INITIATOR;
+                chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
+                chan->move_id = 0;
+                l2cap_move_setup(chan);
+                l2cap_send_move_chan_req(chan, 0);
+        }
+}
+
+static void l2cap_do_create(struct l2cap_chan *chan, int result,
+                            u8 local_amp_id, u8 remote_amp_id)
+{
+        BT_DBG("chan %p state %s %u -> %u", chan, state_to_string(chan->state),
+               local_amp_id, remote_amp_id);
+
+        chan->fcs = L2CAP_FCS_NONE;
+
+        /* Outgoing channel on AMP */
+        if (chan->state == BT_CONNECT) {
+                if (result == L2CAP_CR_SUCCESS) {
+                        chan->local_amp_id = local_amp_id;
+                        l2cap_send_create_chan_req(chan, remote_amp_id);
+                } else {
+                        /* Revert to BR/EDR connect */
+                        l2cap_send_conn_req(chan);
+                }
+
+                return;
+        }
+
+        /* Incoming channel on AMP */
+        if (__l2cap_no_conn_pending(chan)) {
+                struct l2cap_conn_rsp rsp;
+                char buf[128];
+                rsp.scid = cpu_to_le16(chan->dcid);
+                rsp.dcid = cpu_to_le16(chan->scid);
+
+                if (result == L2CAP_CR_SUCCESS) {
+                        /* Send successful response */
+                        rsp.result = __constant_cpu_to_le16(L2CAP_CR_SUCCESS);
+                        rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
+                } else {
+                        /* Send negative response */
+                        rsp.result = __constant_cpu_to_le16(L2CAP_CR_NO_MEM);
+                        rsp.status = __constant_cpu_to_le16(L2CAP_CS_NO_INFO);
+                }
+
+                l2cap_send_cmd(chan->conn, chan->ident, L2CAP_CREATE_CHAN_RSP,
+                               sizeof(rsp), &rsp);
+
+                if (result == L2CAP_CR_SUCCESS) {
+                        __l2cap_state_change(chan, BT_CONFIG);
+                        set_bit(CONF_REQ_SENT, &chan->conf_state);
+                        l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
+                                       L2CAP_CONF_REQ,
+                                       l2cap_build_conf_req(chan, buf), buf);
+                        chan->num_conf_req++;
+                }
+        }
+}
+
+static void l2cap_do_move_initiate(struct l2cap_chan *chan, u8 local_amp_id,
+                                   u8 remote_amp_id)
+{
+        l2cap_move_setup(chan);
+        chan->move_id = local_amp_id;
+        chan->move_state = L2CAP_MOVE_WAIT_RSP;
+
+        l2cap_send_move_chan_req(chan, remote_amp_id);
+}
+
+static void l2cap_do_move_respond(struct l2cap_chan *chan, int result)
+{
+        struct hci_chan *hchan = NULL;
+
+        /* Placeholder - get hci_chan for logical link */
+
+        if (hchan) {
+                if (hchan->state == BT_CONNECTED) {
+                        /* Logical link is ready to go */
+                        chan->hs_hcon = hchan->conn;
+                        chan->hs_hcon->l2cap_data = chan->conn;
+                        chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
+                        l2cap_send_move_chan_rsp(chan, L2CAP_MR_SUCCESS);
+
+                        l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
+                } else {
+                        /* Wait for logical link to be ready */
+                        chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
+                }
+        } else {
+                /* Logical link not available */
+                l2cap_send_move_chan_rsp(chan, L2CAP_MR_NOT_ALLOWED);
+        }
+}
+
+static void l2cap_do_move_cancel(struct l2cap_chan *chan, int result)
+{
+        if (chan->move_role == L2CAP_MOVE_ROLE_RESPONDER) {
+                u8 rsp_result;
+                if (result == -EINVAL)
+                        rsp_result = L2CAP_MR_BAD_ID;
+                else
+                        rsp_result = L2CAP_MR_NOT_ALLOWED;
+
+                l2cap_send_move_chan_rsp(chan, rsp_result);
+        }
+
+        chan->move_role = L2CAP_MOVE_ROLE_NONE;
+        chan->move_state = L2CAP_MOVE_STABLE;
+
+        /* Restart data transmission */
+        l2cap_ertm_send(chan);
+}
+
+/* Invoke with locked chan */
+void __l2cap_physical_cfm(struct l2cap_chan *chan, int result)
+{
+        u8 local_amp_id = chan->local_amp_id;
+        u8 remote_amp_id = chan->remote_amp_id;
+
+        BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
+               chan, result, local_amp_id, remote_amp_id);
+
+        if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
+                l2cap_chan_unlock(chan);
+                return;
+        }
+
+        if (chan->state != BT_CONNECTED) {
+                l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
+        } else if (result != L2CAP_MR_SUCCESS) {
+                l2cap_do_move_cancel(chan, result);
+        } else {
+                switch (chan->move_role) {
+                case L2CAP_MOVE_ROLE_INITIATOR:
+                        l2cap_do_move_initiate(chan, local_amp_id,
+                                               remote_amp_id);
+                        break;
+                case L2CAP_MOVE_ROLE_RESPONDER:
+                        l2cap_do_move_respond(chan, result);
+                        break;
+                default:
+                        l2cap_do_move_cancel(chan, result);
+                        break;
+                }
+        }
+}
+
 static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
                                          struct l2cap_cmd_hdr *cmd,
                                          u16 cmd_len, void *data)
 {
         struct l2cap_move_chan_req *req = data;
+        struct l2cap_move_chan_rsp rsp;
+        struct l2cap_chan *chan;
         u16 icid = 0;
         u16 result = L2CAP_MR_NOT_ALLOWED;
 
@@ -4061,15 +4675,206 @@ static inline int l2cap_move_channel_req(struct l2cap_conn *conn,
         if (!enable_hs)
                 return -EINVAL;
 
-        /* Placeholder: Always refuse */
-        l2cap_send_move_chan_rsp(conn, cmd->ident, icid, result);
+        chan = l2cap_get_chan_by_dcid(conn, icid);
+        if (!chan) {
+                rsp.icid = cpu_to_le16(icid);
+                rsp.result = __constant_cpu_to_le16(L2CAP_MR_NOT_ALLOWED);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_MOVE_CHAN_RSP,
+                               sizeof(rsp), &rsp);
+                return 0;
+        }
+
+        chan->ident = cmd->ident;
+
+        if (chan->scid < L2CAP_CID_DYN_START ||
+            chan->chan_policy == BT_CHANNEL_POLICY_BREDR_ONLY ||
+            (chan->mode != L2CAP_MODE_ERTM &&
+             chan->mode != L2CAP_MODE_STREAMING)) {
+                result = L2CAP_MR_NOT_ALLOWED;
+                goto send_move_response;
+        }
+
+        if (chan->local_amp_id == req->dest_amp_id) {
+                result = L2CAP_MR_SAME_ID;
+                goto send_move_response;
+        }
+
+        if (req->dest_amp_id) {
+                struct hci_dev *hdev;
+                hdev = hci_dev_get(req->dest_amp_id);
+                if (!hdev || hdev->dev_type != HCI_AMP ||
+                    !test_bit(HCI_UP, &hdev->flags)) {
+                        if (hdev)
+                                hci_dev_put(hdev);
+
+                        result = L2CAP_MR_BAD_ID;
+                        goto send_move_response;
+                }
+                hci_dev_put(hdev);
+        }
+
+        /* Detect a move collision.  Only send a collision response
+         * if this side has "lost", otherwise proceed with the move.
+         * The winner has the larger bd_addr.
+         */
+        if ((__chan_is_moving(chan) ||
+             chan->move_role != L2CAP_MOVE_ROLE_NONE) &&
+            bacmp(conn->src, conn->dst) > 0) {
+                result = L2CAP_MR_COLLISION;
+                goto send_move_response;
+        }
+
+        chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
+        l2cap_move_setup(chan);
+        chan->move_id = req->dest_amp_id;
+        icid = chan->dcid;
+
+        if (!req->dest_amp_id) {
+                /* Moving to BR/EDR */
+                if (test_bit(CONN_LOCAL_BUSY, &chan->conn_state)) {
+                        chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
+                        result = L2CAP_MR_PEND;
+                } else {
+                        chan->move_state = L2CAP_MOVE_WAIT_CONFIRM;
+                        result = L2CAP_MR_SUCCESS;
+                }
+        } else {
+                chan->move_state = L2CAP_MOVE_WAIT_PREPARE;
+                /* Placeholder - uncomment when amp functions are available */
+                /*amp_accept_physical(chan, req->dest_amp_id);*/
+                result = L2CAP_MR_PEND;
+        }
+
+send_move_response:
+        l2cap_send_move_chan_rsp(chan, result);
+
+        l2cap_chan_unlock(chan);
 
         return 0;
 }
 
-static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
-                                         struct l2cap_cmd_hdr *cmd,
-                                         u16 cmd_len, void *data)
+static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result)
+{
+        struct l2cap_chan *chan;
+        struct hci_chan *hchan = NULL;
+
+        chan = l2cap_get_chan_by_scid(conn, icid);
+        if (!chan) {
+                l2cap_send_move_chan_cfm_icid(conn, icid);
+                return;
+        }
+
+        __clear_chan_timer(chan);
+        if (result == L2CAP_MR_PEND)
+                __set_chan_timer(chan, L2CAP_MOVE_ERTX_TIMEOUT);
+
+        switch (chan->move_state) {
+        case L2CAP_MOVE_WAIT_LOGICAL_COMP:
+                /* Move confirm will be sent when logical link
+                 * is complete.
+                 */
+                chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
+                break;
+        case L2CAP_MOVE_WAIT_RSP_SUCCESS:
+                if (result == L2CAP_MR_PEND) {
+                        break;
+                } else if (test_bit(CONN_LOCAL_BUSY,
+                                    &chan->conn_state)) {
+                        chan->move_state = L2CAP_MOVE_WAIT_LOCAL_BUSY;
+                } else {
+                        /* Logical link is up or moving to BR/EDR,
+                         * proceed with move
+                         */
+                        chan->move_state = L2CAP_MOVE_WAIT_CONFIRM_RSP;
+                        l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
+                }
+                break;
+        case L2CAP_MOVE_WAIT_RSP:
+                /* Moving to AMP */
+                if (result == L2CAP_MR_SUCCESS) {
+                        /* Remote is ready, send confirm immediately
+                         * after logical link is ready
+                         */
+                        chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_CFM;
+                } else {
+                        /* Both logical link and move success
+                         * are required to confirm
+                         */
+                        chan->move_state = L2CAP_MOVE_WAIT_LOGICAL_COMP;
+                }
+
+                /* Placeholder - get hci_chan for logical link */
+                if (!hchan) {
+                        /* Logical link not available */
+                        l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
+                        break;
+                }
+
+                /* If the logical link is not yet connected, do not
+                 * send confirmation.
+                 */
+                if (hchan->state != BT_CONNECTED)
+                        break;
+
+                /* Logical link is already ready to go */
+
+                chan->hs_hcon = hchan->conn;
+                chan->hs_hcon->l2cap_data = chan->conn;
+
+                if (result == L2CAP_MR_SUCCESS) {
+                        /* Can confirm now */
+                        l2cap_send_move_chan_cfm(chan, L2CAP_MC_CONFIRMED);
+                } else {
+                        /* Now only need move success
+                         * to confirm
+                         */
+                        chan->move_state = L2CAP_MOVE_WAIT_RSP_SUCCESS;
+                }
+
+                l2cap_logical_cfm(chan, hchan, L2CAP_MR_SUCCESS);
+                break;
+        default:
+                /* Any other amp move state means the move failed. */
+                chan->move_id = chan->local_amp_id;
+                l2cap_move_done(chan);
+                l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
+        }
+
+        l2cap_chan_unlock(chan);
+}
+
+static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid,
+                            u16 result)
+{
+        struct l2cap_chan *chan;
+
+        chan = l2cap_get_chan_by_ident(conn, ident);
+        if (!chan) {
+                /* Could not locate channel, icid is best guess */
+                l2cap_send_move_chan_cfm_icid(conn, icid);
+                return;
+        }
+
+        __clear_chan_timer(chan);
+
+        if (chan->move_role == L2CAP_MOVE_ROLE_INITIATOR) {
+                if (result == L2CAP_MR_COLLISION) {
+                        chan->move_role = L2CAP_MOVE_ROLE_RESPONDER;
+                } else {
+                        /* Cleanup - cancel move */
+                        chan->move_id = chan->local_amp_id;
+                        l2cap_move_done(chan);
+                }
+        }
+
+        l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED);
+
+        l2cap_chan_unlock(chan);
+}
+
+static int l2cap_move_channel_rsp(struct l2cap_conn *conn,
+                                  struct l2cap_cmd_hdr *cmd,
+                                  u16 cmd_len, void *data)
 {
         struct l2cap_move_chan_rsp *rsp = data;
         u16 icid, result;
@@ -4082,17 +4887,20 @@ static inline int l2cap_move_channel_rsp(struct l2cap_conn *conn,
 
         BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
 
-        /* Placeholder: Always unconfirmed */
-        l2cap_send_move_chan_cfm(conn, NULL, icid, L2CAP_MC_UNCONFIRMED);
+        if (result == L2CAP_MR_SUCCESS || result == L2CAP_MR_PEND)
+                l2cap_move_continue(conn, icid, result);
+        else
+                l2cap_move_fail(conn, cmd->ident, icid, result);
 
         return 0;
 }
 
-static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
-                                             struct l2cap_cmd_hdr *cmd,
-                                             u16 cmd_len, void *data)
+static int l2cap_move_channel_confirm(struct l2cap_conn *conn,
+                                      struct l2cap_cmd_hdr *cmd,
+                                      u16 cmd_len, void *data)
 {
         struct l2cap_move_chan_cfm *cfm = data;
+        struct l2cap_chan *chan;
         u16 icid, result;
 
         if (cmd_len != sizeof(*cfm))
@@ -4103,8 +4911,29 @@ static inline int l2cap_move_channel_confirm(struct l2cap_conn *conn,
 
         BT_DBG("icid 0x%4.4x, result 0x%4.4x", icid, result);
 
+        chan = l2cap_get_chan_by_dcid(conn, icid);
+        if (!chan) {
+                /* Spec requires a response even if the icid was not found */
+                l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
+                return 0;
+        }
+
+        if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM) {
+                if (result == L2CAP_MC_CONFIRMED) {
+                        chan->local_amp_id = chan->move_id;
+                        if (!chan->local_amp_id)
+                                __release_logical_link(chan);
+                } else {
+                        chan->move_id = chan->local_amp_id;
+                }
+
+                l2cap_move_done(chan);
+        }
+
         l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid);
 
+        l2cap_chan_unlock(chan);
+
         return 0;
 }
 
@@ -4113,6 +4942,7 @@ static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
                                                  u16 cmd_len, void *data)
 {
         struct l2cap_move_chan_cfm_rsp *rsp = data;
+        struct l2cap_chan *chan;
         u16 icid;
 
         if (cmd_len != sizeof(*rsp))
@@ -4122,11 +4952,28 @@ static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
 
         BT_DBG("icid 0x%4.4x", icid);
 
+        chan = l2cap_get_chan_by_scid(conn, icid);
+        if (!chan)
+                return 0;
+
+        __clear_chan_timer(chan);
+
+        if (chan->move_state == L2CAP_MOVE_WAIT_CONFIRM_RSP) {
+                chan->local_amp_id = chan->move_id;
+
+                if (!chan->local_amp_id && chan->hs_hchan)
+                        __release_logical_link(chan);
+
+                l2cap_move_done(chan);
+        }
+
+        l2cap_chan_unlock(chan);
+
         return 0;
 }
 
 static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
-                                                        u16 to_multiplier)
+                                         u16 to_multiplier)
 {
         u16 max_latency;
 
@@ -4147,7 +4994,8 @@ static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
 }
 
 static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                              struct l2cap_cmd_hdr *cmd,
+                                              u8 *data)
 {
         struct hci_conn *hcon = conn->hcon;
         struct l2cap_conn_param_update_req *req;
@@ -4169,7 +5017,7 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
         to_multiplier   = __le16_to_cpu(req->to_multiplier);
 
         BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
-                                                min, max, latency, to_multiplier);
+               min, max, latency, to_multiplier);
 
         memset(&rsp, 0, sizeof(rsp));
 
@@ -4180,7 +5028,7 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
                 rsp.result = __constant_cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
 
         l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
-                                                        sizeof(rsp), &rsp);
+                       sizeof(rsp), &rsp);
 
         if (!err)
                 hci_le_conn_update(hcon, min, max, latency, to_multiplier);
@@ -4189,7 +5037,8 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
-                        struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+                                      struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+                                      u8 *data)
 {
         int err = 0;
 
@@ -4203,7 +5052,8 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                 break;
 
         case L2CAP_CONN_RSP:
-                err = l2cap_connect_rsp(conn, cmd, data);
+        case L2CAP_CREATE_CHAN_RSP:
+                err = l2cap_connect_create_rsp(conn, cmd, data);
                 break;
 
         case L2CAP_CONF_REQ:
@@ -4241,10 +5091,6 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
                 err = l2cap_create_channel_req(conn, cmd, cmd_len, data);
                 break;
 
-        case L2CAP_CREATE_CHAN_RSP:
-                err = l2cap_create_channel_rsp(conn, cmd, data);
-                break;
-
         case L2CAP_MOVE_CHAN_REQ:
                 err = l2cap_move_channel_req(conn, cmd, cmd_len, data);
                 break;
@@ -4271,7 +5117,7 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
 }
 
 static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
-                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+                                   struct l2cap_cmd_hdr *cmd, u8 *data)
 {
         switch (cmd->code) {
         case L2CAP_COMMAND_REJ:
@@ -4290,7 +5136,7 @@ static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
 }
 
 static inline void l2cap_sig_channel(struct l2cap_conn *conn,
-                                                        struct sk_buff *skb)
+                                     struct sk_buff *skb)
 {
         u8 *data = skb->data;
         int len = skb->len;
@@ -4307,7 +5153,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
 
                 cmd_len = le16_to_cpu(cmd.len);
 
-                BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
+                BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len,
+                       cmd.ident);
 
                 if (cmd_len > len || !cmd.ident) {
                         BT_DBG("corrupted command");
@@ -4326,7 +5173,8 @@ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
 
                         /* FIXME: Map err to a valid reason */
                         rej.reason = __constant_cpu_to_le16(L2CAP_REJ_NOT_UNDERSTOOD);
-                        l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+                        l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ,
+                                       sizeof(rej), &rej);
                 }
 
                 data += cmd_len;
@@ -4391,8 +5239,8 @@ static void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
         }
 }
 
-static void append_skb_frag(struct sk_buff *skb,
-                        struct sk_buff *new_frag, struct sk_buff **last_frag)
+static void append_skb_frag(struct sk_buff *skb, struct sk_buff *new_frag,
+                            struct sk_buff **last_frag)
 {
         /* skb->len reflects data in skb as well as all fragments
          * skb->data_len reflects only data in fragments
@@ -4492,6 +5340,12 @@ static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
         return err;
 }
 
+static int l2cap_resegment(struct l2cap_chan *chan)
+{
+        /* Placeholder */
+        return 0;
+}
+
 void l2cap_chan_busy(struct l2cap_chan *chan, int busy)
 {
         u8 event;
@@ -4641,7 +5495,7 @@ static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
 
         if (chan->rx_state == L2CAP_RX_STATE_SREJ_SENT) {
                 if (__seq_offset(chan, txseq, chan->last_acked_seq) >=
-                                                                chan->tx_win) {
+                    chan->tx_win) {
                         /* See notes below regarding "double poll" and
                          * invalid packets.
                          */
@@ -4682,8 +5536,7 @@ static u8 l2cap_classify_txseq(struct l2cap_chan *chan, u16 txseq)
         }
 
         if (__seq_offset(chan, txseq, chan->last_acked_seq) <
-                __seq_offset(chan, chan->expected_tx_seq,
-                             chan->last_acked_seq)){
+            __seq_offset(chan, chan->expected_tx_seq, chan->last_acked_seq)) {
                 BT_DBG("Duplicate - expected_tx_seq later than txseq");
                 return L2CAP_TXSEQ_DUPLICATE;
         }
@@ -4808,8 +5661,8 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan,
                 if (control->final) {
                         clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
 
-                        if (!test_and_clear_bit(CONN_REJ_ACT,
-                                                &chan->conn_state)) {
+                        if (!test_and_clear_bit(CONN_REJ_ACT, &chan->conn_state) &&
+                            !__chan_is_moving(chan)) {
                                 control->final = 0;
                                 l2cap_retransmit_all(chan, control);
                         }
@@ -4998,6 +5851,96 @@ static int l2cap_rx_state_srej_sent(struct l2cap_chan *chan,
         return err;
 }
 
+static int l2cap_finish_move(struct l2cap_chan *chan)
+{
+        BT_DBG("chan %p", chan);
+
+        chan->rx_state = L2CAP_RX_STATE_RECV;
+
+        if (chan->hs_hcon)
+                chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
+        else
+                chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
+
+        return l2cap_resegment(chan);
+}
+
+static int l2cap_rx_state_wait_p(struct l2cap_chan *chan,
+                                 struct l2cap_ctrl *control,
+                                 struct sk_buff *skb, u8 event)
+{
+        int err;
+
+        BT_DBG("chan %p, control %p, skb %p, event %d", chan, control, skb,
+               event);
+
+        if (!control->poll)
+                return -EPROTO;
+
+        l2cap_process_reqseq(chan, control->reqseq);
+
+        if (!skb_queue_empty(&chan->tx_q))
+                chan->tx_send_head = skb_peek(&chan->tx_q);
+        else
+                chan->tx_send_head = NULL;
+
+        /* Rewind next_tx_seq to the point expected
+         * by the receiver.
+         */
+        chan->next_tx_seq = control->reqseq;
+        chan->unacked_frames = 0;
+
+        err = l2cap_finish_move(chan);
+        if (err)
+                return err;
+
+        set_bit(CONN_SEND_FBIT, &chan->conn_state);
+        l2cap_send_i_or_rr_or_rnr(chan);
+
+        if (event == L2CAP_EV_RECV_IFRAME)
+                return -EPROTO;
+
+        return l2cap_rx_state_recv(chan, control, NULL, event);
+}
+
+static int l2cap_rx_state_wait_f(struct l2cap_chan *chan,
+                                 struct l2cap_ctrl *control,
+                                 struct sk_buff *skb, u8 event)
+{
+        int err;
+
+        if (!control->final)
+                return -EPROTO;
+
+        clear_bit(CONN_REMOTE_BUSY, &chan->conn_state);
+
+        chan->rx_state = L2CAP_RX_STATE_RECV;
+        l2cap_process_reqseq(chan, control->reqseq);
+
+        if (!skb_queue_empty(&chan->tx_q))
+                chan->tx_send_head = skb_peek(&chan->tx_q);
+        else
+                chan->tx_send_head = NULL;
+
+        /* Rewind next_tx_seq to the point expected
+         * by the receiver.
+         */
+        chan->next_tx_seq = control->reqseq;
+        chan->unacked_frames = 0;
+
+        if (chan->hs_hcon)
+                chan->conn->mtu = chan->hs_hcon->hdev->block_mtu;
+        else
+                chan->conn->mtu = chan->conn->hcon->hdev->acl_mtu;
+
+        err = l2cap_resegment(chan);
+
+        if (!err)
+                err = l2cap_rx_state_recv(chan, control, skb, event);
+
+        return err;
+}
+
 static bool __valid_reqseq(struct l2cap_chan *chan, u16 reqseq)
 {
         /* Make sure reqseq is for a packet that has been sent but not acked */
@@ -5024,6 +5967,12 @@ static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
                         err = l2cap_rx_state_srej_sent(chan, control, skb,
                                                        event);
                         break;
+                case L2CAP_RX_STATE_WAIT_P:
+                        err = l2cap_rx_state_wait_p(chan, control, skb, event);
+                        break;
+                case L2CAP_RX_STATE_WAIT_F:
+                        err = l2cap_rx_state_wait_f(chan, control, skb, event);
+                        break;
                 default:
                         /* shut it down */
                         break;
@@ -5143,7 +6092,7 @@ static int l2cap_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
                        control->super);
 
                 if (len != 0) {
-                        BT_ERR("%d", len);
+                        BT_ERR("Trailing bytes: %d in sframe", len);
                         l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
                         goto drop;
                 }
@@ -5323,7 +6272,7 @@ int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
         int exact = 0, lm1 = 0, lm2 = 0;
         struct l2cap_chan *c;
 
-        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
+        BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
 
         /* Find listening sockets and check their link_mode */
         read_lock(&chan_list_lock);
@@ -5353,15 +6302,15 @@ void l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
 {
         struct l2cap_conn *conn;
 
-        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
+        BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
 
         if (!status) {
                 conn = l2cap_conn_add(hcon, status);
                 if (conn)
                         l2cap_conn_ready(conn);
-        } else
+        } else {
                 l2cap_conn_del(hcon, bt_to_errno(status));
-
+        }
 }
 
 int l2cap_disconn_ind(struct hci_conn *hcon)
@@ -5437,13 +6386,13 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                         continue;
                 }
 
-                if (test_bit(CONF_CONNECT_PEND, &chan->conf_state)) {
+                if (!__l2cap_no_conn_pending(chan)) {
                         l2cap_chan_unlock(chan);
                         continue;
                 }
 
                 if (!status && (chan->state == BT_CONNECTED ||
-                                                chan->state == BT_CONFIG)) {
+                                chan->state == BT_CONFIG)) {
                         struct sock *sk = chan->sk;
 
                         clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
@@ -5456,7 +6405,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 
                 if (chan->state == BT_CONNECT) {
                         if (!status) {
-                                l2cap_send_conn_req(chan);
+                                l2cap_start_connection(chan);
                         } else {
                                 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
                         }
@@ -5470,11 +6419,9 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                         if (!status) {
                                 if (test_bit(BT_SK_DEFER_SETUP,
                                              &bt_sk(sk)->flags)) {
-                                        struct sock *parent = bt_sk(sk)->parent;
                                         res = L2CAP_CR_PEND;
                                         stat = L2CAP_CS_AUTHOR_PEND;
-                                        if (parent)
-                                                parent->sk_data_ready(parent, 0);
+                                        chan->ops->defer(chan);
                                 } else {
                                         __l2cap_state_change(chan, BT_CONFIG);
                                         res = L2CAP_CR_SUCCESS;
@@ -5494,7 +6441,7 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
                         rsp.result = cpu_to_le16(res);
                         rsp.status = cpu_to_le16(stat);
                         l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
-                                                        sizeof(rsp), &rsp);
+                                       sizeof(rsp), &rsp);
 
                         if (!test_bit(CONF_REQ_SENT, &chan->conf_state) &&
                             res == L2CAP_CR_SUCCESS) {
@@ -5519,6 +6466,12 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 {
         struct l2cap_conn *conn = hcon->l2cap_data;
+        struct l2cap_hdr *hdr;
+        int len;
+
+        /* For AMP controller do not create l2cap conn */
+        if (!conn && hcon->hdev->dev_type != HCI_BREDR)
+                goto drop;
 
         if (!conn)
                 conn = l2cap_conn_add(hcon, 0);
@@ -5528,10 +6481,10 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 
         BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
 
-        if (!(flags & ACL_CONT)) {
-                struct l2cap_hdr *hdr;
-                int len;
-
+        switch (flags) {
+        case ACL_START:
+        case ACL_START_NO_FLUSH:
+        case ACL_COMPLETE:
                 if (conn->rx_len) {
                         BT_ERR("Unexpected start frame (len %d)", skb->len);
                         kfree_skb(conn->rx_skb);
@@ -5560,20 +6513,22 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 
                 if (skb->len > len) {
                         BT_ERR("Frame is too long (len %d, expected len %d)",
-                                skb->len, len);
+                               skb->len, len);
                         l2cap_conn_unreliable(conn, ECOMM);
                         goto drop;
                 }
 
                 /* Allocate skb for the complete frame (with header) */
-                conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
+                conn->rx_skb = bt_skb_alloc(len, GFP_KERNEL);
                 if (!conn->rx_skb)
                         goto drop;
 
                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
-                                                                skb->len);
+                                          skb->len);
                 conn->rx_len = len - skb->len;
-        } else {
+                break;
+
+        case ACL_CONT:
                 BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
 
                 if (!conn->rx_len) {
@@ -5584,7 +6539,7 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
 
                 if (skb->len > conn->rx_len) {
                         BT_ERR("Fragment is too long (len %d, expected %d)",
-                                        skb->len, conn->rx_len);
+                               skb->len, conn->rx_len);
                         kfree_skb(conn->rx_skb);
                         conn->rx_skb = NULL;
                         conn->rx_len = 0;
@@ -5593,7 +6548,7 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
                 }
 
                 skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
-                                                                skb->len);
+                                          skb->len);
                 conn->rx_len -= skb->len;
 
                 if (!conn->rx_len) {
@@ -5601,6 +6556,7 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
                         l2cap_recv_frame(conn, conn->rx_skb);
                         conn->rx_skb = NULL;
                 }
+                break;
         }
 
 drop:
@@ -5617,12 +6573,11 @@ static int l2cap_debugfs_show(struct seq_file *f, void *p)
         list_for_each_entry(c, &chan_list, global_l) {
                 struct sock *sk = c->sk;
 
-                seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
-                                        batostr(&bt_sk(sk)->src),
-                                        batostr(&bt_sk(sk)->dst),
-                                        c->state, __le16_to_cpu(c->psm),
-                                        c->scid, c->dcid, c->imtu, c->omtu,
-                                        c->sec_level, c->mode);
+                seq_printf(f, "%pMR %pMR %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
+                           &bt_sk(sk)->src, &bt_sk(sk)->dst,
+                           c->state, __le16_to_cpu(c->psm),
+                           c->scid, c->dcid, c->imtu, c->omtu,
+                           c->sec_level, c->mode);
         }
 
         read_unlock(&chan_list_lock);
@@ -5653,8 +6608,8 @@ int __init l2cap_init(void)
                 return err;
 
         if (bt_debugfs) {
-                l2cap_debugfs = debugfs_create_file("l2cap", 0444,
-                                        bt_debugfs, NULL, &l2cap_debugfs_fops);
+                l2cap_debugfs = debugfs_create_file("l2cap", 0444, bt_debugfs,
+                                                    NULL, &l2cap_debugfs_fops);
                 if (!l2cap_debugfs)
                         BT_ERR("Failed to create L2CAP debug file");
         }
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 083f2bf065d4..1bcfb8422fdc 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -40,7 +40,8 @@ static struct bt_sock_list l2cap_sk_list = {
 
 static const struct proto_ops l2cap_sock_ops;
 static void l2cap_sock_init(struct sock *sk, struct sock *parent);
-static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
+static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
+                                     int proto, gfp_t prio);
 
 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 {
@@ -106,7 +107,8 @@ done:
         return err;
 }
 
-static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
+static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+                              int alen, int flags)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -134,7 +136,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int al
         lock_sock(sk);
 
         err = bt_sock_wait_state(sk, BT_CONNECTED,
-                        sock_sndtimeo(sk, flags & O_NONBLOCK));
+                                 sock_sndtimeo(sk, flags & O_NONBLOCK));
 
         release_sock(sk);
 
@@ -185,7 +187,8 @@ done:
         return err;
 }
 
-static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
+static int l2cap_sock_accept(struct socket *sock, struct socket *newsock,
+                             int flags)
 {
         DECLARE_WAITQUEUE(wait, current);
         struct sock *sk = sock->sk, *nsk;
@@ -241,7 +244,8 @@ done:
         return err;
 }
 
-static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
+static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr,
+                              int *len, int peer)
 {
         struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
         struct sock *sk = sock->sk;
@@ -266,7 +270,8 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
         return 0;
 }
 
-static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
+static int l2cap_sock_getsockopt_old(struct socket *sock, int optname,
+                                     char __user *optval, int __user *optlen)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -309,7 +314,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
                         break;
                 case BT_SECURITY_HIGH:
                         opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
-                                                        L2CAP_LM_SECURE;
+                              L2CAP_LM_SECURE;
                         break;
                 default:
                         opt = 0;
@@ -353,7 +358,8 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
         return err;
 }
 
-static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
+static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname,
+                                 char __user *optval, int __user *optlen)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -377,19 +383,20 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
         switch (optname) {
         case BT_SECURITY:
                 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
-                                        chan->chan_type != L2CAP_CHAN_RAW) {
+                    chan->chan_type != L2CAP_CHAN_RAW) {
                         err = -EINVAL;
                         break;
                 }
 
                 memset(&sec, 0, sizeof(sec));
-                if (chan->conn)
+                if (chan->conn) {
                         sec.level = chan->conn->hcon->sec_level;
-                else
-                        sec.level = chan->sec_level;
 
-                if (sk->sk_state == BT_CONNECTED)
-                        sec.key_size = chan->conn->hcon->enc_key_size;
+                        if (sk->sk_state == BT_CONNECTED)
+                                sec.key_size = chan->conn->hcon->enc_key_size;
+                } else {
+                        sec.level = chan->sec_level;
+                }
 
                 len = min_t(unsigned int, len, sizeof(sec));
                 if (copy_to_user(optval, (char *) &sec, len))
@@ -411,14 +418,14 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
 
         case BT_FLUSHABLE:
                 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags),
-                                                (u32 __user *) optval))
+                             (u32 __user *) optval))
                         err = -EFAULT;
 
                 break;
 
         case BT_POWER:
                 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
-                                && sk->sk_type != SOCK_RAW) {
+                    && sk->sk_type != SOCK_RAW) {
                         err = -EINVAL;
                         break;
                 }
@@ -466,7 +473,8 @@ static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu)
         return true;
 }
 
-static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
+static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
+                                     char __user *optval, unsigned int optlen)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -529,6 +537,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
                 chan->fcs  = opts.fcs;
                 chan->max_tx = opts.max_tx;
                 chan->tx_win = opts.txwin_size;
+                chan->flush_to = opts.flush_to;
                 break;
 
         case L2CAP_LM:
@@ -564,7 +573,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __us
         return err;
 }
 
-static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
+static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+                                 char __user *optval, unsigned int optlen)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -587,7 +597,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
         switch (optname) {
         case BT_SECURITY:
                 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
-                                        chan->chan_type != L2CAP_CHAN_RAW) {
+                    chan->chan_type != L2CAP_CHAN_RAW) {
                         err = -EINVAL;
                         break;
                 }
@@ -601,7 +611,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                 }
 
                 if (sec.level < BT_SECURITY_LOW ||
-                                        sec.level > BT_SECURITY_HIGH) {
+                    sec.level > BT_SECURITY_HIGH) {
                         err = -EINVAL;
                         break;
                 }
@@ -627,7 +637,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
 
                 /* or for ACL link */
                 } else if ((sk->sk_state == BT_CONNECT2 &&
-                           test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
+                            test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
                            sk->sk_state == BT_CONNECTED) {
                         if (!l2cap_chan_check_security(chan))
                                 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
@@ -684,7 +694,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
 
         case BT_POWER:
                 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
-                                        chan->chan_type != L2CAP_CHAN_RAW) {
+                    chan->chan_type != L2CAP_CHAN_RAW) {
                         err = -EINVAL;
                         break;
                 }
@@ -720,12 +730,17 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                 }
 
                 if (chan->mode != L2CAP_MODE_ERTM &&
-                                chan->mode != L2CAP_MODE_STREAMING) {
+                    chan->mode != L2CAP_MODE_STREAMING) {
                         err = -EOPNOTSUPP;
                         break;
                 }
 
                 chan->chan_policy = (u8) opt;
+
+                if (sk->sk_state == BT_CONNECTED &&
+                    chan->move_role == L2CAP_MOVE_ROLE_NONE)
+                        l2cap_move_start(chan);
+
                 break;
 
         default:
@@ -737,7 +752,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
         return err;
 }
 
-static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
+static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+                              struct msghdr *msg, size_t len)
 {
         struct sock *sk = sock->sk;
         struct l2cap_chan *chan = l2cap_pi(sk)->chan;
@@ -762,7 +778,8 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
         return err;
 }
 
-static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
+static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+                              struct msghdr *msg, size_t len, int flags)
 {
         struct sock *sk = sock->sk;
         struct l2cap_pinfo *pi = l2cap_pi(sk);
@@ -866,7 +883,7 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
 
                 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
                         err = bt_sock_wait_state(sk, BT_CLOSED,
-                                                        sk->sk_lingertime);
+                                                 sk->sk_lingertime);
         }
 
         if (!err && sk->sk_err)
@@ -930,7 +947,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
         }
 
         sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP,
-                                                                GFP_ATOMIC);
+                              GFP_ATOMIC);
         if (!sk)
                 return NULL;
 
@@ -938,6 +955,8 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
 
         l2cap_sock_init(sk, parent);
 
+        bt_accept_enqueue(parent, sk);
+
         return l2cap_pi(sk)->chan;
 }
 
@@ -1068,6 +1087,15 @@ static void l2cap_sock_ready_cb(struct l2cap_chan *chan)
         release_sock(sk);
 }
 
+static void l2cap_sock_defer_cb(struct l2cap_chan *chan)
+{
+        struct sock *sk = chan->data;
+        struct sock *parent = bt_sk(sk)->parent;
+
+        if (parent)
+                parent->sk_data_ready(parent, 0);
+}
+
 static struct l2cap_ops l2cap_chan_ops = {
         .name           = "L2CAP Socket Interface",
         .new_connection = l2cap_sock_new_connection_cb,
@@ -1076,6 +1104,7 @@ static struct l2cap_ops l2cap_chan_ops = {
         .teardown       = l2cap_sock_teardown_cb,
         .state_change   = l2cap_sock_state_change_cb,
         .ready          = l2cap_sock_ready_cb,
+        .defer          = l2cap_sock_defer_cb,
         .alloc_skb      = l2cap_sock_alloc_skb_cb,
 };
 
@@ -1083,7 +1112,8 @@ static void l2cap_sock_destruct(struct sock *sk)
 {
         BT_DBG("sk %p", sk);
 
-        l2cap_chan_put(l2cap_pi(sk)->chan);
+        if (l2cap_pi(sk)->chan)
+                l2cap_chan_put(l2cap_pi(sk)->chan);
         if (l2cap_pi(sk)->rx_busy_skb) {
                 kfree_skb(l2cap_pi(sk)->rx_busy_skb);
                 l2cap_pi(sk)->rx_busy_skb = NULL;
@@ -1159,7 +1189,8 @@ static struct proto l2cap_proto = {
         .obj_size       = sizeof(struct l2cap_pinfo)
 };
 
-static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
+static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
+                                     int proto, gfp_t prio)
 {
         struct sock *sk;
         struct l2cap_chan *chan;
@@ -1204,7 +1235,7 @@ static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
         sock->state = SS_UNCONNECTED;
 
         if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
-                        sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
+            sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
                 return -ESOCKTNOSUPPORT;
 
         if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
@@ -1261,7 +1292,8 @@ int __init l2cap_init_sockets(void)
                 goto error;
         }
 
-        err = bt_procfs_init(THIS_MODULE, &init_net, "l2cap", &l2cap_sk_list, NULL);
+        err = bt_procfs_init(THIS_MODULE, &init_net, "l2cap", &l2cap_sk_list,
+                             NULL);
         if (err < 0) {
                 BT_ERR("Failed to create L2CAP proc file");
                 bt_sock_unregister(BTPROTO_L2CAP);
diff --git a/net/bluetooth/lib.c b/net/bluetooth/lib.c
index e1c97527e16c..b3fbc73516c4 100644
--- a/net/bluetooth/lib.c
+++ b/net/bluetooth/lib.c
@@ -41,20 +41,6 @@ void baswap(bdaddr_t *dst, bdaddr_t *src)
 }
 EXPORT_SYMBOL(baswap);
 
-char *batostr(bdaddr_t *ba)
-{
-        static char str[2][18];
-        static int i = 1;
-
-        i ^= 1;
-        sprintf(str[i], "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
-                ba->b[5], ba->b[4], ba->b[3],
-                ba->b[2], ba->b[1], ba->b[0]);
-
-        return str[i];
-}
-EXPORT_SYMBOL(batostr);
-
 /* Bluetooth error codes to Unix errno mapping */
 int bt_to_errno(__u16 code)
 {
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index aa2ea0a8142c..142764aec2af 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -222,7 +222,7 @@ static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
 
         hdr = (void *) skb_put(skb, sizeof(*hdr));
 
-        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_STATUS);
+        hdr->opcode = __constant_cpu_to_le16(MGMT_EV_CMD_STATUS);
         hdr->index = cpu_to_le16(index);
         hdr->len = cpu_to_le16(sizeof(*ev));
 
@@ -253,7 +253,7 @@ static int cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
 
         hdr = (void *) skb_put(skb, sizeof(*hdr));
 
-        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
+        hdr->opcode = __constant_cpu_to_le16(MGMT_EV_CMD_COMPLETE);
         hdr->index = cpu_to_le16(index);
         hdr->len = cpu_to_le16(sizeof(*ev) + rp_len);
 
@@ -326,7 +326,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
         struct hci_dev *d;
         size_t rp_len;
         u16 count;
-        int i, err;
+        int err;
 
         BT_DBG("sock %p", sk);
 
@@ -347,9 +347,7 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
                 return -ENOMEM;
         }
 
-        rp->num_controllers = cpu_to_le16(count);
-
-        i = 0;
+        count = 0;
         list_for_each_entry(d, &hci_dev_list, list) {
                 if (test_bit(HCI_SETUP, &d->dev_flags))
                         continue;
@@ -357,10 +355,13 @@ static int read_index_list(struct sock *sk, struct hci_dev *hdev, void *data,
                 if (!mgmt_valid_hdev(d))
                         continue;
 
-                rp->index[i++] = cpu_to_le16(d->id);
+                rp->index[count++] = cpu_to_le16(d->id);
                 BT_DBG("Added hci%u", d->id);
         }
 
+        rp->num_controllers = cpu_to_le16(count);
+        rp_len = sizeof(*rp) + (2 * count);
+
         read_unlock(&hci_dev_list_lock);
 
         err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, 0, rp,
@@ -376,15 +377,15 @@ static u32 get_supported_settings(struct hci_dev *hdev)
         u32 settings = 0;
 
         settings |= MGMT_SETTING_POWERED;
-        settings |= MGMT_SETTING_CONNECTABLE;
-        settings |= MGMT_SETTING_FAST_CONNECTABLE;
-        settings |= MGMT_SETTING_DISCOVERABLE;
         settings |= MGMT_SETTING_PAIRABLE;
 
         if (lmp_ssp_capable(hdev))
                 settings |= MGMT_SETTING_SSP;
 
         if (lmp_bredr_capable(hdev)) {
+                settings |= MGMT_SETTING_CONNECTABLE;
+                settings |= MGMT_SETTING_FAST_CONNECTABLE;
+                settings |= MGMT_SETTING_DISCOVERABLE;
                 settings |= MGMT_SETTING_BREDR;
                 settings |= MGMT_SETTING_LINK_SECURITY;
         }
@@ -484,7 +485,7 @@ static void create_eir(struct hci_dev *hdev, u8 *data)
                 ptr += (name_len + 2);
         }
 
-        if (hdev->inq_tx_power) {
+        if (hdev->inq_tx_power != HCI_TX_POWER_INVALID) {
                 ptr[0] = 2;
                 ptr[1] = EIR_TX_POWER;
                 ptr[2] = (u8) hdev->inq_tx_power;
@@ -565,7 +566,7 @@ static int update_eir(struct hci_dev *hdev)
         if (!hdev_is_powered(hdev))
                 return 0;
 
-        if (!(hdev->features[6] & LMP_EXT_INQ))
+        if (!lmp_ext_inq_capable(hdev))
                 return 0;
 
         if (!test_bit(HCI_SSP_ENABLED, &hdev->dev_flags))
@@ -832,7 +833,7 @@ static int mgmt_event(u16 event, struct hci_dev *hdev, void *data, u16 data_len,
         if (hdev)
                 hdr->index = cpu_to_le16(hdev->id);
         else
-                hdr->index = cpu_to_le16(MGMT_INDEX_NONE);
+                hdr->index = __constant_cpu_to_le16(MGMT_INDEX_NONE);
         hdr->len = cpu_to_le16(data_len);
 
         if (data)
@@ -867,6 +868,10 @@ static int set_discoverable(struct sock *sk, struct hci_dev *hdev, void *data,
 
         BT_DBG("request for %s", hdev->name);
 
+        if (!lmp_bredr_capable(hdev))
+                return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
+                                 MGMT_STATUS_NOT_SUPPORTED);
+
         timeout = __le16_to_cpu(cp->timeout);
         if (!cp->val && timeout > 0)
                 return cmd_status(sk, hdev->id, MGMT_OP_SET_DISCOVERABLE,
@@ -962,6 +967,10 @@ static int set_connectable(struct sock *sk, struct hci_dev *hdev, void *data,
 
         BT_DBG("request for %s", hdev->name);
 
+        if (!lmp_bredr_capable(hdev))
+                return cmd_status(sk, hdev->id, MGMT_OP_SET_CONNECTABLE,
+                                  MGMT_STATUS_NOT_SUPPORTED);
+
         hci_dev_lock(hdev);
 
         if (!hdev_is_powered(hdev)) {
@@ -1060,6 +1069,10 @@ static int set_link_security(struct sock *sk, struct hci_dev *hdev, void *data,
 
         BT_DBG("request for %s", hdev->name);
 
+        if (!lmp_bredr_capable(hdev))
+                return cmd_status(sk, hdev->id, MGMT_OP_SET_LINK_SECURITY,
+                                  MGMT_STATUS_NOT_SUPPORTED);
+
         hci_dev_lock(hdev);
 
         if (!hdev_is_powered(hdev)) {
@@ -1213,7 +1226,7 @@ static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
         }
 
         val = !!cp->val;
-        enabled = !!(hdev->host_features[0] & LMP_HOST_LE);
+        enabled = !!lmp_host_le_capable(hdev);
 
         if (!hdev_is_powered(hdev) || val == enabled) {
                 bool changed = false;
@@ -1249,7 +1262,7 @@ static int set_le(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
 
         if (val) {
                 hci_cp.le = val;
-                hci_cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
+                hci_cp.simul = !!lmp_le_br_capable(hdev);
         }
 
         err = hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED, sizeof(hci_cp),
@@ -1366,6 +1379,7 @@ static int remove_uuid(struct sock *sk, struct hci_dev *hdev, void *data,
                         continue;
 
                 list_del(&match->list);
+                kfree(match);
                 found++;
         }
 
@@ -2594,6 +2608,10 @@ static int set_fast_connectable(struct sock *sk, struct hci_dev *hdev,
 
         BT_DBG("%s", hdev->name);
 
+        if (!lmp_bredr_capable(hdev))
+                return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
+                                  MGMT_STATUS_NOT_SUPPORTED);
+
         if (!hdev_is_powered(hdev))
                 return cmd_status(sk, hdev->id, MGMT_OP_SET_FAST_CONNECTABLE,
                                   MGMT_STATUS_NOT_POWERED);
@@ -2871,6 +2889,21 @@ static void settings_rsp(struct pending_cmd *cmd, void *data)
         mgmt_pending_free(cmd);
 }
 
+static int set_bredr_scan(struct hci_dev *hdev)
+{
+        u8 scan = 0;
+
+        if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
+                scan |= SCAN_PAGE;
+        if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
+                scan |= SCAN_INQUIRY;
+
+        if (!scan)
+                return 0;
+
+        return hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
+}
+
 int mgmt_powered(struct hci_dev *hdev, u8 powered)
 {
         struct cmd_lookup match = { NULL, hdev };
@@ -2882,17 +2915,8 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
         mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
 
         if (powered) {
-                u8 scan = 0;
-
-                if (test_bit(HCI_CONNECTABLE, &hdev->dev_flags))
-                        scan |= SCAN_PAGE;
-                if (test_bit(HCI_DISCOVERABLE, &hdev->dev_flags))
-                        scan |= SCAN_INQUIRY;
-
-                if (scan)
-                        hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
-
-                if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
+                if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags) &&
+                    !lmp_host_ssp_capable(hdev)) {
                         u8 ssp = 1;
 
                         hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, 1, &ssp);
@@ -2902,15 +2926,24 @@ int mgmt_powered(struct hci_dev *hdev, u8 powered)
                         struct hci_cp_write_le_host_supported cp;
 
                         cp.le = 1;
-                        cp.simul = !!(hdev->features[6] & LMP_SIMUL_LE_BR);
-
-                        hci_send_cmd(hdev, HCI_OP_WRITE_LE_HOST_SUPPORTED,
-                                     sizeof(cp), &cp);
+                        cp.simul = !!lmp_le_br_capable(hdev);
+
+                        /* Check first if we already have the right
+                         * host state (host features set)
+                         */
+                        if (cp.le != !!lmp_host_le_capable(hdev) ||
+                            cp.simul != !!lmp_host_le_br_capable(hdev))
+                                hci_send_cmd(hdev,
+                                             HCI_OP_WRITE_LE_HOST_SUPPORTED,
+                                             sizeof(cp), &cp);
                 }
 
-                update_class(hdev);
-                update_name(hdev, hdev->dev_name);
-                update_eir(hdev);
+                if (lmp_bredr_capable(hdev)) {
+                        set_bredr_scan(hdev);
+                        update_class(hdev);
+                        update_name(hdev, hdev->dev_name);
+                        update_eir(hdev);
+                }
         } else {
                 u8 status = MGMT_STATUS_NOT_POWERED;
                 mgmt_pending_foreach(0, hdev, cmd_status_rsp, &status);
@@ -3125,6 +3158,9 @@ int mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
         struct pending_cmd *cmd;
         int err;
 
+        mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
+                             hdev);
+
         cmd = mgmt_pending_find(MGMT_OP_DISCONNECT, hdev);
         if (!cmd)
                 return -ENOENT;
@@ -3137,8 +3173,6 @@ int mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
 
         mgmt_pending_remove(cmd);
 
-        mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
-                             hdev);
         return err;
 }
 
@@ -3358,7 +3392,7 @@ static int clear_eir(struct hci_dev *hdev)
 {
         struct hci_cp_write_eir cp;
 
-        if (!(hdev->features[6] & LMP_EXT_INQ))
+        if (!lmp_ext_inq_capable(hdev))
                 return 0;
 
         memset(hdev->eir, 0, sizeof(hdev->eir));
@@ -3490,7 +3524,12 @@ send_event:
                 err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, hdev, &ev,
                                  sizeof(ev), cmd ? cmd->sk : NULL);
 
-        update_eir(hdev);
+        /* EIR is taken care of separately when powering on the
+         * adapter so only update them here if this is a name change
+         * unrelated to power on.
+         */
+        if (!test_bit(HCI_INIT, &hdev->flags))
+                update_eir(hdev);
 
 failed:
         if (cmd)
@@ -3585,9 +3624,9 @@ int mgmt_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 link_type,
         ev->addr.type = link_to_bdaddr(link_type, addr_type);
         ev->rssi = rssi;
         if (cfm_name)
-                ev->flags |= cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME);
+                ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_CONFIRM_NAME);
         if (!ssp)
-                ev->flags |= cpu_to_le32(MGMT_DEV_FOUND_LEGACY_PAIRING);
+                ev->flags |= __constant_cpu_to_le32(MGMT_DEV_FOUND_LEGACY_PAIRING);
 
         if (eir_len > 0)
                 memcpy(ev->eir, eir, eir_len);
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index c75107ef8920..201fdf737209 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -377,8 +377,8 @@ static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
         int err = 0;
         u8 dlci;
 
-        BT_DBG("dlc %p state %ld %s %s channel %d",
-                        d, d->state, batostr(src), batostr(dst), channel);
+        BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
+               d, d->state, src, dst, channel);
 
         if (channel < 1 || channel > 30)
                 return -EINVAL;
@@ -676,7 +676,7 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
         struct socket *sock;
         struct sock *sk;
 
-        BT_DBG("%s %s", batostr(src), batostr(dst));
+        BT_DBG("%pMR -> %pMR", src, dst);
 
         *err = rfcomm_l2sock_create(&sock);
         if (*err < 0)
@@ -709,7 +709,7 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
 
         bacpy(&addr.l2_bdaddr, dst);
         addr.l2_family = AF_BLUETOOTH;
-        addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
+        addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
         addr.l2_cid    = 0;
         *err = kernel_connect(sock, (struct sockaddr *) &addr, sizeof(addr), O_NONBLOCK);
         if (*err == 0 || *err == -EINPROGRESS)
@@ -1987,7 +1987,7 @@ static int rfcomm_add_listener(bdaddr_t *ba)
         /* Bind socket */
         bacpy(&addr.l2_bdaddr, ba);
         addr.l2_family = AF_BLUETOOTH;
-        addr.l2_psm    = cpu_to_le16(RFCOMM_PSM);
+        addr.l2_psm    = __constant_cpu_to_le16(RFCOMM_PSM);
         addr.l2_cid    = 0;
         err = kernel_bind(sock, (struct sockaddr *) &addr, sizeof(addr));
         if (err < 0) {
@@ -2125,11 +2125,10 @@ static int rfcomm_dlc_debugfs_show(struct seq_file *f, void *x)
                 list_for_each_entry(d, &s->dlcs, list) {
                         struct sock *sk = s->sock->sk;
 
-                        seq_printf(f, "%s %s %ld %d %d %d %d\n",
-                                                batostr(&bt_sk(sk)->src),
-                                                batostr(&bt_sk(sk)->dst),
-                                                d->state, d->dlci, d->mtu,
-                                                d->rx_credits, d->tx_credits);
+                        seq_printf(f, "%pMR %pMR %ld %d %d %d %d\n",
+                                   &bt_sk(sk)->src, &bt_sk(sk)->dst,
+                                   d->state, d->dlci, d->mtu,
+                                   d->rx_credits, d->tx_credits);
                 }
         }
 
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index b3226f3658cf..4ddef57d03a7 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -334,7 +334,7 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
         struct sock *sk = sock->sk;
         int err = 0;
 
-        BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
+        BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
 
         if (!addr || addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
@@ -975,10 +975,9 @@ static int rfcomm_sock_debugfs_show(struct seq_file *f, void *p)
         read_lock(&rfcomm_sk_list.lock);
 
         sk_for_each(sk, node, &rfcomm_sk_list.head) {
-                seq_printf(f, "%s %s %d %d\n",
-                                batostr(&bt_sk(sk)->src),
-                                batostr(&bt_sk(sk)->dst),
-                                sk->sk_state, rfcomm_pi(sk)->channel);
+                seq_printf(f, "%pMR %pMR %d %d\n",
+                           &bt_sk(sk)->src, &bt_sk(sk)->dst,
+                           sk->sk_state, rfcomm_pi(sk)->channel);
         }
 
         read_unlock(&rfcomm_sk_list.lock);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index ccc248791d50..bd6fd0f43d2b 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -166,7 +166,7 @@ static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
 static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
 {
         struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
-        return sprintf(buf, "%s\n", batostr(&dev->dst));
+        return sprintf(buf, "%pMR\n", &dev->dst);
 }
 
 static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
@@ -663,8 +663,8 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
         if (!dev)
                 return -ENODEV;
 
-        BT_DBG("dev %p dst %s channel %d opened %d", dev, batostr(&dev->dst),
-                                dev->channel, dev->port.count);
+        BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
+               dev->channel, dev->port.count);
 
         spin_lock_irqsave(&dev->port.lock, flags);
         if (++dev->port.count > 1) {
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index dc42b917aaaf..450cdcd88e5c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -172,7 +172,7 @@ static int sco_connect(struct sock *sk)
         struct hci_dev  *hdev;
         int err, type;
 
-        BT_DBG("%s -> %s", batostr(src), batostr(dst));
+        BT_DBG("%pMR -> %pMR", src, dst);
 
         hdev = hci_get_route(dst, src);
         if (!hdev)
@@ -460,7 +460,7 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
         struct sock *sk = sock->sk;
         int err = 0;
 
-        BT_DBG("sk %p %s", sk, batostr(&sa->sco_bdaddr));
+        BT_DBG("sk %p %pMR", sk, &sa->sco_bdaddr);
 
         if (!addr || addr->sa_family != AF_BLUETOOTH)
                 return -EINVAL;
@@ -893,7 +893,7 @@ int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
         struct hlist_node *node;
         int lm = 0;
 
-        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
+        BT_DBG("hdev %s, bdaddr %pMR", hdev->name, bdaddr);
 
         /* Find listening sockets */
         read_lock(&sco_sk_list.lock);
@@ -914,7 +914,7 @@ int sco_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr)
 
 void sco_connect_cfm(struct hci_conn *hcon, __u8 status)
 {
-        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
+        BT_DBG("hcon %p bdaddr %pMR status %d", hcon, &hcon->dst, status);
         if (!status) {
                 struct sco_conn *conn;
 
@@ -959,8 +959,8 @@ static int sco_debugfs_show(struct seq_file *f, void *p)
         read_lock(&sco_sk_list.lock);
 
         sk_for_each(sk, node, &sco_sk_list.head) {
-                seq_printf(f, "%s %s %d\n", batostr(&bt_sk(sk)->src),
-                           batostr(&bt_sk(sk)->dst), sk->sk_state);
+                seq_printf(f, "%pMR %pMR %d\n", &bt_sk(sk)->src,
+                           &bt_sk(sk)->dst, sk->sk_state);
         }
 
         read_unlock(&sco_sk_list.lock);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 8c225ef349cd..68a9587c9694 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -32,6 +32,8 @@
 
 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
 
+#define AUTH_REQ_MASK   0x07
+
 static inline void swap128(u8 src[16], u8 dst[16])
 {
         int i;
@@ -165,7 +167,7 @@ static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
 
         lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
         lh->len = cpu_to_le16(sizeof(code) + dlen);
-        lh->cid = cpu_to_le16(L2CAP_CID_SMP);
+        lh->cid = __constant_cpu_to_le16(L2CAP_CID_SMP);
 
         memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
 
@@ -230,7 +232,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
                 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
                 req->init_key_dist = 0;
                 req->resp_key_dist = dist_keys;
-                req->auth_req = authreq;
+                req->auth_req = (authreq & AUTH_REQ_MASK);
                 return;
         }
 
@@ -239,7 +241,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn,
         rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
         rsp->init_key_dist = 0;
         rsp->resp_key_dist = req->resp_key_dist & dist_keys;
-        rsp->auth_req = authreq;
+        rsp->auth_req = (authreq & AUTH_REQ_MASK);
 }
 
 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
@@ -265,7 +267,7 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send)
 
         clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->hcon->flags);
         mgmt_auth_failed(conn->hcon->hdev, conn->dst, hcon->type,
-                         hcon->dst_type, reason);
+                         hcon->dst_type, HCI_ERROR_AUTH_FAILURE);
 
         cancel_delayed_work_sync(&conn->security_timer);
 
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index bcf02f608cbf..017a8bacfb27 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -429,6 +429,17 @@ static struct attribute_group netstat_group = {
         .name  = "statistics",
         .attrs  = netstat_attrs,
 };
+
+#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
+static struct attribute *wireless_attrs[] = {
+        NULL
+};
+
+static struct attribute_group wireless_group = {
+        .name = "wireless",
+        .attrs = wireless_attrs,
+};
+#endif
 #endif /* CONFIG_SYSFS */
 
 #ifdef CONFIG_RPS
@@ -1409,6 +1420,15 @@ int netdev_register_kobject(struct net_device *net)
                 groups++;
 
         *groups++ = &netstat_group;
+
+#if IS_ENABLED(CONFIG_WIRELESS_EXT) || IS_ENABLED(CONFIG_CFG80211)
+        if (net->ieee80211_ptr)
+                *groups++ = &wireless_group;
+#if IS_ENABLED(CONFIG_WIRELESS_EXT)
+        else if (net->wireless_handlers)
+                *groups++ = &wireless_group;
+#endif
+#endif
 #endif /* CONFIG_SYSFS */
 
         error = device_add(dev);
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index 63af25458fda..b4ecf267a34b 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -248,7 +248,7 @@ config MAC80211_MHWMP_DEBUG
           Do not select this option.
 
 config MAC80211_MESH_SYNC_DEBUG
-        bool "Verbose mesh mesh synchronization debugging"
+        bool "Verbose mesh synchronization debugging"
         depends on MAC80211_DEBUG_MENU
         depends on MAC80211_MESH
         ---help---
diff --git a/net/mac80211/Makefile b/net/mac80211/Makefile
index a7dd110faafa..4911202334d9 100644
--- a/net/mac80211/Makefile
+++ b/net/mac80211/Makefile
@@ -8,6 +8,7 @@ mac80211-y := \
         wpa.o \
         scan.o offchannel.o \
         ht.o agg-tx.o agg-rx.o \
+        vht.o \
         ibss.o \
         iface.o \
         rate.o \
diff --git a/net/mac80211/aes_cmac.c b/net/mac80211/aes_cmac.c
index a04752e91023..537488cbf941 100644
--- a/net/mac80211/aes_cmac.c
+++ b/net/mac80211/aes_cmac.c
@@ -10,6 +10,7 @@
 #include <linux/kernel.h>
 #include <linux/types.h>
 #include <linux/crypto.h>
+#include <linux/export.h>
 #include <linux/err.h>
 #include <crypto/aes.h>
 
@@ -126,3 +127,20 @@ void ieee80211_aes_cmac_key_free(struct crypto_cipher *tfm)
 {
         crypto_free_cipher(tfm);
 }
+
+void ieee80211_aes_cmac_calculate_k1_k2(struct ieee80211_key_conf *keyconf,
+                                        u8 *k1, u8 *k2)
+{
+        u8 l[AES_BLOCK_SIZE] = {};
+        struct ieee80211_key *key =
+                container_of(keyconf, struct ieee80211_key, conf);
+
+        crypto_cipher_encrypt_one(key->u.aes_cmac.tfm, l, l);
+
+        memcpy(k1, l, AES_BLOCK_SIZE);
+        gf_mulx(k1);
+
+        memcpy(k2, k1, AES_BLOCK_SIZE);
+        gf_mulx(k2);
+}
+EXPORT_SYMBOL(ieee80211_aes_cmac_calculate_k1_k2);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 05f3a313db88..c46d4ee1c298 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -372,10 +372,11 @@ static int ieee80211_config_default_mgmt_key(struct wiphy *wiphy,
 
 static void rate_idx_to_bitrate(struct rate_info *rate, struct sta_info *sta, int idx)
 {
+        enum ieee80211_band band = ieee80211_get_sdata_band(sta->sdata);
+
         if (!(rate->flags & RATE_INFO_FLAGS_MCS)) {
                 struct ieee80211_supported_band *sband;
-                sband = sta->local->hw.wiphy->bands[
-                                sta->local->oper_channel->band];
+                sband = sta->local->hw.wiphy->bands[band];
                 rate->legacy = sband->bitrates[idx].bitrate;
         } else
                 rate->mcs = idx;
@@ -532,6 +533,8 @@ static void ieee80211_get_et_stats(struct wiphy *wiphy,
                                    u64 *data)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *channel;
         struct sta_info *sta;
         struct ieee80211_local *local = sdata->local;
         struct station_info sinfo;
@@ -607,19 +610,26 @@ static void ieee80211_get_et_stats(struct wiphy *wiphy,
 do_survey:
         i = STA_STATS_LEN - STA_STATS_SURVEY_LEN;
         /* Get survey stats for current channel */
-        q = 0;
-        while (true) {
-                survey.filled = 0;
-                if (drv_get_survey(local, q, &survey) != 0) {
-                        survey.filled = 0;
-                        break;
-                }
+        survey.filled = 0;
 
-                if (survey.channel &&
-                    (local->oper_channel->center_freq ==
-                     survey.channel->center_freq))
-                        break;
-                q++;
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (chanctx_conf)
+                channel = chanctx_conf->channel;
+        else
+                channel = NULL;
+        rcu_read_unlock();
+
+        if (channel) {
+                q = 0;
+                do {
+                        survey.filled = 0;
+                        if (drv_get_survey(local, q, &survey) != 0) {
+                                survey.filled = 0;
+                                break;
+                        }
+                        q++;
+                } while (channel != survey.channel);
         }
 
         if (survey.filled)
@@ -724,47 +734,42 @@ static int ieee80211_get_station(struct wiphy *wiphy, struct net_device *dev,
         return ret;
 }
 
-static int ieee80211_set_channel(struct wiphy *wiphy,
-                                 struct net_device *netdev,
-                                 struct ieee80211_channel *chan,
-                                 enum nl80211_channel_type channel_type)
+static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
+                                         struct ieee80211_channel *chan,
+                                         enum nl80211_channel_type channel_type)
 {
         struct ieee80211_local *local = wiphy_priv(wiphy);
-        struct ieee80211_sub_if_data *sdata = NULL;
-
-        if (netdev)
-                sdata = IEEE80211_DEV_TO_SUB_IF(netdev);
-
-        switch (ieee80211_get_channel_mode(local, NULL)) {
-        case CHAN_MODE_HOPPING:
-                return -EBUSY;
-        case CHAN_MODE_FIXED:
-                if (local->oper_channel != chan ||
-                    (!sdata && local->_oper_channel_type != channel_type))
-                        return -EBUSY;
-                if (!sdata && local->_oper_channel_type == channel_type)
-                        return 0;
-                break;
-        case CHAN_MODE_UNDEFINED:
-                break;
-        }
-
-        if (!ieee80211_set_channel_type(local, sdata, channel_type))
-                return -EBUSY;
+        struct ieee80211_sub_if_data *sdata;
+        int ret = 0;
 
-        local->oper_channel = chan;
+        if (local->monitor_channel == chan &&
+            local->monitor_channel_type == channel_type)
+                return 0;
 
-        /* auto-detects changes */
-        ieee80211_hw_config(local, 0);
+        mutex_lock(&local->iflist_mtx);
+        if (local->use_chanctx) {
+                sdata = rcu_dereference_protected(
+                                local->monitor_sdata,
+                                lockdep_is_held(&local->iflist_mtx));
+                if (sdata) {
+                        ieee80211_vif_release_channel(sdata);
+                        ret = ieee80211_vif_use_channel(
+                                        sdata, chan, channel_type,
+                                        IEEE80211_CHANCTX_EXCLUSIVE);
+                }
+        } else if (local->open_count == local->monitors) {
+                local->_oper_channel = chan;
+                local->_oper_channel_type = channel_type;
+                ieee80211_hw_config(local, 0);
+        }
 
-        return 0;
-}
+        if (ret == 0) {
+                local->monitor_channel = chan;
+                local->monitor_channel_type = channel_type;
+        }
+        mutex_unlock(&local->iflist_mtx);
 
-static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
-                                         struct ieee80211_channel *chan,
-                                         enum nl80211_channel_type channel_type)
-{
-        return ieee80211_set_channel(wiphy, NULL, chan, channel_type);
+        return ret;
 }
 
 static int ieee80211_set_probe_resp(struct ieee80211_sub_if_data *sdata,
@@ -879,8 +884,13 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
         if (old)
                 return -EALREADY;
 
-        err = ieee80211_set_channel(wiphy, dev, params->channel,
-                                    params->channel_type);
+        /* TODO: make hostapd tell us what it wants */
+        sdata->smps_mode = IEEE80211_SMPS_OFF;
+        sdata->needed_rx_chains = sdata->local->rx_chains;
+
+        err = ieee80211_vif_use_channel(sdata, params->channel,
+                                        params->channel_type,
+                                        IEEE80211_CHANCTX_SHARED);
         if (err)
                 return err;
 
@@ -912,6 +922,15 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
                 return err;
         changed |= err;
 
+        err = drv_start_ap(sdata->local, sdata);
+        if (err) {
+                old = rtnl_dereference(sdata->u.ap.beacon);
+                if (old)
+                        kfree_rcu(old, rcu_head);
+                RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
+                return err;
+        }
+
         ieee80211_bss_info_change_notify(sdata, changed);
 
         netif_carrier_on(dev);
@@ -943,26 +962,40 @@ static int ieee80211_change_beacon(struct wiphy *wiphy, struct net_device *dev,
 
 static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
 {
-        struct ieee80211_sub_if_data *sdata, *vlan;
-        struct beacon_data *old;
-
-        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_sub_if_data *vlan;
+        struct ieee80211_local *local = sdata->local;
+        struct beacon_data *old_beacon;
+        struct probe_resp *old_probe_resp;
 
-        old = rtnl_dereference(sdata->u.ap.beacon);
-        if (!old)
+        old_beacon = rtnl_dereference(sdata->u.ap.beacon);
+        if (!old_beacon)
                 return -ENOENT;
+        old_probe_resp = rtnl_dereference(sdata->u.ap.probe_resp);
 
+        /* turn off carrier for this interface and dependent VLANs */
         list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
                 netif_carrier_off(vlan->dev);
         netif_carrier_off(dev);
 
+        /* remove beacon and probe response */
         RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
+        RCU_INIT_POINTER(sdata->u.ap.probe_resp, NULL);
+        kfree_rcu(old_beacon, rcu_head);
+        if (old_probe_resp)
+                kfree_rcu(old_probe_resp, rcu_head);
 
-        kfree_rcu(old, rcu_head);
-
-        sta_info_flush(sdata->local, sdata);
+        sta_info_flush(local, sdata);
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED);
 
+        drv_stop_ap(sdata->local, sdata);
+
+        /* free all potentially still buffered bcast frames */
+        local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
+        skb_queue_purge(&sdata->u.ap.ps.bc_buf);
+
+        ieee80211_vif_release_channel(sdata);
+
         return 0;
 }
 
@@ -1019,9 +1052,10 @@ static int sta_apply_parameters(struct ieee80211_local *local,
         int i, j;
         struct ieee80211_supported_band *sband;
         struct ieee80211_sub_if_data *sdata = sta->sdata;
+        enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
         u32 mask, set;
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        sband = local->hw.wiphy->bands[band];
 
         mask = params->sta_flags_mask;
         set = params->sta_flags_set;
@@ -1136,7 +1170,7 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                                         rates |= BIT(j);
                         }
                 }
-                sta->sta.supp_rates[local->oper_channel->band] = rates;
+                sta->sta.supp_rates[band] = rates;
         }
 
         if (params->ht_capa)
@@ -1144,6 +1178,11 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                                                   params->ht_capa,
                                                   &sta->sta.ht_cap);
 
+        if (params->vht_capa)
+                ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+                                                    params->vht_capa,
+                                                    &sta->sta.vht_cap);
+
         if (ieee80211_vif_is_mesh(&sdata->vif)) {
 #ifdef CONFIG_MAC80211_MESH
                 if (sdata->u.mesh.security & IEEE80211_MESH_SEC_SECURED)
@@ -1664,8 +1703,13 @@ static int ieee80211_join_mesh(struct wiphy *wiphy, struct net_device *dev,
         if (err)
                 return err;
 
-        err = ieee80211_set_channel(wiphy, dev, setup->channel,
-                                    setup->channel_type);
+        /* can mesh use other SMPS modes? */
+        sdata->smps_mode = IEEE80211_SMPS_OFF;
+        sdata->needed_rx_chains = sdata->local->rx_chains;
+
+        err = ieee80211_vif_use_channel(sdata, setup->channel,
+                                        setup->channel_type,
+                                        IEEE80211_CHANCTX_SHARED);
         if (err)
                 return err;
 
@@ -1679,6 +1723,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev)
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
         ieee80211_stop_mesh(sdata);
+        ieee80211_vif_release_channel(sdata);
 
         return 0;
 }
@@ -1688,10 +1733,14 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
                                 struct net_device *dev,
                                 struct bss_parameters *params)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        enum ieee80211_band band;
         u32 changed = 0;
 
-        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        if (!rtnl_dereference(sdata->u.ap.beacon))
+                return -ENOENT;
+
+        band = ieee80211_get_sdata_band(sdata);
 
         if (params->use_cts_prot >= 0) {
                 sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
@@ -1704,7 +1753,7 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
         }
 
         if (!sdata->vif.bss_conf.use_short_slot &&
-            sdata->local->oper_channel->band == IEEE80211_BAND_5GHZ) {
+            band == IEEE80211_BAND_5GHZ) {
                 sdata->vif.bss_conf.use_short_slot = true;
                 changed |= BSS_CHANGED_ERP_SLOT;
         }
@@ -1718,9 +1767,7 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
         if (params->basic_rates) {
                 int i, j;
                 u32 rates = 0;
-                struct ieee80211_local *local = wiphy_priv(wiphy);
-                struct ieee80211_supported_band *sband =
-                        wiphy->bands[local->oper_channel->band];
+                struct ieee80211_supported_band *sband = wiphy->bands[band];
 
                 for (i = 0; i < params->basic_rates_len; i++) {
                         int rate = (params->basic_rates[i] & 0x7f) * 5;
@@ -1829,7 +1876,16 @@ static int ieee80211_scan(struct wiphy *wiphy,
                  * beaconing hasn't been configured yet
                  */
         case NL80211_IFTYPE_AP:
-                if (sdata->u.ap.beacon)
+                /*
+                 * If the scan has been forced (and the driver supports
+                 * forcing), don't care about being beaconing already.
+                 * This will create problems to the attached stations (e.g. all
+                 * the  frames sent while scanning on other channel will be
+                 * lost)
+                 */
+                if (sdata->u.ap.beacon &&
+                    (!(wiphy->features & NL80211_FEATURE_AP_SCAN) ||
+                     !(req->flags & NL80211_SCAN_FLAG_AP)))
                         return -EOPNOTSUPP;
                 break;
         default:
@@ -1872,20 +1928,6 @@ static int ieee80211_auth(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_assoc(struct wiphy *wiphy, struct net_device *dev,
                            struct cfg80211_assoc_request *req)
 {
-        struct ieee80211_local *local = wiphy_priv(wiphy);
-        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-
-        switch (ieee80211_get_channel_mode(local, sdata)) {
-        case CHAN_MODE_HOPPING:
-                return -EBUSY;
-        case CHAN_MODE_FIXED:
-                if (local->oper_channel == req->bss->channel)
-                        break;
-                return -EBUSY;
-        case CHAN_MODE_UNDEFINED:
-                break;
-        }
-
         return ieee80211_mgd_assoc(IEEE80211_DEV_TO_SUB_IF(dev), req);
 }
 
@@ -1904,30 +1946,22 @@ static int ieee80211_disassoc(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_join_ibss(struct wiphy *wiphy, struct net_device *dev,
                                struct cfg80211_ibss_params *params)
 {
-        struct ieee80211_local *local = wiphy_priv(wiphy);
-        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-
-        switch (ieee80211_get_channel_mode(local, sdata)) {
-        case CHAN_MODE_HOPPING:
-                return -EBUSY;
-        case CHAN_MODE_FIXED:
-                if (!params->channel_fixed)
-                        return -EBUSY;
-                if (local->oper_channel == params->channel)
-                        break;
-                return -EBUSY;
-        case CHAN_MODE_UNDEFINED:
-                break;
-        }
-
-        return ieee80211_ibss_join(sdata, params);
+        return ieee80211_ibss_join(IEEE80211_DEV_TO_SUB_IF(dev), params);
 }
 
 static int ieee80211_leave_ibss(struct wiphy *wiphy, struct net_device *dev)
 {
+        return ieee80211_ibss_leave(IEEE80211_DEV_TO_SUB_IF(dev));
+}
+
+static int ieee80211_set_mcast_rate(struct wiphy *wiphy, struct net_device *dev,
+                                    int rate[IEEE80211_NUM_BANDS])
+{
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-        return ieee80211_ibss_leave(sdata);
+        memcpy(sdata->vif.bss_conf.mcast_rate, rate, sizeof(rate));
+
+        return 0;
 }
 
 static int ieee80211_set_wiphy_params(struct wiphy *wiphy, u32 changed)
@@ -1968,41 +2002,65 @@ static int ieee80211_set_wiphy_params(struct wiphy *wiphy, u32 changed)
 }
 
 static int ieee80211_set_tx_power(struct wiphy *wiphy,
+                                  struct wireless_dev *wdev,
                                   enum nl80211_tx_power_setting type, int mbm)
 {
         struct ieee80211_local *local = wiphy_priv(wiphy);
-        struct ieee80211_channel *chan = local->oper_channel;
-        u32 changes = 0;
+        struct ieee80211_sub_if_data *sdata;
+
+        if (wdev) {
+                sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+
+                switch (type) {
+                case NL80211_TX_POWER_AUTOMATIC:
+                        sdata->user_power_level = IEEE80211_UNSET_POWER_LEVEL;
+                        break;
+                case NL80211_TX_POWER_LIMITED:
+                case NL80211_TX_POWER_FIXED:
+                        if (mbm < 0 || (mbm % 100))
+                                return -EOPNOTSUPP;
+                        sdata->user_power_level = MBM_TO_DBM(mbm);
+                        break;
+                }
+
+                ieee80211_recalc_txpower(sdata);
+
+                return 0;
+        }
 
         switch (type) {
         case NL80211_TX_POWER_AUTOMATIC:
-                local->user_power_level = -1;
+                local->user_power_level = IEEE80211_UNSET_POWER_LEVEL;
                 break;
         case NL80211_TX_POWER_LIMITED:
-                if (mbm < 0 || (mbm % 100))
-                        return -EOPNOTSUPP;
-                local->user_power_level = MBM_TO_DBM(mbm);
-                break;
         case NL80211_TX_POWER_FIXED:
                 if (mbm < 0 || (mbm % 100))
                         return -EOPNOTSUPP;
-                /* TODO: move to cfg80211 when it knows the channel */
-                if (MBM_TO_DBM(mbm) > chan->max_power)
-                        return -EINVAL;
                 local->user_power_level = MBM_TO_DBM(mbm);
                 break;
         }
 
-        ieee80211_hw_config(local, changes);
+        mutex_lock(&local->iflist_mtx);
+        list_for_each_entry(sdata, &local->interfaces, list)
+                sdata->user_power_level = local->user_power_level;
+        list_for_each_entry(sdata, &local->interfaces, list)
+                ieee80211_recalc_txpower(sdata);
+        mutex_unlock(&local->iflist_mtx);
 
         return 0;
 }
 
-static int ieee80211_get_tx_power(struct wiphy *wiphy, int *dbm)
+static int ieee80211_get_tx_power(struct wiphy *wiphy,
+                                  struct wireless_dev *wdev,
+                                  int *dbm)
 {
         struct ieee80211_local *local = wiphy_priv(wiphy);
+        struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
 
-        *dbm = local->hw.conf.power_level;
+        if (!local->use_chanctx)
+                *dbm = local->hw.conf.power_level;
+        else
+                *dbm = sdata->vif.bss_conf.txpower;
 
         return 0;
 }
@@ -2067,13 +2125,12 @@ int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
 
         /*
          * If not associated, or current association is not an HT
-         * association, there's no need to send an action frame.
+         * association, there's no need to do anything, just store
+         * the new value until we associate.
          */
         if (!sdata->u.mgd.associated ||
-            sdata->vif.bss_conf.channel_type == NL80211_CHAN_NO_HT) {
-                ieee80211_recalc_smps(sdata->local);
+            sdata->vif.bss_conf.channel_type == NL80211_CHAN_NO_HT)
                 return 0;
-        }
 
         ap = sdata->u.mgd.associated->bssid;
 
@@ -2189,6 +2246,9 @@ static int ieee80211_start_roc_work(struct ieee80211_local *local,
 
         lockdep_assert_held(&local->mtx);
 
+        if (local->use_chanctx && !local->ops->remain_on_channel)
+                return -EOPNOTSUPP;
+
         roc = kzalloc(sizeof(*roc), GFP_KERNEL);
         if (!roc)
                 return -ENOMEM;
@@ -2332,13 +2392,22 @@ static int ieee80211_start_roc_work(struct ieee80211_local *local,
                 list_add_tail(&roc->list, &local->roc_list);
 
         /*
-         * cookie is either the roc (for normal roc)
+         * cookie is either the roc cookie (for normal roc)
          * or the SKB (for mgmt TX)
          */
-        if (txskb)
+        if (!txskb) {
+                /* local->mtx protects this */
+                local->roc_cookie_counter++;
+                roc->cookie = local->roc_cookie_counter;
+                /* wow, you wrapped 64 bits ... more likely a bug */
+                if (WARN_ON(roc->cookie == 0)) {
+                        roc->cookie = 1;
+                        local->roc_cookie_counter++;
+                }
+                *cookie = roc->cookie;
+        } else {
                 *cookie = (unsigned long)txskb;
-        else
-                *cookie = (unsigned long)roc;
+        }
 
         return 0;
 }
@@ -2373,7 +2442,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
                 struct ieee80211_roc_work *dep, *tmp2;
 
                 list_for_each_entry_safe(dep, tmp2, &roc->dependents, list) {
-                        if (!mgmt_tx && (unsigned long)dep != cookie)
+                        if (!mgmt_tx && dep->cookie != cookie)
                                 continue;
                         else if (mgmt_tx && dep->mgmt_tx_cookie != cookie)
                                 continue;
@@ -2385,7 +2454,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
                         return 0;
                 }
 
-                if (!mgmt_tx && (unsigned long)roc != cookie)
+                if (!mgmt_tx && roc->cookie != cookie)
                         continue;
                 else if (mgmt_tx && roc->mgmt_tx_cookie != cookie)
                         continue;
@@ -2515,10 +2584,20 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
 
         /* Check if the operating channel is the requested channel */
         if (!need_offchan) {
-                need_offchan = chan != local->oper_channel;
-                if (channel_type_valid &&
-                    channel_type != local->_oper_channel_type)
+                struct ieee80211_chanctx_conf *chanctx_conf;
+
+                rcu_read_lock();
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+                if (chanctx_conf) {
+                        need_offchan = chan != chanctx_conf->channel;
+                        if (channel_type_valid &&
+                            channel_type != chanctx_conf->channel_type)
+                                need_offchan = true;
+                } else {
                         need_offchan = true;
+                }
+                rcu_read_unlock();
         }
 
         if (need_offchan && !offchan) {
@@ -2594,6 +2673,9 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
                 else
                         local->probe_req_reg--;
 
+                if (!local->open_count)
+                        break;
+
                 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
                 break;
         default:
@@ -2667,7 +2749,7 @@ static u16 ieee80211_get_tdls_sta_capab(struct ieee80211_sub_if_data *sdata)
         u16 capab;
 
         capab = 0;
-        if (local->oper_channel->band != IEEE80211_BAND_2GHZ)
+        if (ieee80211_get_sdata_band(sdata) != IEEE80211_BAND_2GHZ)
                 return capab;
 
         if (!(local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE))
@@ -2699,7 +2781,7 @@ ieee80211_prep_tdls_encap_data(struct wiphy *wiphy, struct net_device *dev,
                                u16 status_code, struct sk_buff *skb)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        struct ieee80211_local *local = sdata->local;
+        enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
         struct ieee80211_tdls_data *tf;
 
         tf = (void *)skb_put(skb, offsetof(struct ieee80211_tdls_data, u));
@@ -2719,10 +2801,8 @@ ieee80211_prep_tdls_encap_data(struct wiphy *wiphy, struct net_device *dev,
                 tf->u.setup_req.capability =
                         cpu_to_le16(ieee80211_get_tdls_sta_capab(sdata));
 
-                ieee80211_add_srates_ie(sdata, skb, false,
-                                        local->oper_channel->band);
-                ieee80211_add_ext_srates_ie(sdata, skb, false,
-                                            local->oper_channel->band);
+                ieee80211_add_srates_ie(sdata, skb, false, band);
+                ieee80211_add_ext_srates_ie(sdata, skb, false, band);
                 ieee80211_tdls_add_ext_capab(skb);
                 break;
         case WLAN_TDLS_SETUP_RESPONSE:
@@ -2735,10 +2815,8 @@ ieee80211_prep_tdls_encap_data(struct wiphy *wiphy, struct net_device *dev,
                 tf->u.setup_resp.capability =
                         cpu_to_le16(ieee80211_get_tdls_sta_capab(sdata));
 
-                ieee80211_add_srates_ie(sdata, skb, false,
-                                        local->oper_channel->band);
-                ieee80211_add_ext_srates_ie(sdata, skb, false,
-                                            local->oper_channel->band);
+                ieee80211_add_srates_ie(sdata, skb, false, band);
+                ieee80211_add_ext_srates_ie(sdata, skb, false, band);
                 ieee80211_tdls_add_ext_capab(skb);
                 break;
         case WLAN_TDLS_SETUP_CONFIRM:
@@ -2776,7 +2854,7 @@ ieee80211_prep_tdls_direct(struct wiphy *wiphy, struct net_device *dev,
                            u16 status_code, struct sk_buff *skb)
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        struct ieee80211_local *local = sdata->local;
+        enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
         struct ieee80211_mgmt *mgmt;
 
         mgmt = (void *)skb_put(skb, 24);
@@ -2799,10 +2877,8 @@ ieee80211_prep_tdls_direct(struct wiphy *wiphy, struct net_device *dev,
                 mgmt->u.action.u.tdls_discover_resp.capability =
                         cpu_to_le16(ieee80211_get_tdls_sta_capab(sdata));
 
-                ieee80211_add_srates_ie(sdata, skb, false,
-                                        local->oper_channel->band);
-                ieee80211_add_ext_srates_ie(sdata, skb, false,
-                                            local->oper_channel->band);
+                ieee80211_add_srates_ie(sdata, skb, false, band);
+                ieee80211_add_ext_srates_ie(sdata, skb, false, band);
                 ieee80211_tdls_add_ext_capab(skb);
                 break;
         default:
@@ -2819,7 +2895,6 @@ static int ieee80211_tdls_mgmt(struct wiphy *wiphy, struct net_device *dev,
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_tx_info *info;
         struct sk_buff *skb = NULL;
         bool send_direct;
         int ret;
@@ -2845,7 +2920,6 @@ static int ieee80211_tdls_mgmt(struct wiphy *wiphy, struct net_device *dev,
         if (!skb)
                 return -ENOMEM;
 
-        info = IEEE80211_SKB_CB(skb);
         skb_reserve(skb, local->hw.extra_tx_headroom);
 
         switch (action_code) {
@@ -2982,12 +3056,19 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
         bool qos;
         struct ieee80211_tx_info *info;
         struct sta_info *sta;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        enum ieee80211_band band;
 
         rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return -EINVAL;
+        }
+        band = chanctx_conf->channel->band;
         sta = sta_info_get(sdata, peer);
         if (sta) {
                 qos = test_sta_flag(sta, WLAN_STA_WME);
-                rcu_read_unlock();
         } else {
                 rcu_read_unlock();
                 return -ENOLINK;
@@ -3005,8 +3086,10 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
         }
 
         skb = dev_alloc_skb(local->hw.extra_tx_headroom + size);
-        if (!skb)
+        if (!skb) {
+                rcu_read_unlock();
                 return -ENOMEM;
+        }
 
         skb->dev = dev;
 
@@ -3031,8 +3114,9 @@ static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
                 nullfunc->qos_ctrl = cpu_to_le16(7);
 
         local_bh_disable();
-        ieee80211_xmit(sdata, skb);
+        ieee80211_xmit(sdata, skb, band);
         local_bh_enable();
+        rcu_read_unlock();
 
         *cookie = (unsigned long) skb;
         return 0;
@@ -3042,10 +3126,19 @@ static struct ieee80211_channel *
 ieee80211_cfg_get_channel(struct wiphy *wiphy, struct wireless_dev *wdev,
                           enum nl80211_channel_type *type)
 {
-        struct ieee80211_local *local = wiphy_priv(wiphy);
+        struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan = NULL;
+
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (chanctx_conf) {
+                *type = chanctx_conf->channel_type;
+                chan = chanctx_conf->channel;
+        }
+        rcu_read_unlock();
 
-        *type = local->_oper_channel_type;
-        return local->oper_channel;
+        return chan;
 }
 
 #ifdef CONFIG_PM
@@ -3100,6 +3193,7 @@ struct cfg80211_ops mac80211_config_ops = {
         .disassoc = ieee80211_disassoc,
         .join_ibss = ieee80211_join_ibss,
         .leave_ibss = ieee80211_leave_ibss,
+        .set_mcast_rate = ieee80211_set_mcast_rate,
         .set_wiphy_params = ieee80211_set_wiphy_params,
         .set_tx_power = ieee80211_set_tx_power,
         .get_tx_power = ieee80211_get_tx_power,
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 0bfc914ddd15..a2b06d40aebf 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -3,108 +3,10 @@
  */
 
 #include <linux/nl80211.h>
+#include <linux/export.h>
 #include <net/cfg80211.h>
 #include "ieee80211_i.h"
-
-static enum ieee80211_chan_mode
-__ieee80211_get_channel_mode(struct ieee80211_local *local,
-                             struct ieee80211_sub_if_data *ignore)
-{
-        struct ieee80211_sub_if_data *sdata;
-
-        lockdep_assert_held(&local->iflist_mtx);
-
-        list_for_each_entry(sdata, &local->interfaces, list) {
-                if (sdata == ignore)
-                        continue;
-
-                if (!ieee80211_sdata_running(sdata))
-                        continue;
-
-                switch (sdata->vif.type) {
-                case NL80211_IFTYPE_MONITOR:
-                        continue;
-                case NL80211_IFTYPE_STATION:
-                        if (!sdata->u.mgd.associated)
-                                continue;
-                        break;
-                case NL80211_IFTYPE_ADHOC:
-                        if (!sdata->u.ibss.ssid_len)
-                                continue;
-                        if (!sdata->u.ibss.fixed_channel)
-                                return CHAN_MODE_HOPPING;
-                        break;
-                case NL80211_IFTYPE_AP_VLAN:
-                        /* will also have _AP interface */
-                        continue;
-                case NL80211_IFTYPE_AP:
-                        if (!sdata->u.ap.beacon)
-                                continue;
-                        break;
-                case NL80211_IFTYPE_MESH_POINT:
-                        if (!sdata->wdev.mesh_id_len)
-                                continue;
-                        break;
-                default:
-                        break;
-                }
-
-                return CHAN_MODE_FIXED;
-        }
-
-        return CHAN_MODE_UNDEFINED;
-}
-
-enum ieee80211_chan_mode
-ieee80211_get_channel_mode(struct ieee80211_local *local,
-                           struct ieee80211_sub_if_data *ignore)
-{
-        enum ieee80211_chan_mode mode;
-
-        mutex_lock(&local->iflist_mtx);
-        mode = __ieee80211_get_channel_mode(local, ignore);
-        mutex_unlock(&local->iflist_mtx);
-
-        return mode;
-}
-
-static enum nl80211_channel_type
-ieee80211_get_superchan(struct ieee80211_local *local,
-                        struct ieee80211_sub_if_data *sdata)
-{
-        enum nl80211_channel_type superchan = NL80211_CHAN_NO_HT;
-        struct ieee80211_sub_if_data *tmp;
-
-        mutex_lock(&local->iflist_mtx);
-        list_for_each_entry(tmp, &local->interfaces, list) {
-                if (tmp == sdata)
-                        continue;
-
-                if (!ieee80211_sdata_running(tmp))
-                        continue;
-
-                switch (tmp->vif.bss_conf.channel_type) {
-                case NL80211_CHAN_NO_HT:
-                case NL80211_CHAN_HT20:
-                        if (superchan > tmp->vif.bss_conf.channel_type)
-                                break;
-
-                        superchan = tmp->vif.bss_conf.channel_type;
-                        break;
-                case NL80211_CHAN_HT40PLUS:
-                        WARN_ON(superchan == NL80211_CHAN_HT40MINUS);
-                        superchan = NL80211_CHAN_HT40PLUS;
-                        break;
-                case NL80211_CHAN_HT40MINUS:
-                        WARN_ON(superchan == NL80211_CHAN_HT40PLUS);
-                        superchan = NL80211_CHAN_HT40MINUS;
-                        break;
-                }
-        }
-        mutex_unlock(&local->iflist_mtx);
-
-        return superchan;
-}
+#include "driver-ops.h"
 
 static bool
 ieee80211_channel_types_are_compatible(enum nl80211_channel_type chantype1,
@@ -148,23 +50,352 @@ ieee80211_channel_types_are_compatible(enum nl80211_channel_type chantype1,
         return true;
 }
 
-bool ieee80211_set_channel_type(struct ieee80211_local *local,
-                                struct ieee80211_sub_if_data *sdata,
-                                enum nl80211_channel_type chantype)
+static void ieee80211_change_chantype(struct ieee80211_local *local,
+                                      struct ieee80211_chanctx *ctx,
+                                      enum nl80211_channel_type chantype)
 {
-        enum nl80211_channel_type superchan;
-        enum nl80211_channel_type compatchan;
+        if (chantype == ctx->conf.channel_type)
+                return;
 
-        superchan = ieee80211_get_superchan(local, sdata);
-        if (!ieee80211_channel_types_are_compatible(superchan, chantype,
-                                                    &compatchan))
-                return false;
+        ctx->conf.channel_type = chantype;
+        drv_change_chanctx(local, ctx, IEEE80211_CHANCTX_CHANGE_CHANNEL_TYPE);
 
-        local->_oper_channel_type = compatchan;
+        if (!local->use_chanctx) {
+                local->_oper_channel_type = chantype;
+                ieee80211_hw_config(local, 0);
+        }
+}
 
-        if (sdata)
-                sdata->vif.bss_conf.channel_type = chantype;
+static struct ieee80211_chanctx *
+ieee80211_find_chanctx(struct ieee80211_local *local,
+                       struct ieee80211_channel *channel,
+                       enum nl80211_channel_type channel_type,
+                       enum ieee80211_chanctx_mode mode)
+{
+        struct ieee80211_chanctx *ctx;
+        enum nl80211_channel_type compat_type;
 
-        return true;
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        if (mode == IEEE80211_CHANCTX_EXCLUSIVE)
+                return NULL;
+        if (WARN_ON(!channel))
+                return NULL;
+
+        list_for_each_entry(ctx, &local->chanctx_list, list) {
+                compat_type = ctx->conf.channel_type;
+
+                if (ctx->mode == IEEE80211_CHANCTX_EXCLUSIVE)
+                        continue;
+                if (ctx->conf.channel != channel)
+                        continue;
+                if (!ieee80211_channel_types_are_compatible(ctx->conf.channel_type,
+                                                            channel_type,
+                                                            &compat_type))
+                        continue;
+
+                ieee80211_change_chantype(local, ctx, compat_type);
+
+                return ctx;
+        }
+
+        return NULL;
+}
+
+static struct ieee80211_chanctx *
+ieee80211_new_chanctx(struct ieee80211_local *local,
+                      struct ieee80211_channel *channel,
+                      enum nl80211_channel_type channel_type,
+                      enum ieee80211_chanctx_mode mode)
+{
+        struct ieee80211_chanctx *ctx;
+        int err;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        ctx = kzalloc(sizeof(*ctx) + local->hw.chanctx_data_size, GFP_KERNEL);
+        if (!ctx)
+                return ERR_PTR(-ENOMEM);
+
+        ctx->conf.channel = channel;
+        ctx->conf.channel_type = channel_type;
+        ctx->conf.rx_chains_static = 1;
+        ctx->conf.rx_chains_dynamic = 1;
+        ctx->mode = mode;
+
+        if (!local->use_chanctx) {
+                local->_oper_channel_type = channel_type;
+                local->_oper_channel = channel;
+                ieee80211_hw_config(local, 0);
+        } else {
+                err = drv_add_chanctx(local, ctx);
+                if (err) {
+                        kfree(ctx);
+                        return ERR_PTR(err);
+                }
+        }
+
+        list_add_rcu(&ctx->list, &local->chanctx_list);
+
+        return ctx;
+}
+
+static void ieee80211_free_chanctx(struct ieee80211_local *local,
+                                   struct ieee80211_chanctx *ctx)
+{
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        WARN_ON_ONCE(ctx->refcount != 0);
+
+        if (!local->use_chanctx) {
+                local->_oper_channel_type = NL80211_CHAN_NO_HT;
+                ieee80211_hw_config(local, 0);
+        } else {
+                drv_remove_chanctx(local, ctx);
+        }
+
+        list_del_rcu(&ctx->list);
+        kfree_rcu(ctx, rcu_head);
+}
+
+static int ieee80211_assign_vif_chanctx(struct ieee80211_sub_if_data *sdata,
+                                        struct ieee80211_chanctx *ctx)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        ret = drv_assign_vif_chanctx(local, sdata, ctx);
+        if (ret)
+                return ret;
+
+        rcu_assign_pointer(sdata->vif.chanctx_conf, &ctx->conf);
+        ctx->refcount++;
+
+        ieee80211_recalc_txpower(sdata);
+
+        return 0;
+}
+
+static enum nl80211_channel_type
+ieee80211_calc_chantype(struct ieee80211_local *local,
+                        struct ieee80211_chanctx *ctx)
+{
+        struct ieee80211_chanctx_conf *conf = &ctx->conf;
+        struct ieee80211_sub_if_data *sdata;
+        enum nl80211_channel_type result = NL80211_CHAN_NO_HT;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        rcu_read_lock();
+        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+                if (!ieee80211_sdata_running(sdata))
+                        continue;
+                if (rcu_access_pointer(sdata->vif.chanctx_conf) != conf)
+                        continue;
+
+                WARN_ON_ONCE(!ieee80211_channel_types_are_compatible(
+                                        sdata->vif.bss_conf.channel_type,
+                                        result, &result));
+        }
+        rcu_read_unlock();
+
+        return result;
+}
+
+static void ieee80211_recalc_chanctx_chantype(struct ieee80211_local *local,
+                                              struct ieee80211_chanctx *ctx)
+{
+        enum nl80211_channel_type chantype;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        chantype = ieee80211_calc_chantype(local, ctx);
+        ieee80211_change_chantype(local, ctx, chantype);
+}
+
+static void ieee80211_unassign_vif_chanctx(struct ieee80211_sub_if_data *sdata,
+                                           struct ieee80211_chanctx *ctx)
+{
+        struct ieee80211_local *local = sdata->local;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        ctx->refcount--;
+        rcu_assign_pointer(sdata->vif.chanctx_conf, NULL);
+
+        drv_unassign_vif_chanctx(local, sdata, ctx);
+
+        if (ctx->refcount > 0) {
+                ieee80211_recalc_chanctx_chantype(sdata->local, ctx);
+                ieee80211_recalc_smps_chanctx(local, ctx);
+        }
+}
+
+static void __ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx_conf *conf;
+        struct ieee80211_chanctx *ctx;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
+                                         lockdep_is_held(&local->chanctx_mtx));
+        if (!conf)
+                return;
+
+        ctx = container_of(conf, struct ieee80211_chanctx, conf);
+
+        ieee80211_unassign_vif_chanctx(sdata, ctx);
+        if (ctx->refcount == 0)
+                ieee80211_free_chanctx(local, ctx);
+}
+
+void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
+                                   struct ieee80211_chanctx *chanctx)
+{
+        struct ieee80211_sub_if_data *sdata;
+        u8 rx_chains_static, rx_chains_dynamic;
+
+        lockdep_assert_held(&local->chanctx_mtx);
+
+        rx_chains_static = 1;
+        rx_chains_dynamic = 1;
+
+        rcu_read_lock();
+        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+                u8 needed_static, needed_dynamic;
+
+                if (!ieee80211_sdata_running(sdata))
+                        continue;
+
+                if (rcu_access_pointer(sdata->vif.chanctx_conf) !=
+                                                &chanctx->conf)
+                        continue;
+
+                switch (sdata->vif.type) {
+                case NL80211_IFTYPE_P2P_DEVICE:
+                        continue;
+                case NL80211_IFTYPE_STATION:
+                        if (!sdata->u.mgd.associated)
+                                continue;
+                        break;
+                case NL80211_IFTYPE_AP_VLAN:
+                        continue;
+                case NL80211_IFTYPE_AP:
+                case NL80211_IFTYPE_ADHOC:
+                case NL80211_IFTYPE_WDS:
+                case NL80211_IFTYPE_MESH_POINT:
+                        break;
+                default:
+                        WARN_ON_ONCE(1);
+                }
+
+                switch (sdata->smps_mode) {
+                default:
+                        WARN_ONCE(1, "Invalid SMPS mode %d\n",
+                                  sdata->smps_mode);
+                        /* fall through */
+                case IEEE80211_SMPS_OFF:
+                        needed_static = sdata->needed_rx_chains;
+                        needed_dynamic = sdata->needed_rx_chains;
+                        break;
+                case IEEE80211_SMPS_DYNAMIC:
+                        needed_static = 1;
+                        needed_dynamic = sdata->needed_rx_chains;
+                        break;
+                case IEEE80211_SMPS_STATIC:
+                        needed_static = 1;
+                        needed_dynamic = 1;
+                        break;
+                }
+
+                rx_chains_static = max(rx_chains_static, needed_static);
+                rx_chains_dynamic = max(rx_chains_dynamic, needed_dynamic);
+        }
+        rcu_read_unlock();
+
+        if (!local->use_chanctx) {
+                if (rx_chains_static > 1)
+                        local->smps_mode = IEEE80211_SMPS_OFF;
+                else if (rx_chains_dynamic > 1)
+                        local->smps_mode = IEEE80211_SMPS_DYNAMIC;
+                else
+                        local->smps_mode = IEEE80211_SMPS_STATIC;
+                ieee80211_hw_config(local, 0);
+        }
+
+        if (rx_chains_static == chanctx->conf.rx_chains_static &&
+            rx_chains_dynamic == chanctx->conf.rx_chains_dynamic)
+                return;
+
+        chanctx->conf.rx_chains_static = rx_chains_static;
+        chanctx->conf.rx_chains_dynamic = rx_chains_dynamic;
+        drv_change_chanctx(local, chanctx, IEEE80211_CHANCTX_CHANGE_RX_CHAINS);
+}
+
+int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
+                              struct ieee80211_channel *channel,
+                              enum nl80211_channel_type channel_type,
+                              enum ieee80211_chanctx_mode mode)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx *ctx;
+        int ret;
+
+        WARN_ON(sdata->dev && netif_carrier_ok(sdata->dev));
+
+        mutex_lock(&local->chanctx_mtx);
+        __ieee80211_vif_release_channel(sdata);
+
+        ctx = ieee80211_find_chanctx(local, channel, channel_type, mode);
+        if (!ctx)
+                ctx = ieee80211_new_chanctx(local, channel, channel_type, mode);
+        if (IS_ERR(ctx)) {
+                ret = PTR_ERR(ctx);
+                goto out;
+        }
+
+        sdata->vif.bss_conf.channel_type = channel_type;
+
+        ret = ieee80211_assign_vif_chanctx(sdata, ctx);
+        if (ret) {
+                /* if assign fails refcount stays the same */
+                if (ctx->refcount == 0)
+                        ieee80211_free_chanctx(local, ctx);
+                goto out;
+        }
+
+        ieee80211_recalc_smps_chanctx(local, ctx);
+ out:
+        mutex_unlock(&local->chanctx_mtx);
+        return ret;
+}
+
+void ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
+{
+        WARN_ON(sdata->dev && netif_carrier_ok(sdata->dev));
+
+        mutex_lock(&sdata->local->chanctx_mtx);
+        __ieee80211_vif_release_channel(sdata);
+        mutex_unlock(&sdata->local->chanctx_mtx);
+}
+
+void ieee80211_iter_chan_contexts_atomic(
+        struct ieee80211_hw *hw,
+        void (*iter)(struct ieee80211_hw *hw,
+                     struct ieee80211_chanctx_conf *chanctx_conf,
+                     void *data),
+        void *iter_data)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        struct ieee80211_chanctx *ctx;
 
+        rcu_read_lock();
+        list_for_each_entry_rcu(ctx, &local->chanctx_list, list)
+                iter(hw, &ctx->conf, iter_data);
+        rcu_read_unlock();
 }
+EXPORT_SYMBOL_GPL(ieee80211_iter_chan_contexts_atomic);
diff --git a/net/mac80211/debugfs.h b/net/mac80211/debugfs.h
index 9be4e6d71d00..214ed4ecd739 100644
--- a/net/mac80211/debugfs.h
+++ b/net/mac80211/debugfs.h
@@ -2,9 +2,9 @@
 #define __MAC80211_DEBUGFS_H
 
 #ifdef CONFIG_MAC80211_DEBUGFS
-extern void debugfs_hw_add(struct ieee80211_local *local);
-extern int mac80211_format_buffer(char __user *userbuf, size_t count,
-                                  loff_t *ppos, char *fmt, ...);
+void debugfs_hw_add(struct ieee80211_local *local);
+int __printf(4, 5) mac80211_format_buffer(char __user *userbuf, size_t count,
+                                          loff_t *ppos, char *fmt, ...);
 #else
 static inline void debugfs_hw_add(struct ieee80211_local *local)
 {
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 6d5aec9418ee..ba9bd0ef119a 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -10,6 +10,7 @@
 #include <linux/kernel.h>
 #include <linux/device.h>
 #include <linux/if.h>
+#include <linux/if_ether.h>
 #include <linux/interrupt.h>
 #include <linux/netdevice.h>
 #include <linux/rtnetlink.h>
@@ -168,6 +169,29 @@ IEEE80211_IF_FILE(rc_rateidx_mcs_mask_5ghz,
 IEEE80211_IF_FILE(flags, flags, HEX);
 IEEE80211_IF_FILE(state, state, LHEX);
 IEEE80211_IF_FILE(channel_type, vif.bss_conf.channel_type, DEC);
+IEEE80211_IF_FILE(txpower, vif.bss_conf.txpower, DEC);
+IEEE80211_IF_FILE(ap_power_level, ap_power_level, DEC);
+IEEE80211_IF_FILE(user_power_level, user_power_level, DEC);
+
+static ssize_t
+ieee80211_if_fmt_hw_queues(const struct ieee80211_sub_if_data *sdata,
+                           char *buf, int buflen)
+{
+        int len;
+
+        len = scnprintf(buf, buflen, "AC queues: VO:%d VI:%d BE:%d BK:%d\n",
+                        sdata->vif.hw_queue[IEEE80211_AC_VO],
+                        sdata->vif.hw_queue[IEEE80211_AC_VI],
+                        sdata->vif.hw_queue[IEEE80211_AC_BE],
+                        sdata->vif.hw_queue[IEEE80211_AC_BK]);
+
+        if (sdata->vif.type == NL80211_IFTYPE_AP)
+                len += scnprintf(buf + len, buflen - len, "cab queue: %d\n",
+                                 sdata->vif.cab_queue);
+
+        return len;
+}
+__IEEE80211_IF_FILE(hw_queues, NULL);
 
 /* STA attributes */
 IEEE80211_IF_FILE(bssid, u.mgd.bssid, MAC);
@@ -217,7 +241,7 @@ static ssize_t ieee80211_if_fmt_smps(const struct ieee80211_sub_if_data *sdata,
 
         return snprintf(buf, buflen, "request: %s\nused: %s\n",
                         smps_modes[sdata->u.mgd.req_smps],
-                        smps_modes[sdata->u.mgd.ap_smps]);
+                        smps_modes[sdata->smps_mode]);
 }
 
 static ssize_t ieee80211_if_parse_smps(struct ieee80211_sub_if_data *sdata,
@@ -245,27 +269,6 @@ static ssize_t ieee80211_if_fmt_tkip_mic_test(
         return -EOPNOTSUPP;
 }
 
-static int hwaddr_aton(const char *txt, u8 *addr)
-{
-        int i;
-
-        for (i = 0; i < ETH_ALEN; i++) {
-                int a, b;
-
-                a = hex_to_bin(*txt++);
-                if (a < 0)
-                        return -1;
-                b = hex_to_bin(*txt++);
-                if (b < 0)
-                        return -1;
-                *addr++ = (a << 4) | b;
-                if (i < 5 && *txt++ != ':')
-                        return -1;
-        }
-
-        return 0;
-}
-
 static ssize_t ieee80211_if_parse_tkip_mic_test(
         struct ieee80211_sub_if_data *sdata, const char *buf, int buflen)
 {
@@ -275,13 +278,7 @@ static ssize_t ieee80211_if_parse_tkip_mic_test(
         struct ieee80211_hdr *hdr;
         __le16 fc;
 
-        /*
-         * Assume colon-delimited MAC address with possible white space
-         * following.
-         */
-        if (buflen < 3 * ETH_ALEN - 1)
-                return -EINVAL;
-        if (hwaddr_aton(buf, addr) < 0)
+        if (!mac_pton(buf, addr))
                 return -EINVAL;
 
         if (!ieee80211_sdata_running(sdata))
@@ -307,13 +304,16 @@ static ssize_t ieee80211_if_parse_tkip_mic_test(
         case NL80211_IFTYPE_STATION:
                 fc |= cpu_to_le16(IEEE80211_FCTL_TODS);
                 /* BSSID SA DA */
-                if (sdata->vif.bss_conf.bssid == NULL) {
+                mutex_lock(&sdata->u.mgd.mtx);
+                if (!sdata->u.mgd.associated) {
+                        mutex_unlock(&sdata->u.mgd.mtx);
                         dev_kfree_skb(skb);
                         return -ENOTCONN;
                 }
-                memcpy(hdr->addr1, sdata->vif.bss_conf.bssid, ETH_ALEN);
+                memcpy(hdr->addr1, sdata->u.mgd.associated->bssid, ETH_ALEN);
                 memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN);
                 memcpy(hdr->addr3, addr, ETH_ALEN);
+                mutex_unlock(&sdata->u.mgd.mtx);
                 break;
         default:
                 dev_kfree_skb(skb);
@@ -395,14 +395,14 @@ __IEEE80211_IF_FILE_W(uapsd_max_sp_len);
 
 /* AP attributes */
 IEEE80211_IF_FILE(num_mcast_sta, u.ap.num_mcast_sta, ATOMIC);
-IEEE80211_IF_FILE(num_sta_ps, u.ap.num_sta_ps, ATOMIC);
-IEEE80211_IF_FILE(dtim_count, u.ap.dtim_count, DEC);
+IEEE80211_IF_FILE(num_sta_ps, u.ap.ps.num_sta_ps, ATOMIC);
+IEEE80211_IF_FILE(dtim_count, u.ap.ps.dtim_count, DEC);
 
 static ssize_t ieee80211_if_fmt_num_buffered_multicast(
         const struct ieee80211_sub_if_data *sdata, char *buf, int buflen)
 {
         return scnprintf(buf, buflen, "%u\n",
-                         skb_queue_len(&sdata->u.ap.ps_bc_buf));
+                         skb_queue_len(&sdata->u.ap.ps.bc_buf));
 }
 __IEEE80211_IF_FILE(num_buffered_multicast, NULL);
 
@@ -443,7 +443,7 @@ static ssize_t ieee80211_if_parse_tsf(
                 }
                 ret = kstrtoull(buf, 10, &tsf);
                 if (ret < 0)
-                        return -EINVAL;
+                        return ret;
                 if (tsf_is_delta)
                         tsf = drv_get_tsf(local, sdata) + tsf_is_delta * tsf;
                 if (local->ops->set_tsf) {
@@ -471,7 +471,7 @@ IEEE80211_IF_FILE(dropped_frames_congestion,
                   u.mesh.mshstats.dropped_frames_congestion, DEC);
 IEEE80211_IF_FILE(dropped_frames_no_route,
                   u.mesh.mshstats.dropped_frames_no_route, DEC);
-IEEE80211_IF_FILE(estab_plinks, u.mesh.mshstats.estab_plinks, ATOMIC);
+IEEE80211_IF_FILE(estab_plinks, u.mesh.estab_plinks, ATOMIC);
 
 /* Mesh parameters */
 IEEE80211_IF_FILE(dot11MeshMaxRetries,
@@ -531,6 +531,7 @@ static void add_common_files(struct ieee80211_sub_if_data *sdata)
         DEBUGFS_ADD(rc_rateidx_mask_5ghz);
         DEBUGFS_ADD(rc_rateidx_mcs_mask_2ghz);
         DEBUGFS_ADD(rc_rateidx_mcs_mask_5ghz);
+        DEBUGFS_ADD(hw_queues);
 }
 
 static void add_sta_files(struct ieee80211_sub_if_data *sdata)
@@ -632,6 +633,9 @@ static void add_files(struct ieee80211_sub_if_data *sdata)
         DEBUGFS_ADD(flags);
         DEBUGFS_ADD(state);
         DEBUGFS_ADD(channel_type);
+        DEBUGFS_ADD(txpower);
+        DEBUGFS_ADD(user_power_level);
+        DEBUGFS_ADD(ap_power_level);
 
         if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
                 add_common_files(sdata);
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index da9003b20004..4dc2577886ff 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -871,4 +871,104 @@ static inline void drv_mgd_prepare_tx(struct ieee80211_local *local,
                 local->ops->mgd_prepare_tx(&local->hw, &sdata->vif);
         trace_drv_return_void(local);
 }
+
+static inline int drv_add_chanctx(struct ieee80211_local *local,
+                                  struct ieee80211_chanctx *ctx)
+{
+        int ret = -EOPNOTSUPP;
+
+        trace_drv_add_chanctx(local, ctx);
+        if (local->ops->add_chanctx)
+                ret = local->ops->add_chanctx(&local->hw, &ctx->conf);
+        trace_drv_return_int(local, ret);
+
+        return ret;
+}
+
+static inline void drv_remove_chanctx(struct ieee80211_local *local,
+                                      struct ieee80211_chanctx *ctx)
+{
+        trace_drv_remove_chanctx(local, ctx);
+        if (local->ops->remove_chanctx)
+                local->ops->remove_chanctx(&local->hw, &ctx->conf);
+        trace_drv_return_void(local);
+}
+
+static inline void drv_change_chanctx(struct ieee80211_local *local,
+                                      struct ieee80211_chanctx *ctx,
+                                      u32 changed)
+{
+        trace_drv_change_chanctx(local, ctx, changed);
+        if (local->ops->change_chanctx)
+                local->ops->change_chanctx(&local->hw, &ctx->conf, changed);
+        trace_drv_return_void(local);
+}
+
+static inline int drv_assign_vif_chanctx(struct ieee80211_local *local,
+                                         struct ieee80211_sub_if_data *sdata,
+                                         struct ieee80211_chanctx *ctx)
+{
+        int ret = 0;
+
+        check_sdata_in_driver(sdata);
+
+        trace_drv_assign_vif_chanctx(local, sdata, ctx);
+        if (local->ops->assign_vif_chanctx)
+                ret = local->ops->assign_vif_chanctx(&local->hw,
+                                                     &sdata->vif,
+                                                     &ctx->conf);
+        trace_drv_return_int(local, ret);
+
+        return ret;
+}
+
+static inline void drv_unassign_vif_chanctx(struct ieee80211_local *local,
+                                            struct ieee80211_sub_if_data *sdata,
+                                            struct ieee80211_chanctx *ctx)
+{
+        check_sdata_in_driver(sdata);
+
+        trace_drv_unassign_vif_chanctx(local, sdata, ctx);
+        if (local->ops->unassign_vif_chanctx)
+                local->ops->unassign_vif_chanctx(&local->hw,
+                                                 &sdata->vif,
+                                                 &ctx->conf);
+        trace_drv_return_void(local);
+}
+
+static inline int drv_start_ap(struct ieee80211_local *local,
+                               struct ieee80211_sub_if_data *sdata)
+{
+        int ret = 0;
+
+        check_sdata_in_driver(sdata);
+
+        trace_drv_start_ap(local, sdata, &sdata->vif.bss_conf);
+        if (local->ops->start_ap)
+                ret = local->ops->start_ap(&local->hw, &sdata->vif);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+
+static inline void drv_stop_ap(struct ieee80211_local *local,
+                               struct ieee80211_sub_if_data *sdata)
+{
+        check_sdata_in_driver(sdata);
+
+        trace_drv_stop_ap(local, sdata);
+        if (local->ops->stop_ap)
+                local->ops->stop_ap(&local->hw, &sdata->vif);
+        trace_drv_return_void(local);
+}
+
+static inline void drv_restart_complete(struct ieee80211_local *local)
+{
+        might_sleep();
+
+        trace_drv_restart_complete(local);
+        if (local->ops->restart_complete)
+                local->ops->restart_complete(&local->hw);
+        trace_drv_return_void(local);
+}
+
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 5f3620f0bc0a..67774b053535 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -26,7 +26,6 @@
 #include "rate.h"
 
 #define IEEE80211_SCAN_INTERVAL (2 * HZ)
-#define IEEE80211_SCAN_INTERVAL_SLOW (15 * HZ)
 #define IEEE80211_IBSS_JOIN_TIMEOUT (7 * HZ)
 
 #define IEEE80211_IBSS_MERGE_INTERVAL (30 * HZ)
@@ -39,7 +38,8 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
                                       const u8 *bssid, const int beacon_int,
                                       struct ieee80211_channel *chan,
                                       const u32 basic_rates,
-                                      const u16 capability, u64 tsf)
+                                      const u16 capability, u64 tsf,
+                                      bool creator)
 {
         struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct ieee80211_local *local = sdata->local;
@@ -72,25 +72,27 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         /* if merging, indicate to driver that we leave the old IBSS */
         if (sdata->vif.bss_conf.ibss_joined) {
                 sdata->vif.bss_conf.ibss_joined = false;
+                sdata->vif.bss_conf.ibss_creator = false;
                 netif_carrier_off(sdata->dev);
                 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_IBSS);
         }
 
-        memcpy(ifibss->bssid, bssid, ETH_ALEN);
-
         sdata->drop_unencrypted = capability & WLAN_CAPABILITY_PRIVACY ? 1 : 0;
 
-        local->oper_channel = chan;
         channel_type = ifibss->channel_type;
         if (!cfg80211_can_beacon_sec_chan(local->hw.wiphy, chan, channel_type))
                 channel_type = NL80211_CHAN_HT20;
-        if (!ieee80211_set_channel_type(local, sdata, channel_type)) {
-                /* can only fail due to HT40+/- mismatch */
-                channel_type = NL80211_CHAN_HT20;
-                WARN_ON(!ieee80211_set_channel_type(local, sdata,
-                                                    NL80211_CHAN_HT20));
+
+        ieee80211_vif_release_channel(sdata);
+        if (ieee80211_vif_use_channel(sdata, chan, channel_type,
+                                      ifibss->fixed_channel ?
+                                        IEEE80211_CHANCTX_SHARED :
+                                        IEEE80211_CHANCTX_EXCLUSIVE)) {
+                sdata_info(sdata, "Failed to join IBSS, no channel context\n");
+                return;
         }
-        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+
+        memcpy(ifibss->bssid, bssid, ETH_ALEN);
 
         sband = local->hw.wiphy->bands[chan->band];
 
@@ -197,6 +199,7 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
         bss_change |= BSS_CHANGED_HT;
         bss_change |= BSS_CHANGED_IBSS;
         sdata->vif.bss_conf.ibss_joined = true;
+        sdata->vif.bss_conf.ibss_creator = creator;
         ieee80211_bss_info_change_notify(sdata, bss_change);
 
         ieee80211_sta_def_wmm_params(sdata, sband->n_bitrates, supp_rates);
@@ -249,7 +252,8 @@ static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
                                   cbss->channel,
                                   basic_rates,
                                   cbss->capability,
-                                  cbss->tsf);
+                                  cbss->tsf,
+                                  false);
 }
 
 static struct sta_info *ieee80211_ibss_finish_sta(struct sta_info *sta,
@@ -279,7 +283,7 @@ static struct sta_info *ieee80211_ibss_finish_sta(struct sta_info *sta,
                 ibss_dbg(sdata,
                          "TX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=1)\n",
                          sdata->vif.addr, addr, sdata->u.ibss.bssid);
-                ieee80211_send_auth(sdata, 1, WLAN_AUTH_OPEN, NULL, 0,
+                ieee80211_send_auth(sdata, 1, WLAN_AUTH_OPEN, 0, NULL, 0,
                                     addr, sdata->u.ibss.bssid, NULL, 0, 0);
         }
         return sta;
@@ -294,7 +298,8 @@ ieee80211_ibss_add_sta(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct ieee80211_local *local = sdata->local;
         struct sta_info *sta;
-        int band = local->oper_channel->band;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        int band;
 
         /*
          * XXX: Consider removing the least recently used entry and
@@ -317,6 +322,13 @@ ieee80211_ibss_add_sta(struct ieee80211_sub_if_data *sdata,
                 return NULL;
         }
 
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON_ONCE(!chanctx_conf))
+                return NULL;
+        band = chanctx_conf->channel->band;
+        rcu_read_unlock();
+
         sta = sta_info_alloc(sdata, addr, GFP_KERNEL);
         if (!sta) {
                 rcu_read_lock();
@@ -389,7 +401,7 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
          * However, try to reply to authentication attempts if someone
          * has actually implemented this.
          */
-        ieee80211_send_auth(sdata, 2, WLAN_AUTH_OPEN, NULL, 0,
+        ieee80211_send_auth(sdata, 2, WLAN_AUTH_OPEN, 0, NULL, 0,
                             mgmt->sa, sdata->u.ibss.bssid, NULL, 0, 0);
 }
 
@@ -517,7 +529,8 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                 goto put_bss;
 
         /* different channel */
-        if (cbss->channel != local->oper_channel)
+        if (sdata->u.ibss.fixed_channel &&
+            sdata->u.ibss.channel != cbss->channel)
                 goto put_bss;
 
         /* different SSID */
@@ -592,7 +605,8 @@ void ieee80211_ibss_rx_no_sta(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct ieee80211_local *local = sdata->local;
         struct sta_info *sta;
-        int band = local->oper_channel->band;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        int band;
 
         /*
          * XXX: Consider removing the least recently used entry and
@@ -610,6 +624,15 @@ void ieee80211_ibss_rx_no_sta(struct ieee80211_sub_if_data *sdata,
         if (!ether_addr_equal(bssid, sdata->u.ibss.bssid))
                 return;
 
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON_ONCE(!chanctx_conf)) {
+                rcu_read_unlock();
+                return;
+        }
+        band = chanctx_conf->channel->band;
+        rcu_read_unlock();
+
         sta = sta_info_alloc(sdata, addr, GFP_ATOMIC);
         if (!sta)
                 return;
@@ -715,7 +738,7 @@ static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
 
         __ieee80211_sta_join_ibss(sdata, bssid, sdata->vif.bss_conf.beacon_int,
                                   ifibss->channel, ifibss->basic_rates,
-                                  capability, 0);
+                                  capability, 0, true);
 }
 
 /*
@@ -784,18 +807,8 @@ static void ieee80211_sta_find_ibss(struct ieee80211_sub_if_data *sdata)
                 int interval = IEEE80211_SCAN_INTERVAL;
 
                 if (time_after(jiffies, ifibss->ibss_join_req +
-                               IEEE80211_IBSS_JOIN_TIMEOUT)) {
-                        if (!(local->oper_channel->flags & IEEE80211_CHAN_NO_IBSS)) {
-                                ieee80211_sta_create_ibss(sdata);
-                                return;
-                        }
-                        sdata_info(sdata, "IBSS not allowed on %d MHz\n",
-                                   local->oper_channel->center_freq);
-
-                        /* No IBSS found - decrease scan interval and continue
-                         * scanning. */
-                        interval = IEEE80211_SCAN_INTERVAL_SLOW;
-                }
+                               IEEE80211_IBSS_JOIN_TIMEOUT))
+                        ieee80211_sta_create_ibss(sdata);
 
                 mod_timer(&ifibss->timer,
                           round_jiffies(jiffies + interval));
@@ -1086,17 +1099,6 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
         sdata->u.ibss.channel_type = params->channel_type;
         sdata->u.ibss.fixed_channel = params->channel_fixed;
 
-        /* fix ourselves to that channel now already */
-        if (params->channel_fixed) {
-                sdata->local->oper_channel = params->channel;
-                if (!ieee80211_set_channel_type(sdata->local, sdata,
-                                               params->channel_type)) {
-                        mutex_unlock(&sdata->u.ibss.mtx);
-                        kfree_skb(skb);
-                        return -EINVAL;
-                }
-        }
-
         if (params->ie) {
                 sdata->u.ibss.ie = kmemdup(params->ie, params->ie_len,
                                            GFP_KERNEL);
@@ -1108,7 +1110,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
         sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
         sdata->u.ibss.ibss_join_req = jiffies;
 
-        memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
+        memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
         sdata->u.ibss.ssid_len = params->ssid_len;
 
         mutex_unlock(&sdata->u.ibss.mtx);
@@ -1134,6 +1136,9 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
         changed |= BSS_CHANGED_HT;
         ieee80211_bss_info_change_notify(sdata, changed);
 
+        sdata->smps_mode = IEEE80211_SMPS_OFF;
+        sdata->needed_rx_chains = sdata->local->rx_chains;
+
         ieee80211_queue_work(&sdata->local->hw, &sdata->work);
 
         return 0;
@@ -1151,10 +1156,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
 
         mutex_lock(&sdata->u.ibss.mtx);
 
-        sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
-        memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
-        sdata->u.ibss.ssid_len = 0;
-
         active_ibss = ieee80211_sta_active_ibss(sdata);
 
         if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
@@ -1175,6 +1176,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
                 }
         }
 
+        ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
+        memset(ifibss->bssid, 0, ETH_ALEN);
+        ifibss->ssid_len = 0;
+
         sta_info_flush(sdata->local, sdata);
 
         spin_lock_bh(&ifibss->incomplete_lock);
@@ -1197,6 +1202,7 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
                                         lockdep_is_held(&sdata->u.ibss.mtx));
         RCU_INIT_POINTER(sdata->u.ibss.presp, NULL);
         sdata->vif.bss_conf.ibss_joined = false;
+        sdata->vif.bss_conf.ibss_creator = false;
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED |
                                                 BSS_CHANGED_IBSS);
         synchronize_rcu();
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8c804550465b..74748896d77b 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -56,6 +56,9 @@ struct ieee80211_local;
 #define TU_TO_JIFFIES(x)        (usecs_to_jiffies((x) * 1024))
 #define TU_TO_EXP_TIME(x)       (jiffies + TU_TO_JIFFIES(x))
 
+/* power level hasn't been configured (or set to automatic) */
+#define IEEE80211_UNSET_POWER_LEVEL     INT_MIN
+
 /*
  * Some APs experience problems when working with U-APSD. Decrease the
  * probability of that happening by using legacy mode for all ACs but VO.
@@ -280,23 +283,27 @@ struct probe_resp {
         u8 data[0];
 };
 
-struct ieee80211_if_ap {
-        struct beacon_data __rcu *beacon;
-        struct probe_resp __rcu *probe_resp;
-
-        struct list_head vlans;
-
+struct ps_data {
         /* yes, this looks ugly, but guarantees that we can later use
          * bitmap_empty :)
          * NB: don't touch this bitmap, use sta_info_{set,clear}_tim_bit */
         u8 tim[sizeof(unsigned long) * BITS_TO_LONGS(IEEE80211_MAX_AID + 1)];
-        struct sk_buff_head ps_bc_buf;
+        struct sk_buff_head bc_buf;
         atomic_t num_sta_ps; /* number of stations in PS mode */
-        atomic_t num_mcast_sta; /* number of stations receiving multicast */
         int dtim_count;
         bool dtim_bc_mc;
 };
 
+struct ieee80211_if_ap {
+        struct beacon_data __rcu *beacon;
+        struct probe_resp __rcu *probe_resp;
+
+        struct list_head vlans;
+
+        struct ps_data ps;
+        atomic_t num_mcast_sta; /* number of stations receiving multicast */
+};
+
 struct ieee80211_if_wds {
         struct sta_info *sta;
         u8 remote_addr[ETH_ALEN];
@@ -316,7 +323,6 @@ struct mesh_stats {
         __u32 dropped_frames_ttl;       /* Not transmitted since mesh_ttl == 0*/
         __u32 dropped_frames_no_route;  /* Not transmitted, no route found */
         __u32 dropped_frames_congestion;/* Not forwarded due to congestion */
-        atomic_t estab_plinks;
 };
 
 #define PREQ_Q_F_START          0x1
@@ -350,7 +356,7 @@ struct ieee80211_roc_work {
 
         u32 duration, req_duration;
         struct sk_buff *frame;
-        u64 mgmt_tx_cookie;
+        u64 cookie, mgmt_tx_cookie;
 };
 
 /* flags used in struct ieee80211_if_managed.flags */
@@ -378,8 +384,9 @@ struct ieee80211_mgd_auth_data {
         u8 key_len, key_idx;
         bool done;
 
-        size_t ie_len;
-        u8 ie[];
+        u16 sae_trans, sae_status;
+        size_t data_len;
+        u8 data[];
 };
 
 struct ieee80211_mgd_assoc_data {
@@ -433,7 +440,6 @@ struct ieee80211_if_managed {
         bool powersave; /* powersave requested for this iface */
         bool broken_ap; /* AP is broken -- turn off powersave */
         enum ieee80211_smps_mode req_smps, /* requested smps mode */
-                                 ap_smps, /* smps mode AP thinks we're in */
                                  driver_smps_mode; /* smps mode request */
 
         struct work_struct request_smps_work;
@@ -467,6 +473,8 @@ struct ieee80211_if_managed {
 
         u8 use_4addr;
 
+        u8 p2p_noa_index;
+
         /* Signal strength from the last Beacon frame in the current BSS. */
         int last_beacon_signal;
 
@@ -599,6 +607,7 @@ struct ieee80211_if_mesh {
         int preq_queue_len;
         struct mesh_stats mshstats;
         struct mesh_config mshcfg;
+        atomic_t estab_plinks;
         u32 mesh_seqnum;
         bool accepting_plinks;
         int num_gates;
@@ -610,7 +619,7 @@ struct ieee80211_if_mesh {
                 IEEE80211_MESH_SEC_SECURED = 0x2,
         } security;
         /* Extensible Synchronization Framework */
-        struct ieee80211_mesh_sync_ops *sync_ops;
+        const struct ieee80211_mesh_sync_ops *sync_ops;
         s64 sync_offset_clockdrift_max;
         spinlock_t sync_offset_lock;
         bool adjusting_tbtt;
@@ -658,6 +667,30 @@ enum ieee80211_sdata_state_bits {
         SDATA_STATE_OFFCHANNEL,
 };
 
+/**
+ * enum ieee80211_chanctx_mode - channel context configuration mode
+ *
+ * @IEEE80211_CHANCTX_SHARED: channel context may be used by
+ *      multiple interfaces
+ * @IEEE80211_CHANCTX_EXCLUSIVE: channel context can be used
+ *      only by a single interface. This can be used for example for
+ *      non-fixed channel IBSS.
+ */
+enum ieee80211_chanctx_mode {
+        IEEE80211_CHANCTX_SHARED,
+        IEEE80211_CHANCTX_EXCLUSIVE
+};
+
+struct ieee80211_chanctx {
+        struct list_head list;
+        struct rcu_head rcu_head;
+
+        enum ieee80211_chanctx_mode mode;
+        int refcount;
+
+        struct ieee80211_chanctx_conf conf;
+};
+
 struct ieee80211_sub_if_data {
         struct list_head list;
 
@@ -704,11 +737,20 @@ struct ieee80211_sub_if_data {
 
         struct ieee80211_tx_queue_params tx_conf[IEEE80211_NUM_ACS];
 
+        /* used to reconfigure hardware SM PS */
+        struct work_struct recalc_smps;
+
         struct work_struct work;
         struct sk_buff_head skb_queue;
 
         bool arp_filter_state;
 
+        u8 needed_rx_chains;
+        enum ieee80211_smps_mode smps_mode;
+
+        int user_power_level; /* in dBm */
+        int ap_power_level; /* in dBm */
+
         /*
          * AP this belongs to: self in AP mode and
          * corresponding AP in VLAN mode, NULL for
@@ -749,6 +791,21 @@ struct ieee80211_sub_if_data *vif_to_sdata(struct ieee80211_vif *p)
         return container_of(p, struct ieee80211_sub_if_data, vif);
 }
 
+static inline enum ieee80211_band
+ieee80211_get_sdata_band(struct ieee80211_sub_if_data *sdata)
+{
+        enum ieee80211_band band = IEEE80211_BAND_2GHZ;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (!WARN_ON(!chanctx_conf))
+                band = chanctx_conf->channel->band;
+        rcu_read_unlock();
+
+        return band;
+}
+
 enum sdata_queue_type {
         IEEE80211_SDATA_QUEUE_TYPE_FRAME        = 0,
         IEEE80211_SDATA_QUEUE_AGG_START         = 1,
@@ -821,6 +878,7 @@ enum {
  * @SCAN_SUSPEND: Suspend the scan and go back to operating channel to
  *      send out data
  * @SCAN_RESUME: Resume the scan and scan the next channel
+ * @SCAN_ABORT: Abort the scan and go back to operating channel
  */
 enum mac80211_scan_state {
         SCAN_DECISION,
@@ -828,6 +886,7 @@ enum mac80211_scan_state {
         SCAN_SEND_PROBE,
         SCAN_SUSPEND,
         SCAN_RESUME,
+        SCAN_ABORT,
 };
 
 struct ieee80211_local {
@@ -858,15 +917,14 @@ struct ieee80211_local {
 
         bool wiphy_ciphers_allocated;
 
+        bool use_chanctx;
+
         /* protects the aggregated multicast list and filter calls */
         spinlock_t filter_lock;
 
         /* used for uploading changed mc list */
         struct work_struct reconfig_filter;
 
-        /* used to reconfigure hardware SM PS */
-        struct work_struct recalc_smps;
-
         /* aggregated multicast list */
         struct netdev_hw_addr_list mc_list;
 
@@ -903,6 +961,9 @@ struct ieee80211_local {
         /* wowlan is enabled -- don't reconfig on resume */
         bool wowlan;
 
+        /* number of RX chains the hardware has */
+        u8 rx_chains;
+
         int tx_headroom; /* required headroom for hardware/radiotap */
 
         /* Tasklet and skb queue to process calls from IRQ mode. All frames
@@ -980,13 +1041,19 @@ struct ieee80211_local {
         enum mac80211_scan_state next_scan_state;
         struct delayed_work scan_work;
         struct ieee80211_sub_if_data __rcu *scan_sdata;
+        struct ieee80211_channel *csa_channel;
+        /* For backward compatibility only -- do not use */
+        struct ieee80211_channel *_oper_channel;
         enum nl80211_channel_type _oper_channel_type;
-        struct ieee80211_channel *oper_channel, *csa_channel;
 
         /* Temporary remain-on-channel for off-channel operations */
         struct ieee80211_channel *tmp_channel;
         enum nl80211_channel_type tmp_channel_type;
 
+        /* channel contexts */
+        struct list_head chanctx_list;
+        struct mutex chanctx_mtx;
+
         /* SNMP counters */
         /* dot11CountersTable */
         u32 dot11TransmittedFragmentCount;
@@ -1058,8 +1125,7 @@ struct ieee80211_local {
         int dynamic_ps_user_timeout;
         bool disable_dynamic_ps;
 
-        int user_power_level; /* in dBm */
-        int ap_power_level; /* in dBm */
+        int user_power_level; /* in dBm, for all interfaces */
 
         enum ieee80211_smps_mode smps_mode;
 
@@ -1078,6 +1144,7 @@ struct ieee80211_local {
         struct list_head roc_list;
         struct work_struct hw_roc_start, hw_roc_done;
         unsigned long hw_roc_start_time;
+        u64 roc_cookie_counter;
 
         struct idr ack_status_frames;
         spinlock_t ack_status_lock;
@@ -1091,6 +1158,8 @@ struct ieee80211_local {
 
         /* virtual monitor interface */
         struct ieee80211_sub_if_data __rcu *monitor_sdata;
+        struct ieee80211_channel *monitor_channel;
+        enum nl80211_channel_type monitor_channel_type;
 };
 
 static inline struct ieee80211_sub_if_data *
@@ -1133,6 +1202,8 @@ struct ieee802_11_elems {
         u8 *wmm_param;
         struct ieee80211_ht_cap *ht_cap_elem;
         struct ieee80211_ht_operation *ht_operation;
+        struct ieee80211_vht_cap *vht_cap_elem;
+        struct ieee80211_vht_operation *vht_operation;
         struct ieee80211_meshconf_ie *mesh_config;
         u8 *mesh_id;
         u8 *peering;
@@ -1302,6 +1373,9 @@ void ieee80211_adjust_monitor_flags(struct ieee80211_sub_if_data *sdata,
 int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up);
 void ieee80211_sdata_stop(struct ieee80211_sub_if_data *sdata);
 
+bool __ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata);
+void ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata);
+
 static inline bool ieee80211_sdata_running(struct ieee80211_sub_if_data *sdata)
 {
         return test_bit(SDATA_STATE_RUNNING, &sdata->state);
@@ -1314,6 +1388,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                                          struct net_device *dev);
 netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                        struct net_device *dev);
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+                              struct sk_buff_head *skbs);
 
 /* HT */
 void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
@@ -1359,6 +1435,13 @@ void ieee80211_ba_session_work(struct work_struct *work);
 void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid);
 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid);
 
+u8 ieee80211_mcs_to_chains(const struct ieee80211_mcs_info *mcs);
+
+/* VHT */
+void ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
+                                         struct ieee80211_supported_band *sband,
+                                         struct ieee80211_vht_cap *vht_cap_ie,
+                                         struct ieee80211_sta_vht_cap *vht_cap);
 /* Spectrum management */
 void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
                                        struct ieee80211_mgmt *mgmt,
@@ -1393,11 +1476,42 @@ void mac80211_ev_michael_mic_failure(struct ieee80211_sub_if_data *sdata, int ke
                                      gfp_t gfp);
 void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
                                bool bss_notify);
-void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb);
+void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb,
+                    enum ieee80211_band band);
+
+void __ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
+                                 struct sk_buff *skb, int tid,
+                                 enum ieee80211_band band);
+
+static inline void
+ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
+                          struct sk_buff *skb, int tid,
+                          enum ieee80211_band band)
+{
+        rcu_read_lock();
+        __ieee80211_tx_skb_tid_band(sdata, skb, tid, band);
+        rcu_read_unlock();
+}
 
-void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
-                          struct sk_buff *skb, int tid);
-static void inline ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
+static inline void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
+                                        struct sk_buff *skb, int tid)
+{
+        struct ieee80211_chanctx_conf *chanctx_conf;
+
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                kfree_skb(skb);
+                return;
+        }
+
+        __ieee80211_tx_skb_tid_band(sdata, skb, tid,
+                                    chanctx_conf->channel->band);
+        rcu_read_unlock();
+}
+
+static inline void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata,
                                     struct sk_buff *skb)
 {
         /* Send all internal mgmt frames on VO. Accordingly set TID to 7. */
@@ -1444,7 +1558,7 @@ static inline void ieee80211_add_pending_skbs(struct ieee80211_local *local,
 }
 
 void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
-                         u16 transaction, u16 auth_alg,
+                         u16 transaction, u16 auth_alg, u16 status,
                          u8 *extra, size_t extra_len, const u8 *bssid,
                          const u8 *da, const u8 *key, u8 key_len, u8 key_idx);
 void ieee80211_send_deauth_disassoc(struct ieee80211_sub_if_data *sdata,
@@ -1464,7 +1578,7 @@ void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
                               const u8 *ssid, size_t ssid_len,
                               const u8 *ie, size_t ie_len,
                               u32 ratemask, bool directed, bool no_cck,
-                              struct ieee80211_channel *channel);
+                              struct ieee80211_channel *channel, bool scan);
 
 void ieee80211_sta_def_wmm_params(struct ieee80211_sub_if_data *sdata,
                                   const size_t supp_rates_len,
@@ -1474,7 +1588,7 @@ u32 ieee80211_sta_get_rates(struct ieee80211_local *local,
                             enum ieee80211_band band, u32 *basic_rates);
 int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
                              enum ieee80211_smps_mode smps_mode);
-void ieee80211_recalc_smps(struct ieee80211_local *local);
+void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata);
 
 size_t ieee80211_ie_split(const u8 *ies, size_t ielen,
                           const u8 *ids, int n_ids, size_t offset);
@@ -1495,21 +1609,19 @@ int ieee80211_add_ext_srates_ie(struct ieee80211_sub_if_data *sdata,
                                 enum ieee80211_band band);
 
 /* channel management */
-enum ieee80211_chan_mode {
-        CHAN_MODE_UNDEFINED,
-        CHAN_MODE_HOPPING,
-        CHAN_MODE_FIXED,
-};
-
-enum ieee80211_chan_mode
-ieee80211_get_channel_mode(struct ieee80211_local *local,
-                           struct ieee80211_sub_if_data *ignore);
-bool ieee80211_set_channel_type(struct ieee80211_local *local,
-                                struct ieee80211_sub_if_data *sdata,
-                                enum nl80211_channel_type chantype);
 enum nl80211_channel_type
 ieee80211_ht_oper_to_channel_type(struct ieee80211_ht_operation *ht_oper);
 
+int __must_check
+ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
+                          struct ieee80211_channel *channel,
+                          enum nl80211_channel_type channel_type,
+                          enum ieee80211_chanctx_mode mode);
+void ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata);
+
+void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
+                                   struct ieee80211_chanctx *chanctx);
+
 #ifdef CONFIG_MAC80211_NOINLINE
 #define debug_noinline noinline
 #else
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 6f8a73c64fb3..80ce90b29d9d 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -42,6 +42,41 @@
  * by either the RTNL, the iflist_mtx or RCU.
  */
 
+bool __ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        int power;
+
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (!chanctx_conf) {
+                rcu_read_unlock();
+                return false;
+        }
+
+        power = chanctx_conf->channel->max_power;
+        rcu_read_unlock();
+
+        if (sdata->user_power_level != IEEE80211_UNSET_POWER_LEVEL)
+                power = min(power, sdata->user_power_level);
+
+        if (sdata->ap_power_level != IEEE80211_UNSET_POWER_LEVEL)
+                power = min(power, sdata->ap_power_level);
+
+        if (power != sdata->vif.bss_conf.txpower) {
+                sdata->vif.bss_conf.txpower = power;
+                ieee80211_hw_config(sdata->local, 0);
+                return true;
+        }
+
+        return false;
+}
+
+void ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata)
+{
+        if (__ieee80211_recalc_txpower(sdata))
+                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_TXPOWER);
+}
 
 static u32 ieee80211_idle_off(struct ieee80211_local *local,
                               const char *reason)
@@ -380,6 +415,15 @@ static int ieee80211_add_virtual_monitor(struct ieee80211_local *local)
                 goto out_unlock;
         }
 
+        ret = ieee80211_vif_use_channel(sdata, local->monitor_channel,
+                                        local->monitor_channel_type,
+                                        IEEE80211_CHANCTX_EXCLUSIVE);
+        if (ret) {
+                drv_remove_interface(local, sdata);
+                kfree(sdata);
+                goto out_unlock;
+        }
+
         rcu_assign_pointer(local->monitor_sdata, sdata);
  out_unlock:
         mutex_unlock(&local->iflist_mtx);
@@ -403,6 +447,8 @@ static void ieee80211_del_virtual_monitor(struct ieee80211_local *local)
         rcu_assign_pointer(local->monitor_sdata, NULL);
         synchronize_net();
 
+        ieee80211_vif_release_channel(sdata);
+
         drv_remove_interface(local, sdata);
 
         kfree(sdata);
@@ -665,7 +711,6 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         struct sk_buff *skb, *tmp;
         u32 hw_reconf_flags = 0;
         int i;
-        enum nl80211_channel_type orig_ct;
 
         clear_bit(SDATA_STATE_RUNNING, &sdata->state);
 
@@ -729,34 +774,17 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         del_timer_sync(&local->dynamic_ps_timer);
         cancel_work_sync(&local->dynamic_ps_enable_work);
 
+        cancel_work_sync(&sdata->recalc_smps);
+
         /* APs need special treatment */
         if (sdata->vif.type == NL80211_IFTYPE_AP) {
                 struct ieee80211_sub_if_data *vlan, *tmpsdata;
-                struct beacon_data *old_beacon =
-                        rtnl_dereference(sdata->u.ap.beacon);
-                struct probe_resp *old_probe_resp =
-                        rtnl_dereference(sdata->u.ap.probe_resp);
-
-                /* sdata_running will return false, so this will disable */
-                ieee80211_bss_info_change_notify(sdata,
-                                                 BSS_CHANGED_BEACON_ENABLED);
-
-                /* remove beacon and probe response */
-                RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
-                RCU_INIT_POINTER(sdata->u.ap.probe_resp, NULL);
-                synchronize_rcu();
-                kfree(old_beacon);
-                kfree(old_probe_resp);
 
                 /* down all dependent devices, that is VLANs */
                 list_for_each_entry_safe(vlan, tmpsdata, &sdata->u.ap.vlans,
                                          u.vlan.list)
                         dev_close(vlan->dev);
                 WARN_ON(!list_empty(&sdata->u.ap.vlans));
-
-                /* free all potentially still buffered bcast frames */
-                local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps_bc_buf);
-                skb_queue_purge(&sdata->u.ap.ps_bc_buf);
         } else if (sdata->vif.type == NL80211_IFTYPE_STATION) {
                 ieee80211_mgd_stop(sdata);
         }
@@ -837,14 +865,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 hw_reconf_flags = 0;
         }
 
-        /* Re-calculate channel-type, in case there are multiple vifs
-         * on different channel types.
-         */
-        orig_ct = local->_oper_channel_type;
-        ieee80211_set_channel_type(local, NULL, NL80211_CHAN_NO_HT);
-
         /* do after stop to avoid reconfiguring when we stop anyway */
-        if (hw_reconf_flags || (orig_ct != local->_oper_channel_type))
+        if (hw_reconf_flags)
                 ieee80211_hw_config(local, hw_reconf_flags);
 
         spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
@@ -853,7 +875,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
                         if (info->control.vif == &sdata->vif) {
                                 __skb_unlink(skb, &local->pending[i]);
-                                dev_kfree_skb_irq(skb);
+                                ieee80211_free_txskb(&local->hw, skb);
                         }
                 }
         }
@@ -1121,6 +1143,13 @@ static void ieee80211_iface_work(struct work_struct *work)
         }
 }
 
+static void ieee80211_recalc_smps_work(struct work_struct *work)
+{
+        struct ieee80211_sub_if_data *sdata =
+                container_of(work, struct ieee80211_sub_if_data, recalc_smps);
+
+        ieee80211_recalc_smps(sdata);
+}
 
 /*
  * Helper function to initialise an interface to a specific type.
@@ -1149,6 +1178,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
 
         skb_queue_head_init(&sdata->skb_queue);
         INIT_WORK(&sdata->work, ieee80211_iface_work);
+        INIT_WORK(&sdata->recalc_smps, ieee80211_recalc_smps_work);
 
         switch (type) {
         case NL80211_IFTYPE_P2P_GO:
@@ -1157,7 +1187,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
                 sdata->vif.p2p = true;
                 /* fall through */
         case NL80211_IFTYPE_AP:
-                skb_queue_head_init(&sdata->u.ap.ps_bc_buf);
+                skb_queue_head_init(&sdata->u.ap.ps.bc_buf);
                 INIT_LIST_HEAD(&sdata->u.ap.vlans);
                 break;
         case NL80211_IFTYPE_P2P_CLIENT:
@@ -1282,11 +1312,6 @@ int ieee80211_if_change_type(struct ieee80211_sub_if_data *sdata,
         if (type == ieee80211_vif_type_p2p(&sdata->vif))
                 return 0;
 
-        /* Setting ad-hoc mode on non-IBSS channel is not supported. */
-        if (sdata->local->oper_channel->flags & IEEE80211_CHAN_NO_IBSS &&
-            type == NL80211_IFTYPE_ADHOC)
-                return -EOPNOTSUPP;
-
         if (ieee80211_sdata_running(sdata)) {
                 ret = ieee80211_runtime_change_iftype(sdata, type);
                 if (ret)
@@ -1298,9 +1323,6 @@ int ieee80211_if_change_type(struct ieee80211_sub_if_data *sdata,
         }
 
         /* reset some values that shouldn't be kept across type changes */
-        sdata->vif.bss_conf.basic_rates =
-                ieee80211_mandatory_rates(sdata->local,
-                        sdata->local->oper_channel->band);
         sdata->drop_unencrypted = 0;
         if (type == NL80211_IFTYPE_STATION)
                 sdata->u.mgd.use_4addr = false;
@@ -1523,6 +1545,9 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
 
         ieee80211_set_default_queues(sdata);
 
+        sdata->ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
+        sdata->user_power_level = local->user_power_level;
+
         /* setup type-dependent data */
         ieee80211_setup_sdata(sdata, type);
 
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index c80c4490351c..da2f41610125 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -93,15 +93,15 @@ static void ieee80211_reconfig_filter(struct work_struct *work)
         ieee80211_configure_filter(local);
 }
 
-int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
+static u32 ieee80211_hw_conf_chan(struct ieee80211_local *local)
 {
+        struct ieee80211_sub_if_data *sdata;
         struct ieee80211_channel *chan;
-        int ret = 0;
+        u32 changed = 0;
         int power;
         enum nl80211_channel_type channel_type;
         u32 offchannel_flag;
-
-        might_sleep();
+        bool scanning = false;
 
         offchannel_flag = local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
         if (local->scan_channel) {
@@ -109,7 +109,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                 /* If scanning on oper channel, use whatever channel-type
                  * is currently in use.
                  */
-                if (chan == local->oper_channel)
+                if (chan == local->_oper_channel)
                         channel_type = local->_oper_channel_type;
                 else
                         channel_type = NL80211_CHAN_NO_HT;
@@ -117,11 +117,11 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                 chan = local->tmp_channel;
                 channel_type = local->tmp_channel_type;
         } else {
-                chan = local->oper_channel;
+                chan = local->_oper_channel;
                 channel_type = local->_oper_channel_type;
         }
 
-        if (chan != local->oper_channel ||
+        if (chan != local->_oper_channel ||
             channel_type != local->_oper_channel_type)
                 local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
         else
@@ -148,22 +148,39 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                 changed |= IEEE80211_CONF_CHANGE_SMPS;
         }
 
-        if (test_bit(SCAN_SW_SCANNING, &local->scanning) ||
-            test_bit(SCAN_ONCHANNEL_SCANNING, &local->scanning) ||
-            test_bit(SCAN_HW_SCANNING, &local->scanning) ||
-            !local->ap_power_level)
-                power = chan->max_power;
-        else
-                power = min(chan->max_power, local->ap_power_level);
+        scanning = test_bit(SCAN_SW_SCANNING, &local->scanning) ||
+                   test_bit(SCAN_ONCHANNEL_SCANNING, &local->scanning) ||
+                   test_bit(SCAN_HW_SCANNING, &local->scanning);
+        power = chan->max_power;
 
-        if (local->user_power_level >= 0)
-                power = min(power, local->user_power_level);
+        rcu_read_lock();
+        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+                if (!rcu_access_pointer(sdata->vif.chanctx_conf))
+                        continue;
+                power = min(power, sdata->vif.bss_conf.txpower);
+        }
+        rcu_read_unlock();
 
         if (local->hw.conf.power_level != power) {
                 changed |= IEEE80211_CONF_CHANGE_POWER;
                 local->hw.conf.power_level = power;
         }
 
+        return changed;
+}
+
+int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
+{
+        int ret = 0;
+
+        might_sleep();
+
+        if (!local->use_chanctx)
+                changed |= ieee80211_hw_conf_chan(local);
+        else
+                changed &= ~(IEEE80211_CONF_CHANGE_CHANNEL |
+                             IEEE80211_CONF_CHANGE_POWER);
+
         if (changed && local->open_count) {
                 ret = drv_config(local, changed);
                 /*
@@ -359,14 +376,6 @@ void ieee80211_restart_hw(struct ieee80211_hw *hw)
 }
 EXPORT_SYMBOL(ieee80211_restart_hw);
 
-static void ieee80211_recalc_smps_work(struct work_struct *work)
-{
-        struct ieee80211_local *local =
-                container_of(work, struct ieee80211_local, recalc_smps);
-
-        ieee80211_recalc_smps(local);
-}
-
 #ifdef CONFIG_INET
 static int ieee80211_ifa_changed(struct notifier_block *nb,
                                  unsigned long data, void *arg)
@@ -540,6 +549,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         struct ieee80211_local *local;
         int priv_size, i;
         struct wiphy *wiphy;
+        bool use_chanctx;
 
         if (WARN_ON(!ops->tx || !ops->start || !ops->stop || !ops->config ||
                     !ops->add_interface || !ops->remove_interface ||
@@ -549,6 +559,14 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         if (WARN_ON(ops->sta_state && (ops->sta_add || ops->sta_remove)))
                 return NULL;
 
+        /* check all or no channel context operations exist */
+        i = !!ops->add_chanctx + !!ops->remove_chanctx +
+            !!ops->change_chanctx + !!ops->assign_vif_chanctx +
+            !!ops->unassign_vif_chanctx;
+        if (WARN_ON(i != 0 && i != 5))
+                return NULL;
+        use_chanctx = i == 5;
+
         /* Ensure 32-byte alignment of our private data and hw private data.
          * We use the wiphy priv data for both our ieee80211_local and for
          * the driver's private data
@@ -584,8 +602,15 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         if (ops->remain_on_channel)
                 wiphy->flags |= WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
 
-        wiphy->features = NL80211_FEATURE_SK_TX_STATUS |
-                          NL80211_FEATURE_HT_IBSS;
+        wiphy->features |= NL80211_FEATURE_SK_TX_STATUS |
+                           NL80211_FEATURE_SAE |
+                           NL80211_FEATURE_HT_IBSS |
+                           NL80211_FEATURE_VIF_TXPOWER;
+
+        if (!ops->hw_scan)
+                wiphy->features |= NL80211_FEATURE_LOW_PRIORITY_SCAN |
+                                   NL80211_FEATURE_AP_SCAN;
+
 
         if (!ops->set_key)
                 wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
@@ -599,6 +624,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         local->hw.priv = (char *)local + ALIGN(sizeof(*local), NETDEV_ALIGN);
 
         local->ops = ops;
+        local->use_chanctx = use_chanctx;
 
         /* set up some defaults */
         local->hw.queues = 1;
@@ -612,7 +638,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         local->hw.radiotap_mcs_details = IEEE80211_RADIOTAP_MCS_HAVE_MCS |
                                          IEEE80211_RADIOTAP_MCS_HAVE_GI |
                                          IEEE80211_RADIOTAP_MCS_HAVE_BW;
-        local->user_power_level = -1;
+        local->user_power_level = IEEE80211_UNSET_POWER_LEVEL;
         wiphy->ht_capa_mod_mask = &mac80211_ht_capa_mod_mask;
 
         INIT_LIST_HEAD(&local->interfaces);
@@ -626,6 +652,9 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         spin_lock_init(&local->filter_lock);
         spin_lock_init(&local->queue_stop_reason_lock);
 
+        INIT_LIST_HEAD(&local->chanctx_list);
+        mutex_init(&local->chanctx_mtx);
+
         /*
          * The rx_skb_queue is only accessed from tasklets,
          * but other SKB queues are used from within IRQ
@@ -641,7 +670,6 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
         INIT_WORK(&local->restart_work, ieee80211_restart_work);
 
         INIT_WORK(&local->reconfig_filter, ieee80211_reconfig_filter);
-        INIT_WORK(&local->recalc_smps, ieee80211_recalc_smps_work);
         local->smps_mode = IEEE80211_SMPS_OFF;
 
         INIT_WORK(&local->dynamic_ps_enable_work,
@@ -719,6 +747,25 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         if ((hw->flags & IEEE80211_HW_SCAN_WHILE_IDLE) && !local->ops->hw_scan)
                 return -EINVAL;
 
+        if (!local->use_chanctx) {
+                for (i = 0; i < local->hw.wiphy->n_iface_combinations; i++) {
+                        const struct ieee80211_iface_combination *comb;
+
+                        comb = &local->hw.wiphy->iface_combinations[i];
+
+                        if (comb->num_different_channels > 1)
+                                return -EINVAL;
+                }
+        } else {
+                /*
+                 * WDS is currently prohibited when channel contexts are used
+                 * because there's no clear definition of which channel WDS
+                 * type interfaces use
+                 */
+                if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_WDS))
+                        return -EINVAL;
+        }
+
         /* Only HW csum features are currently compatible with mac80211 */
         feature_whitelist = NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
                             NETIF_F_HW_CSUM;
@@ -728,6 +775,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         if (hw->max_report_rates == 0)
                 hw->max_report_rates = hw->max_rates;
 
+        local->rx_chains = 1;
+
         /*
          * generic code guarantees at least one band,
          * set this very early because much code assumes
@@ -743,18 +792,29 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                 sband = local->hw.wiphy->bands[band];
                 if (!sband)
                         continue;
-                if (!local->oper_channel) {
+                if (!local->use_chanctx && !local->_oper_channel) {
                         /* init channel we're on */
                         local->hw.conf.channel =
-                        local->oper_channel = &sband->channels[0];
+                        local->_oper_channel = &sband->channels[0];
                         local->hw.conf.channel_type = NL80211_CHAN_NO_HT;
                 }
+                if (!local->monitor_channel) {
+                        local->monitor_channel = &sband->channels[0];
+                        local->monitor_channel_type = NL80211_CHAN_NO_HT;
+                }
                 channels += sband->n_channels;
 
                 if (max_bitrates < sband->n_bitrates)
                         max_bitrates = sband->n_bitrates;
                 supp_ht = supp_ht || sband->ht_cap.ht_supported;
                 supp_vht = supp_vht || sband->vht_cap.vht_supported;
+
+                if (sband->ht_cap.ht_supported)
+                        local->rx_chains =
+                                max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs),
+                                    local->rx_chains);
+
+                /* TODO: consider VHT for RX chains, hopefully it's the same */
         }
 
         local->int_scan_req = kzalloc(sizeof(*local->int_scan_req) +
@@ -778,19 +838,13 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
         hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR);
 
-        /*
-         * mac80211 doesn't support more than 1 channel, and also not more
-         * than one IBSS interface
-         */
+        /* mac80211 doesn't support more than one IBSS interface right now */
         for (i = 0; i < hw->wiphy->n_iface_combinations; i++) {
                 const struct ieee80211_iface_combination *c;
                 int j;
 
                 c = &hw->wiphy->iface_combinations[i];
 
-                if (c->num_different_channels > 1)
-                        return -EINVAL;
-
                 for (j = 0; j < c->n_limits; j++)
                         if ((c->limits[j].types & BIT(NL80211_IFTYPE_ADHOC)) &&
                             c->limits[j].max > 1)
@@ -832,7 +886,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 
         if (supp_vht)
                 local->scan_ies_len +=
-                        2 + sizeof(struct ieee80211_vht_capabilities);
+                        2 + sizeof(struct ieee80211_vht_cap);
 
         if (!local->ops->hw_scan) {
                 /* For hw_scan, driver needs to set these up. */
@@ -871,8 +925,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                                 local->hw.wiphy->cipher_suites,
                                 sizeof(u32) * local->hw.wiphy->n_cipher_suites,
                                 GFP_KERNEL);
-                        if (!suites)
-                                return -ENOMEM;
+                        if (!suites) {
+                                result = -ENOMEM;
+                                goto fail_wiphy_register;
+                        }
                         for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {
                                 u32 suite = local->hw.wiphy->cipher_suites[r];
                                 if (suite == WLAN_CIPHER_SUITE_WEP40 ||
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index ff0296c7bab8..a350cab4b339 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -97,7 +97,7 @@ bool mesh_matches_local(struct ieee80211_sub_if_data *sdata,
              (ifmsh->mesh_auth_id == ie->mesh_config->meshconf_auth)))
                 goto mismatch;
 
-        ieee80211_sta_get_rates(local, ie, local->oper_channel->band,
+        ieee80211_sta_get_rates(local, ie, ieee80211_get_sdata_band(sdata),
                                 &basic_rates);
 
         if (sdata->vif.bss_conf.basic_rates != basic_rates)
@@ -264,7 +264,7 @@ mesh_add_meshconf_ie(struct sk_buff *skb, struct ieee80211_sub_if_data *sdata)
         /* Authentication Protocol identifier */
         *pos++ = ifmsh->mesh_auth_id;
         /* Mesh Formation Info - number of neighbors */
-        neighbors = atomic_read(&ifmsh->mshstats.estab_plinks);
+        neighbors = atomic_read(&ifmsh->estab_plinks);
         /* Number of neighbor mesh STAs or 15 whichever is smaller */
         neighbors = (neighbors > 15) ? 15 : neighbors;
         *pos++ = neighbors << 1;
@@ -355,12 +355,22 @@ int mesh_add_ds_params_ie(struct sk_buff *skb,
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_supported_band *sband;
-        struct ieee80211_channel *chan = local->oper_channel;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan;
         u8 *pos;
 
         if (skb_tailroom(skb) < 3)
                 return -ENOMEM;
 
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return -EINVAL;
+        }
+        chan = chanctx_conf->channel;
+        rcu_read_unlock();
+
         sband = local->hw.wiphy->bands[chan->band];
         if (sband->band == IEEE80211_BAND_2GHZ) {
                 pos = skb_put(skb, 2 + 1);
@@ -376,10 +386,11 @@ int mesh_add_ht_cap_ie(struct sk_buff *skb,
                        struct ieee80211_sub_if_data *sdata)
 {
         struct ieee80211_local *local = sdata->local;
+        enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
         struct ieee80211_supported_band *sband;
         u8 *pos;
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        sband = local->hw.wiphy->bands[band];
         if (!sband->ht_cap.ht_supported ||
             sdata->vif.bss_conf.channel_type == NL80211_CHAN_NO_HT)
                 return 0;
@@ -397,14 +408,26 @@ int mesh_add_ht_oper_ie(struct sk_buff *skb,
                         struct ieee80211_sub_if_data *sdata)
 {
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_channel *channel = local->oper_channel;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *channel;
         enum nl80211_channel_type channel_type =
-                                sdata->vif.bss_conf.channel_type;
-        struct ieee80211_supported_band *sband =
-                                local->hw.wiphy->bands[channel->band];
-        struct ieee80211_sta_ht_cap *ht_cap = &sband->ht_cap;
+                sdata->vif.bss_conf.channel_type;
+        struct ieee80211_supported_band *sband;
+        struct ieee80211_sta_ht_cap *ht_cap;
         u8 *pos;
 
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return -EINVAL;
+        }
+        channel = chanctx_conf->channel;
+        rcu_read_unlock();
+
+        sband = local->hw.wiphy->bands[channel->band];
+        ht_cap = &sband->ht_cap;
+
         if (!ht_cap->ht_supported || channel_type == NL80211_CHAN_NO_HT)
                 return 0;
 
@@ -610,7 +633,7 @@ void ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata)
         sdata->vif.bss_conf.beacon_int = MESH_DEFAULT_BEACON_INTERVAL;
         sdata->vif.bss_conf.basic_rates =
                 ieee80211_mandatory_rates(sdata->local,
-                                          sdata->local->oper_channel->band);
+                                          ieee80211_get_sdata_band(sdata));
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON |
                                                 BSS_CHANGED_BEACON_ENABLED |
                                                 BSS_CHANGED_HT |
@@ -680,8 +703,10 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
         ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
                                &elems);
 
-        /* ignore beacons from secure mesh peers if our security is off */
-        if (elems.rsn_len && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE)
+        /* ignore non-mesh or secure / unsecure mismatch */
+        if ((!elems.mesh_id || !elems.mesh_config) ||
+            (elems.rsn && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) ||
+            (!elems.rsn && sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE))
                 return;
 
         if (elems.ds_params && elems.ds_params_len == 1)
@@ -694,8 +719,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
         if (!channel || channel->flags & IEEE80211_CHAN_DISABLED)
                 return;
 
-        if (elems.mesh_id && elems.mesh_config &&
-            mesh_matches_local(sdata, &elems))
+        if (mesh_matches_local(sdata, &elems))
                 mesh_neighbour_update(sdata, mgmt->sa, &elems);
 
         if (ifmsh->sync_ops)
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index 25d0f17dec71..9285f3f67e66 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -256,7 +256,7 @@ void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata);
 void ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata);
 void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata);
 void ieee80211_mesh_root_setup(struct ieee80211_if_mesh *ifmsh);
-struct ieee80211_mesh_sync_ops *ieee80211_mesh_sync_ops_get(u8 method);
+const struct ieee80211_mesh_sync_ops *ieee80211_mesh_sync_ops_get(u8 method);
 
 /* Mesh paths */
 int mesh_nexthop_lookup(struct sk_buff *skb,
@@ -324,7 +324,7 @@ extern int mesh_allocated;
 static inline int mesh_plink_free_count(struct ieee80211_sub_if_data *sdata)
 {
         return sdata->u.mesh.mshcfg.dot11MeshMaxPeerLinks -
-               atomic_read(&sdata->u.mesh.mshstats.estab_plinks);
+               atomic_read(&sdata->u.mesh.estab_plinks);
 }
 
 static inline bool mesh_plink_availables(struct ieee80211_sub_if_data *sdata)
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 3ab34d816897..234fe755968b 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -50,14 +50,14 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
 static inline
 u32 mesh_plink_inc_estab_count(struct ieee80211_sub_if_data *sdata)
 {
-        atomic_inc(&sdata->u.mesh.mshstats.estab_plinks);
+        atomic_inc(&sdata->u.mesh.estab_plinks);
         return mesh_accept_plinks_update(sdata);
 }
 
 static inline
 u32 mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata)
 {
-        atomic_dec(&sdata->u.mesh.mshstats.estab_plinks);
+        atomic_dec(&sdata->u.mesh.estab_plinks);
         return mesh_accept_plinks_update(sdata);
 }
 
@@ -252,6 +252,8 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
         mgmt->u.action.u.self_prot.action_code = action;
 
         if (action != WLAN_SP_MESH_PEERING_CLOSE) {
+                enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
+
                 /* capability info */
                 pos = skb_put(skb, 2);
                 memset(pos, 0, 2);
@@ -260,10 +262,8 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
                         pos = skb_put(skb, 2);
                         memcpy(pos + 2, &plid, 2);
                 }
-                if (ieee80211_add_srates_ie(sdata, skb, true,
-                                            local->oper_channel->band) ||
-                    ieee80211_add_ext_srates_ie(sdata, skb, true,
-                                                local->oper_channel->band) ||
+                if (ieee80211_add_srates_ie(sdata, skb, true, band) ||
+                    ieee80211_add_ext_srates_ie(sdata, skb, true, band) ||
                     mesh_add_rsn_ie(skb, sdata) ||
                     mesh_add_meshid_ie(skb, sdata) ||
                     mesh_add_meshconf_ie(skb, sdata))
@@ -343,7 +343,7 @@ static struct sta_info *mesh_peer_init(struct ieee80211_sub_if_data *sdata,
                                        struct ieee802_11_elems *elems)
 {
         struct ieee80211_local *local = sdata->local;
-        enum ieee80211_band band = local->oper_channel->band;
+        enum ieee80211_band band = ieee80211_get_sdata_band(sdata);
         struct ieee80211_supported_band *sband;
         u32 rates, basic_rates = 0;
         struct sta_info *sta;
diff --git a/net/mac80211/mesh_sync.c b/net/mac80211/mesh_sync.c
index a16b7b4b1e02..407c8705e10d 100644
--- a/net/mac80211/mesh_sync.c
+++ b/net/mac80211/mesh_sync.c
@@ -234,49 +234,7 @@ static void mesh_sync_offset_adjust_tbtt(struct ieee80211_sub_if_data *sdata)
         spin_unlock_bh(&ifmsh->sync_offset_lock);
 }
 
-static const u8 *mesh_get_vendor_oui(struct ieee80211_sub_if_data *sdata)
-{
-        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
-        u8 offset;
-
-        if (!ifmsh->ie || !ifmsh->ie_len)
-                return NULL;
-
-        offset = ieee80211_ie_split_vendor(ifmsh->ie,
-                                        ifmsh->ie_len, 0);
-
-        if (!offset)
-                return NULL;
-
-        return ifmsh->ie + offset + 2;
-}
-
-static void mesh_sync_vendor_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
-                                   u16 stype,
-                                   struct ieee80211_mgmt *mgmt,
-                                   struct ieee802_11_elems *elems,
-                                   struct ieee80211_rx_status *rx_status)
-{
-        const u8 *oui;
-
-        WARN_ON(sdata->u.mesh.mesh_sp_id != IEEE80211_SYNC_METHOD_VENDOR);
-        msync_dbg(sdata, "called mesh_sync_vendor_rx_bcn_presp\n");
-        oui = mesh_get_vendor_oui(sdata);
-        /*  here you would implement the vendor offset tracking for this oui */
-}
-
-static void mesh_sync_vendor_adjust_tbtt(struct ieee80211_sub_if_data *sdata)
-{
-        const u8 *oui;
-
-        WARN_ON(sdata->u.mesh.mesh_sp_id != IEEE80211_SYNC_METHOD_VENDOR);
-        msync_dbg(sdata, "called mesh_sync_vendor_adjust_tbtt\n");
-        oui = mesh_get_vendor_oui(sdata);
-        /*  here you would implement the vendor tsf adjustment for this oui */
-}
-
-/* global variable */
-static struct sync_method sync_methods[] = {
+static const struct sync_method sync_methods[] = {
         {
                 .method = IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET,
                 .ops = {
@@ -284,18 +242,11 @@ static struct sync_method sync_methods[] = {
                         .adjust_tbtt = &mesh_sync_offset_adjust_tbtt,
                 }
         },
-        {
-                .method = IEEE80211_SYNC_METHOD_VENDOR,
-                .ops = {
-                        .rx_bcn_presp = &mesh_sync_vendor_rx_bcn_presp,
-                        .adjust_tbtt = &mesh_sync_vendor_adjust_tbtt,
-                }
-        },
 };
 
-struct ieee80211_mesh_sync_ops *ieee80211_mesh_sync_ops_get(u8 method)
+const struct ieee80211_mesh_sync_ops *ieee80211_mesh_sync_ops_get(u8 method)
 {
-        struct ieee80211_mesh_sync_ops *ops = NULL;
+        const struct ieee80211_mesh_sync_ops *ops = NULL;
         u8 i;
 
         for (i = 0 ; i < ARRAY_SIZE(sync_methods); ++i) {
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index e714ed8bb198..61614461e089 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -178,20 +178,30 @@ static u32 ieee80211_config_ht_tx(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_supported_band *sband;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan;
         struct sta_info *sta;
         u32 changed = 0;
         u16 ht_opmode;
         bool disable_40 = false;
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return 0;
+        }
+        chan = chanctx_conf->channel;
+        rcu_read_unlock();
+        sband = local->hw.wiphy->bands[chan->band];
 
         switch (sdata->vif.bss_conf.channel_type) {
         case NL80211_CHAN_HT40PLUS:
-                if (local->oper_channel->flags & IEEE80211_CHAN_NO_HT40PLUS)
+                if (chan->flags & IEEE80211_CHAN_NO_HT40PLUS)
                         disable_40 = true;
                 break;
         case NL80211_CHAN_HT40MINUS:
-                if (local->oper_channel->flags & IEEE80211_CHAN_NO_HT40MINUS)
+                if (chan->flags & IEEE80211_CHAN_NO_HT40MINUS)
                         disable_40 = true;
                 break;
         default:
@@ -343,7 +353,7 @@ static void ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
         cap = vht_cap.cap;
 
         /* reserve and fill IE */
-        pos = skb_put(skb, sizeof(struct ieee80211_vht_capabilities) + 2);
+        pos = skb_put(skb, sizeof(struct ieee80211_vht_cap) + 2);
         ieee80211_ie_build_vht_cap(pos, &vht_cap, cap);
 }
 
@@ -359,11 +369,21 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
         int i, count, rates_len, supp_rates_len;
         u16 capab;
         struct ieee80211_supported_band *sband;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan;
         u32 rates = 0;
 
         lockdep_assert_held(&ifmgd->mtx);
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return;
+        }
+        chan = chanctx_conf->channel;
+        rcu_read_unlock();
+        sband = local->hw.wiphy->bands[chan->band];
 
         if (assoc_data->supp_rates_len) {
                 /*
@@ -392,7 +412,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
                         4 + /* power capability */
                         2 + 2 * sband->n_channels + /* supported channels */
                         2 + sizeof(struct ieee80211_ht_cap) + /* HT */
-                        2 + sizeof(struct ieee80211_vht_capabilities) + /* VHT */
+                        2 + sizeof(struct ieee80211_vht_cap) + /* VHT */
                         assoc_data->ie_len + /* extra IEs */
                         9, /* WMM */
                         GFP_KERNEL);
@@ -485,7 +505,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
                 *pos++ = WLAN_EID_PWR_CAPABILITY;
                 *pos++ = 2;
                 *pos++ = 0; /* min tx power */
-                *pos++ = local->oper_channel->max_power; /* max tx power */
+                *pos++ = chan->max_power; /* max tx power */
 
                 /* 2. supported channels */
                 /* TODO: get this in reg domain format */
@@ -523,7 +543,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
 
         if (!(ifmgd->flags & IEEE80211_STA_DISABLE_11N))
                 ieee80211_add_ht_ie(sdata, skb, assoc_data->ap_ht_param,
-                                    sband, local->oper_channel, ifmgd->ap_smps);
+                                    sband, chan, sdata->smps_mode);
 
         if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
                 ieee80211_add_vht_ie(sdata, skb, sband);
@@ -657,18 +677,18 @@ static void ieee80211_chswitch_work(struct work_struct *work)
         if (!ifmgd->associated)
                 goto out;
 
-        sdata->local->oper_channel = sdata->local->csa_channel;
+        sdata->local->_oper_channel = sdata->local->csa_channel;
         if (!sdata->local->ops->channel_switch) {
                 /* call "hw_config" only if doing sw channel switch */
                 ieee80211_hw_config(sdata->local,
                         IEEE80211_CONF_CHANGE_CHANNEL);
         } else {
                 /* update the device channel directly */
-                sdata->local->hw.conf.channel = sdata->local->oper_channel;
+                sdata->local->hw.conf.channel = sdata->local->_oper_channel;
         }
 
         /* XXX: shouldn't really modify cfg80211-owned data! */
-        ifmgd->associated->channel = sdata->local->oper_channel;
+        ifmgd->associated->channel = sdata->local->_oper_channel;
 
         /* XXX: wait for a beacon first? */
         ieee80211_wake_queues_by_reason(&sdata->local->hw,
@@ -680,11 +700,8 @@ static void ieee80211_chswitch_work(struct work_struct *work)
 
 void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)
 {
-        struct ieee80211_sub_if_data *sdata;
-        struct ieee80211_if_managed *ifmgd;
-
-        sdata = vif_to_sdata(vif);
-        ifmgd = &sdata->u.mgd;
+        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 
         trace_api_chswitch_done(sdata, success);
         if (!success) {
@@ -723,6 +740,7 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         int new_freq = ieee80211_channel_to_frequency(sw_elem->new_ch_num,
                                                       cbss->channel->band);
+        struct ieee80211_chanctx *chanctx;
 
         ASSERT_MGD_MTX(ifmgd);
 
@@ -748,10 +766,34 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                 return;
         }
 
-        sdata->local->csa_channel = new_ch;
-
         ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
 
+        if (sdata->local->use_chanctx) {
+                sdata_info(sdata,
+                           "not handling channel switch with channel contexts\n");
+                ieee80211_queue_work(&sdata->local->hw,
+                                     &ifmgd->csa_connection_drop_work);
+        }
+
+        mutex_lock(&sdata->local->chanctx_mtx);
+        if (WARN_ON(!rcu_access_pointer(sdata->vif.chanctx_conf))) {
+                mutex_unlock(&sdata->local->chanctx_mtx);
+                return;
+        }
+        chanctx = container_of(rcu_access_pointer(sdata->vif.chanctx_conf),
+                               struct ieee80211_chanctx, conf);
+        if (chanctx->refcount > 1) {
+                sdata_info(sdata,
+                           "channel switch with multiple interfaces on the same channel, disconnecting\n");
+                ieee80211_queue_work(&sdata->local->hw,
+                                     &ifmgd->csa_connection_drop_work);
+                mutex_unlock(&sdata->local->chanctx_mtx);
+                return;
+        }
+        mutex_unlock(&sdata->local->chanctx_mtx);
+
+        sdata->local->csa_channel = new_ch;
+
         if (sw_elem->mode)
                 ieee80211_stop_queues_by_reason(&sdata->local->hw,
                                 IEEE80211_QUEUE_STOP_REASON_CSA);
@@ -778,10 +820,10 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                          cbss->beacon_interval));
 }
 
-static void ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
-                                        struct ieee80211_channel *channel,
-                                        const u8 *country_ie, u8 country_ie_len,
-                                        const u8 *pwr_constr_elem)
+static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
+                                       struct ieee80211_channel *channel,
+                                       const u8 *country_ie, u8 country_ie_len,
+                                       const u8 *pwr_constr_elem)
 {
         struct ieee80211_country_ie_triplet *triplet;
         int chan = ieee80211_frequency_to_channel(channel->center_freq);
@@ -790,7 +832,7 @@ static void ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
 
         /* Invalid IE */
         if (country_ie_len % 2 || country_ie_len < IEEE80211_COUNTRY_IE_MIN_LEN)
-                return;
+                return 0;
 
         triplet = (void *)(country_ie + 3);
         country_ie_len -= 3;
@@ -831,19 +873,21 @@ static void ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
         }
 
         if (!have_chan_pwr)
-                return;
+                return 0;
 
         new_ap_level = max_t(int, 0, chan_pwr - *pwr_constr_elem);
 
-        if (sdata->local->ap_power_level == new_ap_level)
-                return;
+        if (sdata->ap_power_level == new_ap_level)
+                return 0;
 
         sdata_info(sdata,
                    "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
                    new_ap_level, chan_pwr, *pwr_constr_elem,
                    sdata->u.mgd.bssid);
-        sdata->local->ap_power_level = new_ap_level;
-        ieee80211_hw_config(sdata->local, 0);
+        sdata->ap_power_level = new_ap_level;
+        if (__ieee80211_recalc_txpower(sdata))
+                return BSS_CHANGED_TXPOWER;
+        return 0;
 }
 
 void ieee80211_enable_dyn_ps(struct ieee80211_vif *vif)
@@ -1280,7 +1324,7 @@ static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
         }
 
         use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME);
-        if (sdata->local->oper_channel->band == IEEE80211_BAND_5GHZ)
+        if (ieee80211_get_sdata_band(sdata) == IEEE80211_BAND_5GHZ)
                 use_short_slot = true;
 
         if (use_protection != bss_conf->use_cts_prot) {
@@ -1321,6 +1365,22 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
 
         sdata->u.mgd.flags |= IEEE80211_STA_RESET_SIGNAL_AVE;
 
+        if (sdata->vif.p2p) {
+                u8 noa[2];
+                int ret;
+
+                ret = cfg80211_get_p2p_attr(cbss->information_elements,
+                                            cbss->len_information_elements,
+                                            IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+                                            noa, sizeof(noa));
+                if (ret >= 2) {
+                        bss_conf->p2p_oppps = noa[1] & 0x80;
+                        bss_conf->p2p_ctwindow = noa[1] & 0x7f;
+                        bss_info_changed |= BSS_CHANGED_P2P_PS;
+                        sdata->u.mgd.p2p_noa_index = noa[0];
+                }
+        }
+
         /* just to be sure */
         ieee80211_stop_poll(sdata);
 
@@ -1350,7 +1410,7 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
         ieee80211_recalc_ps(local, -1);
         mutex_unlock(&local->iflist_mtx);
 
-        ieee80211_recalc_smps(local);
+        ieee80211_recalc_smps(sdata);
         ieee80211_recalc_ps_vif(sdata);
 
         netif_tx_start_all_queues(sdata->dev);
@@ -1443,11 +1503,14 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
         changed |= BSS_CHANGED_ASSOC;
         sdata->vif.bss_conf.assoc = false;
 
+        sdata->vif.bss_conf.p2p_ctwindow = 0;
+        sdata->vif.bss_conf.p2p_oppps = false;
+
         /* on the next assoc, re-program HT parameters */
         memset(&ifmgd->ht_capa, 0, sizeof(ifmgd->ht_capa));
         memset(&ifmgd->ht_capa_mask, 0, sizeof(ifmgd->ht_capa_mask));
 
-        local->ap_power_level = 0;
+        sdata->ap_power_level = IEEE80211_UNSET_POWER_LEVEL;
 
         del_timer_sync(&local->dynamic_ps_timer);
         cancel_work_sync(&local->dynamic_ps_enable_work);
@@ -1465,9 +1528,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
         changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
         ieee80211_bss_info_change_notify(sdata, changed);
 
-        /* channel(_type) changes are handled by ieee80211_hw_config */
-        WARN_ON(!ieee80211_set_channel_type(local, sdata, NL80211_CHAN_NO_HT));
-        ieee80211_hw_config(local, 0);
+        ieee80211_vif_release_channel(sdata);
 
         /* disassociated - set to defaults now */
         ieee80211_set_wmm_default(sdata, false);
@@ -1589,7 +1650,7 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
 
                 ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid_len, NULL,
                                          0, (u32) -1, true, false,
-                                         ifmgd->associated->channel);
+                                         ifmgd->associated->channel, false);
         }
 
         ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
@@ -1692,8 +1753,7 @@ struct sk_buff *ieee80211_ap_probereq_get(struct ieee80211_hw *hw,
                 ssid_len = ssid[1];
 
         skb = ieee80211_build_probe_req(sdata, cbss->bssid,
-                                        (u32) -1,
-                                        sdata->local->oper_channel,
+                                        (u32) -1, cbss->channel,
                                         ssid + 2, ssid_len,
                                         NULL, 0, true);
 
@@ -1804,6 +1864,7 @@ static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
 
                 memset(sdata->u.mgd.bssid, 0, ETH_ALEN);
                 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
+                ieee80211_vif_release_channel(sdata);
         }
 
         cfg80211_put_bss(auth_data->bss);
@@ -1824,7 +1885,7 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
                 return;
         auth_data->expected_transaction = 4;
         drv_mgd_prepare_tx(sdata->local, sdata);
-        ieee80211_send_auth(sdata, 3, auth_data->algorithm,
+        ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
                             elems.challenge - 2, elems.challenge_len + 2,
                             auth_data->bss->bssid, auth_data->bss->bssid,
                             auth_data->key, auth_data->key_len,
@@ -1858,8 +1919,13 @@ ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
         status_code = le16_to_cpu(mgmt->u.auth.status_code);
 
         if (auth_alg != ifmgd->auth_data->algorithm ||
-            auth_transaction != ifmgd->auth_data->expected_transaction)
+            auth_transaction != ifmgd->auth_data->expected_transaction) {
+                sdata_info(sdata, "%pM unexpected authentication state: alg %d (expected %d) transact %d (expected %d)\n",
+                           mgmt->sa, auth_alg, ifmgd->auth_data->algorithm,
+                           auth_transaction,
+                           ifmgd->auth_data->expected_transaction);
                 return RX_MGMT_NONE;
+        }
 
         if (status_code != WLAN_STATUS_SUCCESS) {
                 sdata_info(sdata, "%pM denied authentication (status %d)\n",
@@ -1872,6 +1938,7 @@ ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
         case WLAN_AUTH_OPEN:
         case WLAN_AUTH_LEAP:
         case WLAN_AUTH_FT:
+        case WLAN_AUTH_SAE:
                 break;
         case WLAN_AUTH_SHARED_KEY:
                 if (ifmgd->auth_data->expected_transaction != 4) {
@@ -1891,6 +1958,15 @@ ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
         ifmgd->auth_data->timeout = jiffies + IEEE80211_AUTH_WAIT_ASSOC;
         run_again(ifmgd, ifmgd->auth_data->timeout);
 
+        if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+            ifmgd->auth_data->expected_transaction != 2) {
+                /*
+                 * Report auth frame to user space for processing since another
+                 * round of Authentication frames is still needed.
+                 */
+                return RX_MGMT_CFG80211_RX_AUTH;
+        }
+
         /* move station state to auth */
         mutex_lock(&sdata->local->sta_mtx);
         sta = sta_info_get(sdata, bssid);
@@ -2030,6 +2106,7 @@ static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
 
                 memset(sdata->u.mgd.bssid, 0, ETH_ALEN);
                 ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID);
+                ieee80211_vif_release_channel(sdata);
         }
 
         kfree(assoc_data);
@@ -2091,7 +2168,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
                 return false;
         }
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)];
 
         if (elems.ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_11N))
                 ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
@@ -2100,6 +2177,11 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
         sta->supports_40mhz =
                 sta->sta.ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40;
 
+        if (elems.vht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_VHT))
+                ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+                                                    elems.vht_cap_elem,
+                                                    &sta->sta.vht_cap);
+
         rate_control_rate_init(sta);
 
         if (ifmgd->flags & IEEE80211_STA_MFP_ENABLED)
@@ -2369,8 +2451,10 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
         size_t baselen;
         struct ieee802_11_elems elems;
         struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan;
         u32 changed = 0;
-        bool erp_valid, directed_tim = false;
+        bool erp_valid;
         u8 erp_value = 0;
         u32 ncrc;
         u8 *bssid;
@@ -2382,8 +2466,19 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
         if (baselen > len)
                 return;
 
-        if (rx_status->freq != local->oper_channel->center_freq)
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (!chanctx_conf) {
+                rcu_read_unlock();
                 return;
+        }
+
+        if (rx_status->freq != chanctx_conf->channel->center_freq) {
+                rcu_read_unlock();
+                return;
+        }
+        chan = chanctx_conf->channel;
+        rcu_read_unlock();
 
         if (ifmgd->assoc_data && !ifmgd->assoc_data->have_beacon &&
             ether_addr_equal(mgmt->bssid, ifmgd->assoc_data->bss->bssid)) {
@@ -2490,11 +2585,10 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                                           len - baselen, &elems,
                                           care_about_ies, ncrc);
 
-        if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
-                directed_tim = ieee80211_check_tim(elems.tim, elems.tim_len,
-                                                   ifmgd->aid);
-
         if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) {
+                bool directed_tim = ieee80211_check_tim(elems.tim,
+                                                        elems.tim_len,
+                                                        ifmgd->aid);
                 if (directed_tim) {
                         if (local->hw.conf.dynamic_ps_timeout > 0) {
                                 if (local->hw.conf.flags & IEEE80211_CONF_PS) {
@@ -2519,6 +2613,27 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                 }
         }
 
+        if (sdata->vif.p2p) {
+                u8 noa[2];
+                int ret;
+
+                ret = cfg80211_get_p2p_attr(mgmt->u.beacon.variable,
+                                            len - baselen,
+                                            IEEE80211_P2P_ATTR_ABSENCE_NOTICE,
+                                            noa, sizeof(noa));
+                if (ret >= 2 && sdata->u.mgd.p2p_noa_index != noa[0]) {
+                        bss_conf->p2p_oppps = noa[1] & 0x80;
+                        bss_conf->p2p_ctwindow = noa[1] & 0x7f;
+                        changed |= BSS_CHANGED_P2P_PS;
+                        sdata->u.mgd.p2p_noa_index = noa[0];
+                        /*
+                         * make sure we update all information, the CRC
+                         * mechanism doesn't look at P2P attributes.
+                         */
+                        ifmgd->beacon_crc_valid = false;
+                }
+        }
+
         if (ncrc == ifmgd->beacon_crc && ifmgd->beacon_crc_valid)
                 return;
         ifmgd->beacon_crc = ncrc;
@@ -2543,22 +2658,17 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
 
 
         if (elems.ht_cap_elem && elems.ht_operation && elems.wmm_param &&
-            !(ifmgd->flags & IEEE80211_STA_DISABLE_11N)) {
-                struct ieee80211_supported_band *sband;
-
-                sband = local->hw.wiphy->bands[local->oper_channel->band];
-
+            !(ifmgd->flags & IEEE80211_STA_DISABLE_11N))
                 changed |= ieee80211_config_ht_tx(sdata, elems.ht_operation,
                                                   bssid, true);
-        }
 
         if (elems.country_elem && elems.pwr_constr_elem &&
             mgmt->u.probe_resp.capab_info &
                                 cpu_to_le16(WLAN_CAPABILITY_SPECTRUM_MGMT))
-                ieee80211_handle_pwr_constr(sdata, local->oper_channel,
-                                            elems.country_elem,
-                                            elems.country_elem_len,
-                                            elems.pwr_constr_elem);
+                changed |= ieee80211_handle_pwr_constr(sdata, chan,
+                                                       elems.country_elem,
+                                                       elems.country_elem_len,
+                                                       elems.pwr_constr_elem);
 
         ieee80211_bss_info_change_notify(sdata, changed);
 }
@@ -2703,13 +2813,23 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
         drv_mgd_prepare_tx(local, sdata);
 
         if (auth_data->bss->proberesp_ies) {
+                u16 trans = 1;
+                u16 status = 0;
+
                 sdata_info(sdata, "send auth to %pM (try %d/%d)\n",
                            auth_data->bss->bssid, auth_data->tries,
                            IEEE80211_AUTH_MAX_TRIES);
 
                 auth_data->expected_transaction = 2;
-                ieee80211_send_auth(sdata, 1, auth_data->algorithm,
-                                    auth_data->ie, auth_data->ie_len,
+
+                if (auth_data->algorithm == WLAN_AUTH_SAE) {
+                        trans = auth_data->sae_trans;
+                        status = auth_data->sae_status;
+                        auth_data->expected_transaction = trans;
+                }
+
+                ieee80211_send_auth(sdata, trans, auth_data->algorithm, status,
+                                    auth_data->data, auth_data->data_len,
                                     auth_data->bss->bssid,
                                     auth_data->bss->bssid, NULL, 0, 0);
         } else {
@@ -2728,7 +2848,7 @@ static int ieee80211_probe_auth(struct ieee80211_sub_if_data *sdata)
                  */
                 ieee80211_send_probe_req(sdata, NULL, ssidie + 2, ssidie[1],
                                          NULL, 0, (u32) -1, true, false,
-                                         auth_data->bss->channel);
+                                         auth_data->bss->channel, false);
         }
 
         auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
@@ -3099,39 +3219,57 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
                                    ht_cfreq, ht_oper->primary_chan,
                                    cbss->channel->band);
                         ht_oper = NULL;
+                } else {
+                        channel_type = NL80211_CHAN_HT20;
                 }
         }
 
-        if (ht_oper) {
+        if (ht_oper && sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
+                /*
+                 * cfg80211 already verified that the channel itself can
+                 * be used, but it didn't check that we can do the right
+                 * HT type, so do that here as well. If HT40 isn't allowed
+                 * on this channel, disable 40 MHz operation.
+                 */
+                const u8 *ht_cap_ie;
+                const struct ieee80211_ht_cap *ht_cap;
+                u8 chains = 1;
+
                 channel_type = NL80211_CHAN_HT20;
 
-                if (sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
-                        switch (ht_oper->ht_param &
-                                        IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
-                        case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
+                switch (ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
+                case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
+                        if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40PLUS)
+                                ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
+                        else
                                 channel_type = NL80211_CHAN_HT40PLUS;
-                                break;
-                        case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
+                        break;
+                case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
+                        if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40MINUS)
+                                ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
+                        else
                                 channel_type = NL80211_CHAN_HT40MINUS;
-                                break;
-                        }
+                        break;
                 }
-        }
 
-        if (!ieee80211_set_channel_type(local, sdata, channel_type)) {
-                /* can only fail due to HT40+/- mismatch */
-                channel_type = NL80211_CHAN_HT20;
-                sdata_info(sdata,
-                           "disabling 40 MHz due to multi-vif mismatch\n");
-                ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
-                WARN_ON(!ieee80211_set_channel_type(local, sdata,
-                                                    channel_type));
+                ht_cap_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY,
+                                             cbss->information_elements,
+                                             cbss->len_information_elements);
+                if (ht_cap_ie && ht_cap_ie[1] >= sizeof(*ht_cap)) {
+                        ht_cap = (void *)(ht_cap_ie + 2);
+                        chains = ieee80211_mcs_to_chains(&ht_cap->mcs);
+                }
+                sdata->needed_rx_chains = min(chains, local->rx_chains);
+        } else {
+                sdata->needed_rx_chains = 1;
         }
 
-        local->oper_channel = cbss->channel;
-        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        /* will change later if needed */
+        sdata->smps_mode = IEEE80211_SMPS_OFF;
 
-        return 0;
+        ieee80211_vif_release_channel(sdata);
+        return ieee80211_vif_use_channel(sdata, cbss->channel, channel_type,
+                                         IEEE80211_CHANCTX_SHARED);
 }
 
 static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
@@ -3201,7 +3339,7 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
                 sdata->vif.bss_conf.basic_rates = basic_rates;
 
                 /* cf. IEEE 802.11 9.2.12 */
-                if (local->oper_channel->band == IEEE80211_BAND_2GHZ &&
+                if (cbss->channel->band == IEEE80211_BAND_2GHZ &&
                     have_higher_than_11mbit)
                         sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
                 else
@@ -3263,19 +3401,33 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
         case NL80211_AUTHTYPE_NETWORK_EAP:
                 auth_alg = WLAN_AUTH_LEAP;
                 break;
+        case NL80211_AUTHTYPE_SAE:
+                auth_alg = WLAN_AUTH_SAE;
+                break;
         default:
                 return -EOPNOTSUPP;
         }
 
-        auth_data = kzalloc(sizeof(*auth_data) + req->ie_len, GFP_KERNEL);
+        auth_data = kzalloc(sizeof(*auth_data) + req->sae_data_len +
+                            req->ie_len, GFP_KERNEL);
         if (!auth_data)
                 return -ENOMEM;
 
         auth_data->bss = req->bss;
 
+        if (req->sae_data_len >= 4) {
+                __le16 *pos = (__le16 *) req->sae_data;
+                auth_data->sae_trans = le16_to_cpu(pos[0]);
+                auth_data->sae_status = le16_to_cpu(pos[1]);
+                memcpy(auth_data->data, req->sae_data + 4,
+                       req->sae_data_len - 4);
+                auth_data->data_len += req->sae_data_len - 4;
+        }
+
         if (req->ie && req->ie_len) {
-                memcpy(auth_data->ie, req->ie, req->ie_len);
-                auth_data->ie_len = req->ie_len;
+                memcpy(&auth_data->data[auth_data->data_len],
+                       req->ie, req->ie_len);
+                auth_data->data_len += req->ie_len;
         }
 
         if (req->key && req->key_len) {
@@ -3442,11 +3594,11 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
 
         if (ifmgd->req_smps == IEEE80211_SMPS_AUTOMATIC) {
                 if (ifmgd->powersave)
-                        ifmgd->ap_smps = IEEE80211_SMPS_DYNAMIC;
+                        sdata->smps_mode = IEEE80211_SMPS_DYNAMIC;
                 else
-                        ifmgd->ap_smps = IEEE80211_SMPS_OFF;
+                        sdata->smps_mode = IEEE80211_SMPS_OFF;
         } else
-                ifmgd->ap_smps = ifmgd->req_smps;
+                sdata->smps_mode = ifmgd->req_smps;
 
         assoc_data->capability = req->bss->capability;
         assoc_data->wmm = bss->wmm_used &&
@@ -3549,40 +3701,45 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+        bool tx = !req->local_state_change;
+        bool sent_frame = false;
 
         mutex_lock(&ifmgd->mtx);
 
-        if (ifmgd->auth_data) {
-                ieee80211_destroy_auth_data(sdata, false);
-                mutex_unlock(&ifmgd->mtx);
-                return 0;
-        }
-
         sdata_info(sdata,
                    "deauthenticating from %pM by local choice (reason=%d)\n",
                    req->bssid, req->reason_code);
 
-        if (ifmgd->associated &&
-            ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
-                ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
-                                       req->reason_code, true, frame_buf);
-        } else {
+        if (ifmgd->auth_data) {
                 drv_mgd_prepare_tx(sdata->local, sdata);
                 ieee80211_send_deauth_disassoc(sdata, req->bssid,
                                                IEEE80211_STYPE_DEAUTH,
-                                               req->reason_code, true,
+                                               req->reason_code, tx,
                                                frame_buf);
+                ieee80211_destroy_auth_data(sdata, false);
+                mutex_unlock(&ifmgd->mtx);
+
+                sent_frame = tx;
+                goto out;
         }
 
+        if (ifmgd->associated &&
+            ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
+                ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
+                                       req->reason_code, tx, frame_buf);
+                sent_frame = tx;
+        }
         mutex_unlock(&ifmgd->mtx);
 
-        __cfg80211_send_deauth(sdata->dev, frame_buf,
-                               IEEE80211_DEAUTH_FRAME_LEN);
-
+ out:
         mutex_lock(&sdata->local->mtx);
         ieee80211_recalc_idle(sdata->local);
         mutex_unlock(&sdata->local->mtx);
 
+        if (sent_frame)
+                __cfg80211_send_deauth(sdata->dev, frame_buf,
+                                       IEEE80211_DEAUTH_FRAME_LEN);
+
         return 0;
 }
 
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 83608ac16780..0cd42d52880c 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -107,6 +107,9 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
 {
         struct ieee80211_sub_if_data *sdata;
 
+        if (WARN_ON(local->use_chanctx))
+                return;
+
         /*
          * notify the AP about us leaving the channel and stop all
          * STA interfaces.
@@ -145,6 +148,9 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
 {
         struct ieee80211_sub_if_data *sdata;
 
+        if (WARN_ON(local->use_chanctx))
+                return;
+
         mutex_lock(&local->iflist_mtx);
         list_for_each_entry(sdata, &local->interfaces, list) {
                 if (sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE)
@@ -193,11 +199,12 @@ void ieee80211_handle_roc_started(struct ieee80211_roc_work *roc)
 
         if (roc->mgmt_tx_cookie) {
                 if (!WARN_ON(!roc->frame)) {
-                        ieee80211_tx_skb(roc->sdata, roc->frame);
+                        ieee80211_tx_skb_tid_band(roc->sdata, roc->frame, 7,
+                                                  roc->chan->band);
                         roc->frame = NULL;
                 }
         } else {
-                cfg80211_ready_on_channel(&roc->sdata->wdev, (unsigned long)roc,
+                cfg80211_ready_on_channel(&roc->sdata->wdev, roc->cookie,
                                           roc->chan, roc->chan_type,
                                           roc->req_duration, GFP_KERNEL);
         }
@@ -313,9 +320,8 @@ void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc)
 
         if (!roc->mgmt_tx_cookie)
                 cfg80211_remain_on_channel_expired(&roc->sdata->wdev,
-                                                   (unsigned long)roc,
-                                                   roc->chan, roc->chan_type,
-                                                   GFP_KERNEL);
+                                                   roc->cookie, roc->chan,
+                                                   roc->chan_type, GFP_KERNEL);
 
         list_for_each_entry_safe(dep, tmp, &roc->dependents, list)
                 ieee80211_roc_notify_destroy(dep);
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index 5c572e7a1a71..0f1c434638bc 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -135,6 +135,12 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
                 ieee80211_bss_info_change_notify(sdata,
                         BSS_CHANGED_BEACON_ENABLED);
 
+                if (sdata->vif.type == NL80211_IFTYPE_AP &&
+                    rcu_access_pointer(sdata->u.ap.beacon))
+                        drv_stop_ap(local, sdata);
+
+                /* the interface is leaving the channel and is removed */
+                ieee80211_vif_release_channel(sdata);
                 drv_remove_interface(local, sdata);
         }
 
diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
index 10de668eb9f6..ec198ef6aa8a 100644
--- a/net/mac80211/rate.h
+++ b/net/mac80211/rate.h
@@ -52,11 +52,21 @@ static inline void rate_control_rate_init(struct sta_info *sta)
         struct ieee80211_sta *ista = &sta->sta;
         void *priv_sta = sta->rate_ctrl_priv;
         struct ieee80211_supported_band *sband;
+        struct ieee80211_chanctx_conf *chanctx_conf;
 
         if (!ref)
                 return;
 
-        sband = local->hw.wiphy->bands[local->oper_channel->band];
+        rcu_read_lock();
+
+        chanctx_conf = rcu_dereference(sta->sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                return;
+        }
+
+        sband = local->hw.wiphy->bands[chanctx_conf->channel->band];
+        rcu_read_unlock();
 
         ref->ops->rate_init(ref->priv, sband, ista, priv_sta);
         set_sta_flag(sta, WLAN_STA_RATE_CONTROL);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 61c621e9273f..6ad330341b71 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -54,8 +54,7 @@ static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
         return skb;
 }
 
-static inline int should_drop_frame(struct sk_buff *skb,
-                                    int present_fcs_len)
+static inline int should_drop_frame(struct sk_buff *skb, int present_fcs_len)
 {
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
@@ -130,15 +129,14 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                             (1 << IEEE80211_RADIOTAP_RX_FLAGS));
         rthdr->it_len = cpu_to_le16(rtap_len);
 
-        pos = (unsigned char *)(rthdr+1);
+        pos = (unsigned char *)(rthdr + 1);
 
         /* the order of the following fields is important */
 
         /* IEEE80211_RADIOTAP_TSFT */
         if (status->flag & RX_FLAG_MACTIME_MPDU) {
                 put_unaligned_le64(status->mactime, pos);
-                rthdr->it_present |=
-                        cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
+                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
                 pos += 8;
         }
 
@@ -374,7 +372,6 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
         return origskb;
 }
 
-
 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
@@ -481,8 +478,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
         struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
         struct ieee80211_mmie *mmie;
 
-        if (skb->len < 24 + sizeof(*mmie) ||
-            !is_multicast_ether_addr(hdr->da))
+        if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
                 return -1;
 
         if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
@@ -497,9 +493,7 @@ static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
         return le16_to_cpu(mmie->key_id);
 }
 
-
-static ieee80211_rx_result
-ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
+static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
         char *dev_addr = rx->sdata->vif.addr;
@@ -507,7 +501,7 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
         if (ieee80211_is_data(hdr->frame_control)) {
                 if (is_multicast_ether_addr(hdr->addr1)) {
                         if (ieee80211_has_tods(hdr->frame_control) ||
-                                !ieee80211_has_fromds(hdr->frame_control))
+                            !ieee80211_has_fromds(hdr->frame_control))
                                 return RX_DROP_MONITOR;
                         if (ether_addr_equal(hdr->addr3, dev_addr))
                                 return RX_DROP_MONITOR;
@@ -531,10 +525,15 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
 
                 if (ieee80211_is_action(hdr->frame_control)) {
                         u8 category;
+
+                        /* make sure category field is present */
+                        if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
+                                return RX_DROP_MONITOR;
+
                         mgmt = (struct ieee80211_mgmt *)hdr;
                         category = mgmt->u.action.category;
                         if (category != WLAN_CATEGORY_MESH_ACTION &&
-                                category != WLAN_CATEGORY_SELF_PROTECTED)
+                            category != WLAN_CATEGORY_SELF_PROTECTED)
                                 return RX_DROP_MONITOR;
                         return RX_CONTINUE;
                 }
@@ -546,7 +545,6 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
                         return RX_CONTINUE;
 
                 return RX_DROP_MONITOR;
-
         }
 
         return RX_CONTINUE;
@@ -570,7 +568,6 @@ static inline u16 seq_sub(u16 sq1, u16 sq2)
         return (sq1 - sq2) & SEQ_MASK;
 }
 
-
 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
                                             struct tid_ampdu_rx *tid_agg_rx,
                                             int index)
@@ -883,14 +880,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                  */
                 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
                     ieee80211_is_data_present(hdr->frame_control)) {
-                        u16 ethertype;
-                        u8 *payload;
-
-                        payload = rx->skb->data +
-                                ieee80211_hdrlen(hdr->frame_control);
-                        ethertype = (payload[6] << 8) | payload[7];
-                        if (cpu_to_be16(ethertype) ==
-                            rx->sdata->control_port_protocol)
+                        unsigned int hdrlen;
+                        __be16 ethertype;
+
+                        hdrlen = ieee80211_hdrlen(hdr->frame_control);
+
+                        if (rx->skb->len < hdrlen + 8)
+                                return RX_DROP_MONITOR;
+
+                        skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
+                        if (ethertype == rx->sdata->control_port_protocol)
                                 return RX_CONTINUE;
                 }
 
@@ -1141,12 +1140,19 @@ ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
         return RX_CONTINUE;
 }
 
-static void ap_sta_ps_start(struct sta_info *sta)
+static void sta_ps_start(struct sta_info *sta)
 {
         struct ieee80211_sub_if_data *sdata = sta->sdata;
         struct ieee80211_local *local = sdata->local;
+        struct ps_data *ps;
 
-        atomic_inc(&sdata->bss->num_sta_ps);
+        if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
+            sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+                ps = &sdata->bss->ps;
+        else
+                return;
+
+        atomic_inc(&ps->num_sta_ps);
         set_sta_flag(sta, WLAN_STA_PS_STA);
         if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
                 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
@@ -1154,7 +1160,7 @@ static void ap_sta_ps_start(struct sta_info *sta)
                sta->sta.addr, sta->sta.aid);
 }
 
-static void ap_sta_ps_end(struct sta_info *sta)
+static void sta_ps_end(struct sta_info *sta)
 {
         ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
                sta->sta.addr, sta->sta.aid);
@@ -1181,9 +1187,9 @@ int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start)
                 return -EINVAL;
 
         if (start)
-                ap_sta_ps_start(sta_inf);
+                sta_ps_start(sta_inf);
         else
-                ap_sta_ps_end(sta_inf);
+                sta_ps_end(sta_inf);
 
         return 0;
 }
@@ -1335,10 +1341,10 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
                          */
                         if (ieee80211_is_data(hdr->frame_control) &&
                             !ieee80211_has_pm(hdr->frame_control))
-                                ap_sta_ps_end(sta);
+                                sta_ps_end(sta);
                 } else {
                         if (ieee80211_has_pm(hdr->frame_control))
-                                ap_sta_ps_start(sta);
+                                sta_ps_start(sta);
                 }
         }
 
@@ -1384,9 +1390,7 @@ ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
                          struct sk_buff **skb)
 {
         struct ieee80211_fragment_entry *entry;
-        int idx;
 
-        idx = sdata->fragment_next;
         entry = &sdata->fragments[sdata->fragment_next++];
         if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
                 sdata->fragment_next = 0;
@@ -1462,11 +1466,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
 
         hdr = (struct ieee80211_hdr *)rx->skb->data;
         fc = hdr->frame_control;
+
+        if (ieee80211_is_ctl(fc))
+                return RX_CONTINUE;
+
         sc = le16_to_cpu(hdr->seq_ctrl);
         frag = sc & IEEE80211_SCTL_FRAG;
 
         if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
-                   (rx->skb)->len < 24 ||
                    is_multicast_ether_addr(hdr->addr1))) {
                 /* not fragmented */
                 goto out;
@@ -1570,18 +1577,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         return RX_CONTINUE;
 }
 
-static int
-ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
+static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
 {
-        if (unlikely(!rx->sta ||
-            !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
+        if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
                 return -EACCES;
 
         return 0;
 }
 
-static int
-ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
+static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
 {
         struct sk_buff *skb = rx->skb;
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
@@ -1603,8 +1607,7 @@ ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
         return 0;
 }
 
-static int
-ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
+static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
@@ -1889,6 +1892,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
 
         hdr = (struct ieee80211_hdr *) skb->data;
         hdrlen = ieee80211_hdrlen(hdr->frame_control);
+
+        /* make sure fixed part of mesh header is there, also checks skb len */
+        if (!pskb_may_pull(rx->skb, hdrlen + 6))
+                return RX_DROP_MONITOR;
+
+        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
+
+        /* make sure full mesh header is there, also checks skb len */
+        if (!pskb_may_pull(rx->skb,
+                           hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
+                return RX_DROP_MONITOR;
+
+        /* reload pointers */
+        hdr = (struct ieee80211_hdr *) skb->data;
         mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
 
         /* frame is in RMC, don't forward */
@@ -1897,7 +1914,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
             mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
                 return RX_DROP_MONITOR;
 
-        if (!ieee80211_is_data(hdr->frame_control))
+        if (!ieee80211_is_data(hdr->frame_control) ||
+            !(status->rx_flags & IEEE80211_RX_RA_MATCH))
                 return RX_CONTINUE;
 
         if (!mesh_hdr->ttl)
@@ -1911,9 +1929,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                 if (is_multicast_ether_addr(hdr->addr1)) {
                         mpp_addr = hdr->addr3;
                         proxied_addr = mesh_hdr->eaddr1;
-                } else {
+                } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
+                        /* has_a4 already checked in ieee80211_rx_mesh_check */
                         mpp_addr = hdr->addr4;
                         proxied_addr = mesh_hdr->eaddr2;
+                } else {
+                        return RX_DROP_MONITOR;
                 }
 
                 rcu_read_lock();
@@ -1941,12 +1962,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
         }
         skb_set_queue_mapping(skb, q);
 
-        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
-                goto out;
-
         if (!--mesh_hdr->ttl) {
                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
-                return RX_DROP_MONITOR;
+                goto out;
         }
 
         if (!ifmsh->mshcfg.dot11MeshForwarding)
@@ -1973,7 +1991,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
         } else {
                 /* unable to resolve next hop */
                 mesh_path_error_tx(ifmsh->mshcfg.element_ttl, fwd_hdr->addr3,
-                                    0, reason, fwd_hdr->addr2, sdata);
+                                   0, reason, fwd_hdr->addr2, sdata);
                 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
                 kfree_skb(fwd_skb);
                 return RX_DROP_MONITOR;
@@ -2182,7 +2200,7 @@ ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
 
                 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
                                             rx->skb->data, rx->skb->len,
-                                            status->freq, sig, GFP_ATOMIC);
+                                            status->freq, sig);
                 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
         }
 
@@ -2353,6 +2371,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                 }
                 break;
         case WLAN_CATEGORY_SELF_PROTECTED:
+                if (len < (IEEE80211_MIN_ACTION_SIZE +
+                           sizeof(mgmt->u.action.u.self_prot.action_code)))
+                        break;
+
                 switch (mgmt->u.action.u.self_prot.action_code) {
                 case WLAN_SP_MESH_PEERING_OPEN:
                 case WLAN_SP_MESH_PEERING_CLOSE:
@@ -2371,10 +2393,14 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                 }
                 break;
         case WLAN_CATEGORY_MESH_ACTION:
+                if (len < (IEEE80211_MIN_ACTION_SIZE +
+                           sizeof(mgmt->u.action.u.mesh_action.action_code)))
+                        break;
+
                 if (!ieee80211_vif_is_mesh(&sdata->vif))
                         break;
                 if (mesh_action_is_path_sel(mgmt) &&
-                  (!mesh_path_sel_is_hwmp(sdata)))
+                    !mesh_path_sel_is_hwmp(sdata))
                         break;
                 goto queue;
         }
@@ -2430,7 +2456,6 @@ ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
                 return RX_QUEUED;
         }
 
-
         return RX_CONTINUE;
 }
 
@@ -2913,10 +2938,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
         if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
                 local->dot11ReceivedFragmentCount++;
 
-        if (ieee80211_is_mgmt(fc))
-                err = skb_linearize(skb);
-        else
+        if (ieee80211_is_mgmt(fc)) {
+                /* drop frame if too short for header */
+                if (skb->len < ieee80211_hdrlen(fc))
+                        err = -ENOBUFS;
+                else
+                        err = skb_linearize(skb);
+        } else {
                 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
+        }
 
         if (err) {
                 dev_kfree_skb(skb);
@@ -3010,8 +3040,7 @@ void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
 
         WARN_ON_ONCE(softirq_count() == 0);
 
-        if (WARN_ON(status->band < 0 ||
-                    status->band >= IEEE80211_NUM_BANDS))
+        if (WARN_ON(status->band >= IEEE80211_NUM_BANDS))
                 goto drop;
 
         sband = local->hw.wiphy->bands[status->band];
@@ -3056,8 +3085,7 @@ void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
                          * hardware error. The driver should catch hardware
                          * errors.
                          */
-                        if (WARN((status->rate_idx < 0 ||
-                                 status->rate_idx > 76),
+                        if (WARN(status->rate_idx > 76,
                                  "Rate marked as an HT rate but passed "
                                  "status->rate_idx is not "
                                  "an MCS index [0-76]: %d (0x%02x)\n",
@@ -3065,8 +3093,7 @@ void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
                                  status->rate_idx))
                                 goto drop;
                 } else {
-                        if (WARN_ON(status->rate_idx < 0 ||
-                                    status->rate_idx >= sband->n_bitrates))
+                        if (WARN_ON(status->rate_idx >= sband->n_bitrates))
                                 goto drop;
                         rate = &sband->bitrates[status->rate_idx];
                 }
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index c4cdbde24fd3..8e9bb168b73b 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -336,6 +336,10 @@ EXPORT_SYMBOL(ieee80211_scan_completed);
 
 static int ieee80211_start_sw_scan(struct ieee80211_local *local)
 {
+        /* Software scan is not supported in multi-channel cases */
+        if (local->use_chanctx)
+                return -EOPNOTSUPP;
+
         /*
          * Hardware/driver doesn't support hw_scan, so use software
          * scanning instead. First send a nullfunc frame with power save
@@ -417,7 +421,7 @@ static void ieee80211_scan_state_send_probe(struct ieee80211_local *local,
                         local->scan_req->ie, local->scan_req->ie_len,
                         local->scan_req->rates[band], false,
                         local->scan_req->no_cck,
-                        local->hw.conf.channel);
+                        local->hw.conf.channel, true);
 
         /*
          * After sending probe requests, wait for probe responses
@@ -462,6 +466,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
                         sizeof(*local->hw_scan_req) +
                         req->n_channels * sizeof(req->channels[0]);
                 local->hw_scan_req->ie = ies;
+                local->hw_scan_req->flags = req->flags;
 
                 local->hw_scan_band = 0;
 
@@ -480,7 +485,7 @@ static int __ieee80211_start_scan(struct ieee80211_sub_if_data *sdata,
         if (local->ops->hw_scan) {
                 __set_bit(SCAN_HW_SCANNING, &local->scanning);
         } else if ((req->n_channels == 1) &&
-                   (req->channels[0] == local->oper_channel)) {
+                   (req->channels[0] == local->_oper_channel)) {
                 /*
                  * If we are scanning only on the operating channel
                  * then we do not need to stop normal activities
@@ -562,6 +567,7 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
         unsigned long min_beacon_int = 0;
         struct ieee80211_sub_if_data *sdata;
         struct ieee80211_channel *next_chan;
+        enum mac80211_scan_state next_scan_state;
 
         /*
          * check if at least one STA interface is associated,
@@ -620,10 +626,18 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
                         usecs_to_jiffies(min_beacon_int * 1024) *
                         local->hw.conf.listen_interval);
 
-        if (associated && (!tx_empty || bad_latency || listen_int_exceeded))
-                local->next_scan_state = SCAN_SUSPEND;
-        else
-                local->next_scan_state = SCAN_SET_CHANNEL;
+        if (associated && !tx_empty) {
+                if (local->scan_req->flags & NL80211_SCAN_FLAG_LOW_PRIORITY)
+                        next_scan_state = SCAN_ABORT;
+                else
+                        next_scan_state = SCAN_SUSPEND;
+        } else if (associated && (bad_latency || listen_int_exceeded)) {
+                next_scan_state = SCAN_SUSPEND;
+        } else {
+                next_scan_state = SCAN_SET_CHANNEL;
+        }
+
+        local->next_scan_state = next_scan_state;
 
         *next_delay = 0;
 }
@@ -794,6 +808,9 @@ void ieee80211_scan_work(struct work_struct *work)
                 case SCAN_RESUME:
                         ieee80211_scan_state_resume(local, &next_delay);
                         break;
+                case SCAN_ABORT:
+                        aborted = true;
+                        goto out_complete;
                 }
         } while (next_delay == 0);
 
@@ -917,7 +934,7 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
                                        struct cfg80211_sched_scan_request *req)
 {
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_sched_scan_ies sched_scan_ies;
+        struct ieee80211_sched_scan_ies sched_scan_ies = {};
         int ret, i;
 
         mutex_lock(&local->mtx);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 797dd36a220d..e9d57689c05f 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -98,6 +98,7 @@ static void free_sta_work(struct work_struct *wk)
         struct tid_ampdu_tx *tid_tx;
         struct ieee80211_sub_if_data *sdata = sta->sdata;
         struct ieee80211_local *local = sdata->local;
+        struct ps_data *ps;
 
         /*
          * At this point, when being called as call_rcu callback,
@@ -107,18 +108,22 @@ static void free_sta_work(struct work_struct *wk)
          */
 
         if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
-                BUG_ON(!sdata->bss);
+                if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
+                    sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+                        ps = &sdata->bss->ps;
+                else
+                        return;
 
                 clear_sta_flag(sta, WLAN_STA_PS_STA);
 
-                atomic_dec(&sdata->bss->num_sta_ps);
+                atomic_dec(&ps->num_sta_ps);
                 sta_info_recalc_tim(sta);
         }
 
         for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                 local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
-                __skb_queue_purge(&sta->ps_tx_buf[ac]);
-                __skb_queue_purge(&sta->tx_filtered[ac]);
+                ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
+                ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
         }
 
 #ifdef CONFIG_MAC80211_MESH
@@ -141,7 +146,7 @@ static void free_sta_work(struct work_struct *wk)
                 tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
                 if (!tid_tx)
                         continue;
-                __skb_queue_purge(&tid_tx->pending);
+                ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
                 kfree(tid_tx);
         }
 
@@ -502,22 +507,22 @@ int sta_info_insert(struct sta_info *sta)
         return err;
 }
 
-static inline void __bss_tim_set(struct ieee80211_if_ap *bss, u16 aid)
+static inline void __bss_tim_set(u8 *tim, u16 id)
 {
         /*
          * This format has been mandated by the IEEE specifications,
          * so this line may not be changed to use the __set_bit() format.
          */
-        bss->tim[aid / 8] |= (1 << (aid % 8));
+        tim[id / 8] |= (1 << (id % 8));
 }
 
-static inline void __bss_tim_clear(struct ieee80211_if_ap *bss, u16 aid)
+static inline void __bss_tim_clear(u8 *tim, u16 id)
 {
         /*
          * This format has been mandated by the IEEE specifications,
          * so this line may not be changed to use the __clear_bit() format.
          */
-        bss->tim[aid / 8] &= ~(1 << (aid % 8));
+        tim[id / 8] &= ~(1 << (id % 8));
 }
 
 static unsigned long ieee80211_tids_for_ac(int ac)
@@ -541,14 +546,23 @@ static unsigned long ieee80211_tids_for_ac(int ac)
 void sta_info_recalc_tim(struct sta_info *sta)
 {
         struct ieee80211_local *local = sta->local;
-        struct ieee80211_if_ap *bss = sta->sdata->bss;
+        struct ps_data *ps;
         unsigned long flags;
         bool indicate_tim = false;
         u8 ignore_for_tim = sta->sta.uapsd_queues;
         int ac;
+        u16 id;
+
+        if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
+            sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+                if (WARN_ON_ONCE(!sta->sdata->bss))
+                        return;
 
-        if (WARN_ON_ONCE(!sta->sdata->bss))
+                ps = &sta->sdata->bss->ps;
+                id = sta->sta.aid;
+        } else {
                 return;
+        }
 
         /* No need to do anything if the driver does all */
         if (local->hw.flags & IEEE80211_HW_AP_LINK_PS)
@@ -587,9 +601,9 @@ void sta_info_recalc_tim(struct sta_info *sta)
         spin_lock_irqsave(&local->tim_lock, flags);
 
         if (indicate_tim)
-                __bss_tim_set(bss, sta->sta.aid);
+                __bss_tim_set(ps->tim, id);
         else
-                __bss_tim_clear(bss, sta->sta.aid);
+                __bss_tim_clear(ps->tim, id);
 
         if (local->ops->set_tim) {
                 local->tim_in_locked_section = true;
@@ -650,7 +664,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
                  */
                 if (!skb)
                         break;
-                dev_kfree_skb(skb);
+                ieee80211_free_txskb(&local->hw, skb);
         }
 
         /*
@@ -679,7 +693,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
                 local->total_ps_buffered--;
                 ps_dbg(sta->sdata, "Buffered frame expired (STA %pM)\n",
                        sta->sta.addr);
-                dev_kfree_skb(skb);
+                ieee80211_free_txskb(&local->hw, skb);
         }
 
         /*
@@ -893,8 +907,8 @@ void ieee80211_sta_expire(struct ieee80211_sub_if_data *sdata,
                         continue;
 
                 if (time_after(jiffies, sta->last_rx + exp_time)) {
-                        ibss_dbg(sdata, "expiring inactive STA %pM\n",
-                                 sta->sta.addr);
+                        sta_dbg(sta->sdata, "expiring inactive STA %pM\n",
+                                sta->sta.addr);
                         WARN_ON(__sta_info_destroy(sta));
                 }
         }
@@ -948,10 +962,17 @@ static void clear_sta_ps_flags(void *_sta)
 {
         struct sta_info *sta = _sta;
         struct ieee80211_sub_if_data *sdata = sta->sdata;
+        struct ps_data *ps;
+
+        if (sdata->vif.type == NL80211_IFTYPE_AP ||
+            sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+                ps = &sdata->bss->ps;
+        else
+                return;
 
         clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
         if (test_and_clear_sta_flag(sta, WLAN_STA_PS_STA))
-                atomic_dec(&sdata->bss->num_sta_ps);
+                atomic_dec(&ps->num_sta_ps);
 }
 
 /* powersave support code */
@@ -961,6 +982,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
         struct ieee80211_local *local = sdata->local;
         struct sk_buff_head pending;
         int filtered = 0, buffered = 0, ac;
+        unsigned long flags;
 
         clear_sta_flag(sta, WLAN_STA_SP);
 
@@ -976,12 +998,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
         for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                 int count = skb_queue_len(&pending), tmp;
 
+                spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
                 skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
+                spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
                 tmp = skb_queue_len(&pending);
                 filtered += tmp - count;
                 count = tmp;
 
+                spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
                 skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
+                spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
                 tmp = skb_queue_len(&pending);
                 buffered += tmp - count;
         }
@@ -1008,6 +1034,7 @@ static void ieee80211_send_null_response(struct ieee80211_sub_if_data *sdata,
         __le16 fc;
         bool qos = test_sta_flag(sta, WLAN_STA_WME);
         struct ieee80211_tx_info *info;
+        struct ieee80211_chanctx_conf *chanctx_conf;
 
         if (qos) {
                 fc = cpu_to_le16(IEEE80211_FTYPE_DATA |
@@ -1057,7 +1084,16 @@ static void ieee80211_send_null_response(struct ieee80211_sub_if_data *sdata,
 
         drv_allow_buffered_frames(local, sta, BIT(tid), 1, reason, false);
 
-        ieee80211_xmit(sdata, skb);
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (WARN_ON(!chanctx_conf)) {
+                rcu_read_unlock();
+                kfree_skb(skb);
+                return;
+        }
+
+        ieee80211_xmit(sdata, skb, chanctx_conf->channel->band);
+        rcu_read_unlock();
 }
 
 static void
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 3af0cc4130f1..ab63237107c8 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -189,30 +189,31 @@ static void ieee80211_frame_acked(struct sta_info *sta, struct sk_buff *skb)
         }
 
         if (ieee80211_is_action(mgmt->frame_control) &&
-            sdata->vif.type == NL80211_IFTYPE_STATION &&
             mgmt->u.action.category == WLAN_CATEGORY_HT &&
-            mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS) {
+            mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS &&
+            sdata->vif.type == NL80211_IFTYPE_STATION &&
+            ieee80211_sdata_running(sdata)) {
                 /*
                  * This update looks racy, but isn't -- if we come
                  * here we've definitely got a station that we're
                  * talking to, and on a managed interface that can
                  * only be the AP. And the only other place updating
-                 * this variable is before we're associated.
+                 * this variable in managed mode is before association.
                  */
                 switch (mgmt->u.action.u.ht_smps.smps_control) {
                 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
-                        sta->sdata->u.mgd.ap_smps = IEEE80211_SMPS_DYNAMIC;
+                        sdata->smps_mode = IEEE80211_SMPS_DYNAMIC;
                         break;
                 case WLAN_HT_SMPS_CONTROL_STATIC:
-                        sta->sdata->u.mgd.ap_smps = IEEE80211_SMPS_STATIC;
+                        sdata->smps_mode = IEEE80211_SMPS_STATIC;
                         break;
                 case WLAN_HT_SMPS_CONTROL_DISABLED:
                 default: /* shouldn't happen since we don't send that */
-                        sta->sdata->u.mgd.ap_smps = IEEE80211_SMPS_OFF;
+                        sdata->smps_mode = IEEE80211_SMPS_OFF;
                         break;
                 }
 
-                ieee80211_queue_work(&local->hw, &local->recalc_smps);
+                ieee80211_queue_work(&local->hw, &sdata->recalc_smps);
         }
 }
 
@@ -324,6 +325,75 @@ static void ieee80211_add_tx_radiotap_header(struct ieee80211_supported_band
 
 }
 
+static void ieee80211_report_used_skb(struct ieee80211_local *local,
+                                      struct sk_buff *skb, bool dropped)
+{
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        struct ieee80211_hdr *hdr = (void *)skb->data;
+        bool acked = info->flags & IEEE80211_TX_STAT_ACK;
+
+        if (dropped)
+                acked = false;
+
+        if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+                struct ieee80211_sub_if_data *sdata = NULL;
+                struct ieee80211_sub_if_data *iter_sdata;
+                u64 cookie = (unsigned long)skb;
+
+                rcu_read_lock();
+
+                if (skb->dev) {
+                        list_for_each_entry_rcu(iter_sdata, &local->interfaces,
+                                                list) {
+                                if (!iter_sdata->dev)
+                                        continue;
+
+                                if (skb->dev == iter_sdata->dev) {
+                                        sdata = iter_sdata;
+                                        break;
+                                }
+                        }
+                } else {
+                        sdata = rcu_dereference(local->p2p_sdata);
+                }
+
+                if (!sdata)
+                        skb->dev = NULL;
+                else if (ieee80211_is_nullfunc(hdr->frame_control) ||
+                         ieee80211_is_qos_nullfunc(hdr->frame_control)) {
+                        cfg80211_probe_status(sdata->dev, hdr->addr1,
+                                              cookie, acked, GFP_ATOMIC);
+                } else {
+                        cfg80211_mgmt_tx_status(&sdata->wdev, cookie, skb->data,
+                                                skb->len, acked, GFP_ATOMIC);
+                }
+
+                rcu_read_unlock();
+        }
+
+        if (unlikely(info->ack_frame_id)) {
+                struct sk_buff *ack_skb;
+                unsigned long flags;
+
+                spin_lock_irqsave(&local->ack_status_lock, flags);
+                ack_skb = idr_find(&local->ack_status_frames,
+                                   info->ack_frame_id);
+                if (ack_skb)
+                        idr_remove(&local->ack_status_frames,
+                                   info->ack_frame_id);
+                spin_unlock_irqrestore(&local->ack_status_lock, flags);
+
+                if (ack_skb) {
+                        if (!dropped) {
+                                /* consumes ack_skb */
+                                skb_complete_wifi_ack(ack_skb, acked);
+                        } else {
+                                dev_kfree_skb_any(ack_skb);
+                        }
+                }
+        }
+}
+
 /*
  * Use a static threshold for now, best value to be determined
  * by testing ...
@@ -515,62 +585,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                                         msecs_to_jiffies(10));
         }
 
-        if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
-                u64 cookie = (unsigned long)skb;
-                bool found = false;
-
-                acked = info->flags & IEEE80211_TX_STAT_ACK;
-
-                rcu_read_lock();
-
-                list_for_each_entry_rcu(sdata, &local->interfaces, list) {
-                        if (!sdata->dev)
-                                continue;
-
-                        if (skb->dev != sdata->dev)
-                                continue;
-
-                        found = true;
-                        break;
-                }
-
-                if (!skb->dev) {
-                        sdata = rcu_dereference(local->p2p_sdata);
-                        if (sdata)
-                                found = true;
-                }
-
-                if (!found)
-                        skb->dev = NULL;
-                else if (ieee80211_is_nullfunc(hdr->frame_control) ||
-                         ieee80211_is_qos_nullfunc(hdr->frame_control)) {
-                        cfg80211_probe_status(sdata->dev, hdr->addr1,
-                                              cookie, acked, GFP_ATOMIC);
-                } else {
-                        cfg80211_mgmt_tx_status(&sdata->wdev, cookie, skb->data,
-                                                skb->len, acked, GFP_ATOMIC);
-                }
-
-                rcu_read_unlock();
-        }
-
-        if (unlikely(info->ack_frame_id)) {
-                struct sk_buff *ack_skb;
-                unsigned long flags;
-
-                spin_lock_irqsave(&local->ack_status_lock, flags);
-                ack_skb = idr_find(&local->ack_status_frames,
-                                   info->ack_frame_id);
-                if (ack_skb)
-                        idr_remove(&local->ack_status_frames,
-                                   info->ack_frame_id);
-                spin_unlock_irqrestore(&local->ack_status_lock, flags);
-
-                /* consumes ack_skb */
-                if (ack_skb)
-                        skb_complete_wifi_ack(ack_skb,
-                                info->flags & IEEE80211_TX_STAT_ACK);
-        }
+        ieee80211_report_used_skb(local, skb, false);
 
         /* this was a transmitted frame, but now we want to reuse it */
         skb_orphan(skb);
@@ -646,25 +661,17 @@ EXPORT_SYMBOL(ieee80211_report_low_ack);
 void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb)
 {
         struct ieee80211_local *local = hw_to_local(hw);
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-
-        if (unlikely(info->ack_frame_id)) {
-                struct sk_buff *ack_skb;
-                unsigned long flags;
-
-                spin_lock_irqsave(&local->ack_status_lock, flags);
-                ack_skb = idr_find(&local->ack_status_frames,
-                                   info->ack_frame_id);
-                if (ack_skb)
-                        idr_remove(&local->ack_status_frames,
-                                   info->ack_frame_id);
-                spin_unlock_irqrestore(&local->ack_status_lock, flags);
-
-                /* consumes ack_skb */
-                if (ack_skb)
-                        dev_kfree_skb_any(ack_skb);
-        }
 
+        ieee80211_report_used_skb(local, skb, true);
         dev_kfree_skb_any(skb);
 }
 EXPORT_SYMBOL(ieee80211_free_txskb);
+
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+                              struct sk_buff_head *skbs)
+{
+        struct sk_buff *skb;
+
+        while ((skb = __skb_dequeue(skbs)))
+                ieee80211_free_txskb(hw, skb);
+}
diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 18d9c8a52e9e..758836c85a80 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -28,6 +28,20 @@
 #define VIF_PR_FMT      " vif:%s(%d%s)"
 #define VIF_PR_ARG      __get_str(vif_name), __entry->vif_type, __entry->p2p ? "/p2p" : ""
 
+#define CHANCTX_ENTRY   __field(int, freq)                                      \
+                        __field(int, chantype)                                  \
+                        __field(u8, rx_chains_static)                           \
+                        __field(u8, rx_chains_dynamic)
+#define CHANCTX_ASSIGN  __entry->freq = ctx->conf.channel->center_freq;         \
+                        __entry->chantype = ctx->conf.channel_type;             \
+                        __entry->rx_chains_static = ctx->conf.rx_chains_static; \
+                        __entry->rx_chains_dynamic = ctx->conf.rx_chains_dynamic
+#define CHANCTX_PR_FMT  " freq:%d MHz chantype:%d chains:%d/%d"
+#define CHANCTX_PR_ARG  __entry->freq, __entry->chantype,                       \
+                        __entry->rx_chains_static, __entry->rx_chains_dynamic
+
+
+
 /*
  * Tracing for driver callbacks.
  */
@@ -301,20 +315,36 @@ TRACE_EVENT(drv_bss_info_changed,
         TP_STRUCT__entry(
                 LOCAL_ENTRY
                 VIF_ENTRY
+                __field(u32, changed)
                 __field(bool, assoc)
+                __field(bool, ibss_joined)
+                __field(bool, ibss_creator)
                 __field(u16, aid)
                 __field(bool, cts)
                 __field(bool, shortpre)
                 __field(bool, shortslot)
+                __field(bool, enable_beacon)
                 __field(u8, dtimper)
                 __field(u16, bcnint)
                 __field(u16, assoc_cap)
                 __field(u64, sync_tsf)
                 __field(u32, sync_device_ts)
                 __field(u32, basic_rates)
-                __field(u32, changed)
-                __field(bool, enable_beacon)
+                __array(int, mcast_rate, IEEE80211_NUM_BANDS)
                 __field(u16, ht_operation_mode)
+                __field(s32, cqm_rssi_thold);
+                __field(s32, cqm_rssi_hyst);
+                __field(u32, channel_type);
+                __dynamic_array(u32, arp_addr_list, info->arp_addr_cnt);
+                __field(bool, arp_filter_enabled);
+                __field(bool, qos);
+                __field(bool, idle);
+                __field(bool, ps);
+                __dynamic_array(u8, ssid, info->ssid_len);
+                __field(bool, hidden_ssid);
+                __field(int, txpower)
+                __field(u8, p2p_ctwindow)
+                __field(bool, p2p_oppps)
         ),
 
         TP_fast_assign(
@@ -323,17 +353,35 @@ TRACE_EVENT(drv_bss_info_changed,
                 __entry->changed = changed;
                 __entry->aid = info->aid;
                 __entry->assoc = info->assoc;
+                __entry->ibss_joined = info->ibss_joined;
+                __entry->ibss_creator = info->ibss_creator;
                 __entry->shortpre = info->use_short_preamble;
                 __entry->cts = info->use_cts_prot;
                 __entry->shortslot = info->use_short_slot;
+                __entry->enable_beacon = info->enable_beacon;
                 __entry->dtimper = info->dtim_period;
                 __entry->bcnint = info->beacon_int;
                 __entry->assoc_cap = info->assoc_capability;
                 __entry->sync_tsf = info->sync_tsf;
                 __entry->sync_device_ts = info->sync_device_ts;
                 __entry->basic_rates = info->basic_rates;
-                __entry->enable_beacon = info->enable_beacon;
+                memcpy(__entry->mcast_rate, info->mcast_rate,
+                       sizeof(__entry->mcast_rate));
                 __entry->ht_operation_mode = info->ht_operation_mode;
+                __entry->cqm_rssi_thold = info->cqm_rssi_thold;
+                __entry->cqm_rssi_hyst = info->cqm_rssi_hyst;
+                __entry->channel_type = info->channel_type;
+                memcpy(__get_dynamic_array(arp_addr_list), info->arp_addr_list,
+                       sizeof(u32) * info->arp_addr_cnt);
+                __entry->arp_filter_enabled = info->arp_filter_enabled;
+                __entry->qos = info->qos;
+                __entry->idle = info->idle;
+                __entry->ps = info->ps;
+                memcpy(__get_dynamic_array(ssid), info->ssid, info->ssid_len);
+                __entry->hidden_ssid = info->hidden_ssid;
+                __entry->txpower = info->txpower;
+                __entry->p2p_ctwindow = info->p2p_ctwindow;
+                __entry->p2p_oppps = info->p2p_oppps;
         ),
 
         TP_printk(
@@ -1001,34 +1049,6 @@ DEFINE_EVENT(local_only_evt, drv_cancel_remain_on_channel,
         TP_ARGS(local)
 );
 
-TRACE_EVENT(drv_offchannel_tx,
-        TP_PROTO(struct ieee80211_local *local, struct sk_buff *skb,
-                 struct ieee80211_channel *chan,
-                 enum nl80211_channel_type channel_type,
-                 unsigned int wait),
-
-        TP_ARGS(local, skb, chan, channel_type, wait),
-
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                __field(int, center_freq)
-                __field(int, channel_type)
-                __field(unsigned int, wait)
-        ),
-
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                __entry->center_freq = chan->center_freq;
-                __entry->channel_type = channel_type;
-                __entry->wait = wait;
-        ),
-
-        TP_printk(
-                LOCAL_PR_FMT " freq:%dMHz, wait:%dms",
-                LOCAL_PR_ARG, __entry->center_freq, __entry->wait
-        )
-);
-
 TRACE_EVENT(drv_set_ringparam,
         TP_PROTO(struct ieee80211_local *local, u32 tx, u32 rx),
 
@@ -1256,6 +1276,146 @@ DEFINE_EVENT(local_sdata_evt, drv_mgd_prepare_tx,
         TP_ARGS(local, sdata)
 );
 
+DECLARE_EVENT_CLASS(local_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_chanctx *ctx),
+
+        TP_ARGS(local, ctx),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                CHANCTX_ENTRY
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                CHANCTX_ASSIGN;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT CHANCTX_PR_FMT,
+                LOCAL_PR_ARG, CHANCTX_PR_ARG
+        )
+);
+
+DEFINE_EVENT(local_chanctx, drv_add_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_chanctx *ctx),
+        TP_ARGS(local, ctx)
+);
+
+DEFINE_EVENT(local_chanctx, drv_remove_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_chanctx *ctx),
+        TP_ARGS(local, ctx)
+);
+
+TRACE_EVENT(drv_change_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_chanctx *ctx,
+                 u32 changed),
+
+        TP_ARGS(local, ctx, changed),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                CHANCTX_ENTRY
+                __field(u32, changed)
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                CHANCTX_ASSIGN;
+                __entry->changed = changed;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT CHANCTX_PR_FMT " changed:%#x",
+                LOCAL_PR_ARG, CHANCTX_PR_ARG, __entry->changed
+        )
+);
+
+DECLARE_EVENT_CLASS(local_sdata_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_chanctx *ctx),
+
+        TP_ARGS(local, sdata, ctx),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                CHANCTX_ENTRY
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                CHANCTX_ASSIGN;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT VIF_PR_FMT CHANCTX_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG, CHANCTX_PR_ARG
+        )
+);
+
+DEFINE_EVENT(local_sdata_chanctx, drv_assign_vif_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_chanctx *ctx),
+        TP_ARGS(local, sdata, ctx)
+);
+
+DEFINE_EVENT(local_sdata_chanctx, drv_unassign_vif_chanctx,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_chanctx *ctx),
+        TP_ARGS(local, sdata, ctx)
+);
+
+TRACE_EVENT(drv_start_ap,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_bss_conf *info),
+
+        TP_ARGS(local, sdata, info),
+
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(u8, dtimper)
+                __field(u16, bcnint)
+                __dynamic_array(u8, ssid, info->ssid_len);
+                __field(bool, hidden_ssid);
+        ),
+
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                __entry->dtimper = info->dtim_period;
+                __entry->bcnint = info->beacon_int;
+                memcpy(__get_dynamic_array(ssid), info->ssid, info->ssid_len);
+                __entry->hidden_ssid = info->hidden_ssid;
+        ),
+
+        TP_printk(
+                LOCAL_PR_FMT  VIF_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG
+        )
+);
+
+DEFINE_EVENT(local_sdata_evt, drv_stop_ap,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata)
+);
+
+DEFINE_EVENT(local_only_evt, drv_restart_complete,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+
 /*
  * Tracing for API calls that drivers call.
  */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c9bf83f36657..04076250264b 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -324,22 +324,20 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
         struct ieee80211_sub_if_data *sdata;
         struct sta_info *sta;
 
-        /*
-         * virtual interfaces are protected by RCU
-         */
-        rcu_read_lock();
-
         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
-                struct ieee80211_if_ap *ap;
-                if (sdata->vif.type != NL80211_IFTYPE_AP)
+                struct ps_data *ps;
+
+                if (sdata->vif.type == NL80211_IFTYPE_AP)
+                        ps = &sdata->u.ap.ps;
+                else
                         continue;
-                ap = &sdata->u.ap;
-                skb = skb_dequeue(&ap->ps_bc_buf);
+
+                skb = skb_dequeue(&ps->bc_buf);
                 if (skb) {
                         purged++;
                         dev_kfree_skb(skb);
                 }
-                total += skb_queue_len(&ap->ps_bc_buf);
+                total += skb_queue_len(&ps->bc_buf);
         }
 
         /*
@@ -360,8 +358,6 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
                 }
         }
 
-        rcu_read_unlock();
-
         local->total_ps_buffered = total;
         ps_dbg_hw(&local->hw, "PS buffers full - purged %d frames\n", purged);
 }
@@ -371,6 +367,7 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
 {
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
+        struct ps_data *ps;
 
         /*
          * broadcast/multicast frame
@@ -380,16 +377,24 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
          * This is done either by the hardware or us.
          */
 
-        /* powersaving STAs only in AP/VLAN mode */
-        if (!tx->sdata->bss)
+        /* powersaving STAs currently only in AP/VLAN mode */
+        if (tx->sdata->vif.type == NL80211_IFTYPE_AP ||
+            tx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+                if (!tx->sdata->bss)
+                        return TX_CONTINUE;
+
+                ps = &tx->sdata->bss->ps;
+        } else {
                 return TX_CONTINUE;
+        }
+
 
         /* no buffering for ordered frames */
         if (ieee80211_has_order(hdr->frame_control))
                 return TX_CONTINUE;
 
         /* no stations in PS mode */
-        if (!atomic_read(&tx->sdata->bss->num_sta_ps))
+        if (!atomic_read(&ps->num_sta_ps))
                 return TX_CONTINUE;
 
         info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
@@ -404,14 +409,14 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
         if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
                 purge_old_ps_buffers(tx->local);
 
-        if (skb_queue_len(&tx->sdata->bss->ps_bc_buf) >= AP_MAX_BC_BUFFER) {
+        if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
                 ps_dbg(tx->sdata,
                        "BC TX buffer full - dropping the oldest frame\n");
-                dev_kfree_skb(skb_dequeue(&tx->sdata->bss->ps_bc_buf));
+                dev_kfree_skb(skb_dequeue(&ps->bc_buf));
         } else
                 tx->local->total_ps_buffered++;
 
-        skb_queue_tail(&tx->sdata->bss->ps_bc_buf, tx->skb);
+        skb_queue_tail(&ps->bc_buf, tx->skb);
 
         return TX_QUEUED;
 }
@@ -951,7 +956,6 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
         fragnum = 0;
 
         skb_queue_walk(&tx->skbs, skb) {
-                int next_len;
                 const __le16 morefrags = cpu_to_le16(IEEE80211_FCTL_MOREFRAGS);
 
                 hdr = (void *)skb->data;
@@ -970,7 +974,6 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
                         info->flags &= ~IEEE80211_TX_CTL_RATE_CTRL_PROBE;
                 } else {
                         hdr->frame_control &= ~morefrags;
-                        next_len = 0;
                 }
                 hdr->seq_ctrl |= cpu_to_le16(fragnum & IEEE80211_SCTL_FRAG);
                 fragnum++;
@@ -1358,7 +1361,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
                 if (tx->skb)
                         ieee80211_free_txskb(&tx->local->hw, tx->skb);
                 else
-                        __skb_queue_purge(&tx->skbs);
+                        ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
                 return -1;
         } else if (unlikely(res == TX_QUEUED)) {
                 I802_DEBUG_INC(tx->local->tx_handlers_queued);
@@ -1372,7 +1375,8 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
  * Returns false if the frame couldn't be transmitted but was queued instead.
  */
 static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
-                         struct sk_buff *skb, bool txpending)
+                         struct sk_buff *skb, bool txpending,
+                         enum ieee80211_band band)
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_tx_data tx;
@@ -1386,20 +1390,18 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
                 return true;
         }
 
-        rcu_read_lock();
-
         /* initialises tx */
         led_len = skb->len;
         res_prepare = ieee80211_tx_prepare(sdata, &tx, skb);
 
         if (unlikely(res_prepare == TX_DROP)) {
                 ieee80211_free_txskb(&local->hw, skb);
-                goto out;
+                return true;
         } else if (unlikely(res_prepare == TX_QUEUED)) {
-                goto out;
+                return true;
         }
 
-        info->band = local->hw.conf.channel->band;
+        info->band = band;
 
         /* set up hw_queue value early */
         if (!(info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) ||
@@ -1410,8 +1412,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
         if (!invoke_tx_handlers(&tx))
                 result = __ieee80211_tx(local, &tx.skbs, led_len,
                                         tx.sta, txpending);
- out:
-        rcu_read_unlock();
+
         return result;
 }
 
@@ -1446,7 +1447,8 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
         return 0;
 }
 
-void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
+void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb,
+                    enum ieee80211_band band)
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
@@ -1454,8 +1456,6 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
         int headroom;
         bool may_encrypt;
 
-        rcu_read_lock();
-
         may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT);
 
         headroom = local->tx_headroom;
@@ -1466,7 +1466,6 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
 
         if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
                 ieee80211_free_txskb(&local->hw, skb);
-                rcu_read_unlock();
                 return;
         }
 
@@ -1478,13 +1477,11 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
             !is_multicast_ether_addr(hdr->addr1) &&
             mesh_nexthop_resolve(skb, sdata)) {
                 /* skb queued: don't free */
-                rcu_read_unlock();
                 return;
         }
 
         ieee80211_set_qos_hdr(sdata, skb);
-        ieee80211_tx(sdata, skb, false);
-        rcu_read_unlock();
+        ieee80211_tx(sdata, skb, false, band);
 }
 
 static bool ieee80211_parse_tx_radiotap(struct sk_buff *skb)
@@ -1574,7 +1571,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                                          struct net_device *dev)
 {
         struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-        struct ieee80211_channel *chan = local->hw.conf.channel;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_channel *chan;
         struct ieee80211_radiotap_header *prthdr =
                 (struct ieee80211_radiotap_header *)skb->data;
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
@@ -1583,26 +1581,6 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
         u16 len_rthdr;
         int hdrlen;
 
-        /*
-         * Frame injection is not allowed if beaconing is not allowed
-         * or if we need radar detection. Beaconing is usually not allowed when
-         * the mode or operation (Adhoc, AP, Mesh) does not support DFS.
-         * Passive scan is also used in world regulatory domains where
-         * your country is not known and as such it should be treated as
-         * NO TX unless the channel is explicitly allowed in which case
-         * your current regulatory domain would not have the passive scan
-         * flag.
-         *
-         * Since AP mode uses monitor interfaces to inject/TX management
-         * frames we can make AP mode the exception to this rule once it
-         * supports radar detection as its implementation can deal with
-         * radar detection by itself. We can do that later by adding a
-         * monitor flag interfaces used for AP support.
-         */
-        if ((chan->flags & (IEEE80211_CHAN_NO_IBSS | IEEE80211_CHAN_RADAR |
-             IEEE80211_CHAN_PASSIVE_SCAN)))
-                goto fail;
-
         /* check for not even having the fixed radiotap header part */
         if (unlikely(skb->len < sizeof(struct ieee80211_radiotap_header)))
                 goto fail; /* too short to be possibly valid */
@@ -1688,11 +1666,45 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                 }
         }
 
-        ieee80211_xmit(sdata, skb);
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        if (!chanctx_conf) {
+                tmp_sdata = rcu_dereference(local->monitor_sdata);
+                if (tmp_sdata)
+                        chanctx_conf =
+                                rcu_dereference(tmp_sdata->vif.chanctx_conf);
+        }
+        if (!chanctx_conf)
+                goto fail_rcu;
+
+        chan = chanctx_conf->channel;
+
+        /*
+         * Frame injection is not allowed if beaconing is not allowed
+         * or if we need radar detection. Beaconing is usually not allowed when
+         * the mode or operation (Adhoc, AP, Mesh) does not support DFS.
+         * Passive scan is also used in world regulatory domains where
+         * your country is not known and as such it should be treated as
+         * NO TX unless the channel is explicitly allowed in which case
+         * your current regulatory domain would not have the passive scan
+         * flag.
+         *
+         * Since AP mode uses monitor interfaces to inject/TX management
+         * frames we can make AP mode the exception to this rule once it
+         * supports radar detection as its implementation can deal with
+         * radar detection by itself. We can do that later by adding a
+         * monitor flag interfaces used for AP support.
+         */
+        if ((chan->flags & (IEEE80211_CHAN_NO_IBSS | IEEE80211_CHAN_RADAR |
+                            IEEE80211_CHAN_PASSIVE_SCAN)))
+                goto fail_rcu;
+
+        ieee80211_xmit(sdata, skb, chan->band);
         rcu_read_unlock();
 
         return NETDEV_TX_OK;
 
+fail_rcu:
+        rcu_read_unlock();
 fail:
         dev_kfree_skb(skb);
         return NETDEV_TX_OK; /* meaning, we dealt with the skb */
@@ -1734,6 +1746,9 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         bool multicast;
         u32 info_flags = 0;
         u16 info_id = 0;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_sub_if_data *ap_sdata;
+        enum ieee80211_band band;
 
         if (unlikely(skb->len < ETH_HLEN))
                 goto fail;
@@ -1743,9 +1758,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         ethertype = (skb->data[12] << 8) | skb->data[13];
         fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA);
 
+        rcu_read_lock();
+
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP_VLAN:
-                rcu_read_lock();
                 sta = rcu_dereference(sdata->u.vlan.sta);
                 if (sta) {
                         fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
@@ -1758,7 +1774,12 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
                         wme_sta = test_sta_flag(sta, WLAN_STA_WME);
                 }
-                rcu_read_unlock();
+                ap_sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
+                                        u.ap);
+                chanctx_conf = rcu_dereference(ap_sdata->vif.chanctx_conf);
+                if (!chanctx_conf)
+                        goto fail_rcu;
+                band = chanctx_conf->channel->band;
                 if (sta)
                         break;
                 /* fall through */
@@ -1769,6 +1790,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 memcpy(hdr.addr2, sdata->vif.addr, ETH_ALEN);
                 memcpy(hdr.addr3, skb->data + ETH_ALEN, ETH_ALEN);
                 hdrlen = 24;
+                if (sdata->vif.type == NL80211_IFTYPE_AP)
+                        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (!chanctx_conf)
+                        goto fail_rcu;
+                band = chanctx_conf->channel->band;
                 break;
         case NL80211_IFTYPE_WDS:
                 fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS);
@@ -1778,15 +1804,20 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 memcpy(hdr.addr3, skb->data, ETH_ALEN);
                 memcpy(hdr.addr4, skb->data + ETH_ALEN, ETH_ALEN);
                 hdrlen = 30;
+                /*
+                 * This is the exception! WDS style interfaces are prohibited
+                 * when channel contexts are in used so this must be valid
+                 */
+                band = local->hw.conf.channel->band;
                 break;
 #ifdef CONFIG_MAC80211_MESH
         case NL80211_IFTYPE_MESH_POINT:
                 if (!sdata->u.mesh.mshcfg.dot11MeshTTL) {
                         /* Do not send frames with mesh_ttl == 0 */
                         sdata->u.mesh.mshstats.dropped_frames_ttl++;
-                        goto fail;
+                        goto fail_rcu;
                 }
-                rcu_read_lock();
+
                 if (!is_multicast_ether_addr(skb->data)) {
                         mpath = mesh_path_lookup(skb->data, sdata);
                         if (!mpath)
@@ -1803,7 +1834,6 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                     !(mppath && !ether_addr_equal(mppath->mpp, skb->data))) {
                         hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                         skb->data, skb->data + ETH_ALEN);
-                        rcu_read_unlock();
                         meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
                                         sdata, NULL, NULL);
                 } else {
@@ -1819,7 +1849,6 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                 mesh_da = mppath->mpp;
                         else if (mpath)
                                 mesh_da = mpath->dst;
-                        rcu_read_unlock();
 
                         hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                         mesh_da, sdata->vif.addr);
@@ -1839,13 +1868,16 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                                         skb->data + ETH_ALEN);
 
                 }
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (!chanctx_conf)
+                        goto fail_rcu;
+                band = chanctx_conf->channel->band;
                 break;
 #endif
         case NL80211_IFTYPE_STATION:
                 if (sdata->wdev.wiphy->flags & WIPHY_FLAG_SUPPORTS_TDLS) {
                         bool tdls_peer = false;
 
-                        rcu_read_lock();
                         sta = sta_info_get(sdata, skb->data);
                         if (sta) {
                                 authorized = test_sta_flag(sta,
@@ -1856,7 +1888,6 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                 tdls_auth = test_sta_flag(sta,
                                                 WLAN_STA_TDLS_PEER_AUTH);
                         }
-                        rcu_read_unlock();
 
                         /*
                          * If the TDLS link is enabled, send everything
@@ -1871,7 +1902,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 if (tdls_direct) {
                         /* link during setup - throw out frames to peer */
                         if (!tdls_auth)
-                                goto fail;
+                                goto fail_rcu;
 
                         /* DA SA BSSID */
                         memcpy(hdr.addr1, skb->data, ETH_ALEN);
@@ -1896,6 +1927,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         memcpy(hdr.addr3, skb->data, ETH_ALEN);
                         hdrlen = 24;
                 }
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (!chanctx_conf)
+                        goto fail_rcu;
+                band = chanctx_conf->channel->band;
                 break;
         case NL80211_IFTYPE_ADHOC:
                 /* DA SA BSSID */
@@ -1903,9 +1938,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 memcpy(hdr.addr2, skb->data + ETH_ALEN, ETH_ALEN);
                 memcpy(hdr.addr3, sdata->u.ibss.bssid, ETH_ALEN);
                 hdrlen = 24;
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (!chanctx_conf)
+                        goto fail_rcu;
+                band = chanctx_conf->channel->band;
                 break;
         default:
-                goto fail;
+                goto fail_rcu;
         }
 
         /*
@@ -1915,13 +1954,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
          */
         multicast = is_multicast_ether_addr(hdr.addr1);
         if (!multicast) {
-                rcu_read_lock();
                 sta = sta_info_get(sdata, hdr.addr1);
                 if (sta) {
                         authorized = test_sta_flag(sta, WLAN_STA_AUTHORIZED);
                         wme_sta = test_sta_flag(sta, WLAN_STA_WME);
                 }
-                rcu_read_unlock();
         }
 
         /* For mesh, the use of the QoS header is mandatory */
@@ -1949,7 +1986,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 
                 I802_DEBUG_INC(local->tx_handlers_drop_unauth_port);
 
-                goto fail;
+                goto fail_rcu;
         }
 
         if (unlikely(!multicast && skb->sk &&
@@ -2004,7 +2041,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 kfree_skb(tmp_skb);
 
                 if (!skb)
-                        goto fail;
+                        goto fail_rcu;
         }
 
         hdr.frame_control = fc;
@@ -2052,7 +2089,8 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 head_need = max_t(int, 0, head_need);
                 if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
                         ieee80211_free_txskb(&local->hw, skb);
-                        return NETDEV_TX_OK;
+                        skb = NULL;
+                        goto fail_rcu;
                 }
         }
 
@@ -2104,10 +2142,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         info->flags = info_flags;
         info->ack_frame_id = info_id;
 
-        ieee80211_xmit(sdata, skb);
+        ieee80211_xmit(sdata, skb, band);
+        rcu_read_unlock();
 
         return NETDEV_TX_OK;
 
+ fail_rcu:
+        rcu_read_unlock();
  fail:
         dev_kfree_skb(skb);
         return NETDEV_TX_OK;
@@ -2120,10 +2161,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
  */
 void ieee80211_clear_tx_pending(struct ieee80211_local *local)
 {
+        struct sk_buff *skb;
         int i;
 
-        for (i = 0; i < local->hw.queues; i++)
-                skb_queue_purge(&local->pending[i]);
+        for (i = 0; i < local->hw.queues; i++) {
+                while ((skb = skb_dequeue(&local->pending[i])) != NULL)
+                        ieee80211_free_txskb(&local->hw, skb);
+        }
 }
 
 /*
@@ -2139,11 +2183,18 @@ static bool ieee80211_tx_pending_skb(struct ieee80211_local *local,
         struct sta_info *sta;
         struct ieee80211_hdr *hdr;
         bool result;
+        struct ieee80211_chanctx_conf *chanctx_conf;
 
         sdata = vif_to_sdata(info->control.vif);
 
         if (info->flags & IEEE80211_TX_INTFL_NEED_TXPROCESSING) {
-                result = ieee80211_tx(sdata, skb, true);
+                chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+                if (unlikely(!chanctx_conf)) {
+                        dev_kfree_skb(skb);
+                        return true;
+                }
+                result = ieee80211_tx(sdata, skb, true,
+                                      chanctx_conf->channel->band);
         } else {
                 struct sk_buff_head skbs;
 
@@ -2211,9 +2262,8 @@ void ieee80211_tx_pending(unsigned long data)
 /* functions for drivers to get certain frames */
 
 static void ieee80211_beacon_add_tim(struct ieee80211_sub_if_data *sdata,
-                                     struct ieee80211_if_ap *bss,
-                                     struct sk_buff *skb,
-                                     struct beacon_data *beacon)
+                                     struct ps_data *ps,
+                                     struct sk_buff *skb)
 {
         u8 *pos, *tim;
         int aid0 = 0;
@@ -2221,27 +2271,27 @@ static void ieee80211_beacon_add_tim(struct ieee80211_sub_if_data *sdata,
 
         /* Generate bitmap for TIM only if there are any STAs in power save
          * mode. */
-        if (atomic_read(&bss->num_sta_ps) > 0)
+        if (atomic_read(&ps->num_sta_ps) > 0)
                 /* in the hope that this is faster than
                  * checking byte-for-byte */
-                have_bits = !bitmap_empty((unsigned long*)bss->tim,
+                have_bits = !bitmap_empty((unsigned long*)ps->tim,
                                           IEEE80211_MAX_AID+1);
 
-        if (bss->dtim_count == 0)
-                bss->dtim_count = sdata->vif.bss_conf.dtim_period - 1;
+        if (ps->dtim_count == 0)
+                ps->dtim_count = sdata->vif.bss_conf.dtim_period - 1;
         else
-                bss->dtim_count--;
+                ps->dtim_count--;
 
         tim = pos = (u8 *) skb_put(skb, 6);
         *pos++ = WLAN_EID_TIM;
         *pos++ = 4;
-        *pos++ = bss->dtim_count;
+        *pos++ = ps->dtim_count;
         *pos++ = sdata->vif.bss_conf.dtim_period;
 
-        if (bss->dtim_count == 0 && !skb_queue_empty(&bss->ps_bc_buf))
+        if (ps->dtim_count == 0 && !skb_queue_empty(&ps->bc_buf))
                 aid0 = 1;
 
-        bss->dtim_bc_mc = aid0 == 1;
+        ps->dtim_bc_mc = aid0 == 1;
 
         if (have_bits) {
                 /* Find largest even number N1 so that bits numbered 1 through
@@ -2249,14 +2299,14 @@ static void ieee80211_beacon_add_tim(struct ieee80211_sub_if_data *sdata,
                  * (N2 + 1) x 8 through 2007 are 0. */
                 n1 = 0;
                 for (i = 0; i < IEEE80211_MAX_TIM_LEN; i++) {
-                        if (bss->tim[i]) {
+                        if (ps->tim[i]) {
                                 n1 = i & 0xfe;
                                 break;
                         }
                 }
                 n2 = n1;
                 for (i = IEEE80211_MAX_TIM_LEN - 1; i >= n1; i--) {
-                        if (bss->tim[i]) {
+                        if (ps->tim[i]) {
                                 n2 = i;
                                 break;
                         }
@@ -2266,7 +2316,7 @@ static void ieee80211_beacon_add_tim(struct ieee80211_sub_if_data *sdata,
                 *pos++ = n1 | aid0;
                 /* Part Virt Bitmap */
                 skb_put(skb, n2 - n1);
-                memcpy(pos, bss->tim + n1, n2 - n1 + 1);
+                memcpy(pos, ps->tim + n1, n2 - n1 + 1);
 
                 tim[1] = n2 - n1 + 4;
         } else {
@@ -2283,16 +2333,16 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
         struct sk_buff *skb = NULL;
         struct ieee80211_tx_info *info;
         struct ieee80211_sub_if_data *sdata = NULL;
-        struct ieee80211_if_ap *ap = NULL;
-        struct beacon_data *beacon;
-        enum ieee80211_band band = local->oper_channel->band;
+        enum ieee80211_band band;
         struct ieee80211_tx_rate_control txrc;
+        struct ieee80211_chanctx_conf *chanctx_conf;
 
         rcu_read_lock();
 
         sdata = vif_to_sdata(vif);
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
 
-        if (!ieee80211_sdata_running(sdata))
+        if (!ieee80211_sdata_running(sdata) || !chanctx_conf)
                 goto out;
 
         if (tim_offset)
@@ -2301,8 +2351,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                 *tim_length = 0;
 
         if (sdata->vif.type == NL80211_IFTYPE_AP) {
-                ap = &sdata->u.ap;
-                beacon = rcu_dereference(ap->beacon);
+                struct ieee80211_if_ap *ap = &sdata->u.ap;
+                struct beacon_data *beacon = rcu_dereference(ap->beacon);
+
                 if (beacon) {
                         /*
                          * headroom, head length,
@@ -2326,14 +2377,12 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                          * of the tim bitmap in mac80211 and the driver.
                          */
                         if (local->tim_in_locked_section) {
-                                ieee80211_beacon_add_tim(sdata, ap, skb,
-                                                         beacon);
+                                ieee80211_beacon_add_tim(sdata, &ap->ps, skb);
                         } else {
                                 unsigned long flags;
 
                                 spin_lock_irqsave(&local->tim_lock, flags);
-                                ieee80211_beacon_add_tim(sdata, ap, skb,
-                                                         beacon);
+                                ieee80211_beacon_add_tim(sdata, &ap->ps, skb);
                                 spin_unlock_irqrestore(&local->tim_lock, flags);
                         }
 
@@ -2409,6 +2458,8 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                 *pos++ = WLAN_EID_SSID;
                 *pos++ = 0x0;
 
+                band = chanctx_conf->channel->band;
+
                 if (ieee80211_add_srates_ie(sdata, skb, true, band) ||
                     mesh_add_ds_params_ie(skb, sdata) ||
                     ieee80211_add_ext_srates_ie(sdata, skb, true, band) ||
@@ -2426,6 +2477,8 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                 goto out;
         }
 
+        band = chanctx_conf->channel->band;
+
         info = IEEE80211_SKB_CB(skb);
 
         info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
@@ -2653,29 +2706,40 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
         struct sk_buff *skb = NULL;
         struct ieee80211_tx_data tx;
         struct ieee80211_sub_if_data *sdata;
-        struct ieee80211_if_ap *bss = NULL;
-        struct beacon_data *beacon;
+        struct ps_data *ps;
         struct ieee80211_tx_info *info;
+        struct ieee80211_chanctx_conf *chanctx_conf;
 
         sdata = vif_to_sdata(vif);
-        bss = &sdata->u.ap;
 
         rcu_read_lock();
-        beacon = rcu_dereference(bss->beacon);
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+        if (!chanctx_conf)
+                goto out;
 
-        if (sdata->vif.type != NL80211_IFTYPE_AP || !beacon || !beacon->head)
+        if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                struct beacon_data *beacon =
+                                rcu_dereference(sdata->u.ap.beacon);
+
+                if (!beacon || !beacon->head)
+                        goto out;
+
+                ps = &sdata->u.ap.ps;
+        } else {
                 goto out;
+        }
 
-        if (bss->dtim_count != 0 || !bss->dtim_bc_mc)
+        if (ps->dtim_count != 0 || !ps->dtim_bc_mc)
                 goto out; /* send buffered bc/mc only after DTIM beacon */
 
         while (1) {
-                skb = skb_dequeue(&bss->ps_bc_buf);
+                skb = skb_dequeue(&ps->bc_buf);
                 if (!skb)
                         goto out;
                 local->total_ps_buffered--;
 
-                if (!skb_queue_empty(&bss->ps_bc_buf) && skb->len >= 2) {
+                if (!skb_queue_empty(&ps->bc_buf) && skb->len >= 2) {
                         struct ieee80211_hdr *hdr =
                                 (struct ieee80211_hdr *) skb->data;
                         /* more buffered multicast/broadcast frames ==> set
@@ -2693,7 +2757,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
         info = IEEE80211_SKB_CB(skb);
 
         tx.flags |= IEEE80211_TX_PS_BUFFERED;
-        info->band = local->oper_channel->band;
+        info->band = chanctx_conf->channel->band;
 
         if (invoke_tx_handlers(&tx))
                 skb = NULL;
@@ -2704,8 +2768,9 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
 }
 EXPORT_SYMBOL(ieee80211_get_buffered_bc);
 
-void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
-                          struct sk_buff *skb, int tid)
+void __ieee80211_tx_skb_tid_band(struct ieee80211_sub_if_data *sdata,
+                                 struct sk_buff *skb, int tid,
+                                 enum ieee80211_band band)
 {
         int ac = ieee802_1d_to_ac[tid & 7];
 
@@ -2722,6 +2787,6 @@ void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
          * requirements are that we do not come into tx with bhs on.
          */
         local_bh_disable();
-        ieee80211_xmit(sdata, skb);
+        ieee80211_xmit(sdata, skb, band);
         local_bh_enable();
 }
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 22ca35054dd0..c4a60bfb9f14 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -406,7 +406,7 @@ void ieee80211_add_pending_skb(struct ieee80211_local *local,
         int queue = info->hw_queue;
 
         if (WARN_ON(!info->control.vif)) {
-                kfree_skb(skb);
+                ieee80211_free_txskb(&local->hw, skb);
                 return;
         }
 
@@ -431,7 +431,7 @@ void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
                 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 
                 if (WARN_ON(!info->control.vif)) {
-                        kfree_skb(skb);
+                        ieee80211_free_txskb(&local->hw, skb);
                         continue;
                 }
 
@@ -512,7 +512,7 @@ void ieee80211_wake_queues(struct ieee80211_hw *hw)
 EXPORT_SYMBOL(ieee80211_wake_queues);
 
 void ieee80211_iterate_active_interfaces(
-        struct ieee80211_hw *hw,
+        struct ieee80211_hw *hw, u32 iter_flags,
         void (*iterator)(void *data, u8 *mac,
                          struct ieee80211_vif *vif),
         void *data)
@@ -530,6 +530,9 @@ void ieee80211_iterate_active_interfaces(
                 default:
                         break;
                 }
+                if (!(iter_flags & IEEE80211_IFACE_ITER_RESUME_ALL) &&
+                    !(sdata->flags & IEEE80211_SDATA_IN_DRIVER))
+                        continue;
                 if (ieee80211_sdata_running(sdata))
                         iterator(data, sdata->vif.addr,
                                  &sdata->vif);
@@ -537,7 +540,9 @@ void ieee80211_iterate_active_interfaces(
 
         sdata = rcu_dereference_protected(local->monitor_sdata,
                                           lockdep_is_held(&local->iflist_mtx));
-        if (sdata)
+        if (sdata &&
+            (iter_flags & IEEE80211_IFACE_ITER_RESUME_ALL ||
+             sdata->flags & IEEE80211_SDATA_IN_DRIVER))
                 iterator(data, sdata->vif.addr, &sdata->vif);
 
         mutex_unlock(&local->iflist_mtx);
@@ -545,7 +550,7 @@ void ieee80211_iterate_active_interfaces(
 EXPORT_SYMBOL_GPL(ieee80211_iterate_active_interfaces);
 
 void ieee80211_iterate_active_interfaces_atomic(
-        struct ieee80211_hw *hw,
+        struct ieee80211_hw *hw, u32 iter_flags,
         void (*iterator)(void *data, u8 *mac,
                          struct ieee80211_vif *vif),
         void *data)
@@ -563,13 +568,18 @@ void ieee80211_iterate_active_interfaces_atomic(
                 default:
                         break;
                 }
+                if (!(iter_flags & IEEE80211_IFACE_ITER_RESUME_ALL) &&
+                    !(sdata->flags & IEEE80211_SDATA_IN_DRIVER))
+                        continue;
                 if (ieee80211_sdata_running(sdata))
                         iterator(data, sdata->vif.addr,
                                  &sdata->vif);
         }
 
         sdata = rcu_dereference(local->monitor_sdata);
-        if (sdata)
+        if (sdata &&
+            (iter_flags & IEEE80211_IFACE_ITER_RESUME_ALL ||
+             sdata->flags & IEEE80211_SDATA_IN_DRIVER))
                 iterator(data, sdata->vif.addr, &sdata->vif);
 
         rcu_read_unlock();
@@ -643,13 +653,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                         break;
                 }
 
-                if (id != WLAN_EID_VENDOR_SPECIFIC &&
-                    id != WLAN_EID_QUIET &&
-                    test_bit(id, seen_elems)) {
-                        elems->parse_error = true;
-                        left -= elen;
-                        pos += elen;
-                        continue;
+                switch (id) {
+                case WLAN_EID_SSID:
+                case WLAN_EID_SUPP_RATES:
+                case WLAN_EID_FH_PARAMS:
+                case WLAN_EID_DS_PARAMS:
+                case WLAN_EID_CF_PARAMS:
+                case WLAN_EID_TIM:
+                case WLAN_EID_IBSS_PARAMS:
+                case WLAN_EID_CHALLENGE:
+                case WLAN_EID_RSN:
+                case WLAN_EID_ERP_INFO:
+                case WLAN_EID_EXT_SUPP_RATES:
+                case WLAN_EID_HT_CAPABILITY:
+                case WLAN_EID_HT_OPERATION:
+                case WLAN_EID_VHT_CAPABILITY:
+                case WLAN_EID_VHT_OPERATION:
+                case WLAN_EID_MESH_ID:
+                case WLAN_EID_MESH_CONFIG:
+                case WLAN_EID_PEER_MGMT:
+                case WLAN_EID_PREQ:
+                case WLAN_EID_PREP:
+                case WLAN_EID_PERR:
+                case WLAN_EID_RANN:
+                case WLAN_EID_CHANNEL_SWITCH:
+                case WLAN_EID_EXT_CHANSWITCH_ANN:
+                case WLAN_EID_COUNTRY:
+                case WLAN_EID_PWR_CONSTRAINT:
+                case WLAN_EID_TIMEOUT_INTERVAL:
+                        if (test_bit(id, seen_elems)) {
+                                elems->parse_error = true;
+                                left -= elen;
+                                pos += elen;
+                                continue;
+                        }
+                        break;
                 }
 
                 if (calc_crc && id < 64 && (filter & (1ULL << id)))
@@ -741,6 +779,18 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                         else
                                 elem_parse_failed = true;
                         break;
+                case WLAN_EID_VHT_CAPABILITY:
+                        if (elen >= sizeof(struct ieee80211_vht_cap))
+                                elems->vht_cap_elem = (void *)pos;
+                        else
+                                elem_parse_failed = true;
+                        break;
+                case WLAN_EID_VHT_OPERATION:
+                        if (elen >= sizeof(struct ieee80211_vht_operation))
+                                elems->vht_operation = (void *)pos;
+                        else
+                                elem_parse_failed = true;
+                        break;
                 case WLAN_EID_MESH_ID:
                         elems->mesh_id = pos;
                         elems->mesh_id_len = elen;
@@ -809,7 +859,7 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                 if (elem_parse_failed)
                         elems->parse_error = true;
                 else
-                        set_bit(id, seen_elems);
+                        __set_bit(id, seen_elems);
 
                 left -= elen;
                 pos += elen;
@@ -832,6 +882,7 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_tx_queue_params qparam;
+        struct ieee80211_chanctx_conf *chanctx_conf;
         int ac;
         bool use_11b, enable_qos;
         int aCWmin, aCWmax;
@@ -844,8 +895,12 @@ void ieee80211_set_wmm_default(struct ieee80211_sub_if_data *sdata,
 
         memset(&qparam, 0, sizeof(qparam));
 
-        use_11b = (local->oper_channel->band == IEEE80211_BAND_2GHZ) &&
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+        use_11b = (chanctx_conf &&
+                   chanctx_conf->channel->band == IEEE80211_BAND_2GHZ) &&
                  !(sdata->flags & IEEE80211_SDATA_OPERATING_GMODE);
+        rcu_read_unlock();
 
         /*
          * By default disable QoS in STA mode for old access points, which do
@@ -924,7 +979,7 @@ void ieee80211_sta_def_wmm_params(struct ieee80211_sub_if_data *sdata,
                                   const size_t supp_rates_len,
                                   const u8 *supp_rates)
 {
-        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx_conf *chanctx_conf;
         int i, have_higher_than_11mbit = 0;
 
         /* cf. IEEE 802.11 9.2.12 */
@@ -932,11 +987,16 @@ void ieee80211_sta_def_wmm_params(struct ieee80211_sub_if_data *sdata,
                 if ((supp_rates[i] & 0x7f) * 5 > 110)
                         have_higher_than_11mbit = 1;
 
-        if (local->oper_channel->band == IEEE80211_BAND_2GHZ &&
+        rcu_read_lock();
+        chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+
+        if (chanctx_conf &&
+            chanctx_conf->channel->band == IEEE80211_BAND_2GHZ &&
             have_higher_than_11mbit)
                 sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
         else
                 sdata->flags &= ~IEEE80211_SDATA_OPERATING_GMODE;
+        rcu_read_unlock();
 
         ieee80211_set_wmm_default(sdata, true);
 }
@@ -968,7 +1028,7 @@ u32 ieee80211_mandatory_rates(struct ieee80211_local *local,
 }
 
 void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
-                         u16 transaction, u16 auth_alg,
+                         u16 transaction, u16 auth_alg, u16 status,
                          u8 *extra, size_t extra_len, const u8 *da,
                          const u8 *bssid, const u8 *key, u8 key_len, u8 key_idx)
 {
@@ -993,7 +1053,7 @@ void ieee80211_send_auth(struct ieee80211_sub_if_data *sdata,
         memcpy(mgmt->bssid, bssid, ETH_ALEN);
         mgmt->u.auth.auth_alg = cpu_to_le16(auth_alg);
         mgmt->u.auth.auth_transaction = cpu_to_le16(transaction);
-        mgmt->u.auth.status_code = cpu_to_le16(0);
+        mgmt->u.auth.status_code = cpu_to_le16(status);
         if (extra)
                 memcpy(skb_put(skb, extra_len), extra, extra_len);
 
@@ -1206,7 +1266,7 @@ void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
                               const u8 *ssid, size_t ssid_len,
                               const u8 *ie, size_t ie_len,
                               u32 ratemask, bool directed, bool no_cck,
-                              struct ieee80211_channel *channel)
+                              struct ieee80211_channel *channel, bool scan)
 {
         struct sk_buff *skb;
 
@@ -1217,7 +1277,10 @@ void ieee80211_send_probe_req(struct ieee80211_sub_if_data *sdata, u8 *dst,
                 if (no_cck)
                         IEEE80211_SKB_CB(skb)->flags |=
                                 IEEE80211_TX_CTL_NO_CCK_RATE;
-                ieee80211_tx_skb(sdata, skb);
+                if (scan)
+                        ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band);
+                else
+                        ieee80211_tx_skb(sdata, skb);
         }
 }
 
@@ -1280,6 +1343,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
 {
         struct ieee80211_hw *hw = &local->hw;
         struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_chanctx *ctx;
         struct sta_info *sta;
         int res, i;
 
@@ -1352,6 +1416,29 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                         res = drv_add_interface(local, sdata);
         }
 
+        /* add channel contexts */
+        mutex_lock(&local->chanctx_mtx);
+        list_for_each_entry(ctx, &local->chanctx_list, list)
+                WARN_ON(drv_add_chanctx(local, ctx));
+        mutex_unlock(&local->chanctx_mtx);
+
+        list_for_each_entry(sdata, &local->interfaces, list) {
+                struct ieee80211_chanctx_conf *ctx_conf;
+
+                if (!ieee80211_sdata_running(sdata))
+                        continue;
+
+                mutex_lock(&local->chanctx_mtx);
+                ctx_conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
+                                lockdep_is_held(&local->chanctx_mtx));
+                if (ctx_conf) {
+                        ctx = container_of(ctx_conf, struct ieee80211_chanctx,
+                                           conf);
+                        drv_assign_vif_chanctx(local, sdata, ctx);
+                }
+                mutex_unlock(&local->chanctx_mtx);
+        }
+
         /* add STAs back */
         mutex_lock(&local->sta_mtx);
         list_for_each_entry(sta, &local->sta_list, list) {
@@ -1407,7 +1494,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                           BSS_CHANGED_BSSID |
                           BSS_CHANGED_CQM |
                           BSS_CHANGED_QOS |
-                          BSS_CHANGED_IDLE;
+                          BSS_CHANGED_IDLE |
+                          BSS_CHANGED_TXPOWER;
 
                 switch (sdata->vif.type) {
                 case NL80211_IFTYPE_STATION:
@@ -1424,9 +1512,13 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                 case NL80211_IFTYPE_AP:
                         changed |= BSS_CHANGED_SSID;
 
-                        if (sdata->vif.type == NL80211_IFTYPE_AP)
+                        if (sdata->vif.type == NL80211_IFTYPE_AP) {
                                 changed |= BSS_CHANGED_AP_PROBE_RESP;
 
+                                if (rcu_access_pointer(sdata->u.ap.beacon))
+                                        drv_start_ap(local, sdata);
+                        }
+
                         /* fall through */
                 case NL80211_IFTYPE_MESH_POINT:
                         changed |= BSS_CHANGED_BEACON |
@@ -1463,6 +1555,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                 list_for_each_entry(sdata, &local->interfaces, list) {
                         if (sdata->vif.type != NL80211_IFTYPE_STATION)
                                 continue;
+                        if (!sdata->u.mgd.associated)
+                                continue;
 
                         ieee80211_send_nullfunc(local, sdata, 0);
                 }
@@ -1523,8 +1617,10 @@ int ieee80211_reconfig(struct ieee80211_local *local)
          * If this is for hw restart things are still running.
          * We may want to change that later, however.
          */
-        if (!local->suspended)
+        if (!local->suspended) {
+                drv_restart_complete(local);
                 return 0;
+        }
 
 #ifdef CONFIG_PM
         /* first set suspended false, then resuming */
@@ -1587,68 +1683,24 @@ void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
 }
 EXPORT_SYMBOL_GPL(ieee80211_resume_disconnect);
 
-static int check_mgd_smps(struct ieee80211_if_managed *ifmgd,
-                          enum ieee80211_smps_mode *smps_mode)
-{
-        if (ifmgd->associated) {
-                *smps_mode = ifmgd->ap_smps;
-
-                if (*smps_mode == IEEE80211_SMPS_AUTOMATIC) {
-                        if (ifmgd->powersave)
-                                *smps_mode = IEEE80211_SMPS_DYNAMIC;
-                        else
-                                *smps_mode = IEEE80211_SMPS_OFF;
-                }
-
-                return 1;
-        }
-
-        return 0;
-}
-
-void ieee80211_recalc_smps(struct ieee80211_local *local)
+void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata)
 {
-        struct ieee80211_sub_if_data *sdata;
-        enum ieee80211_smps_mode smps_mode = IEEE80211_SMPS_OFF;
-        int count = 0;
-
-        mutex_lock(&local->iflist_mtx);
-
-        /*
-         * This function could be improved to handle multiple
-         * interfaces better, but right now it makes any
-         * non-station interfaces force SM PS to be turned
-         * off. If there are multiple station interfaces it
-         * could also use the best possible mode, e.g. if
-         * one is in static and the other in dynamic then
-         * dynamic is ok.
-         */
-
-        list_for_each_entry(sdata, &local->interfaces, list) {
-                if (!ieee80211_sdata_running(sdata))
-                        continue;
-                if (sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE)
-                        continue;
-                if (sdata->vif.type != NL80211_IFTYPE_STATION)
-                        goto set;
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_chanctx_conf *chanctx_conf;
+        struct ieee80211_chanctx *chanctx;
 
-                count += check_mgd_smps(&sdata->u.mgd, &smps_mode);
+        mutex_lock(&local->chanctx_mtx);
 
-                if (count > 1) {
-                        smps_mode = IEEE80211_SMPS_OFF;
-                        break;
-                }
-        }
+        chanctx_conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
+                                        lockdep_is_held(&local->chanctx_mtx));
 
-        if (smps_mode == local->smps_mode)
+        if (WARN_ON_ONCE(!chanctx_conf))
                 goto unlock;
 
- set:
-        local->smps_mode = smps_mode;
-        /* changed flag is auto-detected for this */
-        ieee80211_hw_config(local, 0);
+        chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, conf);
+        ieee80211_recalc_smps_chanctx(local, chanctx);
  unlock:
-        mutex_unlock(&local->iflist_mtx);
+        mutex_unlock(&local->chanctx_mtx);
 }
 
 static bool ieee80211_id_in_list(const u8 *ids, int n_ids, u8 id)
@@ -1788,8 +1840,8 @@ u8 *ieee80211_ie_build_vht_cap(u8 *pos, struct ieee80211_sta_vht_cap *vht_cap,
         __le32 tmp;
 
         *pos++ = WLAN_EID_VHT_CAPABILITY;
-        *pos++ = sizeof(struct ieee80211_vht_capabilities);
-        memset(pos, 0, sizeof(struct ieee80211_vht_capabilities));
+        *pos++ = sizeof(struct ieee80211_vht_cap);
+        memset(pos, 0, sizeof(struct ieee80211_vht_cap));
 
         /* capability flags */
         tmp = cpu_to_le32(cap);
@@ -1947,3 +1999,19 @@ int ieee80211_ave_rssi(struct ieee80211_vif *vif)
         return ifmgd->ave_beacon_signal;
 }
 EXPORT_SYMBOL_GPL(ieee80211_ave_rssi);
+
+u8 ieee80211_mcs_to_chains(const struct ieee80211_mcs_info *mcs)
+{
+        if (!mcs)
+                return 1;
+
+        /* TODO: consider rx_highest */
+
+        if (mcs->rx_mask[3])
+                return 4;
+        if (mcs->rx_mask[2])
+                return 3;
+        if (mcs->rx_mask[1])
+                return 2;
+        return 1;
+}
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
new file mode 100644
index 000000000000..f311388aeedf
--- /dev/null
+++ b/net/mac80211/vht.c
@@ -0,0 +1,35 @@
+/*
+ * VHT handling
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/ieee80211.h>
+#include <linux/export.h>
+#include <net/mac80211.h>
+#include "ieee80211_i.h"
+
+
+void ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
+                                         struct ieee80211_supported_band *sband,
+                                         struct ieee80211_vht_cap *vht_cap_ie,
+                                         struct ieee80211_sta_vht_cap *vht_cap)
+{
+        if (WARN_ON_ONCE(!vht_cap))
+                return;
+
+        memset(vht_cap, 0, sizeof(*vht_cap));
+
+        if (!vht_cap_ie || !sband->vht_cap.vht_supported)
+                return;
+
+        vht_cap->vht_supported = true;
+
+        vht_cap->cap = le32_to_cpu(vht_cap_ie->vht_cap_info);
+
+        /* Copy peer MCS info, the driver might need them. */
+        memcpy(&vht_cap->vht_mcs, &vht_cap_ie->supp_mcs,
+               sizeof(struct ieee80211_vht_mcs_info));
+}
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bdb53aba888e..8bd2f5c6a56e 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
                 if (status->flag & RX_FLAG_MMIC_ERROR)
                         goto mic_fail;
 
-                if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
+                if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
+                    rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
                         goto update_iv;
 
                 return RX_CONTINUE;
@@ -545,14 +546,19 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
 
 static void bip_aad(struct sk_buff *skb, u8 *aad)
 {
+        __le16 mask_fc;
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+
         /* BIP AAD: FC(masked) || A1 || A2 || A3 */
 
         /* FC type/subtype */
-        aad[0] = skb->data[0];
         /* Mask FC Retry, PwrMgt, MoreData flags to zero */
-        aad[1] = skb->data[1] & ~(BIT(4) | BIT(5) | BIT(6));
+        mask_fc = hdr->frame_control;
+        mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
+                                IEEE80211_FCTL_MOREDATA);
+        put_unaligned(mask_fc, (__le16 *) &aad[0]);
         /* A1 || A2 || A3 */
-        memcpy(aad + 2, skb->data + 4, 3 * ETH_ALEN);
+        memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN);
 }
 
 
diff --git a/net/nfc/Kconfig b/net/nfc/Kconfig
index 8d8d9bc4b6ff..60c3bbb63e8e 100644
--- a/net/nfc/Kconfig
+++ b/net/nfc/Kconfig
@@ -3,8 +3,8 @@
 #
 
 menuconfig NFC
-        depends on NET && EXPERIMENTAL
-        tristate "NFC subsystem support (EXPERIMENTAL)"
+        depends on NET
+        tristate "NFC subsystem support"
         default n
         help
           Say Y here if you want to build support for NFC (Near field
diff --git a/net/nfc/core.c b/net/nfc/core.c
index 479bee36dc3e..aa64ea441676 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -40,6 +40,9 @@
 int nfc_devlist_generation;
 DEFINE_MUTEX(nfc_devlist_mutex);
 
+/* NFC device ID bitmap */
+static DEFINE_IDA(nfc_index_ida);
+
 /**
  * nfc_dev_up - turn on the NFC device
  *
@@ -181,6 +184,7 @@ int nfc_stop_poll(struct nfc_dev *dev)
 
         dev->ops->stop_poll(dev);
         dev->polling = false;
+        dev->rf_mode = NFC_RF_NONE;
 
 error:
         device_unlock(&dev->dev);
@@ -194,7 +198,7 @@ static struct nfc_target *nfc_find_target(struct nfc_dev *dev, u32 target_idx)
         if (dev->n_targets == 0)
                 return NULL;
 
-        for (i = 0; i < dev->n_targets ; i++) {
+        for (i = 0; i < dev->n_targets; i++) {
                 if (dev->targets[i].idx == target_idx)
                         return &dev->targets[i];
         }
@@ -274,12 +278,14 @@ int nfc_dep_link_down(struct nfc_dev *dev)
         if (!rc) {
                 dev->dep_link_up = false;
                 dev->active_target = NULL;
+                dev->rf_mode = NFC_RF_NONE;
                 nfc_llcp_mac_is_down(dev);
                 nfc_genl_dep_link_down_event(dev);
         }
 
 error:
         device_unlock(&dev->dev);
+
         return rc;
 }
 
@@ -503,6 +509,7 @@ EXPORT_SYMBOL(nfc_tm_activated);
 int nfc_tm_deactivated(struct nfc_dev *dev)
 {
         dev->dep_link_up = false;
+        dev->rf_mode = NFC_RF_NONE;
 
         return nfc_genl_tm_deactivated(dev);
 }
@@ -697,6 +704,8 @@ static void nfc_check_pres_work(struct work_struct *work)
 
         if (dev->active_target && timer_pending(&dev->check_pres_timer) == 0) {
                 rc = dev->ops->check_presence(dev, dev->active_target);
+                if (rc == -EOPNOTSUPP)
+                        goto exit;
                 if (!rc) {
                         mod_timer(&dev->check_pres_timer, jiffies +
                                   msecs_to_jiffies(NFC_CHECK_PRES_FREQ_MS));
@@ -708,6 +717,7 @@ static void nfc_check_pres_work(struct work_struct *work)
                 }
         }
 
+exit:
         device_unlock(&dev->dev);
 }
 
@@ -753,7 +763,6 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
                                     u32 supported_protocols,
                                     int tx_headroom, int tx_tailroom)
 {
-        static atomic_t dev_no = ATOMIC_INIT(0);
         struct nfc_dev *dev;
 
         if (!ops->start_poll || !ops->stop_poll || !ops->activate_target ||
@@ -767,11 +776,6 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
         if (!dev)
                 return NULL;
 
-        dev->dev.class = &nfc_class;
-        dev->idx = atomic_inc_return(&dev_no) - 1;
-        dev_set_name(&dev->dev, "nfc%d", dev->idx);
-        device_initialize(&dev->dev);
-
         dev->ops = ops;
         dev->supported_protocols = supported_protocols;
         dev->tx_headroom = tx_headroom;
@@ -779,6 +783,7 @@ struct nfc_dev *nfc_allocate_device(struct nfc_ops *ops,
 
         nfc_genl_data_init(&dev->genl_data);
 
+        dev->rf_mode = NFC_RF_NONE;
 
         /* first generation must not be 0 */
         dev->targets_generation = 1;
@@ -806,6 +811,14 @@ int nfc_register_device(struct nfc_dev *dev)
 
         pr_debug("dev_name=%s\n", dev_name(&dev->dev));
 
+        dev->idx = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
+        if (dev->idx < 0)
+                return dev->idx;
+
+        dev->dev.class = &nfc_class;
+        dev_set_name(&dev->dev, "nfc%d", dev->idx);
+        device_initialize(&dev->dev);
+
         mutex_lock(&nfc_devlist_mutex);
         nfc_devlist_generation++;
         rc = device_add(&dev->dev);
@@ -834,10 +847,12 @@ EXPORT_SYMBOL(nfc_register_device);
  */
 void nfc_unregister_device(struct nfc_dev *dev)
 {
-        int rc;
+        int rc, id;
 
         pr_debug("dev_name=%s\n", dev_name(&dev->dev));
 
+        id = dev->idx;
+
         mutex_lock(&nfc_devlist_mutex);
         nfc_devlist_generation++;
 
@@ -856,6 +871,8 @@ void nfc_unregister_device(struct nfc_dev *dev)
                 pr_debug("The userspace won't be notified that the device %s was removed\n",
                          dev_name(&dev->dev));
 
+        ida_simple_remove(&nfc_index_ida, id);
+
 }
 EXPORT_SYMBOL(nfc_unregister_device);
 
diff --git a/net/nfc/hci/command.c b/net/nfc/hci/command.c
index 71c6a7086b8f..7d99410e6c1a 100644
--- a/net/nfc/hci/command.c
+++ b/net/nfc/hci/command.c
@@ -257,16 +257,16 @@ static u8 nfc_hci_create_pipe(struct nfc_hci_dev *hdev, u8 dest_host,
         *result = nfc_hci_execute_cmd(hdev, NFC_HCI_ADMIN_PIPE,
                                       NFC_HCI_ADM_CREATE_PIPE,
                                       (u8 *) &params, sizeof(params), &skb);
-        if (*result == 0) {
-                resp = (struct hci_create_pipe_resp *)skb->data;
-                pipe = resp->pipe;
-                kfree_skb(skb);
+        if (*result < 0)
+                return NFC_HCI_INVALID_PIPE;
 
-                pr_debug("pipe created=%d\n", pipe);
+        resp = (struct hci_create_pipe_resp *)skb->data;
+        pipe = resp->pipe;
+        kfree_skb(skb);
 
-                return pipe;
-        } else
-                return NFC_HCI_INVALID_PIPE;
+        pr_debug("pipe created=%d\n", pipe);
+
+        return pipe;
 }
 
 static int nfc_hci_delete_pipe(struct nfc_hci_dev *hdev, u8 pipe)
@@ -279,8 +279,6 @@ static int nfc_hci_delete_pipe(struct nfc_hci_dev *hdev, u8 pipe)
 
 static int nfc_hci_clear_all_pipes(struct nfc_hci_dev *hdev)
 {
-        int r;
-
         u8 param[2];
 
         /* TODO: Find out what the identity reference data is
@@ -288,10 +286,8 @@ static int nfc_hci_clear_all_pipes(struct nfc_hci_dev *hdev)
 
         pr_debug("\n");
 
-        r = nfc_hci_execute_cmd(hdev, NFC_HCI_ADMIN_PIPE,
-                                NFC_HCI_ADM_CLEAR_ALL_PIPE, param, 2, NULL);
-
-        return 0;
+        return nfc_hci_execute_cmd(hdev, NFC_HCI_ADMIN_PIPE,
+                                   NFC_HCI_ADM_CLEAR_ALL_PIPE, param, 2, NULL);
 }
 
 int nfc_hci_disconnect_gate(struct nfc_hci_dev *hdev, u8 gate)
@@ -348,7 +344,7 @@ int nfc_hci_connect_gate(struct nfc_hci_dev *hdev, u8 dest_host, u8 dest_gate,
                 return -EADDRINUSE;
 
         if (pipe != NFC_HCI_INVALID_PIPE)
-                goto pipe_is_open;
+                goto open_pipe;
 
         switch (dest_gate) {
         case NFC_HCI_LINK_MGMT_GATE:
@@ -365,6 +361,7 @@ int nfc_hci_connect_gate(struct nfc_hci_dev *hdev, u8 dest_host, u8 dest_gate,
                 break;
         }
 
+open_pipe:
         r = nfc_hci_open_pipe(hdev, pipe);
         if (r < 0) {
                 if (pipe_created)
@@ -375,7 +372,6 @@ int nfc_hci_connect_gate(struct nfc_hci_dev *hdev, u8 dest_host, u8 dest_gate,
                 return r;
         }
 
-pipe_is_open:
         hdev->gate2pipe[dest_gate] = pipe;
 
         return 0;
diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index 5fbb6e40793e..7bea574d5934 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -33,17 +33,20 @@
 /* Largest headroom needed for outgoing HCI commands */
 #define HCI_CMDS_HEADROOM 1
 
-static int nfc_hci_result_to_errno(u8 result)
+int nfc_hci_result_to_errno(u8 result)
 {
         switch (result) {
         case NFC_HCI_ANY_OK:
                 return 0;
+        case NFC_HCI_ANY_E_REG_PAR_UNKNOWN:
+                return -EOPNOTSUPP;
         case NFC_HCI_ANY_E_TIMEOUT:
                 return -ETIME;
         default:
                 return -1;
         }
 }
+EXPORT_SYMBOL(nfc_hci_result_to_errno);
 
 static void nfc_hci_msg_tx_work(struct work_struct *work)
 {
@@ -65,8 +68,9 @@ static void nfc_hci_msg_tx_work(struct work_struct *work)
                                                           -ETIME);
                         kfree(hdev->cmd_pending_msg);
                         hdev->cmd_pending_msg = NULL;
-                } else
+                } else {
                         goto exit;
+                }
         }
 
 next_msg:
@@ -166,7 +170,7 @@ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
         kfree_skb(skb);
 }
 
-static u32 nfc_hci_sak_to_protocol(u8 sak)
+u32 nfc_hci_sak_to_protocol(u8 sak)
 {
         switch (NFC_HCI_TYPE_A_SEL_PROT(sak)) {
         case NFC_HCI_TYPE_A_SEL_PROT_MIFARE:
@@ -181,8 +185,9 @@ static u32 nfc_hci_sak_to_protocol(u8 sak)
                 return 0xffffffff;
         }
 }
+EXPORT_SYMBOL(nfc_hci_sak_to_protocol);
 
-static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
+int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
 {
         struct nfc_target *targets;
         struct sk_buff *atqa_skb = NULL;
@@ -263,7 +268,9 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
                 break;
         }
 
-        targets->hci_reader_gate = gate;
+        /* if driver set the new gate, we will skip the old one */
+        if (targets->hci_reader_gate == 0x00)
+                targets->hci_reader_gate = gate;
 
         r = nfc_targets_found(hdev->ndev, targets, 1);
 
@@ -275,11 +282,18 @@ exit:
 
         return r;
 }
+EXPORT_SYMBOL(nfc_hci_target_discovered);
 
 void nfc_hci_event_received(struct nfc_hci_dev *hdev, u8 pipe, u8 event,
                             struct sk_buff *skb)
 {
         int r = 0;
+        u8 gate = nfc_hci_pipe2gate(hdev, pipe);
+
+        if (gate == 0xff) {
+                pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
+                goto exit;
+        }
 
         switch (event) {
         case NFC_HCI_EVT_TARGET_DISCOVERED:
@@ -303,12 +317,14 @@ void nfc_hci_event_received(struct nfc_hci_dev *hdev, u8 pipe, u8 event,
                         goto exit;
                 }
 
-                r = nfc_hci_target_discovered(hdev,
-                                              nfc_hci_pipe2gate(hdev, pipe));
+                r = nfc_hci_target_discovered(hdev, gate);
                 break;
         default:
-                /* TODO: Unknown events are hardware specific
-                 * pass them to the driver (needs a new hci_ops) */
+                if (hdev->ops->event_received) {
+                        hdev->ops->event_received(hdev, gate, event, skb);
+                        return;
+                }
+
                 break;
         }
 
@@ -410,6 +426,10 @@ static int hci_dev_version(struct nfc_hci_dev *hdev)
 
         r = nfc_hci_get_param(hdev, NFC_HCI_ID_MGMT_GATE,
                               NFC_HCI_ID_MGMT_VERSION_SW, &skb);
+        if (r == -EOPNOTSUPP) {
+                pr_info("Software/Hardware info not available\n");
+                return 0;
+        }
         if (r < 0)
                 return r;
 
@@ -527,7 +547,8 @@ static int hci_start_poll(struct nfc_dev *nfc_dev,
                 return hdev->ops->start_poll(hdev, im_protocols, tm_protocols);
         else
                 return nfc_hci_send_event(hdev, NFC_HCI_RF_READER_A_GATE,
-                                       NFC_HCI_EVT_READER_REQUESTED, NULL, 0);
+                                          NFC_HCI_EVT_READER_REQUESTED,
+                                          NULL, 0);
 }
 
 static void hci_stop_poll(struct nfc_dev *nfc_dev)
@@ -538,6 +559,28 @@ static void hci_stop_poll(struct nfc_dev *nfc_dev)
                            NFC_HCI_EVT_END_OPERATION, NULL, 0);
 }
 
+static int hci_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
+                                __u8 comm_mode, __u8 *gb, size_t gb_len)
+{
+        struct nfc_hci_dev *hdev = nfc_get_drvdata(nfc_dev);
+
+        if (hdev->ops->dep_link_up)
+                return hdev->ops->dep_link_up(hdev, target, comm_mode,
+                                                gb, gb_len);
+
+        return 0;
+}
+
+static int hci_dep_link_down(struct nfc_dev *nfc_dev)
+{
+        struct nfc_hci_dev *hdev = nfc_get_drvdata(nfc_dev);
+
+        if (hdev->ops->dep_link_down)
+                return hdev->ops->dep_link_down(hdev);
+
+        return 0;
+}
+
 static int hci_activate_target(struct nfc_dev *nfc_dev,
                                struct nfc_target *target, u32 protocol)
 {
@@ -586,8 +629,8 @@ static int hci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
         switch (target->hci_reader_gate) {
         case NFC_HCI_RF_READER_A_GATE:
         case NFC_HCI_RF_READER_B_GATE:
-                if (hdev->ops->data_exchange) {
-                        r = hdev->ops->data_exchange(hdev, target, skb, cb,
+                if (hdev->ops->im_transceive) {
+                        r = hdev->ops->im_transceive(hdev, target, skb, cb,
                                                      cb_context);
                         if (r <= 0)     /* handled */
                                 break;
@@ -604,14 +647,14 @@ static int hci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
                                            skb->len, hci_transceive_cb, hdev);
                 break;
         default:
-                if (hdev->ops->data_exchange) {
-                        r = hdev->ops->data_exchange(hdev, target, skb, cb,
+                if (hdev->ops->im_transceive) {
+                        r = hdev->ops->im_transceive(hdev, target, skb, cb,
                                                      cb_context);
                         if (r == 1)
                                 r = -ENOTSUPP;
-                }
-                else
+                } else {
                         r = -ENOTSUPP;
+                }
                 break;
         }
 
@@ -620,6 +663,16 @@ static int hci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
         return r;
 }
 
+static int hci_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
+{
+        struct nfc_hci_dev *hdev = nfc_get_drvdata(nfc_dev);
+
+        if (hdev->ops->tm_send)
+                return hdev->ops->tm_send(hdev, skb);
+        else
+                return -ENOTSUPP;
+}
+
 static int hci_check_presence(struct nfc_dev *nfc_dev,
                               struct nfc_target *target)
 {
@@ -723,9 +776,12 @@ static struct nfc_ops hci_nfc_ops = {
         .dev_down = hci_dev_down,
         .start_poll = hci_start_poll,
         .stop_poll = hci_stop_poll,
+        .dep_link_up = hci_dep_link_up,
+        .dep_link_down = hci_dep_link_down,
         .activate_target = hci_activate_target,
         .deactivate_target = hci_deactivate_target,
         .im_transceive = hci_transceive,
+        .tm_send = hci_tm_send,
         .check_presence = hci_check_presence,
 };
 
@@ -848,7 +904,7 @@ void nfc_hci_driver_failure(struct nfc_hci_dev *hdev, int err)
 }
 EXPORT_SYMBOL(nfc_hci_driver_failure);
 
-void inline nfc_hci_recv_frame(struct nfc_hci_dev *hdev, struct sk_buff *skb)
+void nfc_hci_recv_frame(struct nfc_hci_dev *hdev, struct sk_buff *skb)
 {
         nfc_llc_rcv_from_drv(hdev->llc, skb);
 }
diff --git a/net/nfc/hci/llc.c b/net/nfc/hci/llc.c
index ae1205ded87f..fe5e966e5b88 100644
--- a/net/nfc/hci/llc.c
+++ b/net/nfc/hci/llc.c
@@ -72,7 +72,7 @@ int nfc_llc_register(const char *name, struct nfc_llc_ops *ops)
         llc_engine->ops = ops;
 
         INIT_LIST_HEAD(&llc_engine->entry);
-        list_add_tail (&llc_engine->entry, &llc_engines);
+        list_add_tail(&llc_engine->entry, &llc_engines);
 
         return 0;
 }
diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c
index 01cbc72943cd..27b313befc35 100644
--- a/net/nfc/hci/llc_shdlc.c
+++ b/net/nfc/hci/llc_shdlc.c
@@ -634,9 +634,9 @@ static void llc_shdlc_sm_work(struct work_struct *work)
                         r = llc_shdlc_connect_initiate(shdlc);
                 else
                         r = -ETIME;
-                if (r < 0)
+                if (r < 0) {
                         llc_shdlc_connect_complete(shdlc, r);
-                else {
+                } else {
                         mod_timer(&shdlc->connect_timer, jiffies +
                                   msecs_to_jiffies(SHDLC_CONNECT_VALUE_MS));
 
@@ -682,9 +682,8 @@ static void llc_shdlc_sm_work(struct work_struct *work)
                         llc_shdlc_handle_send_queue(shdlc);
                 }
 
-                if (shdlc->hard_fault) {
+                if (shdlc->hard_fault)
                         shdlc->llc_failure(shdlc->hdev, shdlc->hard_fault);
-                }
                 break;
         default:
                 break;
diff --git a/net/nfc/llcp/Kconfig b/net/nfc/llcp/Kconfig
index fbf5e8150908..a1a41cd68255 100644
--- a/net/nfc/llcp/Kconfig
+++ b/net/nfc/llcp/Kconfig
@@ -1,6 +1,6 @@
 config NFC_LLCP
-       depends on NFC && EXPERIMENTAL
-       bool "NFC LLCP support (EXPERIMENTAL)"
+       depends on NFC
+       bool "NFC LLCP support"
        default n
        help
          Say Y here if you want to build support for a kernel NFC LLCP
diff --git a/net/nfc/llcp/commands.c b/net/nfc/llcp/commands.c
index c45ccd6c094c..df24be48d4da 100644
--- a/net/nfc/llcp/commands.c
+++ b/net/nfc/llcp/commands.c
@@ -261,7 +261,6 @@ int nfc_llcp_disconnect(struct nfc_llcp_sock *sock)
         struct sk_buff *skb;
         struct nfc_dev *dev;
         struct nfc_llcp_local *local;
-        u16 size = 0;
 
         pr_debug("Sending DISC\n");
 
@@ -273,17 +272,10 @@ int nfc_llcp_disconnect(struct nfc_llcp_sock *sock)
         if (dev == NULL)
                 return -ENODEV;
 
-        size += LLCP_HEADER_SIZE;
-        size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE;
-
-        skb = alloc_skb(size, GFP_ATOMIC);
+        skb = llcp_allocate_pdu(sock, LLCP_PDU_DISC, 0);
         if (skb == NULL)
                 return -ENOMEM;
 
-        skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE);
-
-        skb = llcp_add_header(skb, sock->dsap, sock->ssap, LLCP_PDU_DISC);
-
         skb_queue_tail(&local->tx_queue, skb);
 
         return 0;
@@ -324,8 +316,7 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
         struct sk_buff *skb;
         u8 *service_name_tlv = NULL, service_name_tlv_length;
         u8 *miux_tlv = NULL, miux_tlv_length;
-        u8 *rw_tlv = NULL, rw_tlv_length, rw;
-        __be16 miux;
+        u8 *rw_tlv = NULL, rw_tlv_length;
         int err;
         u16 size = 0;
 
@@ -343,13 +334,11 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
                 size += service_name_tlv_length;
         }
 
-        miux = cpu_to_be16(LLCP_MAX_MIUX);
-        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
                                       &miux_tlv_length);
         size += miux_tlv_length;
 
-        rw = LLCP_MAX_RW;
-        rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
+        rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &local->rw, 0, &rw_tlv_length);
         size += rw_tlv_length;
 
         pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
@@ -386,8 +375,7 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
         struct nfc_llcp_local *local;
         struct sk_buff *skb;
         u8 *miux_tlv = NULL, miux_tlv_length;
-        u8 *rw_tlv = NULL, rw_tlv_length, rw;
-        __be16 miux;
+        u8 *rw_tlv = NULL, rw_tlv_length;
         int err;
         u16 size = 0;
 
@@ -397,13 +385,11 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
         if (local == NULL)
                 return -ENODEV;
 
-        miux = cpu_to_be16(LLCP_MAX_MIUX);
-        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
                                       &miux_tlv_length);
         size += miux_tlv_length;
 
-        rw = LLCP_MAX_RW;
-        rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
+        rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &local->rw, 0, &rw_tlv_length);
         size += rw_tlv_length;
 
         skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);
@@ -428,6 +414,52 @@ error_tlv:
         return err;
 }
 
+int nfc_llcp_send_snl(struct nfc_llcp_local *local, u8 tid, u8 sap)
+{
+        struct sk_buff *skb;
+        struct nfc_dev *dev;
+        u8 *sdres_tlv = NULL, sdres_tlv_length, sdres[2];
+        u16 size = 0;
+
+        pr_debug("Sending SNL tid 0x%x sap 0x%x\n", tid, sap);
+
+        if (local == NULL)
+                return -ENODEV;
+
+        dev = local->dev;
+        if (dev == NULL)
+                return -ENODEV;
+
+        sdres[0] = tid;
+        sdres[1] = sap;
+        sdres_tlv = nfc_llcp_build_tlv(LLCP_TLV_SDRES, sdres, 0,
+                                       &sdres_tlv_length);
+        if (sdres_tlv == NULL)
+                return -ENOMEM;
+
+        size += LLCP_HEADER_SIZE;
+        size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE;
+        size += sdres_tlv_length;
+
+        skb = alloc_skb(size, GFP_KERNEL);
+        if (skb == NULL) {
+                kfree(sdres_tlv);
+                return -ENOMEM;
+        }
+
+        skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE);
+
+        skb = llcp_add_header(skb, LLCP_SAP_SDP, LLCP_SAP_SDP, LLCP_PDU_SNL);
+
+        memcpy(skb_put(skb, sdres_tlv_length), sdres_tlv, sdres_tlv_length);
+
+        skb_queue_tail(&local->tx_queue, skb);
+
+        kfree(sdres_tlv);
+
+        return 0;
+}
+
 int nfc_llcp_send_dm(struct nfc_llcp_local *local, u8 ssap, u8 dsap, u8 reason)
 {
         struct sk_buff *skb;
@@ -496,6 +528,23 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
         if (local == NULL)
                 return -ENODEV;
 
+        /* Remote is ready but has not acknowledged our frames */
+        if((sock->remote_ready &&
+            skb_queue_len(&sock->tx_pending_queue) >= sock->rw &&
+            skb_queue_len(&sock->tx_queue) >= 2 * sock->rw)) {
+                pr_err("Pending queue is full %d frames\n",
+                       skb_queue_len(&sock->tx_pending_queue));
+                return -ENOBUFS;
+        }
+
+        /* Remote is not ready and we've been queueing enough frames */
+        if ((!sock->remote_ready &&
+             skb_queue_len(&sock->tx_queue) >= 2 * sock->rw)) {
+                pr_err("Tx queue is full %d frames\n",
+                       skb_queue_len(&sock->tx_queue));
+                return -ENOBUFS;
+        }
+
         msg_data = kzalloc(len, GFP_KERNEL);
         if (msg_data == NULL)
                 return -ENOMEM;
@@ -541,6 +590,63 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
         return len;
 }
 
+int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+                           struct msghdr *msg, size_t len)
+{
+        struct sk_buff *pdu;
+        struct nfc_llcp_local *local;
+        size_t frag_len = 0, remaining_len;
+        u8 *msg_ptr, *msg_data;
+        int err;
+
+        pr_debug("Send UI frame len %zd\n", len);
+
+        local = sock->local;
+        if (local == NULL)
+                return -ENODEV;
+
+        msg_data = kzalloc(len, GFP_KERNEL);
+        if (msg_data == NULL)
+                return -ENOMEM;
+
+        if (memcpy_fromiovec(msg_data, msg->msg_iov, len)) {
+                kfree(msg_data);
+                return -EFAULT;
+        }
+
+        remaining_len = len;
+        msg_ptr = msg_data;
+
+        while (remaining_len > 0) {
+
+                frag_len = min_t(size_t, sock->miu, remaining_len);
+
+                pr_debug("Fragment %zd bytes remaining %zd",
+                         frag_len, remaining_len);
+
+                pdu = nfc_alloc_send_skb(sock->dev, &sock->sk, MSG_DONTWAIT,
+                                         frag_len + LLCP_HEADER_SIZE, &err);
+                if (pdu == NULL) {
+                        pr_err("Could not allocate PDU\n");
+                        continue;
+                }
+
+                pdu = llcp_add_header(pdu, dsap, ssap, LLCP_PDU_UI);
+
+                memcpy(skb_put(pdu, frag_len), msg_ptr, frag_len);
+
+                /* No need to check for the peer RW for UI frames */
+                skb_queue_tail(&local->tx_queue, pdu);
+
+                remaining_len -= frag_len;
+                msg_ptr += frag_len;
+        }
+
+        kfree(msg_data);
+
+        return len;
+}
+
 int nfc_llcp_send_rr(struct nfc_llcp_sock *sock)
 {
         struct sk_buff *skb;
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index cc10d073c338..2df87056c6df 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -45,12 +45,38 @@ void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *sk)
         write_unlock(&l->lock);
 }
 
+static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
+{
+        struct nfc_llcp_local *local = sock->local;
+        struct sk_buff *s, *tmp;
+
+        pr_debug("%p\n", &sock->sk);
+
+        skb_queue_purge(&sock->tx_queue);
+        skb_queue_purge(&sock->tx_pending_queue);
+        skb_queue_purge(&sock->tx_backlog_queue);
+
+        if (local == NULL)
+                return;
+
+        /* Search for local pending SKBs that are related to this socket */
+        skb_queue_walk_safe(&local->tx_queue, s, tmp) {
+                if (s->sk != &sock->sk)
+                        continue;
+
+                skb_unlink(s, &local->tx_queue);
+                kfree_skb(s);
+        }
+}
+
 static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
 {
         struct sock *sk;
         struct hlist_node *node, *tmp;
         struct nfc_llcp_sock *llcp_sock;
 
+        skb_queue_purge(&local->tx_queue);
+
         write_lock(&local->sockets.lock);
 
         sk_for_each_safe(sk, node, tmp, &local->sockets.head) {
@@ -58,6 +84,8 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
 
                 bh_lock_sock(sk);
 
+                nfc_llcp_socket_purge(llcp_sock);
+
                 if (sk->sk_state == LLCP_CONNECTED)
                         nfc_put_device(llcp_sock->dev);
 
@@ -65,7 +93,8 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
                         struct nfc_llcp_sock *lsk, *n;
                         struct sock *accept_sk;
 
-                        list_for_each_entry_safe(lsk, n, &llcp_sock->accept_queue,
+                        list_for_each_entry_safe(lsk, n,
+                                                 &llcp_sock->accept_queue,
                                                  accept_queue) {
                                 accept_sk = &lsk->sk;
                                 bh_lock_sock(accept_sk);
@@ -85,6 +114,16 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
                         }
                 }
 
+                /*
+                 * If we have a connection less socket bound, we keep it alive
+                 * if the device is still present.
+                 */
+                if (sk->sk_state == LLCP_BOUND && sk->sk_type == SOCK_DGRAM &&
+                    listen == true) {
+                        bh_unlock_sock(sk);
+                        continue;
+                }
+
                 sk->sk_state = LLCP_CLOSED;
 
                 bh_unlock_sock(sk);
@@ -134,7 +173,7 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
 {
         struct sock *sk;
         struct hlist_node *node;
-        struct nfc_llcp_sock *llcp_sock;
+        struct nfc_llcp_sock *llcp_sock, *tmp_sock;
 
         pr_debug("ssap dsap %d %d\n", ssap, dsap);
 
@@ -146,10 +185,12 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
         llcp_sock = NULL;
 
         sk_for_each(sk, node, &local->sockets.head) {
-                llcp_sock = nfc_llcp_sock(sk);
+                tmp_sock = nfc_llcp_sock(sk);
 
-                if (llcp_sock->ssap == ssap && llcp_sock->dsap == dsap)
+                if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
+                        llcp_sock = tmp_sock;
                         break;
+                }
         }
 
         read_unlock(&local->sockets.lock);
@@ -249,7 +290,12 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
 
                 pr_debug("llcp sock %p\n", tmp_sock);
 
-                if (tmp_sock->sk.sk_state != LLCP_LISTEN)
+                if (tmp_sock->sk.sk_type == SOCK_STREAM &&
+                    tmp_sock->sk.sk_state != LLCP_LISTEN)
+                        continue;
+
+                if (tmp_sock->sk.sk_type == SOCK_DGRAM &&
+                    tmp_sock->sk.sk_state != LLCP_BOUND)
                         continue;
 
                 if (tmp_sock->service_name == NULL ||
@@ -421,10 +467,9 @@ static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local)
 static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
 {
         u8 *gb_cur, *version_tlv, version, version_length;
-        u8 *lto_tlv, lto, lto_length;
+        u8 *lto_tlv, lto_length;
         u8 *wks_tlv, wks_length;
         u8 *miux_tlv, miux_length;
-        __be16 miux;
         u8 gb_len = 0;
         int ret = 0;
 
@@ -433,9 +478,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
                                          1, &version_length);
         gb_len += version_length;
 
-        /* 1500 ms */
-        lto = 150;
-        lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &lto, 1, &lto_length);
+        lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
         gb_len += lto_length;
 
         pr_debug("Local wks 0x%lx\n", local->local_wks);
@@ -443,8 +486,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
                                      &wks_length);
         gb_len += wks_length;
 
-        miux = cpu_to_be16(LLCP_MAX_MIUX);
-        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+        miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
                                       &miux_length);
         gb_len += miux_length;
 
@@ -610,7 +652,12 @@ static void nfc_llcp_tx_work(struct work_struct *work)
         if (skb != NULL) {
                 sk = skb->sk;
                 llcp_sock = nfc_llcp_sock(sk);
-                if (llcp_sock != NULL) {
+
+                if (llcp_sock == NULL && nfc_llcp_ptype(skb) == LLCP_PDU_I) {
+                        nfc_llcp_send_symm(local->dev);
+                } else {
+                        struct sk_buff *copy_skb = NULL;
+                        u8 ptype = nfc_llcp_ptype(skb);
                         int ret;
 
                         pr_debug("Sending pending skb\n");
@@ -618,24 +665,29 @@ static void nfc_llcp_tx_work(struct work_struct *work)
                                        DUMP_PREFIX_OFFSET, 16, 1,
                                        skb->data, skb->len, true);
 
+                        if (ptype == LLCP_PDU_I)
+                                copy_skb = skb_copy(skb, GFP_ATOMIC);
+
                         nfc_llcp_send_to_raw_sock(local, skb,
                                                   NFC_LLCP_DIRECTION_TX);
 
                         ret = nfc_data_exchange(local->dev, local->target_idx,
                                                 skb, nfc_llcp_recv, local);
 
-                        if (!ret && nfc_llcp_ptype(skb) == LLCP_PDU_I) {
-                                skb = skb_get(skb);
-                                skb_queue_tail(&llcp_sock->tx_pending_queue,
-                                               skb);
+                        if (ret) {
+                                kfree_skb(copy_skb);
+                                goto out;
                         }
-                } else {
-                        nfc_llcp_send_symm(local->dev);
+
+                        if (ptype == LLCP_PDU_I && copy_skb)
+                                skb_queue_tail(&llcp_sock->tx_pending_queue,
+                                               copy_skb);
                 }
         } else {
                 nfc_llcp_send_symm(local->dev);
         }
 
+out:
         mod_timer(&local->link_timer,
                   jiffies + msecs_to_jiffies(2 * local->remote_lto));
 }
@@ -704,6 +756,39 @@ static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len)
         return NULL;
 }
 
+static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
+                             struct sk_buff *skb)
+{
+        struct nfc_llcp_sock *llcp_sock;
+        struct nfc_llcp_ui_cb *ui_cb;
+        u8 dsap, ssap;
+
+        dsap = nfc_llcp_dsap(skb);
+        ssap = nfc_llcp_ssap(skb);
+
+        ui_cb = nfc_llcp_ui_skb_cb(skb);
+        ui_cb->dsap = dsap;
+        ui_cb->ssap = ssap;
+
+        printk("%s %d %d\n", __func__, dsap, ssap);
+
+        pr_debug("%d %d\n", dsap, ssap);
+
+        /* We're looking for a bound socket, not a client one */
+        llcp_sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
+        if (llcp_sock == NULL || llcp_sock->sk.sk_type != SOCK_DGRAM)
+                return;
+
+        /* There is no sequence with UI frames */
+        skb_pull(skb, LLCP_HEADER_SIZE);
+        if (sock_queue_rcv_skb(&llcp_sock->sk, skb)) {
+                pr_err("receive queue is full\n");
+                skb_queue_head(&llcp_sock->tx_backlog_queue, skb);
+        }
+
+        nfc_llcp_sock_put(llcp_sock);
+}
+
 static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
                                   struct sk_buff *skb)
 {
@@ -823,9 +908,6 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
 fail:
         /* Send DM */
         nfc_llcp_send_dm(local, dsap, ssap, reason);
-
-        return;
-
 }
 
 int nfc_llcp_queue_i_frames(struct nfc_llcp_sock *sock)
@@ -953,6 +1035,9 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
 
         sk = &llcp_sock->sk;
         lock_sock(sk);
+
+        nfc_llcp_socket_purge(llcp_sock);
+
         if (sk->sk_state == LLCP_CLOSED) {
                 release_sock(sk);
                 nfc_llcp_sock_put(llcp_sock);
@@ -1027,7 +1112,7 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
         }
 
         if (llcp_sock == NULL) {
-                pr_err("Invalid DM\n");
+                pr_debug("Already closed\n");
                 return;
         }
 
@@ -1038,8 +1123,100 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
         sk->sk_state_change(sk);
 
         nfc_llcp_sock_put(llcp_sock);
+}
 
-        return;
+static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+                              struct sk_buff *skb)
+{
+        struct nfc_llcp_sock *llcp_sock;
+        u8 dsap, ssap, *tlv, type, length, tid, sap;
+        u16 tlv_len, offset;
+        char *service_name;
+        size_t service_name_len;
+
+        dsap = nfc_llcp_dsap(skb);
+        ssap = nfc_llcp_ssap(skb);
+
+        pr_debug("%d %d\n", dsap, ssap);
+
+        if (dsap != LLCP_SAP_SDP || ssap != LLCP_SAP_SDP) {
+                pr_err("Wrong SNL SAP\n");
+                return;
+        }
+
+        tlv = &skb->data[LLCP_HEADER_SIZE];
+        tlv_len = skb->len - LLCP_HEADER_SIZE;
+        offset = 0;
+
+        while (offset < tlv_len) {
+                type = tlv[0];
+                length = tlv[1];
+
+                switch (type) {
+                case LLCP_TLV_SDREQ:
+                        tid = tlv[2];
+                        service_name = (char *) &tlv[3];
+                        service_name_len = length - 1;
+
+                        pr_debug("Looking for %.16s\n", service_name);
+
+                        if (service_name_len == strlen("urn:nfc:sn:sdp") &&
+                            !strncmp(service_name, "urn:nfc:sn:sdp",
+                                     service_name_len)) {
+                                sap = 1;
+                                goto send_snl;
+                        }
+
+                        llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
+                                                          service_name_len);
+                        if (!llcp_sock) {
+                                sap = 0;
+                                goto send_snl;
+                        }
+
+                        /*
+                         * We found a socket but its ssap has not been reserved
+                         * yet. We need to assign it for good and send a reply.
+                         * The ssap will be freed when the socket is closed.
+                         */
+                        if (llcp_sock->ssap == LLCP_SDP_UNBOUND) {
+                                atomic_t *client_count;
+
+                                sap = nfc_llcp_reserve_sdp_ssap(local);
+
+                                pr_debug("Reserving %d\n", sap);
+
+                                if (sap == LLCP_SAP_MAX) {
+                                        sap = 0;
+                                        goto send_snl;
+                                }
+
+                                client_count =
+                                        &local->local_sdp_cnt[sap -
+                                                              LLCP_WKS_NUM_SAP];
+
+                                atomic_inc(client_count);
+
+                                llcp_sock->ssap = sap;
+                                llcp_sock->reserved_ssap = sap;
+                        } else {
+                                sap = llcp_sock->ssap;
+                        }
+
+                        pr_debug("%p %d\n", llcp_sock, sap);
+
+send_snl:
+                        nfc_llcp_send_snl(local, tid, sap);
+                        break;
+
+                default:
+                        pr_err("Invalid SNL tlv value 0x%x\n", type);
+                        break;
+                }
+
+                offset += length + 2;
+                tlv += length + 2;
+        }
 }
 
 static void nfc_llcp_rx_work(struct work_struct *work)
@@ -1072,6 +1249,11 @@ static void nfc_llcp_rx_work(struct work_struct *work)
                 pr_debug("SYMM\n");
                 break;
 
+        case LLCP_PDU_UI:
+                pr_debug("UI\n");
+                nfc_llcp_recv_ui(local, skb);
+                break;
+
         case LLCP_PDU_CONNECT:
                 pr_debug("CONNECT\n");
                 nfc_llcp_recv_connect(local, skb);
@@ -1092,6 +1274,11 @@ static void nfc_llcp_rx_work(struct work_struct *work)
                 nfc_llcp_recv_dm(local, skb);
                 break;
 
+        case LLCP_PDU_SNL:
+                pr_debug("SNL\n");
+                nfc_llcp_recv_snl(local, skb);
+                break;
+
         case LLCP_PDU_I:
         case LLCP_PDU_RR:
         case LLCP_PDU_RNR:
@@ -1104,8 +1291,6 @@ static void nfc_llcp_rx_work(struct work_struct *work)
         schedule_work(&local->tx_work);
         kfree_skb(local->rx_pending);
         local->rx_pending = NULL;
-
-        return;
 }
 
 void nfc_llcp_recv(void *data, struct sk_buff *skb, int err)
@@ -1121,8 +1306,6 @@ void nfc_llcp_recv(void *data, struct sk_buff *skb, int err)
         local->rx_pending = skb_get(skb);
         del_timer(&local->link_timer);
         schedule_work(&local->rx_work);
-
-        return;
 }
 
 int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb)
@@ -1205,12 +1388,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
         rwlock_init(&local->connecting_sockets.lock);
         rwlock_init(&local->raw_sockets.lock);
 
+        local->lto = 150; /* 1500 ms */
+        local->rw = LLCP_MAX_RW;
+        local->miux = cpu_to_be16(LLCP_MAX_MIUX);
+
         nfc_llcp_build_gb(local);
 
         local->remote_miu = LLCP_DEFAULT_MIU;
         local->remote_lto = LLCP_DEFAULT_LTO;
 
-        list_add(&llcp_devices, &local->list);
+        list_add(&local->list, &llcp_devices);
 
         return 0;
 }
diff --git a/net/nfc/llcp/llcp.h b/net/nfc/llcp/llcp.h
index fdb2d24e60bd..0d62366f8cc3 100644
--- a/net/nfc/llcp/llcp.h
+++ b/net/nfc/llcp/llcp.h
@@ -64,6 +64,9 @@ struct nfc_llcp_local {
         u32 target_idx;
         u8 rf_mode;
         u8 comm_mode;
+        u8 lto;
+        u8 rw;
+        __be16 miux;
         unsigned long local_wks;      /* Well known services */
         unsigned long local_sdp;      /* Local services  */
         unsigned long local_sap; /* Local SAPs, not available for discovery */
@@ -124,6 +127,13 @@ struct nfc_llcp_sock {
         struct sock *parent;
 };
 
+struct nfc_llcp_ui_cb {
+        __u8 dsap;
+        __u8 ssap;
+};
+
+#define nfc_llcp_ui_skb_cb(__skb) ((struct nfc_llcp_ui_cb *)&((__skb)->cb[0]))
+
 #define nfc_llcp_sock(sk) ((struct nfc_llcp_sock *) (sk))
 #define nfc_llcp_dev(sk)  (nfc_llcp_sock((sk))->dev)
 
@@ -209,10 +219,13 @@ int nfc_llcp_disconnect(struct nfc_llcp_sock *sock);
 int nfc_llcp_send_symm(struct nfc_dev *dev);
 int nfc_llcp_send_connect(struct nfc_llcp_sock *sock);
 int nfc_llcp_send_cc(struct nfc_llcp_sock *sock);
+int nfc_llcp_send_snl(struct nfc_llcp_local *local, u8 tid, u8 sap);
 int nfc_llcp_send_dm(struct nfc_llcp_local *local, u8 ssap, u8 dsap, u8 reason);
 int nfc_llcp_send_disconnect(struct nfc_llcp_sock *sock);
 int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
                           struct msghdr *msg, size_t len);
+int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+                           struct msghdr *msg, size_t len);
 int nfc_llcp_send_rr(struct nfc_llcp_sock *sock);
 
 /* Socket API */
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 63e4cdc92376..0fa1e92ceac8 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -205,8 +205,8 @@ static int llcp_sock_listen(struct socket *sock, int backlog)
 
         lock_sock(sk);
 
-        if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
-            || sk->sk_state != LLCP_BOUND) {
+        if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM) ||
+            sk->sk_state != LLCP_BOUND) {
                 ret = -EBADFD;
                 goto error;
         }
@@ -608,6 +608,25 @@ static int llcp_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
 
         lock_sock(sk);
 
+        if (sk->sk_type == SOCK_DGRAM) {
+                struct sockaddr_nfc_llcp *addr =
+                        (struct sockaddr_nfc_llcp *)msg->msg_name;
+
+                if (msg->msg_namelen < sizeof(*addr)) {
+                        release_sock(sk);
+
+                        pr_err("Invalid socket address length %d\n",
+                               msg->msg_namelen);
+
+                        return -EINVAL;
+                }
+
+                release_sock(sk);
+
+                return nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
+                                              msg, len);
+        }
+
         if (sk->sk_state != LLCP_CONNECTED) {
                 release_sock(sk);
                 return -ENOTCONN;
@@ -663,11 +682,28 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                 return -EFAULT;
         }
 
+        if (sk->sk_type == SOCK_DGRAM && msg->msg_name) {
+                struct nfc_llcp_ui_cb *ui_cb = nfc_llcp_ui_skb_cb(skb);
+                struct sockaddr_nfc_llcp sockaddr;
+
+                pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
+
+                sockaddr.sa_family = AF_NFC;
+                sockaddr.nfc_protocol = NFC_PROTO_NFC_DEP;
+                sockaddr.dsap = ui_cb->dsap;
+                sockaddr.ssap = ui_cb->ssap;
+
+                memcpy(msg->msg_name, &sockaddr, sizeof(sockaddr));
+                msg->msg_namelen = sizeof(sockaddr);
+        }
+
         /* Mark read part of skb as used */
         if (!(flags & MSG_PEEK)) {
 
                 /* SOCK_STREAM: re-queue skb if it contains unreceived data */
-                if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_RAW) {
+                if (sk->sk_type == SOCK_STREAM ||
+                    sk->sk_type == SOCK_DGRAM ||
+                    sk->sk_type == SOCK_RAW) {
                         skb_pull(skb, copied);
                         if (skb->len) {
                                 skb_queue_head(&sk->sk_receive_queue, skb);
diff --git a/net/nfc/nci/Kconfig b/net/nfc/nci/Kconfig
index decdc49b26d8..6d69b5f0f19b 100644
--- a/net/nfc/nci/Kconfig
+++ b/net/nfc/nci/Kconfig
@@ -1,6 +1,6 @@
 config NFC_NCI
-        depends on NFC && EXPERIMENTAL
-        tristate "NCI protocol support (EXPERIMENTAL)"
+        depends on NFC
+        tristate "NCI protocol support"
         default n
         help
           NCI (NFC Controller Interface) is a communication protocol between
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index acf9abb7d99b..5f98dc1bf039 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -205,10 +205,10 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
         cmd.num_disc_configs = 0;
 
         if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_JEWEL_MASK
-             || protocols & NFC_PROTO_MIFARE_MASK
-             || protocols & NFC_PROTO_ISO14443_MASK
-             || protocols & NFC_PROTO_NFC_DEP_MASK)) {
+            (protocols & NFC_PROTO_JEWEL_MASK ||
+             protocols & NFC_PROTO_MIFARE_MASK ||
+             protocols & NFC_PROTO_ISO14443_MASK ||
+             protocols & NFC_PROTO_NFC_DEP_MASK)) {
                 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                         NCI_NFC_A_PASSIVE_POLL_MODE;
                 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -224,8 +224,8 @@ static void nci_rf_discover_req(struct nci_dev *ndev, unsigned long opt)
         }
 
         if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
-            (protocols & NFC_PROTO_FELICA_MASK
-             || protocols & NFC_PROTO_NFC_DEP_MASK)) {
+            (protocols & NFC_PROTO_FELICA_MASK ||
+             protocols & NFC_PROTO_NFC_DEP_MASK)) {
                 cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
                         NCI_NFC_F_PASSIVE_POLL_MODE;
                 cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
@@ -414,13 +414,13 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
         struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
         struct nci_set_config_param param;
         __u8 local_gb[NFC_MAX_GT_LEN];
-        int i, rc = 0;
+        int i;
 
         param.val = nfc_get_local_general_bytes(nfc_dev, &param.len);
         if ((param.val == NULL) || (param.len == 0))
-                return rc;
+                return 0;
 
-        if (param.len > NCI_MAX_PARAM_LEN)
+        if (param.len > NFC_MAX_GT_LEN)
                 return -EINVAL;
 
         for (i = 0; i < param.len; i++)
@@ -429,10 +429,8 @@ static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
         param.id = NCI_PN_ATR_REQ_GEN_BYTES;
         param.val = local_gb;
 
-        rc = nci_request(ndev, nci_set_config_req, (unsigned long)&param,
-                         msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
-
-        return rc;
+        return nci_request(ndev, nci_set_config_req, (unsigned long)&param,
+                           msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
 }
 
 static int nci_start_poll(struct nfc_dev *nfc_dev,
@@ -579,7 +577,6 @@ static void nci_deactivate_target(struct nfc_dev *nfc_dev,
         }
 }
 
-
 static int nci_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
                            __u8 comm_mode, __u8 *gb, size_t gb_len)
 {
@@ -806,8 +803,8 @@ int nci_recv_frame(struct sk_buff *skb)
 
         pr_debug("len %d\n", skb->len);
 
-        if (!ndev || (!test_bit(NCI_UP, &ndev->flags)
-                      && !test_bit(NCI_INIT, &ndev->flags))) {
+        if (!ndev || (!test_bit(NCI_UP, &ndev->flags) &&
+            !test_bit(NCI_INIT, &ndev->flags))) {
                 kfree_skb(skb);
                 return -ENXIO;
         }
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index c1b5285cbde7..3568ae16786d 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -29,6 +29,8 @@
 
 #include "nfc.h"
 
+#include "llcp/llcp.h"
+
 static struct genl_multicast_group nfc_genl_event_mcgrp = {
         .name = NFC_GENL_MCAST_EVENT_NAME,
 };
@@ -364,7 +366,8 @@ static int nfc_genl_send_device(struct sk_buff *msg, struct nfc_dev *dev,
         if (nla_put_string(msg, NFC_ATTR_DEVICE_NAME, nfc_device_name(dev)) ||
             nla_put_u32(msg, NFC_ATTR_DEVICE_INDEX, dev->idx) ||
             nla_put_u32(msg, NFC_ATTR_PROTOCOLS, dev->supported_protocols) ||
-            nla_put_u8(msg, NFC_ATTR_DEVICE_POWERED, dev->dev_up))
+            nla_put_u8(msg, NFC_ATTR_DEVICE_POWERED, dev->dev_up) ||
+            nla_put_u8(msg, NFC_ATTR_RF_MODE, dev->rf_mode))
                 goto nla_put_failure;
 
         return genlmsg_end(msg, hdr);
@@ -590,7 +593,7 @@ static int nfc_genl_start_poll(struct sk_buff *skb, struct genl_info *info)
         if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
             ((!info->attrs[NFC_ATTR_IM_PROTOCOLS] &&
               !info->attrs[NFC_ATTR_PROTOCOLS]) &&
-             !info->attrs[NFC_ATTR_TM_PROTOCOLS]))
+              !info->attrs[NFC_ATTR_TM_PROTOCOLS]))
                 return -EINVAL;
 
         idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
@@ -715,6 +718,146 @@ static int nfc_genl_dep_link_down(struct sk_buff *skb, struct genl_info *info)
         return rc;
 }
 
+static int nfc_genl_send_params(struct sk_buff *msg,
+                                struct nfc_llcp_local *local,
+                                u32 portid, u32 seq)
+{
+        void *hdr;
+
+        hdr = genlmsg_put(msg, portid, seq, &nfc_genl_family, 0,
+                          NFC_CMD_LLC_GET_PARAMS);
+        if (!hdr)
+                return -EMSGSIZE;
+
+        if (nla_put_u32(msg, NFC_ATTR_DEVICE_INDEX, local->dev->idx) ||
+            nla_put_u8(msg, NFC_ATTR_LLC_PARAM_LTO, local->lto) ||
+            nla_put_u8(msg, NFC_ATTR_LLC_PARAM_RW, local->rw) ||
+            nla_put_u16(msg, NFC_ATTR_LLC_PARAM_MIUX, be16_to_cpu(local->miux)))
+                goto nla_put_failure;
+
+        return genlmsg_end(msg, hdr);
+
+nla_put_failure:
+
+        genlmsg_cancel(msg, hdr);
+        return -EMSGSIZE;
+}
+
+static int nfc_genl_llc_get_params(struct sk_buff *skb, struct genl_info *info)
+{
+        struct nfc_dev *dev;
+        struct nfc_llcp_local *local;
+        int rc = 0;
+        struct sk_buff *msg = NULL;
+        u32 idx;
+
+        if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
+                return -EINVAL;
+
+        idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
+
+        dev = nfc_get_device(idx);
+        if (!dev)
+                return -ENODEV;
+
+        device_lock(&dev->dev);
+
+        local = nfc_llcp_find_local(dev);
+        if (!local) {
+                rc = -ENODEV;
+                goto exit;
+        }
+
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg) {
+                rc = -ENOMEM;
+                goto exit;
+        }
+
+        rc = nfc_genl_send_params(msg, local, info->snd_portid, info->snd_seq);
+
+exit:
+        device_unlock(&dev->dev);
+
+        nfc_put_device(dev);
+
+        if (rc < 0) {
+                if (msg)
+                        nlmsg_free(msg);
+
+                return rc;
+        }
+
+        return genlmsg_reply(msg, info);
+}
+
+static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info)
+{
+        struct nfc_dev *dev;
+        struct nfc_llcp_local *local;
+        u8 rw = 0;
+        u16 miux = 0;
+        u32 idx;
+        int rc = 0;
+
+        if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
+            (!info->attrs[NFC_ATTR_LLC_PARAM_LTO] &&
+             !info->attrs[NFC_ATTR_LLC_PARAM_RW] &&
+             !info->attrs[NFC_ATTR_LLC_PARAM_MIUX]))
+                return -EINVAL;
+
+        if (info->attrs[NFC_ATTR_LLC_PARAM_RW]) {
+                rw = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_RW]);
+
+                if (rw > LLCP_MAX_RW)
+                        return -EINVAL;
+        }
+
+        if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX]) {
+                miux = nla_get_u16(info->attrs[NFC_ATTR_LLC_PARAM_MIUX]);
+
+                if (miux > LLCP_MAX_MIUX)
+                        return -EINVAL;
+        }
+
+        idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
+
+        dev = nfc_get_device(idx);
+        if (!dev)
+                return -ENODEV;
+
+        device_lock(&dev->dev);
+
+        local = nfc_llcp_find_local(dev);
+        if (!local) {
+                nfc_put_device(dev);
+                rc = -ENODEV;
+                goto exit;
+        }
+
+        if (info->attrs[NFC_ATTR_LLC_PARAM_LTO]) {
+                if (dev->dep_link_up) {
+                        rc = -EINPROGRESS;
+                        goto exit;
+                }
+
+                local->lto = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_LTO]);
+        }
+
+        if (info->attrs[NFC_ATTR_LLC_PARAM_RW])
+                local->rw = rw;
+
+        if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX])
+                local->miux = cpu_to_be16(miux);
+
+exit:
+        device_unlock(&dev->dev);
+
+        nfc_put_device(dev);
+
+        return rc;
+}
+
 static struct genl_ops nfc_genl_ops[] = {
         {
                 .cmd = NFC_CMD_GET_DEVICE,
@@ -759,6 +902,16 @@ static struct genl_ops nfc_genl_ops[] = {
                 .done = nfc_genl_dump_targets_done,
                 .policy = nfc_genl_policy,
         },
+        {
+                .cmd = NFC_CMD_LLC_GET_PARAMS,
+                .doit = nfc_genl_llc_get_params,
+                .policy = nfc_genl_policy,
+        },
+        {
+                .cmd = NFC_CMD_LLC_SET_PARAMS,
+                .doit = nfc_genl_llc_set_params,
+                .policy = nfc_genl_policy,
+        },
 };
 
 
diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
index c5e42b79a418..87d914d2876a 100644
--- a/net/nfc/nfc.h
+++ b/net/nfc/nfc.h
@@ -56,6 +56,7 @@ void nfc_llcp_unregister_device(struct nfc_dev *dev);
 int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len);
 u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len);
 int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb);
+struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
 int __init nfc_llcp_init(void);
 void nfc_llcp_exit(void);
 
@@ -97,6 +98,11 @@ static inline int nfc_llcp_data_received(struct nfc_dev *dev,
         return 0;
 }
 
+static inline struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
+{
+        return NULL;
+}
+
 static inline int nfc_llcp_init(void)
 {
         return 0;
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index 8b8a6a2b2bad..313bf1bc848a 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -256,7 +256,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock,
         return rc ? : copied;
 }
 
-
 static const struct proto_ops rawsock_ops = {
         .family         = PF_NFC,
         .owner          = THIS_MODULE,
diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
index fe4adb12b3ef..16d08b399210 100644
--- a/net/wireless/Kconfig
+++ b/net/wireless/Kconfig
@@ -140,14 +140,13 @@ config CFG80211_WEXT
           extensions with cfg80211-based drivers.
 
 config LIB80211
-        tristate "Common routines for IEEE802.11 drivers"
+        tristate
         default n
         help
           This options enables a library of common routines used
           by IEEE802.11 wireless LAN drivers.
 
-          Drivers should select this themselves if needed.  Say Y if
-          you want this built into your kernel.
+          Drivers should select this themselves if needed.
 
 config LIB80211_CRYPT_WEP
         tristate
diff --git a/net/wireless/Makefile b/net/wireless/Makefile
index 0f7e0d621ab0..a761670af31d 100644
--- a/net/wireless/Makefile
+++ b/net/wireless/Makefile
@@ -10,11 +10,13 @@ obj-$(CONFIG_WEXT_SPY) += wext-spy.o
 obj-$(CONFIG_WEXT_PRIV) += wext-priv.o
 
 cfg80211-y += core.o sysfs.o radiotap.o util.o reg.o scan.o nl80211.o
-cfg80211-y += mlme.o ibss.o sme.o chan.o ethtool.o mesh.o ap.o
+cfg80211-y += mlme.o ibss.o sme.o chan.o ethtool.o mesh.o ap.o trace.o
 cfg80211-$(CONFIG_CFG80211_DEBUGFS) += debugfs.o
 cfg80211-$(CONFIG_CFG80211_WEXT) += wext-compat.o wext-sme.o
 cfg80211-$(CONFIG_CFG80211_INTERNAL_REGDB) += regdb.o
 
+CFLAGS_trace.o := -I$(src)
+
 ccflags-y += -D__CHECK_ENDIAN__
 
 $(obj)/regdb.c: $(src)/db.txt $(src)/genregdb.awk
diff --git a/net/wireless/ap.c b/net/wireless/ap.c
index fcc60d8dbefa..324e8d851dc4 100644
--- a/net/wireless/ap.c
+++ b/net/wireless/ap.c
@@ -3,6 +3,7 @@
 #include <net/cfg80211.h>
 #include "nl80211.h"
 #include "core.h"
+#include "rdev-ops.h"
 
 
 static int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
@@ -23,10 +24,11 @@ static int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
         if (!wdev->beacon_interval)
                 return -ENOENT;
 
-        err = rdev->ops->stop_ap(&rdev->wiphy, dev);
+        err = rdev_stop_ap(rdev, dev);
         if (!err) {
                 wdev->beacon_interval = 0;
                 wdev->channel = NULL;
+                wdev->ssid_len = 0;
         }
 
         return err;
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index 2f876b9ee344..48febd2160ba 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -9,6 +9,7 @@
 #include <linux/export.h>
 #include <net/cfg80211.h>
 #include "core.h"
+#include "rdev-ops.h"
 
 struct ieee80211_channel *
 rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
@@ -52,6 +53,8 @@ bool cfg80211_can_beacon_sec_chan(struct wiphy *wiphy,
         struct ieee80211_channel *sec_chan;
         int diff;
 
+        trace_cfg80211_can_beacon_sec_chan(wiphy, chan, channel_type);
+
         switch (channel_type) {
         case NL80211_CHAN_HT40PLUS:
                 diff = 20;
@@ -60,20 +63,25 @@ bool cfg80211_can_beacon_sec_chan(struct wiphy *wiphy,
                 diff = -20;
                 break;
         default:
+                trace_cfg80211_return_bool(true);
                 return true;
         }
 
         sec_chan = ieee80211_get_channel(wiphy, chan->center_freq + diff);
-        if (!sec_chan)
+        if (!sec_chan) {
+                trace_cfg80211_return_bool(false);
                 return false;
+        }
 
         /* we'll need a DFS capability later */
         if (sec_chan->flags & (IEEE80211_CHAN_DISABLED |
                                IEEE80211_CHAN_PASSIVE_SCAN |
                                IEEE80211_CHAN_NO_IBSS |
-                               IEEE80211_CHAN_RADAR))
+                               IEEE80211_CHAN_RADAR)) {
+                trace_cfg80211_return_bool(false);
                 return false;
-
+        }
+        trace_cfg80211_return_bool(true);
         return true;
 }
 EXPORT_SYMBOL(cfg80211_can_beacon_sec_chan);
@@ -92,7 +100,7 @@ int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
         if (!chan)
                 return -EINVAL;
 
-        return rdev->ops->set_monitor_channel(&rdev->wiphy, chan, chantype);
+        return rdev_set_monitor_channel(rdev, chan, chantype);
 }
 
 void
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 443d4d7deea2..14d990400354 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -26,6 +26,7 @@
 #include "debugfs.h"
 #include "wext-compat.h"
 #include "ethtool.h"
+#include "rdev-ops.h"
 
 /* name for sysfs, %d is appended */
 #define PHY_NAME "phy"
@@ -216,7 +217,7 @@ static void cfg80211_rfkill_poll(struct rfkill *rfkill, void *data)
 {
         struct cfg80211_registered_device *rdev = data;
 
-        rdev->ops->rfkill_poll(&rdev->wiphy);
+        rdev_rfkill_poll(rdev);
 }
 
 static int cfg80211_rfkill_set_block(void *data, bool blocked)
@@ -240,7 +241,7 @@ static int cfg80211_rfkill_set_block(void *data, bool blocked)
                 case NL80211_IFTYPE_P2P_DEVICE:
                         if (!wdev->p2p_started)
                                 break;
-                        rdev->ops->stop_p2p_device(&rdev->wiphy, wdev);
+                        rdev_stop_p2p_device(rdev, wdev);
                         wdev->p2p_started = false;
                         rdev->opencount--;
                         break;
@@ -325,6 +326,8 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
         mutex_init(&rdev->devlist_mtx);
         mutex_init(&rdev->sched_scan_mtx);
         INIT_LIST_HEAD(&rdev->wdev_list);
+        INIT_LIST_HEAD(&rdev->beacon_registrations);
+        spin_lock_init(&rdev->beacon_registrations_lock);
         spin_lock_init(&rdev->bss_lock);
         INIT_LIST_HEAD(&rdev->bss_list);
         INIT_WORK(&rdev->scan_done_wk, __cfg80211_scan_done);
@@ -370,6 +373,8 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
         rdev->wiphy.rts_threshold = (u32) -1;
         rdev->wiphy.coverage_class = 0;
 
+        rdev->wiphy.features = NL80211_FEATURE_SCAN_FLUSH;
+
         return &rdev->wiphy;
 }
 EXPORT_SYMBOL(wiphy_new);
@@ -526,8 +531,7 @@ int wiphy_register(struct wiphy *wiphy)
                 for (i = 0; i < sband->n_channels; i++) {
                         sband->channels[i].orig_flags =
                                 sband->channels[i].flags;
-                        sband->channels[i].orig_mag =
-                                sband->channels[i].max_antenna_gain;
+                        sband->channels[i].orig_mag = INT_MAX;
                         sband->channels[i].orig_mpwr =
                                 sband->channels[i].max_power;
                         sband->channels[i].band = band;
@@ -688,7 +692,7 @@ void wiphy_unregister(struct wiphy *wiphy)
         flush_work(&rdev->event_work);
 
         if (rdev->wowlan && rdev->ops->set_wakeup)
-                rdev->ops->set_wakeup(&rdev->wiphy, false);
+                rdev_set_wakeup(rdev, false);
         cfg80211_rdev_free_wowlan(rdev);
 }
 EXPORT_SYMBOL(wiphy_unregister);
@@ -696,10 +700,15 @@ EXPORT_SYMBOL(wiphy_unregister);
 void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
 {
         struct cfg80211_internal_bss *scan, *tmp;
+        struct cfg80211_beacon_registration *reg, *treg;
         rfkill_destroy(rdev->rfkill);
         mutex_destroy(&rdev->mtx);
         mutex_destroy(&rdev->devlist_mtx);
         mutex_destroy(&rdev->sched_scan_mtx);
+        list_for_each_entry_safe(reg, treg, &rdev->beacon_registrations, list) {
+                list_del(&reg->list);
+                kfree(reg);
+        }
         list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list)
                 cfg80211_put_bss(&scan->pub);
         kfree(rdev);
@@ -771,7 +780,7 @@ void cfg80211_unregister_wdev(struct wireless_dev *wdev)
         case NL80211_IFTYPE_P2P_DEVICE:
                 if (!wdev->p2p_started)
                         break;
-                rdev->ops->stop_p2p_device(&rdev->wiphy, wdev);
+                rdev_stop_p2p_device(rdev, wdev);
                 wdev->p2p_started = false;
                 rdev->opencount--;
                 break;
@@ -962,9 +971,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
                 if ((wdev->iftype == NL80211_IFTYPE_STATION ||
                      wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
                     rdev->ops->set_power_mgmt)
-                        if (rdev->ops->set_power_mgmt(wdev->wiphy, dev,
-                                                      wdev->ps,
-                                                      wdev->ps_timeout)) {
+                        if (rdev_set_power_mgmt(rdev, dev, wdev->ps,
+                                                wdev->ps_timeout)) {
                                 /* assume this means it's off */
                                 wdev->ps = false;
                         }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index a343be4a52bd..e53831c876bb 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -55,7 +55,8 @@ struct cfg80211_registered_device {
         int opencount; /* also protected by devlist_mtx */
         wait_queue_head_t dev_wait;
 
-        u32 ap_beacons_nlportid;
+        struct list_head beacon_registrations;
+        spinlock_t beacon_registrations_lock;
 
         /* protected by RTNL only */
         int num_running_ifaces;
@@ -260,6 +261,10 @@ enum cfg80211_chan_mode {
         CHAN_MODE_EXCLUSIVE,
 };
 
+struct cfg80211_beacon_registration {
+        struct list_head list;
+        u32 nlportid;
+};
 
 /* free object */
 extern void cfg80211_dev_free(struct cfg80211_registered_device *rdev);
@@ -320,13 +325,15 @@ int __cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
                          const u8 *bssid,
                          const u8 *ssid, int ssid_len,
                          const u8 *ie, int ie_len,
-                         const u8 *key, int key_len, int key_idx);
+                         const u8 *key, int key_len, int key_idx,
+                         const u8 *sae_data, int sae_data_len);
 int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
                        struct net_device *dev, struct ieee80211_channel *chan,
                        enum nl80211_auth_type auth_type, const u8 *bssid,
                        const u8 *ssid, int ssid_len,
                        const u8 *ie, int ie_len,
-                       const u8 *key, int key_len, int key_idx);
+                       const u8 *key, int key_len, int key_idx,
+                       const u8 *sae_data, int sae_data_len);
 int __cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev,
                           struct net_device *dev,
                           struct ieee80211_channel *chan,
diff --git a/net/wireless/ethtool.c b/net/wireless/ethtool.c
index 7eecdf40cf80..48c48ffafa1d 100644
--- a/net/wireless/ethtool.c
+++ b/net/wireless/ethtool.c
@@ -2,6 +2,7 @@
 #include <net/cfg80211.h>
 #include "core.h"
 #include "ethtool.h"
+#include "rdev-ops.h"
 
 static void cfg80211_get_drvinfo(struct net_device *dev,
                                         struct ethtool_drvinfo *info)
@@ -47,9 +48,8 @@ static void cfg80211_get_ringparam(struct net_device *dev,
         memset(rp, 0, sizeof(*rp));
 
         if (rdev->ops->get_ringparam)
-                rdev->ops->get_ringparam(wdev->wiphy,
-                                         &rp->tx_pending, &rp->tx_max_pending,
-                                         &rp->rx_pending, &rp->rx_max_pending);
+                rdev_get_ringparam(rdev, &rp->tx_pending, &rp->tx_max_pending,
+                                   &rp->rx_pending, &rp->rx_max_pending);
 }
 
 static int cfg80211_set_ringparam(struct net_device *dev,
@@ -62,8 +62,7 @@ static int cfg80211_set_ringparam(struct net_device *dev,
                 return -EINVAL;
 
         if (rdev->ops->set_ringparam)
-                return rdev->ops->set_ringparam(wdev->wiphy,
-                                                rp->tx_pending, rp->rx_pending);
+                return rdev_set_ringparam(rdev, rp->tx_pending, rp->rx_pending);
 
         return -ENOTSUPP;
 }
@@ -73,7 +72,7 @@ static int cfg80211_get_sset_count(struct net_device *dev, int sset)
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         if (rdev->ops->get_et_sset_count)
-                return rdev->ops->get_et_sset_count(wdev->wiphy, dev, sset);
+                return rdev_get_et_sset_count(rdev, dev, sset);
         return -EOPNOTSUPP;
 }
 
@@ -83,7 +82,7 @@ static void cfg80211_get_stats(struct net_device *dev,
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         if (rdev->ops->get_et_stats)
-                rdev->ops->get_et_stats(wdev->wiphy, dev, stats, data);
+                rdev_get_et_stats(rdev, dev, stats, data);
 }
 
 static void cfg80211_get_strings(struct net_device *dev, u32 sset, u8 *data)
@@ -91,7 +90,7 @@ static void cfg80211_get_strings(struct net_device *dev, u32 sset, u8 *data)
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         if (rdev->ops->get_et_strings)
-                rdev->ops->get_et_strings(wdev->wiphy, dev, sset, data);
+                rdev_get_et_strings(rdev, dev, sset, data);
 }
 
 const struct ethtool_ops cfg80211_ethtool_ops = {
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index ca5672f6ee2f..27941d5db72b 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -11,6 +11,7 @@
 #include <net/cfg80211.h>
 #include "wext-compat.h"
 #include "nl80211.h"
+#include "rdev-ops.h"
 
 
 void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
@@ -61,6 +62,8 @@ void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
         struct cfg80211_event *ev;
         unsigned long flags;
 
+        trace_cfg80211_ibss_joined(dev, bssid);
+
         CFG80211_DEV_WARN_ON(wdev->sme_state != CFG80211_SME_CONNECTING);
 
         ev = kzalloc(sizeof(*ev), gfp);
@@ -128,7 +131,7 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
                 return err;
         }
 
-        err = rdev->ops->join_ibss(&rdev->wiphy, dev, params);
+        err = rdev_join_ibss(rdev, dev, params);
         if (err) {
                 wdev->connect_keys = NULL;
                 wdev->sme_state = CFG80211_SME_IDLE;
@@ -175,7 +178,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
          */
         if (rdev->ops->del_key)
                 for (i = 0; i < 6; i++)
-                        rdev->ops->del_key(wdev->wiphy, dev, i, false, NULL);
+                        rdev_del_key(rdev, dev, i, false, NULL);
 
         if (wdev->current_bss) {
                 cfg80211_unhold_bss(wdev->current_bss);
@@ -211,7 +214,7 @@ int __cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
         if (!wdev->ssid_len)
                 return -ENOLINK;
 
-        err = rdev->ops->leave_ibss(&rdev->wiphy, dev);
+        err = rdev_leave_ibss(rdev, dev);
 
         if (err)
                 return err;
diff --git a/net/wireless/mesh.c b/net/wireless/mesh.c
index c384e77ff77a..966cfc4cd79d 100644
--- a/net/wireless/mesh.c
+++ b/net/wireless/mesh.c
@@ -3,6 +3,7 @@
 #include <net/cfg80211.h>
 #include "nl80211.h"
 #include "core.h"
+#include "rdev-ops.h"
 
 /* Default values, timeouts in ms */
 #define MESH_TTL                31
@@ -160,7 +161,7 @@ int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
         if (err)
                 return err;
 
-        err = rdev->ops->join_mesh(&rdev->wiphy, dev, conf, setup);
+        err = rdev_join_mesh(rdev, dev, conf, setup);
         if (!err) {
                 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
                 wdev->mesh_id_len = setup->mesh_id_len;
@@ -220,9 +221,8 @@ int cfg80211_set_mesh_freq(struct cfg80211_registered_device *rdev,
                 if (err)
                         return err;
 
-                err = rdev->ops->libertas_set_mesh_channel(&rdev->wiphy,
-                                                           wdev->netdev,
-                                                           channel);
+                err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
+                                                     channel);
                 if (!err)
                         wdev->channel = channel;
 
@@ -242,6 +242,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev,
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
 
+        trace_cfg80211_notify_new_peer_candidate(dev, macaddr);
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
                 return;
 
@@ -267,7 +268,7 @@ static int __cfg80211_leave_mesh(struct cfg80211_registered_device *rdev,
         if (!wdev->mesh_id_len)
                 return -ENOTCONN;
 
-        err = rdev->ops->leave_mesh(&rdev->wiphy, dev);
+        err = rdev_leave_mesh(rdev, dev);
         if (!err) {
                 wdev->mesh_id_len = 0;
                 wdev->channel = NULL;
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 8016fee0752b..4bfd14f7c592 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -15,6 +15,8 @@
 #include <net/iw_handler.h>
 #include "core.h"
 #include "nl80211.h"
+#include "rdev-ops.h"
+
 
 void cfg80211_send_rx_auth(struct net_device *dev, const u8 *buf, size_t len)
 {
@@ -22,6 +24,7 @@ void cfg80211_send_rx_auth(struct net_device *dev, const u8 *buf, size_t len)
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_send_rx_auth(dev);
         wdev_lock(wdev);
 
         nl80211_send_rx_auth(rdev, dev, buf, len, GFP_KERNEL);
@@ -42,6 +45,7 @@ void cfg80211_send_rx_assoc(struct net_device *dev, struct cfg80211_bss *bss,
         u8 *ie = mgmt->u.assoc_resp.variable;
         int ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);
 
+        trace_cfg80211_send_rx_assoc(dev, bss);
         wdev_lock(wdev);
 
         status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
@@ -98,6 +102,7 @@ void __cfg80211_send_deauth(struct net_device *dev,
         const u8 *bssid = mgmt->bssid;
         bool was_current = false;
 
+        trace___cfg80211_send_deauth(dev);
         ASSERT_WDEV_LOCK(wdev);
 
         if (wdev->current_bss &&
@@ -147,6 +152,7 @@ void __cfg80211_send_disassoc(struct net_device *dev,
         u16 reason_code;
         bool from_ap;
 
+        trace___cfg80211_send_disassoc(dev);
         ASSERT_WDEV_LOCK(wdev);
 
         nl80211_send_disassoc(rdev, dev, buf, len, GFP_KERNEL);
@@ -188,6 +194,7 @@ void cfg80211_send_unprot_deauth(struct net_device *dev, const u8 *buf,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_send_unprot_deauth(dev);
         nl80211_send_unprot_deauth(rdev, dev, buf, len, GFP_ATOMIC);
 }
 EXPORT_SYMBOL(cfg80211_send_unprot_deauth);
@@ -199,6 +206,7 @@ void cfg80211_send_unprot_disassoc(struct net_device *dev, const u8 *buf,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_send_unprot_disassoc(dev);
         nl80211_send_unprot_disassoc(rdev, dev, buf, len, GFP_ATOMIC);
 }
 EXPORT_SYMBOL(cfg80211_send_unprot_disassoc);
@@ -209,6 +217,7 @@ void cfg80211_send_auth_timeout(struct net_device *dev, const u8 *addr)
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_send_auth_timeout(dev, addr);
         wdev_lock(wdev);
 
         nl80211_send_auth_timeout(rdev, dev, addr, GFP_KERNEL);
@@ -227,6 +236,7 @@ void cfg80211_send_assoc_timeout(struct net_device *dev, const u8 *addr)
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_send_assoc_timeout(dev, addr);
         wdev_lock(wdev);
 
         nl80211_send_assoc_timeout(rdev, dev, addr, GFP_KERNEL);
@@ -261,6 +271,7 @@ void cfg80211_michael_mic_failure(struct net_device *dev, const u8 *addr,
         }
 #endif
 
+        trace_cfg80211_michael_mic_failure(dev, addr, key_type, key_id, tsc);
         nl80211_michael_mic_failure(rdev, dev, addr, key_type, key_id, tsc, gfp);
 }
 EXPORT_SYMBOL(cfg80211_michael_mic_failure);
@@ -273,7 +284,8 @@ int __cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
                          const u8 *bssid,
                          const u8 *ssid, int ssid_len,
                          const u8 *ie, int ie_len,
-                         const u8 *key, int key_len, int key_idx)
+                         const u8 *key, int key_len, int key_idx,
+                         const u8 *sae_data, int sae_data_len)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
         struct cfg80211_auth_request req;
@@ -293,6 +305,8 @@ int __cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
 
         req.ie = ie;
         req.ie_len = ie_len;
+        req.sae_data = sae_data;
+        req.sae_data_len = sae_data_len;
         req.auth_type = auth_type;
         req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
                                    WLAN_CAPABILITY_ESS, WLAN_CAPABILITY_ESS);
@@ -307,7 +321,7 @@ int __cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
         if (err)
                 goto out;
 
-        err = rdev->ops->auth(&rdev->wiphy, dev, &req);
+        err = rdev_auth(rdev, dev, &req);
 
 out:
         cfg80211_put_bss(req.bss);
@@ -319,7 +333,8 @@ int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
                        enum nl80211_auth_type auth_type, const u8 *bssid,
                        const u8 *ssid, int ssid_len,
                        const u8 *ie, int ie_len,
-                       const u8 *key, int key_len, int key_idx)
+                       const u8 *key, int key_len, int key_idx,
+                       const u8 *sae_data, int sae_data_len)
 {
         int err;
 
@@ -327,7 +342,8 @@ int cfg80211_mlme_auth(struct cfg80211_registered_device *rdev,
         wdev_lock(dev->ieee80211_ptr);
         err = __cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
                                    ssid, ssid_len, ie, ie_len,
-                                   key, key_len, key_idx);
+                                   key, key_len, key_idx,
+                                   sae_data, sae_data_len);
         wdev_unlock(dev->ieee80211_ptr);
         mutex_unlock(&rdev->devlist_mtx);
 
@@ -410,7 +426,7 @@ int __cfg80211_mlme_assoc(struct cfg80211_registered_device *rdev,
         if (err)
                 goto out;
 
-        err = rdev->ops->assoc(&rdev->wiphy, dev, &req);
+        err = rdev_assoc(rdev, dev, &req);
 
 out:
         if (err) {
@@ -457,22 +473,16 @@ int __cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev,
                 .reason_code = reason,
                 .ie = ie,
                 .ie_len = ie_len,
+                .local_state_change = local_state_change,
         };
 
         ASSERT_WDEV_LOCK(wdev);
 
-        if (local_state_change) {
-                if (wdev->current_bss &&
-                    ether_addr_equal(wdev->current_bss->pub.bssid, bssid)) {
-                        cfg80211_unhold_bss(wdev->current_bss);
-                        cfg80211_put_bss(&wdev->current_bss->pub);
-                        wdev->current_bss = NULL;
-                }
-
+        if (local_state_change && (!wdev->current_bss ||
+            !ether_addr_equal(wdev->current_bss->pub.bssid, bssid)))
                 return 0;
-        }
 
-        return rdev->ops->deauth(&rdev->wiphy, dev, &req);
+        return rdev_deauth(rdev, dev, &req);
 }
 
 int cfg80211_mlme_deauth(struct cfg80211_registered_device *rdev,
@@ -517,7 +527,7 @@ static int __cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev,
         else
                 return -ENOTCONN;
 
-        return rdev->ops->disassoc(&rdev->wiphy, dev, &req);
+        return rdev_disassoc(rdev, dev, &req);
 }
 
 int cfg80211_mlme_disassoc(struct cfg80211_registered_device *rdev,
@@ -558,7 +568,7 @@ void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
 
         memcpy(bssid, wdev->current_bss->pub.bssid, ETH_ALEN);
         req.bssid = bssid;
-        rdev->ops->deauth(&rdev->wiphy, dev, &req);
+        rdev_deauth(rdev, dev, &req);
 
         if (wdev->current_bss) {
                 cfg80211_unhold_bss(wdev->current_bss);
@@ -575,6 +585,8 @@ void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_ready_on_channel(wdev, cookie, chan, channel_type,
+                                        duration);
         nl80211_send_remain_on_channel(rdev, wdev, cookie, chan, channel_type,
                                        duration, gfp);
 }
@@ -588,6 +600,8 @@ void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan,
+                                                channel_type);
         nl80211_send_remain_on_channel_cancel(rdev, wdev, cookie, chan,
                                               channel_type, gfp);
 }
@@ -599,6 +613,7 @@ void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
         struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_new_sta(dev, mac_addr, sinfo);
         nl80211_send_sta_event(rdev, dev, mac_addr, sinfo, gfp);
 }
 EXPORT_SYMBOL(cfg80211_new_sta);
@@ -608,6 +623,7 @@ void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
         struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_del_sta(dev, mac_addr);
         nl80211_send_sta_del_event(rdev, dev, mac_addr, gfp);
 }
 EXPORT_SYMBOL(cfg80211_del_sta);
@@ -688,7 +704,7 @@ int cfg80211_mlme_register_mgmt(struct wireless_dev *wdev, u32 snd_portid,
         list_add(&nreg->list, &wdev->mgmt_registrations);
 
         if (rdev->ops->mgmt_frame_register)
-                rdev->ops->mgmt_frame_register(wiphy, wdev, frame_type, true);
+                rdev_mgmt_frame_register(rdev, wdev, frame_type, true);
 
  out:
         spin_unlock_bh(&wdev->mgmt_registrations_lock);
@@ -711,8 +727,8 @@ void cfg80211_mlme_unregister_socket(struct wireless_dev *wdev, u32 nlportid)
                 if (rdev->ops->mgmt_frame_register) {
                         u16 frame_type = le16_to_cpu(reg->frame_type);
 
-                        rdev->ops->mgmt_frame_register(wiphy, wdev,
-                                                       frame_type, false);
+                        rdev_mgmt_frame_register(rdev, wdev,
+                                                 frame_type, false);
                 }
 
                 list_del(&reg->list);
@@ -838,10 +854,10 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
                 return -EINVAL;
 
         /* Transmit the Action frame as requested by user space */
-        return rdev->ops->mgmt_tx(&rdev->wiphy, wdev, chan, offchan,
-                                  channel_type, channel_type_valid,
-                                  wait, buf, len, no_cck, dont_wait_for_ack,
-                                  cookie);
+        return rdev_mgmt_tx(rdev, wdev, chan, offchan,
+                            channel_type, channel_type_valid,
+                            wait, buf, len, no_cck, dont_wait_for_ack,
+                            cookie);
 }
 
 bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm,
@@ -860,10 +876,13 @@ bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm,
                 cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE);
         u16 stype;
 
+        trace_cfg80211_rx_mgmt(wdev, freq, sig_mbm);
         stype = (le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE) >> 4;
 
-        if (!(stypes->rx & BIT(stype)))
+        if (!(stypes->rx & BIT(stype))) {
+                trace_cfg80211_return_bool(false);
                 return false;
+        }
 
         data = buf + ieee80211_hdrlen(mgmt->frame_control);
         data_len = len - ieee80211_hdrlen(mgmt->frame_control);
@@ -894,6 +913,7 @@ bool cfg80211_rx_mgmt(struct wireless_dev *wdev, int freq, int sig_mbm,
 
         spin_unlock_bh(&wdev->mgmt_registrations_lock);
 
+        trace_cfg80211_return_bool(result);
         return result;
 }
 EXPORT_SYMBOL(cfg80211_rx_mgmt);
@@ -904,6 +924,8 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
+
         /* Indicate TX status of the Action frame to user space */
         nl80211_send_mgmt_tx_status(rdev, wdev, cookie, buf, len, ack, gfp);
 }
@@ -917,6 +939,8 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_cqm_rssi_notify(dev, rssi_event);
+
         /* Indicate roaming trigger event to user space */
         nl80211_send_cqm_rssi_notify(rdev, dev, rssi_event, gfp);
 }
@@ -929,6 +953,8 @@ void cfg80211_cqm_pktloss_notify(struct net_device *dev,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
+
         /* Indicate roaming trigger event to user space */
         nl80211_send_cqm_pktloss_notify(rdev, dev, peer, num_packets, gfp);
 }
@@ -954,6 +980,7 @@ void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_gtk_rekey_notify(dev, bssid);
         nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
 }
 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
@@ -965,6 +992,7 @@ void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
         struct wiphy *wiphy = wdev->wiphy;
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
         nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
 }
 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
@@ -977,6 +1005,8 @@ void cfg80211_ch_switch_notify(struct net_device *dev, int freq,
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
         struct ieee80211_channel *chan;
 
+        trace_cfg80211_ch_switch_notify(dev, freq, type);
+
         wdev_lock(wdev);
 
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
@@ -999,12 +1029,18 @@ bool cfg80211_rx_spurious_frame(struct net_device *dev,
                                 const u8 *addr, gfp_t gfp)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        bool ret;
+
+        trace_cfg80211_rx_spurious_frame(dev, addr);
 
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
-                    wdev->iftype != NL80211_IFTYPE_P2P_GO))
+                    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
+                trace_cfg80211_return_bool(false);
                 return false;
-
-        return nl80211_unexpected_frame(dev, addr, gfp);
+        }
+        ret = nl80211_unexpected_frame(dev, addr, gfp);
+        trace_cfg80211_return_bool(ret);
+        return ret;
 }
 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
 
@@ -1012,12 +1048,18 @@ bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
                                         const u8 *addr, gfp_t gfp)
 {
         struct wireless_dev *wdev = dev->ieee80211_ptr;
+        bool ret;
+
+        trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
 
         if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
                     wdev->iftype != NL80211_IFTYPE_P2P_GO &&
-                    wdev->iftype != NL80211_IFTYPE_AP_VLAN))
+                    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
+                trace_cfg80211_return_bool(false);
                 return false;
-
-        return nl80211_unexpected_4addr_frame(dev, addr, gfp);
+        }
+        ret = nl80211_unexpected_4addr_frame(dev, addr, gfp);
+        trace_cfg80211_return_bool(ret);
+        return ret;
 }
 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0418a6d5c1a6..c18b2fc9d492 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -22,8 +22,8 @@
 #include "core.h"
 #include "nl80211.h"
 #include "reg.h"
+#include "rdev-ops.h"
 
-static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type);
 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
                                    struct genl_info *info,
                                    struct cfg80211_crypto_settings *settings,
@@ -355,6 +355,9 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
         [NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
         [NL80211_ATTR_WDEV] = { .type = NLA_U64 },
         [NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
+        [NL80211_ATTR_SAE_DATA] = { .type = NLA_BINARY, },
+        [NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
+        [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
 };
 
 /* policy for the key attributes */
@@ -690,7 +693,7 @@ static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
 
 static struct cfg80211_cached_keys *
 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
-                       struct nlattr *keys)
+                       struct nlattr *keys, bool *no_ht)
 {
         struct key_parse parse;
         struct nlattr *key;
@@ -733,6 +736,12 @@ nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
                 result->params[parse.idx].key_len = parse.p.key_len;
                 result->params[parse.idx].key = result->data[parse.idx];
                 memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
+
+                if (parse.p.cipher == WLAN_CIPHER_SUITE_WEP40 ||
+                    parse.p.cipher == WLAN_CIPHER_SUITE_WEP104) {
+                        if (no_ht)
+                                *no_ht = true;
+                }
         }
 
         return result;
@@ -943,7 +952,7 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flag
              dev->wiphy.available_antennas_rx) && dev->ops->get_antenna) {
                 u32 tx_ant = 0, rx_ant = 0;
                 int res;
-                res = dev->ops->get_antenna(&dev->wiphy, &tx_ant, &rx_ant);
+                res = rdev_get_antenna(dev, &tx_ant, &rx_ant);
                 if (!res) {
                         if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_TX,
                                         tx_ant) ||
@@ -1101,6 +1110,7 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 portid, u32 seq, int flag
                         goto nla_put_failure;
         }
         CMD(start_p2p_device, START_P2P_DEVICE);
+        CMD(set_mcast_rate, SET_MCAST_RATE);
 
 #ifdef CONFIG_NL80211_TESTMODE
         CMD(testmode_cmd, TESTMODE);
@@ -1457,7 +1467,7 @@ static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
                 return -EOPNOTSUPP;
 
         bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
-        return rdev->ops->set_wds_peer(wdev->wiphy, dev, bssid);
+        return rdev_set_wds_peer(rdev, dev, bssid);
 }
 
 
@@ -1507,10 +1517,8 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                 result = 0;
 
                 mutex_lock(&rdev->mtx);
-        } else if (nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
+        } else
                 wdev = netdev->ieee80211_ptr;
-        else
-                wdev = NULL;
 
         /*
          * end workaround code, by now the rdev is available
@@ -1562,24 +1570,29 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                         if (result)
                                 goto bad_res;
 
-                        result = rdev->ops->set_txq_params(&rdev->wiphy,
-                                                           netdev,
-                                                           &txq_params);
+                        result = rdev_set_txq_params(rdev, netdev,
+                                                     &txq_params);
                         if (result)
                                 goto bad_res;
                 }
         }
 
         if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
-                result = __nl80211_set_channel(rdev, wdev, info);
+                result = __nl80211_set_channel(rdev,
+                                nl80211_can_set_dev_channel(wdev) ? wdev : NULL,
+                                info);
                 if (result)
                         goto bad_res;
         }
 
         if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
+                struct wireless_dev *txp_wdev = wdev;
                 enum nl80211_tx_power_setting type;
                 int idx, mbm = 0;
 
+                if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
+                        txp_wdev = NULL;
+
                 if (!rdev->ops->set_tx_power) {
                         result = -EOPNOTSUPP;
                         goto bad_res;
@@ -1599,7 +1612,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                         mbm = nla_get_u32(info->attrs[idx]);
                 }
 
-                result = rdev->ops->set_tx_power(&rdev->wiphy, type, mbm);
+                result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
                 if (result)
                         goto bad_res;
         }
@@ -1628,7 +1641,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                 tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
                 rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
 
-                result = rdev->ops->set_antenna(&rdev->wiphy, tx_ant, rx_ant);
+                result = rdev_set_antenna(rdev, tx_ant, rx_ant);
                 if (result)
                         goto bad_res;
         }
@@ -1713,7 +1726,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
                 if (changed & WIPHY_PARAM_COVERAGE_CLASS)
                         rdev->wiphy.coverage_class = coverage_class;
 
-                result = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
+                result = rdev_set_wiphy_params(rdev, changed);
                 if (result) {
                         rdev->wiphy.retry_short = old_retry_short;
                         rdev->wiphy.retry_long = old_retry_long;
@@ -1765,8 +1778,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
                 struct ieee80211_channel *chan;
                 enum nl80211_channel_type channel_type;
 
-                chan = rdev->ops->get_channel(&rdev->wiphy, wdev,
-                                              &channel_type);
+                chan = rdev_get_channel(rdev, wdev, &channel_type);
                 if (chan &&
                     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
                                  chan->center_freq) ||
@@ -1775,6 +1787,11 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
                         goto nla_put_failure;
         }
 
+        if (wdev->ssid_len) {
+                if (nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
+                        goto nla_put_failure;
+        }
+
         return genlmsg_end(msg, hdr);
 
  nla_put_failure:
@@ -2014,9 +2031,9 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
         err = parse_monitor_flags(type == NL80211_IFTYPE_MONITOR ?
                                   info->attrs[NL80211_ATTR_MNTR_FLAGS] : NULL,
                                   &flags);
-        wdev = rdev->ops->add_virtual_intf(&rdev->wiphy,
-                nla_data(info->attrs[NL80211_ATTR_IFNAME]),
-                type, err ? NULL : &flags, &params);
+        wdev = rdev_add_virtual_intf(rdev,
+                                nla_data(info->attrs[NL80211_ATTR_IFNAME]),
+                                type, err ? NULL : &flags, &params);
         if (IS_ERR(wdev)) {
                 nlmsg_free(msg);
                 return PTR_ERR(wdev);
@@ -2083,7 +2100,7 @@ static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
         if (!wdev->netdev)
                 info->user_ptr[1] = NULL;
 
-        return rdev->ops->del_virtual_intf(&rdev->wiphy, wdev);
+        return rdev_del_virtual_intf(rdev, wdev);
 }
 
 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
@@ -2100,7 +2117,7 @@ static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
 
         noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
 
-        return rdev->ops->set_noack_map(&rdev->wiphy, dev, noack_map);
+        return rdev_set_noack_map(rdev, dev, noack_map);
 }
 
 struct get_key_cookie {
@@ -2210,8 +2227,8 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
                 return -ENOENT;
 
-        err = rdev->ops->get_key(&rdev->wiphy, dev, key_idx, pairwise,
-                                 mac_addr, &cookie, get_key_callback);
+        err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
+                           get_key_callback);
 
         if (err)
                 goto free_msg;
@@ -2259,7 +2276,7 @@ static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
                 if (err)
                         goto out;
 
-                err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
+                err = rdev_set_default_key(rdev, dev, key.idx,
                                                  key.def_uni, key.def_multi);
 
                 if (err)
@@ -2283,8 +2300,7 @@ static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
                 if (err)
                         goto out;
 
-                err = rdev->ops->set_default_mgmt_key(&rdev->wiphy,
-                                                      dev, key.idx);
+                err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
                 if (err)
                         goto out;
 
@@ -2340,9 +2356,9 @@ static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
         wdev_lock(dev->ieee80211_ptr);
         err = nl80211_key_allowed(dev->ieee80211_ptr);
         if (!err)
-                err = rdev->ops->add_key(&rdev->wiphy, dev, key.idx,
-                                         key.type == NL80211_KEYTYPE_PAIRWISE,
-                                         mac_addr, &key.p);
+                err = rdev_add_key(rdev, dev, key.idx,
+                                   key.type == NL80211_KEYTYPE_PAIRWISE,
+                                    mac_addr, &key.p);
         wdev_unlock(dev->ieee80211_ptr);
 
         return err;
@@ -2386,9 +2402,9 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
                 err = -ENOENT;
 
         if (!err)
-                err = rdev->ops->del_key(&rdev->wiphy, dev, key.idx,
-                                         key.type == NL80211_KEYTYPE_PAIRWISE,
-                                         mac_addr);
+                err = rdev_del_key(rdev, dev, key.idx,
+                                   key.type == NL80211_KEYTYPE_PAIRWISE,
+                                   mac_addr);
 
 #ifdef CONFIG_CFG80211_WEXT
         if (!err) {
@@ -2490,6 +2506,30 @@ static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
         return ret;
 }
 
+static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
+                                    enum nl80211_auth_type auth_type,
+                                    enum nl80211_commands cmd)
+{
+        if (auth_type > NL80211_AUTHTYPE_MAX)
+                return false;
+
+        switch (cmd) {
+        case NL80211_CMD_AUTHENTICATE:
+                if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
+                    auth_type == NL80211_AUTHTYPE_SAE)
+                        return false;
+                return true;
+        case NL80211_CMD_CONNECT:
+        case NL80211_CMD_START_AP:
+                /* SAE not supported yet */
+                if (auth_type == NL80211_AUTHTYPE_SAE)
+                        return false;
+                return true;
+        default:
+                return false;
+        }
+}
+
 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
 {
         struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -2559,7 +2599,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
                 params.auth_type = nla_get_u32(
                         info->attrs[NL80211_ATTR_AUTH_TYPE]);
-                if (!nl80211_valid_auth_type(params.auth_type))
+                if (!nl80211_valid_auth_type(rdev, params.auth_type,
+                                             NL80211_CMD_START_AP))
                         return -EINVAL;
         } else
                 params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
@@ -2607,12 +2648,14 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
         if (err)
                 return err;
 
-        err = rdev->ops->start_ap(&rdev->wiphy, dev, &params);
+        err = rdev_start_ap(rdev, dev, &params);
         if (!err) {
                 wdev->preset_chan = params.channel;
                 wdev->preset_chantype = params.channel_type;
                 wdev->beacon_interval = params.beacon_interval;
                 wdev->channel = params.channel;
+                wdev->ssid_len = params.ssid_len;
+                memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
         }
         return err;
 }
@@ -2639,7 +2682,7 @@ static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
         if (err)
                 return err;
 
-        return rdev->ops->change_beacon(&rdev->wiphy, dev, &params);
+        return rdev_change_beacon(rdev, dev, &params);
 }
 
 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
@@ -2923,8 +2966,8 @@ static int nl80211_dump_station(struct sk_buff *skb,
 
         while (1) {
                 memset(&sinfo, 0, sizeof(sinfo));
-                err = dev->ops->dump_station(&dev->wiphy, netdev, sta_idx,
-                                             mac_addr, &sinfo);
+                err = rdev_dump_station(dev, netdev, sta_idx,
+                                        mac_addr, &sinfo);
                 if (err == -ENOENT)
                         break;
                 if (err)
@@ -2969,7 +3012,7 @@ static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
         if (!rdev->ops->get_station)
                 return -EOPNOTSUPP;
 
-        err = rdev->ops->get_station(&rdev->wiphy, dev, mac_addr, &sinfo);
+        err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
         if (err)
                 return err;
 
@@ -3146,7 +3189,7 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
 
         /* be aware of params.vlan when changing code here */
 
-        err = rdev->ops->change_station(&rdev->wiphy, dev, mac_addr, &params);
+        err = rdev_change_station(rdev, dev, mac_addr, &params);
 
         if (params.vlan)
                 dev_put(params.vlan);
@@ -3198,6 +3241,10 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
                 params.ht_capa =
                         nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
 
+        if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
+                params.vht_capa =
+                        nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
+
         if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
                 params.plink_action =
                     nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
@@ -3275,7 +3322,7 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
 
         /* be aware of params.vlan when changing code here */
 
-        err = rdev->ops->add_station(&rdev->wiphy, dev, mac_addr, &params);
+        err = rdev_add_station(rdev, dev, mac_addr, &params);
 
         if (params.vlan)
                 dev_put(params.vlan);
@@ -3300,7 +3347,7 @@ static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
         if (!rdev->ops->del_station)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->del_station(&rdev->wiphy, dev, mac_addr);
+        return rdev_del_station(rdev, dev, mac_addr);
 }
 
 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
@@ -3382,8 +3429,8 @@ static int nl80211_dump_mpath(struct sk_buff *skb,
         }
 
         while (1) {
-                err = dev->ops->dump_mpath(&dev->wiphy, netdev, path_idx,
-                                           dst, next_hop, &pinfo);
+                err = rdev_dump_mpath(dev, netdev, path_idx, dst, next_hop,
+                                      &pinfo);
                 if (err == -ENOENT)
                         break;
                 if (err)
@@ -3430,7 +3477,7 @@ static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
                 return -EOPNOTSUPP;
 
-        err = rdev->ops->get_mpath(&rdev->wiphy, dev, dst, next_hop, &pinfo);
+        err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
         if (err)
                 return err;
 
@@ -3469,7 +3516,7 @@ static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->change_mpath(&rdev->wiphy, dev, dst, next_hop);
+        return rdev_change_mpath(rdev, dev, dst, next_hop);
 }
 
 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
@@ -3494,7 +3541,7 @@ static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
         if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->add_mpath(&rdev->wiphy, dev, dst, next_hop);
+        return rdev_add_mpath(rdev, dev, dst, next_hop);
 }
 
 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
@@ -3509,7 +3556,7 @@ static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
         if (!rdev->ops->del_mpath)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->del_mpath(&rdev->wiphy, dev, dst);
+        return rdev_del_mpath(rdev, dev, dst);
 }
 
 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
@@ -3554,7 +3601,7 @@ static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
             dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->change_bss(&rdev->wiphy, dev, &params);
+        return rdev_change_bss(rdev, dev, &params);
 }
 
 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
@@ -3668,8 +3715,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
         if (!wdev->mesh_id_len)
                 memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
         else
-                err = rdev->ops->get_mesh_config(&rdev->wiphy, dev,
-                                                 &cur_params);
+                err = rdev_get_mesh_config(rdev, dev, &cur_params);
         wdev_unlock(wdev);
 
         if (err)
@@ -3971,8 +4017,7 @@ static int nl80211_update_mesh_config(struct sk_buff *skb,
                 err = -ENOLINK;
 
         if (!err)
-                err = rdev->ops->update_mesh_config(&rdev->wiphy, dev,
-                                                    mask, &cfg);
+                err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
 
         wdev_unlock(wdev);
 
@@ -4337,14 +4382,27 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
                 }
         }
 
+        if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
+                request->flags = nla_get_u32(
+                        info->attrs[NL80211_ATTR_SCAN_FLAGS]);
+                if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
+                     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
+                    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
+                     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
+                        err = -EOPNOTSUPP;
+                        goto out_free;
+                }
+        }
+
         request->no_cck =
                 nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
 
         request->wdev = wdev;
         request->wiphy = &rdev->wiphy;
+        request->scan_start = jiffies;
 
         rdev->scan_req = request;
-        err = rdev->ops->scan(&rdev->wiphy, request);
+        err = rdev_scan(rdev, request);
 
         if (!err) {
                 nl80211_send_scan_start(rdev, wdev);
@@ -4568,11 +4626,24 @@ static int nl80211_start_sched_scan(struct sk_buff *skb,
                        request->ie_len);
         }
 
+        if (info->attrs[NL80211_ATTR_SCAN_FLAGS]) {
+                request->flags = nla_get_u32(
+                        info->attrs[NL80211_ATTR_SCAN_FLAGS]);
+                if (((request->flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
+                     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
+                    ((request->flags & NL80211_SCAN_FLAG_FLUSH) &&
+                     !(wiphy->features & NL80211_FEATURE_SCAN_FLUSH))) {
+                        err = -EOPNOTSUPP;
+                        goto out_free;
+                }
+        }
+
         request->dev = dev;
         request->wiphy = &rdev->wiphy;
         request->interval = interval;
+        request->scan_start = jiffies;
 
-        err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
+        err = rdev_sched_scan_start(rdev, dev, request);
         if (!err) {
                 rdev->sched_scan_req = request;
                 nl80211_send_sched_scan(rdev, dev,
@@ -4815,8 +4886,7 @@ static int nl80211_dump_survey(struct sk_buff *skb,
         while (1) {
                 struct ieee80211_channel *chan;
 
-                res = dev->ops->dump_survey(&dev->wiphy, netdev, survey_idx,
-                                            &survey);
+                res = rdev_dump_survey(dev, netdev, survey_idx, &survey);
                 if (res == -ENOENT)
                         break;
                 if (res)
@@ -4852,11 +4922,6 @@ static int nl80211_dump_survey(struct sk_buff *skb,
         return res;
 }
 
-static bool nl80211_valid_auth_type(enum nl80211_auth_type auth_type)
-{
-        return auth_type <= NL80211_AUTHTYPE_MAX;
-}
-
 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
 {
         return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
@@ -4868,8 +4933,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
         struct cfg80211_registered_device *rdev = info->user_ptr[0];
         struct net_device *dev = info->user_ptr[1];
         struct ieee80211_channel *chan;
-        const u8 *bssid, *ssid, *ie = NULL;
-        int err, ssid_len, ie_len = 0;
+        const u8 *bssid, *ssid, *ie = NULL, *sae_data = NULL;
+        int err, ssid_len, ie_len = 0, sae_data_len = 0;
         enum nl80211_auth_type auth_type;
         struct key_parse key;
         bool local_state_change;
@@ -4945,9 +5010,23 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
         }
 
         auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
-        if (!nl80211_valid_auth_type(auth_type))
+        if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
+                return -EINVAL;
+
+        if (auth_type == NL80211_AUTHTYPE_SAE &&
+            !info->attrs[NL80211_ATTR_SAE_DATA])
                 return -EINVAL;
 
+        if (info->attrs[NL80211_ATTR_SAE_DATA]) {
+                if (auth_type != NL80211_AUTHTYPE_SAE)
+                        return -EINVAL;
+                sae_data = nla_data(info->attrs[NL80211_ATTR_SAE_DATA]);
+                sae_data_len = nla_len(info->attrs[NL80211_ATTR_SAE_DATA]);
+                /* need to include at least Auth Transaction and Status Code */
+                if (sae_data_len < 4)
+                        return -EINVAL;
+        }
+
         local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
 
         /*
@@ -4959,7 +5038,8 @@ static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
 
         return cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
                                   ssid, ssid_len, ie, ie_len,
-                                  key.p.key, key.p.key_len, key.idx);
+                                  key.p.key, key.p.key_len, key.idx,
+                                  sae_data, sae_data_len);
 }
 
 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
@@ -5339,10 +5419,18 @@ static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
                 return -EINVAL;
 
         if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
+                bool no_ht = false;
+
                 connkeys = nl80211_parse_connkeys(rdev,
-                                        info->attrs[NL80211_ATTR_KEYS]);
+                                          info->attrs[NL80211_ATTR_KEYS],
+                                          &no_ht);
                 if (IS_ERR(connkeys))
                         return PTR_ERR(connkeys);
+
+                if ((ibss.channel_type != NL80211_CHAN_NO_HT) && no_ht) {
+                        kfree(connkeys);
+                        return -EINVAL;
+                }
         }
 
         ibss.control_port =
@@ -5368,6 +5456,36 @@ static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
         return cfg80211_leave_ibss(rdev, dev, false);
 }
 
+static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        int mcast_rate[IEEE80211_NUM_BANDS];
+        u32 nla_rate;
+        int err;
+
+        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
+            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
+                return -EOPNOTSUPP;
+
+        if (!rdev->ops->set_mcast_rate)
+                return -EOPNOTSUPP;
+
+        memset(mcast_rate, 0, sizeof(mcast_rate));
+
+        if (!info->attrs[NL80211_ATTR_MCAST_RATE])
+                return -EINVAL;
+
+        nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
+        if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
+                return -EINVAL;
+
+        err = rdev->ops->set_mcast_rate(&rdev->wiphy, dev, mcast_rate);
+
+        return err;
+}
+
+
 #ifdef CONFIG_NL80211_TESTMODE
 static struct genl_multicast_group nl80211_testmode_mcgrp = {
         .name = "testmode",
@@ -5384,7 +5502,7 @@ static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
         err = -EOPNOTSUPP;
         if (rdev->ops->testmode_cmd) {
                 rdev->testmode_info = info;
-                err = rdev->ops->testmode_cmd(&rdev->wiphy,
+                err = rdev_testmode_cmd(rdev,
                                 nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
                                 nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
                 rdev->testmode_info = NULL;
@@ -5466,8 +5584,7 @@ static int nl80211_testmode_dump(struct sk_buff *skb,
                         genlmsg_cancel(skb, hdr);
                         break;
                 }
-                err = rdev->ops->testmode_dump(&rdev->wiphy, skb, cb,
-                                               data, data_len);
+                err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
                 nla_nest_end(skb, tmdata);
 
                 if (err == -ENOBUFS || err == -ENOENT) {
@@ -5596,7 +5713,8 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
         if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
                 connect.auth_type =
                         nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
-                if (!nl80211_valid_auth_type(connect.auth_type))
+                if (!nl80211_valid_auth_type(rdev, connect.auth_type,
+                                             NL80211_CMD_CONNECT))
                         return -EINVAL;
         } else
                 connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
@@ -5642,7 +5760,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 
         if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
                 connkeys = nl80211_parse_connkeys(rdev,
-                                        info->attrs[NL80211_ATTR_KEYS]);
+                                          info->attrs[NL80211_ATTR_KEYS], NULL);
                 if (IS_ERR(connkeys))
                         return PTR_ERR(connkeys);
         }
@@ -5771,7 +5889,7 @@ static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
         if (!rdev->ops->flush_pmksa)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->flush_pmksa(&rdev->wiphy, dev);
+        return rdev_flush_pmksa(rdev, dev);
 }
 
 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
@@ -5798,10 +5916,10 @@ static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
         status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
         dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
 
-        return rdev->ops->tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
-                                    dialog_token, status_code,
-                                    nla_data(info->attrs[NL80211_ATTR_IE]),
-                                    nla_len(info->attrs[NL80211_ATTR_IE]));
+        return rdev_tdls_mgmt(rdev, dev, peer, action_code,
+                              dialog_token, status_code,
+                              nla_data(info->attrs[NL80211_ATTR_IE]),
+                              nla_len(info->attrs[NL80211_ATTR_IE]));
 }
 
 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
@@ -5822,7 +5940,7 @@ static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
         operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
         peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
-        return rdev->ops->tdls_oper(&rdev->wiphy, dev, peer, operation);
+        return rdev_tdls_oper(rdev, dev, peer, operation);
 }
 
 static int nl80211_remain_on_channel(struct sk_buff *skb,
@@ -5877,8 +5995,8 @@ static int nl80211_remain_on_channel(struct sk_buff *skb,
                 goto free_msg;
         }
 
-        err = rdev->ops->remain_on_channel(&rdev->wiphy, wdev, chan,
-                                           channel_type, duration, &cookie);
+        err = rdev_remain_on_channel(rdev, wdev, chan, channel_type, duration,
+                                     &cookie);
 
         if (err)
                 goto free_msg;
@@ -5912,7 +6030,7 @@ static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
 
         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
 
-        return rdev->ops->cancel_remain_on_channel(&rdev->wiphy, wdev, cookie);
+        return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
 }
 
 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
@@ -6055,7 +6173,7 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
                 }
         }
 
-        return rdev->ops->set_bitrate_mask(&rdev->wiphy, dev, NULL, &mask);
+        return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
 }
 
 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
@@ -6230,7 +6348,7 @@ static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *in
 
         cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
 
-        return rdev->ops->mgmt_tx_cancel_wait(&rdev->wiphy, wdev, cookie);
+        return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
 }
 
 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
@@ -6260,8 +6378,7 @@ static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
         if (state == wdev->ps)
                 return 0;
 
-        err = rdev->ops->set_power_mgmt(wdev->wiphy, dev, state,
-                                        wdev->ps_timeout);
+        err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
         if (!err)
                 wdev->ps = state;
         return err;
@@ -6341,8 +6458,7 @@ static int nl80211_set_cqm_txe(struct genl_info *info,
             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->set_cqm_txe_config(wdev->wiphy, dev,
-                                             rate, pkts, intvl);
+        return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
 }
 
 static int nl80211_set_cqm_rssi(struct genl_info *info,
@@ -6364,8 +6480,7 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
             wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
                 return -EOPNOTSUPP;
 
-        return rdev->ops->set_cqm_rssi_config(wdev->wiphy, dev,
-                                              threshold, hysteresis);
+        return rdev_set_cqm_rssi_config(rdev, dev, threshold, hysteresis);
 }
 
 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
@@ -6690,7 +6805,7 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
 
  set_wakeup:
         if (rdev->ops->set_wakeup && prev_enabled != !!rdev->wowlan)
-                rdev->ops->set_wakeup(&rdev->wiphy, rdev->wowlan);
+                rdev_set_wakeup(rdev, rdev->wowlan);
 
         return 0;
  error:
@@ -6746,7 +6861,7 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
                 goto out;
         }
 
-        err = rdev->ops->set_rekey_data(&rdev->wiphy, dev, &rekey_data);
+        err = rdev_set_rekey_data(rdev, dev, &rekey_data);
  out:
         wdev_unlock(wdev);
         return err;
@@ -6805,7 +6920,7 @@ static int nl80211_probe_client(struct sk_buff *skb,
 
         addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
-        err = rdev->ops->probe_client(&rdev->wiphy, dev, addr, &cookie);
+        err = rdev_probe_client(rdev, dev, addr, &cookie);
         if (err)
                 goto free_msg;
 
@@ -6826,16 +6941,35 @@ static int nl80211_probe_client(struct sk_buff *skb,
 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
 {
         struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct cfg80211_beacon_registration *reg, *nreg;
+        int rv;
 
         if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
                 return -EOPNOTSUPP;
 
-        if (rdev->ap_beacons_nlportid)
-                return -EBUSY;
+        nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
+        if (!nreg)
+                return -ENOMEM;
 
-        rdev->ap_beacons_nlportid = info->snd_portid;
+        /* First, check if already registered. */
+        spin_lock_bh(&rdev->beacon_registrations_lock);
+        list_for_each_entry(reg, &rdev->beacon_registrations, list) {
+                if (reg->nlportid == info->snd_portid) {
+                        rv = -EALREADY;
+                        goto out_err;
+                }
+        }
+        /* Add it to the list */
+        nreg->nlportid = info->snd_portid;
+        list_add(&nreg->list, &rdev->beacon_registrations);
+
+        spin_unlock_bh(&rdev->beacon_registrations_lock);
 
         return 0;
+out_err:
+        spin_unlock_bh(&rdev->beacon_registrations_lock);
+        kfree(nreg);
+        return rv;
 }
 
 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
@@ -6859,7 +6993,7 @@ static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
         if (err)
                 return err;
 
-        err = rdev->ops->start_p2p_device(&rdev->wiphy, wdev);
+        err = rdev_start_p2p_device(rdev, wdev);
         if (err)
                 return err;
 
@@ -6885,7 +7019,7 @@ static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
         if (!wdev->p2p_started)
                 return 0;
 
-        rdev->ops->stop_p2p_device(&rdev->wiphy, wdev);
+        rdev_stop_p2p_device(rdev, wdev);
         wdev->p2p_started = false;
 
         mutex_lock(&rdev->devlist_mtx);
@@ -7552,6 +7686,14 @@ static struct genl_ops nl80211_ops[] = {
                 .internal_flags = NL80211_FLAG_NEED_WDEV_UP |
                                   NL80211_FLAG_NEED_RTNL,
         },
+        {
+                .cmd = NL80211_CMD_SET_MCAST_RATE,
+                .doit = nl80211_set_mcast_rate,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
 };
 
 static struct genl_multicast_group nl80211_mlme_mcgrp = {
@@ -7622,6 +7764,9 @@ static int nl80211_add_scan_req(struct sk_buff *msg,
             nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
                 goto nla_put_failure;
 
+        if (req->flags)
+                nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags);
+
         return 0;
  nla_put_failure:
         return -ENOBUFS;
@@ -8800,7 +8945,10 @@ void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
         void *hdr;
         int err;
 
+        trace_cfg80211_probe_status(dev, addr, cookie, acked);
+
         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+
         if (!msg)
                 return;
 
@@ -8835,41 +8983,46 @@ EXPORT_SYMBOL(cfg80211_probe_status);
 
 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
                                  const u8 *frame, size_t len,
-                                 int freq, int sig_dbm, gfp_t gfp)
+                                 int freq, int sig_dbm)
 {
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
         struct sk_buff *msg;
         void *hdr;
-        u32 nlportid = ACCESS_ONCE(rdev->ap_beacons_nlportid);
+        struct cfg80211_beacon_registration *reg;
 
-        if (!nlportid)
-                return;
+        trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
 
-        msg = nlmsg_new(len + 100, gfp);
-        if (!msg)
-                return;
+        spin_lock_bh(&rdev->beacon_registrations_lock);
+        list_for_each_entry(reg, &rdev->beacon_registrations, list) {
+                msg = nlmsg_new(len + 100, GFP_ATOMIC);
+                if (!msg) {
+                        spin_unlock_bh(&rdev->beacon_registrations_lock);
+                        return;
+                }
 
-        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
-        if (!hdr) {
-                nlmsg_free(msg);
-                return;
-        }
+                hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
+                if (!hdr)
+                        goto nla_put_failure;
 
-        if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
-            (freq &&
-             nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
-            (sig_dbm &&
-             nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
-            nla_put(msg, NL80211_ATTR_FRAME, len, frame))
-                goto nla_put_failure;
+                if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
+                    (freq &&
+                     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
+                    (sig_dbm &&
+                     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
+                    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
+                        goto nla_put_failure;
 
-        genlmsg_end(msg, hdr);
+                genlmsg_end(msg, hdr);
 
-        genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
+                genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
+        }
+        spin_unlock_bh(&rdev->beacon_registrations_lock);
         return;
 
  nla_put_failure:
-        genlmsg_cancel(msg, hdr);
+        spin_unlock_bh(&rdev->beacon_registrations_lock);
+        if (hdr)
+                genlmsg_cancel(msg, hdr);
         nlmsg_free(msg);
 }
 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
@@ -8881,6 +9034,7 @@ static int nl80211_netlink_notify(struct notifier_block * nb,
         struct netlink_notify *notify = _notify;
         struct cfg80211_registered_device *rdev;
         struct wireless_dev *wdev;
+        struct cfg80211_beacon_registration *reg, *tmp;
 
         if (state != NETLINK_URELEASE)
                 return NOTIFY_DONE;
@@ -8890,8 +9044,17 @@ static int nl80211_netlink_notify(struct notifier_block * nb,
         list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
                 list_for_each_entry_rcu(wdev, &rdev->wdev_list, list)
                         cfg80211_mlme_unregister_socket(wdev, notify->portid);
-                if (rdev->ap_beacons_nlportid == notify->portid)
-                        rdev->ap_beacons_nlportid = 0;
+
+                spin_lock_bh(&rdev->beacon_registrations_lock);
+                list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
+                                         list) {
+                        if (reg->nlportid == notify->portid) {
+                                list_del(&reg->list);
+                                kfree(reg);
+                                break;
+                        }
+                }
+                spin_unlock_bh(&rdev->beacon_registrations_lock);
         }
 
         rcu_read_unlock();
diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
new file mode 100644
index 000000000000..6e5fa659068d
--- /dev/null
+++ b/net/wireless/rdev-ops.h
@@ -0,0 +1,880 @@
+#ifndef __CFG80211_RDEV_OPS
+#define __CFG80211_RDEV_OPS
+
+#include <linux/rtnetlink.h>
+#include <net/cfg80211.h>
+#include "core.h"
+#include "trace.h"
+
+static inline int rdev_suspend(struct cfg80211_registered_device *rdev)
+{
+        int ret;
+        trace_rdev_suspend(&rdev->wiphy, rdev->wowlan);
+        ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_resume(struct cfg80211_registered_device *rdev)
+{
+        int ret;
+        trace_rdev_resume(&rdev->wiphy);
+        ret = rdev->ops->resume(&rdev->wiphy);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void rdev_set_wakeup(struct cfg80211_registered_device *rdev,
+                                   bool enabled)
+{
+        trace_rdev_set_wakeup(&rdev->wiphy, enabled);
+        rdev->ops->set_wakeup(&rdev->wiphy, enabled);
+        trace_rdev_return_void(&rdev->wiphy);
+}
+
+static inline struct wireless_dev
+*rdev_add_virtual_intf(struct cfg80211_registered_device *rdev, char *name,
+                       enum nl80211_iftype type, u32 *flags,
+                       struct vif_params *params)
+{
+        struct wireless_dev *ret;
+        trace_rdev_add_virtual_intf(&rdev->wiphy, name, type);
+        ret = rdev->ops->add_virtual_intf(&rdev->wiphy, name, type, flags,
+                                          params);
+        trace_rdev_return_wdev(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_del_virtual_intf(struct cfg80211_registered_device *rdev,
+                      struct wireless_dev *wdev)
+{
+        int ret;
+        trace_rdev_del_virtual_intf(&rdev->wiphy, wdev);
+        ret = rdev->ops->del_virtual_intf(&rdev->wiphy, wdev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_change_virtual_intf(struct cfg80211_registered_device *rdev,
+                         struct net_device *dev, enum nl80211_iftype type,
+                         u32 *flags, struct vif_params *params)
+{
+        int ret;
+        trace_rdev_change_virtual_intf(&rdev->wiphy, dev, type);
+        ret = rdev->ops->change_virtual_intf(&rdev->wiphy, dev, type, flags,
+                                             params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_add_key(struct cfg80211_registered_device *rdev,
+                               struct net_device *netdev, u8 key_index,
+                               bool pairwise, const u8 *mac_addr,
+                               struct key_params *params)
+{
+        int ret;
+        trace_rdev_add_key(&rdev->wiphy, netdev, key_index, pairwise, mac_addr);
+        ret = rdev->ops->add_key(&rdev->wiphy, netdev, key_index, pairwise,
+                                  mac_addr, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_get_key(struct cfg80211_registered_device *rdev, struct net_device *netdev,
+             u8 key_index, bool pairwise, const u8 *mac_addr, void *cookie,
+             void (*callback)(void *cookie, struct key_params*))
+{
+        int ret;
+        trace_rdev_get_key(&rdev->wiphy, netdev, key_index, pairwise, mac_addr);
+        ret = rdev->ops->get_key(&rdev->wiphy, netdev, key_index, pairwise,
+                                  mac_addr, cookie, callback);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_del_key(struct cfg80211_registered_device *rdev,
+                               struct net_device *netdev, u8 key_index,
+                               bool pairwise, const u8 *mac_addr)
+{
+        int ret;
+        trace_rdev_del_key(&rdev->wiphy, netdev, key_index, pairwise, mac_addr);
+        ret = rdev->ops->del_key(&rdev->wiphy, netdev, key_index, pairwise,
+                                  mac_addr);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_default_key(struct cfg80211_registered_device *rdev,
+                     struct net_device *netdev, u8 key_index, bool unicast,
+                     bool multicast)
+{
+        int ret;
+        trace_rdev_set_default_key(&rdev->wiphy, netdev, key_index,
+                                   unicast, multicast);
+        ret = rdev->ops->set_default_key(&rdev->wiphy, netdev, key_index,
+                                          unicast, multicast);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_default_mgmt_key(struct cfg80211_registered_device *rdev,
+                          struct net_device *netdev, u8 key_index)
+{
+        int ret;
+        trace_rdev_set_default_mgmt_key(&rdev->wiphy, netdev, key_index);
+        ret = rdev->ops->set_default_mgmt_key(&rdev->wiphy, netdev,
+                                               key_index);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_start_ap(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev,
+                                struct cfg80211_ap_settings *settings)
+{
+        int ret;
+        trace_rdev_start_ap(&rdev->wiphy, dev, settings);
+        ret = rdev->ops->start_ap(&rdev->wiphy, dev, settings);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_change_beacon(struct cfg80211_registered_device *rdev,
+                                     struct net_device *dev,
+                                     struct cfg80211_beacon_data *info)
+{
+        int ret;
+        trace_rdev_change_beacon(&rdev->wiphy, dev, info);
+        ret = rdev->ops->change_beacon(&rdev->wiphy, dev, info);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_stop_ap(struct cfg80211_registered_device *rdev,
+                               struct net_device *dev)
+{
+        int ret;
+        trace_rdev_stop_ap(&rdev->wiphy, dev);
+        ret = rdev->ops->stop_ap(&rdev->wiphy, dev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_add_station(struct cfg80211_registered_device *rdev,
+                                   struct net_device *dev, u8 *mac,
+                                   struct station_parameters *params)
+{
+        int ret;
+        trace_rdev_add_station(&rdev->wiphy, dev, mac, params);
+        ret = rdev->ops->add_station(&rdev->wiphy, dev, mac, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_del_station(struct cfg80211_registered_device *rdev,
+                                   struct net_device *dev, u8 *mac)
+{
+        int ret;
+        trace_rdev_del_station(&rdev->wiphy, dev, mac);
+        ret = rdev->ops->del_station(&rdev->wiphy, dev, mac);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_change_station(struct cfg80211_registered_device *rdev,
+                                      struct net_device *dev, u8 *mac,
+                                      struct station_parameters *params)
+{
+        int ret;
+        trace_rdev_change_station(&rdev->wiphy, dev, mac, params);
+        ret = rdev->ops->change_station(&rdev->wiphy, dev, mac, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_get_station(struct cfg80211_registered_device *rdev,
+                                   struct net_device *dev, u8 *mac,
+                                   struct station_info *sinfo)
+{
+        int ret;
+        trace_rdev_get_station(&rdev->wiphy, dev, mac);
+        ret = rdev->ops->get_station(&rdev->wiphy, dev, mac, sinfo);
+        trace_rdev_return_int_station_info(&rdev->wiphy, ret, sinfo);
+        return ret;
+}
+
+static inline int rdev_dump_station(struct cfg80211_registered_device *rdev,
+                                    struct net_device *dev, int idx, u8 *mac,
+                                    struct station_info *sinfo)
+{
+        int ret;
+        trace_rdev_dump_station(&rdev->wiphy, dev, idx, mac);
+        ret = rdev->ops->dump_station(&rdev->wiphy, dev, idx, mac, sinfo);
+        trace_rdev_return_int_station_info(&rdev->wiphy, ret, sinfo);
+        return ret;
+}
+
+static inline int rdev_add_mpath(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev, u8 *dst, u8 *next_hop)
+{
+        int ret;
+        trace_rdev_add_mpath(&rdev->wiphy, dev, dst, next_hop);
+        ret = rdev->ops->add_mpath(&rdev->wiphy, dev, dst, next_hop);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_del_mpath(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev, u8 *dst)
+{
+        int ret;
+        trace_rdev_del_mpath(&rdev->wiphy, dev, dst);
+        ret = rdev->ops->del_mpath(&rdev->wiphy, dev, dst);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_change_mpath(struct cfg80211_registered_device *rdev,
+                                    struct net_device *dev, u8 *dst,
+                                    u8 *next_hop)
+{
+        int ret;
+        trace_rdev_change_mpath(&rdev->wiphy, dev, dst, next_hop);
+        ret = rdev->ops->change_mpath(&rdev->wiphy, dev, dst, next_hop);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_get_mpath(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev, u8 *dst, u8 *next_hop,
+                                 struct mpath_info *pinfo)
+{
+        int ret;
+        trace_rdev_get_mpath(&rdev->wiphy, dev, dst, next_hop);
+        ret = rdev->ops->get_mpath(&rdev->wiphy, dev, dst, next_hop, pinfo);
+        trace_rdev_return_int_mpath_info(&rdev->wiphy, ret, pinfo);
+        return ret;
+
+}
+
+static inline int rdev_dump_mpath(struct cfg80211_registered_device *rdev,
+                                  struct net_device *dev, int idx, u8 *dst,
+                                  u8 *next_hop, struct mpath_info *pinfo)
+
+{
+        int ret;
+        trace_rdev_dump_mpath(&rdev->wiphy, dev, idx, dst, next_hop);
+        ret = rdev->ops->dump_mpath(&rdev->wiphy, dev, idx, dst, next_hop,
+                                     pinfo);
+        trace_rdev_return_int_mpath_info(&rdev->wiphy, ret, pinfo);
+        return ret;
+}
+
+static inline int
+rdev_get_mesh_config(struct cfg80211_registered_device *rdev,
+                     struct net_device *dev, struct mesh_config *conf)
+{
+        int ret;
+        trace_rdev_get_mesh_config(&rdev->wiphy, dev);
+        ret = rdev->ops->get_mesh_config(&rdev->wiphy, dev, conf);
+        trace_rdev_return_int_mesh_config(&rdev->wiphy, ret, conf);
+        return ret;
+}
+
+static inline int
+rdev_update_mesh_config(struct cfg80211_registered_device *rdev,
+                        struct net_device *dev, u32 mask,
+                        const struct mesh_config *nconf)
+{
+        int ret;
+        trace_rdev_update_mesh_config(&rdev->wiphy, dev, mask, nconf);
+        ret = rdev->ops->update_mesh_config(&rdev->wiphy, dev, mask, nconf);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_join_mesh(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev,
+                                 const struct mesh_config *conf,
+                                 const struct mesh_setup *setup)
+{
+        int ret;
+        trace_rdev_join_mesh(&rdev->wiphy, dev, conf, setup);
+        ret = rdev->ops->join_mesh(&rdev->wiphy, dev, conf, setup);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+
+static inline int rdev_leave_mesh(struct cfg80211_registered_device *rdev,
+                                  struct net_device *dev)
+{
+        int ret;
+        trace_rdev_leave_mesh(&rdev->wiphy, dev);
+        ret = rdev->ops->leave_mesh(&rdev->wiphy, dev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_change_bss(struct cfg80211_registered_device *rdev,
+                                  struct net_device *dev,
+                                  struct bss_parameters *params)
+
+{
+        int ret;
+        trace_rdev_change_bss(&rdev->wiphy, dev, params);
+        ret = rdev->ops->change_bss(&rdev->wiphy, dev, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_set_txq_params(struct cfg80211_registered_device *rdev,
+                                      struct net_device *dev,
+                                      struct ieee80211_txq_params *params)
+
+{
+        int ret;
+        trace_rdev_set_txq_params(&rdev->wiphy, dev, params);
+        ret = rdev->ops->set_txq_params(&rdev->wiphy, dev, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_libertas_set_mesh_channel(struct cfg80211_registered_device *rdev,
+                               struct net_device *dev,
+                               struct ieee80211_channel *chan)
+{
+        int ret;
+        trace_rdev_libertas_set_mesh_channel(&rdev->wiphy, dev, chan);
+        ret = rdev->ops->libertas_set_mesh_channel(&rdev->wiphy, dev, chan);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_monitor_channel(struct cfg80211_registered_device *rdev,
+                         struct ieee80211_channel *chan,
+                         enum nl80211_channel_type channel_type)
+{
+        int ret;
+        trace_rdev_set_monitor_channel(&rdev->wiphy, chan, channel_type);
+        ret = rdev->ops->set_monitor_channel(&rdev->wiphy, chan, channel_type);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_scan(struct cfg80211_registered_device *rdev,
+                            struct cfg80211_scan_request *request)
+{
+        int ret;
+        trace_rdev_scan(&rdev->wiphy, request);
+        ret = rdev->ops->scan(&rdev->wiphy, request);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_auth(struct cfg80211_registered_device *rdev,
+                            struct net_device *dev,
+                            struct cfg80211_auth_request *req)
+{
+        int ret;
+        trace_rdev_auth(&rdev->wiphy, dev, req);
+        ret = rdev->ops->auth(&rdev->wiphy, dev, req);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_assoc(struct cfg80211_registered_device *rdev,
+                             struct net_device *dev,
+                             struct cfg80211_assoc_request *req)
+{
+        int ret;
+        trace_rdev_assoc(&rdev->wiphy, dev, req);
+        ret = rdev->ops->assoc(&rdev->wiphy, dev, req);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_deauth(struct cfg80211_registered_device *rdev,
+                              struct net_device *dev,
+                              struct cfg80211_deauth_request *req)
+{
+        int ret;
+        trace_rdev_deauth(&rdev->wiphy, dev, req);
+        ret = rdev->ops->deauth(&rdev->wiphy, dev, req);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_disassoc(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev,
+                                struct cfg80211_disassoc_request *req)
+{
+        int ret;
+        trace_rdev_disassoc(&rdev->wiphy, dev, req);
+        ret = rdev->ops->disassoc(&rdev->wiphy, dev, req);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_connect(struct cfg80211_registered_device *rdev,
+                               struct net_device *dev,
+                               struct cfg80211_connect_params *sme)
+{
+        int ret;
+        trace_rdev_connect(&rdev->wiphy, dev, sme);
+        ret = rdev->ops->connect(&rdev->wiphy, dev, sme);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_disconnect(struct cfg80211_registered_device *rdev,
+                                  struct net_device *dev, u16 reason_code)
+{
+        int ret;
+        trace_rdev_disconnect(&rdev->wiphy, dev, reason_code);
+        ret = rdev->ops->disconnect(&rdev->wiphy, dev, reason_code);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_join_ibss(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev,
+                                 struct cfg80211_ibss_params *params)
+{
+        int ret;
+        trace_rdev_join_ibss(&rdev->wiphy, dev, params);
+        ret = rdev->ops->join_ibss(&rdev->wiphy, dev, params);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_leave_ibss(struct cfg80211_registered_device *rdev,
+                                  struct net_device *dev)
+{
+        int ret;
+        trace_rdev_leave_ibss(&rdev->wiphy, dev);
+        ret = rdev->ops->leave_ibss(&rdev->wiphy, dev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_wiphy_params(struct cfg80211_registered_device *rdev, u32 changed)
+{
+        int ret;
+        trace_rdev_set_wiphy_params(&rdev->wiphy, changed);
+        ret = rdev->ops->set_wiphy_params(&rdev->wiphy, changed);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_set_tx_power(struct cfg80211_registered_device *rdev,
+                                    struct wireless_dev *wdev,
+                                    enum nl80211_tx_power_setting type, int mbm)
+{
+        int ret;
+        trace_rdev_set_tx_power(&rdev->wiphy, wdev, type, mbm);
+        ret = rdev->ops->set_tx_power(&rdev->wiphy, wdev, type, mbm);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_get_tx_power(struct cfg80211_registered_device *rdev,
+                                    struct wireless_dev *wdev, int *dbm)
+{
+        int ret;
+        trace_rdev_get_tx_power(&rdev->wiphy, wdev);
+        ret = rdev->ops->get_tx_power(&rdev->wiphy, wdev, dbm);
+        trace_rdev_return_int_int(&rdev->wiphy, ret, *dbm);
+        return ret;
+}
+
+static inline int rdev_set_wds_peer(struct cfg80211_registered_device *rdev,
+                                    struct net_device *dev, const u8 *addr)
+{
+        int ret;
+        trace_rdev_set_wds_peer(&rdev->wiphy, dev, addr);
+        ret = rdev->ops->set_wds_peer(&rdev->wiphy, dev, addr);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void rdev_rfkill_poll(struct cfg80211_registered_device *rdev)
+{
+        trace_rdev_rfkill_poll(&rdev->wiphy);
+        rdev->ops->rfkill_poll(&rdev->wiphy);
+        trace_rdev_return_void(&rdev->wiphy);
+}
+
+
+#ifdef CONFIG_NL80211_TESTMODE
+static inline int rdev_testmode_cmd(struct cfg80211_registered_device *rdev,
+                                    void *data, int len)
+{
+        int ret;
+        trace_rdev_testmode_cmd(&rdev->wiphy);
+        ret = rdev->ops->testmode_cmd(&rdev->wiphy, data, len);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_testmode_dump(struct cfg80211_registered_device *rdev,
+                                     struct sk_buff *skb,
+                                     struct netlink_callback *cb, void *data,
+                                     int len)
+{
+        int ret;
+        trace_rdev_testmode_dump(&rdev->wiphy);
+        ret = rdev->ops->testmode_dump(&rdev->wiphy, skb, cb, data, len);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+#endif
+
+static inline int
+rdev_set_bitrate_mask(struct cfg80211_registered_device *rdev,
+                      struct net_device *dev, const u8 *peer,
+                      const struct cfg80211_bitrate_mask *mask)
+{
+        int ret;
+        trace_rdev_set_bitrate_mask(&rdev->wiphy, dev, peer, mask);
+        ret = rdev->ops->set_bitrate_mask(&rdev->wiphy, dev, peer, mask);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_dump_survey(struct cfg80211_registered_device *rdev,
+                                   struct net_device *netdev, int idx,
+                                   struct survey_info *info)
+{
+        int ret;
+        trace_rdev_dump_survey(&rdev->wiphy, netdev, idx);
+        ret = rdev->ops->dump_survey(&rdev->wiphy, netdev, idx, info);
+        if (ret < 0)
+                trace_rdev_return_int(&rdev->wiphy, ret);
+        else
+                trace_rdev_return_int_survey_info(&rdev->wiphy, ret, info);
+        return ret;
+}
+
+static inline int rdev_set_pmksa(struct cfg80211_registered_device *rdev,
+                                 struct net_device *netdev,
+                                 struct cfg80211_pmksa *pmksa)
+{
+        int ret;
+        trace_rdev_set_pmksa(&rdev->wiphy, netdev, pmksa);
+        ret = rdev->ops->set_pmksa(&rdev->wiphy, netdev, pmksa);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_del_pmksa(struct cfg80211_registered_device *rdev,
+                                 struct net_device *netdev,
+                                 struct cfg80211_pmksa *pmksa)
+{
+        int ret;
+        trace_rdev_del_pmksa(&rdev->wiphy, netdev, pmksa);
+        ret = rdev->ops->del_pmksa(&rdev->wiphy, netdev, pmksa);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_flush_pmksa(struct cfg80211_registered_device *rdev,
+                                   struct net_device *netdev)
+{
+        int ret;
+        trace_rdev_flush_pmksa(&rdev->wiphy, netdev);
+        ret = rdev->ops->flush_pmksa(&rdev->wiphy, netdev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_remain_on_channel(struct cfg80211_registered_device *rdev,
+                       struct wireless_dev *wdev,
+                       struct ieee80211_channel *chan,
+                       enum nl80211_channel_type channel_type,
+                       unsigned int duration, u64 *cookie)
+{
+        int ret;
+        trace_rdev_remain_on_channel(&rdev->wiphy, wdev, chan, channel_type,
+                                     duration);
+        ret = rdev->ops->remain_on_channel(&rdev->wiphy, wdev, chan,
+                                            channel_type, duration, cookie);
+        trace_rdev_return_int_cookie(&rdev->wiphy, ret, *cookie);
+        return ret;
+}
+
+static inline int
+rdev_cancel_remain_on_channel(struct cfg80211_registered_device *rdev,
+                              struct wireless_dev *wdev, u64 cookie)
+{
+        int ret;
+        trace_rdev_cancel_remain_on_channel(&rdev->wiphy, wdev, cookie);
+        ret = rdev->ops->cancel_remain_on_channel(&rdev->wiphy, wdev, cookie);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_mgmt_tx(struct cfg80211_registered_device *rdev,
+                               struct wireless_dev *wdev,
+                               struct ieee80211_channel *chan, bool offchan,
+                               enum nl80211_channel_type channel_type,
+                               bool channel_type_valid, unsigned int wait,
+                               const u8 *buf, size_t len, bool no_cck,
+                               bool dont_wait_for_ack, u64 *cookie)
+{
+        int ret;
+        trace_rdev_mgmt_tx(&rdev->wiphy, wdev, chan, offchan, channel_type,
+                           channel_type_valid, wait, no_cck, dont_wait_for_ack);
+        ret = rdev->ops->mgmt_tx(&rdev->wiphy, wdev, chan, offchan,
+                                  channel_type, channel_type_valid, wait, buf,
+                                  len, no_cck, dont_wait_for_ack, cookie);
+        trace_rdev_return_int_cookie(&rdev->wiphy, ret, *cookie);
+        return ret;
+}
+
+static inline int
+rdev_mgmt_tx_cancel_wait(struct cfg80211_registered_device *rdev,
+                         struct wireless_dev *wdev, u64 cookie)
+{
+        int ret;
+        trace_rdev_mgmt_tx_cancel_wait(&rdev->wiphy, wdev, cookie);
+        ret = rdev->ops->mgmt_tx_cancel_wait(&rdev->wiphy, wdev, cookie);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_set_power_mgmt(struct cfg80211_registered_device *rdev,
+                                      struct net_device *dev, bool enabled,
+                                      int timeout)
+{
+        int ret;
+        trace_rdev_set_power_mgmt(&rdev->wiphy, dev, enabled, timeout);
+        ret = rdev->ops->set_power_mgmt(&rdev->wiphy, dev, enabled, timeout);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_cqm_rssi_config(struct cfg80211_registered_device *rdev,
+                         struct net_device *dev, s32 rssi_thold, u32 rssi_hyst)
+{
+        int ret;
+        trace_rdev_set_cqm_rssi_config(&rdev->wiphy, dev, rssi_thold,
+                                       rssi_hyst);
+        ret = rdev->ops->set_cqm_rssi_config(&rdev->wiphy, dev, rssi_thold,
+                                       rssi_hyst);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_set_cqm_txe_config(struct cfg80211_registered_device *rdev,
+                        struct net_device *dev, u32 rate, u32 pkts, u32 intvl)
+{
+        int ret;
+        trace_rdev_set_cqm_txe_config(&rdev->wiphy, dev, rate, pkts, intvl);
+        ret = rdev->ops->set_cqm_txe_config(&rdev->wiphy, dev, rate, pkts,
+                                             intvl);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void
+rdev_mgmt_frame_register(struct cfg80211_registered_device *rdev,
+                         struct wireless_dev *wdev, u16 frame_type, bool reg)
+{
+        trace_rdev_mgmt_frame_register(&rdev->wiphy, wdev , frame_type, reg);
+        rdev->ops->mgmt_frame_register(&rdev->wiphy, wdev , frame_type, reg);
+        trace_rdev_return_void(&rdev->wiphy);
+}
+
+static inline int rdev_set_antenna(struct cfg80211_registered_device *rdev,
+                                   u32 tx_ant, u32 rx_ant)
+{
+        int ret;
+        trace_rdev_set_antenna(&rdev->wiphy, tx_ant, rx_ant);
+        ret = rdev->ops->set_antenna(&rdev->wiphy, tx_ant, rx_ant);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_get_antenna(struct cfg80211_registered_device *rdev,
+                                   u32 *tx_ant, u32 *rx_ant)
+{
+        int ret;
+        trace_rdev_get_antenna(&rdev->wiphy);
+        ret = rdev->ops->get_antenna(&rdev->wiphy, tx_ant, rx_ant);
+        if (ret)
+                trace_rdev_return_int(&rdev->wiphy, ret);
+        else
+                trace_rdev_return_int_tx_rx(&rdev->wiphy, ret, *tx_ant,
+                                            *rx_ant);
+        return ret;
+}
+
+static inline int rdev_set_ringparam(struct cfg80211_registered_device *rdev,
+                                     u32 tx, u32 rx)
+{
+        int ret;
+        trace_rdev_set_ringparam(&rdev->wiphy, tx, rx);
+        ret = rdev->ops->set_ringparam(&rdev->wiphy, tx, rx);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void rdev_get_ringparam(struct cfg80211_registered_device *rdev,
+                                      u32 *tx, u32 *tx_max, u32 *rx,
+                                      u32 *rx_max)
+{
+        trace_rdev_get_ringparam(&rdev->wiphy);
+        rdev->ops->get_ringparam(&rdev->wiphy, tx, tx_max, rx, rx_max);
+        trace_rdev_return_void_tx_rx(&rdev->wiphy, *tx, *tx_max, *rx, *rx_max);
+}
+
+static inline int
+rdev_sched_scan_start(struct cfg80211_registered_device *rdev,
+                      struct net_device *dev,
+                      struct cfg80211_sched_scan_request *request)
+{
+        int ret;
+        trace_rdev_sched_scan_start(&rdev->wiphy, dev, request);
+        ret = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_sched_scan_stop(struct cfg80211_registered_device *rdev,
+                                       struct net_device *dev)
+{
+        int ret;
+        trace_rdev_sched_scan_stop(&rdev->wiphy, dev);
+        ret = rdev->ops->sched_scan_stop(&rdev->wiphy, dev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_set_rekey_data(struct cfg80211_registered_device *rdev,
+                                      struct net_device *dev,
+                                      struct cfg80211_gtk_rekey_data *data)
+{
+        int ret;
+        trace_rdev_set_rekey_data(&rdev->wiphy, dev);
+        ret = rdev->ops->set_rekey_data(&rdev->wiphy, dev, data);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_tdls_mgmt(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev, u8 *peer,
+                                 u8 action_code, u8 dialog_token,
+                                 u16 status_code, const u8 *buf, size_t len)
+{
+        int ret;
+        trace_rdev_tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
+                             dialog_token, status_code, buf, len);
+        ret = rdev->ops->tdls_mgmt(&rdev->wiphy, dev, peer, action_code,
+                                   dialog_token, status_code, buf, len);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_tdls_oper(struct cfg80211_registered_device *rdev,
+                                 struct net_device *dev, u8 *peer,
+                                 enum nl80211_tdls_operation oper)
+{
+        int ret;
+        trace_rdev_tdls_oper(&rdev->wiphy, dev, peer, oper);
+        ret = rdev->ops->tdls_oper(&rdev->wiphy, dev, peer, oper);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int rdev_probe_client(struct cfg80211_registered_device *rdev,
+                                    struct net_device *dev, const u8 *peer,
+                                    u64 *cookie)
+{
+        int ret;
+        trace_rdev_probe_client(&rdev->wiphy, dev, peer);
+        ret = rdev->ops->probe_client(&rdev->wiphy, dev, peer, cookie);
+        trace_rdev_return_int_cookie(&rdev->wiphy, ret, *cookie);
+        return ret;
+}
+
+static inline int rdev_set_noack_map(struct cfg80211_registered_device *rdev,
+                                     struct net_device *dev, u16 noack_map)
+{
+        int ret;
+        trace_rdev_set_noack_map(&rdev->wiphy, dev, noack_map);
+        ret = rdev->ops->set_noack_map(&rdev->wiphy, dev, noack_map);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline int
+rdev_get_et_sset_count(struct cfg80211_registered_device *rdev,
+                       struct net_device *dev, int sset)
+{
+        int ret;
+        trace_rdev_get_et_sset_count(&rdev->wiphy, dev, sset);
+        ret = rdev->ops->get_et_sset_count(&rdev->wiphy, dev, sset);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void rdev_get_et_stats(struct cfg80211_registered_device *rdev,
+                                     struct net_device *dev,
+                                     struct ethtool_stats *stats, u64 *data)
+{
+        trace_rdev_get_et_stats(&rdev->wiphy, dev);
+        rdev->ops->get_et_stats(&rdev->wiphy, dev, stats, data);
+        trace_rdev_return_void(&rdev->wiphy);
+}
+
+static inline void rdev_get_et_strings(struct cfg80211_registered_device *rdev,
+                                       struct net_device *dev, u32 sset,
+                                       u8 *data)
+{
+        trace_rdev_get_et_strings(&rdev->wiphy, dev, sset);
+        rdev->ops->get_et_strings(&rdev->wiphy, dev, sset, data);
+        trace_rdev_return_void(&rdev->wiphy);
+}
+
+static inline struct ieee80211_channel
+*rdev_get_channel(struct cfg80211_registered_device *rdev,
+                  struct wireless_dev *wdev, enum nl80211_channel_type *type)
+{
+        struct ieee80211_channel *ret;
+        trace_rdev_get_channel(&rdev->wiphy, wdev);
+        ret = rdev->ops->get_channel(&rdev->wiphy, wdev, type);
+        trace_rdev_return_channel(&rdev->wiphy, ret, *type);
+        return ret;
+}
+
+static inline int rdev_start_p2p_device(struct cfg80211_registered_device *rdev,
+                                        struct wireless_dev *wdev)
+{
+        int ret;
+
+        trace_rdev_start_p2p_device(&rdev->wiphy, wdev);
+        ret = rdev->ops->start_p2p_device(&rdev->wiphy, wdev);
+        trace_rdev_return_int(&rdev->wiphy, ret);
+        return ret;
+}
+
+static inline void rdev_stop_p2p_device(struct cfg80211_registered_device *rdev,
+                                        struct wireless_dev *wdev)
+{
+        trace_rdev_stop_p2p_device(&rdev->wiphy, wdev);
+        rdev->ops->stop_p2p_device(&rdev->wiphy, wdev);
+        trace_rdev_return_void(&rdev->wiphy);
+}                                       
+#endif /* __CFG80211_RDEV_OPS */
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 3b8cbbc214db..b75756b05af7 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -141,9 +141,8 @@ static const struct ieee80211_regdomain world_regdom = {
         .reg_rules = {
                 /* IEEE 802.11b/g, channels 1..11 */
                 REG_RULE(2412-10, 2462+10, 40, 6, 20, 0),
-                /* IEEE 802.11b/g, channels 12..13. No HT40
-                 * channel fits here. */
-                REG_RULE(2467-10, 2472+10, 20, 6, 20,
+                /* IEEE 802.11b/g, channels 12..13. */
+                REG_RULE(2467-10, 2472+10, 40, 6, 20,
                         NL80211_RRF_PASSIVE_SCAN |
                         NL80211_RRF_NO_IBSS),
                 /* IEEE 802.11 channel 14 - Only JP enables
@@ -908,7 +907,7 @@ static void handle_channel(struct wiphy *wiphy,
                         map_regdom_flags(reg_rule->flags) | bw_flags;
                 chan->max_antenna_gain = chan->orig_mag =
                         (int) MBI_TO_DBI(power_rule->max_antenna_gain);
-                chan->max_power = chan->orig_mpwr =
+                chan->max_reg_power = chan->max_power = chan->orig_mpwr =
                         (int) MBM_TO_DBM(power_rule->max_eirp);
                 return;
         }
@@ -1331,7 +1330,8 @@ static void handle_channel_custom(struct wiphy *wiphy,
 
         chan->flags |= map_regdom_flags(reg_rule->flags) | bw_flags;
         chan->max_antenna_gain = (int) MBI_TO_DBI(power_rule->max_antenna_gain);
-        chan->max_power = (int) MBM_TO_DBM(power_rule->max_eirp);
+        chan->max_reg_power = chan->max_power =
+                (int) MBM_TO_DBM(power_rule->max_eirp);
 }
 
 static void handle_band_custom(struct wiphy *wiphy, enum ieee80211_band band,
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 9730c9862bdc..7f97a087f452 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -17,9 +17,58 @@
 #include "core.h"
 #include "nl80211.h"
 #include "wext-compat.h"
+#include "rdev-ops.h"
 
 #define IEEE80211_SCAN_RESULT_EXPIRE    (30 * HZ)
 
+static void bss_release(struct kref *ref)
+{
+        struct cfg80211_internal_bss *bss;
+
+        bss = container_of(ref, struct cfg80211_internal_bss, ref);
+        if (bss->pub.free_priv)
+                bss->pub.free_priv(&bss->pub);
+
+        if (bss->beacon_ies_allocated)
+                kfree(bss->pub.beacon_ies);
+        if (bss->proberesp_ies_allocated)
+                kfree(bss->pub.proberesp_ies);
+
+        BUG_ON(atomic_read(&bss->hold));
+
+        kfree(bss);
+}
+
+/* must hold dev->bss_lock! */
+static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
+                                  struct cfg80211_internal_bss *bss)
+{
+        list_del_init(&bss->list);
+        rb_erase(&bss->rbn, &dev->bss_tree);
+        kref_put(&bss->ref, bss_release);
+}
+
+/* must hold dev->bss_lock! */
+static void __cfg80211_bss_expire(struct cfg80211_registered_device *dev,
+                                  unsigned long expire_time)
+{
+        struct cfg80211_internal_bss *bss, *tmp;
+        bool expired = false;
+
+        list_for_each_entry_safe(bss, tmp, &dev->bss_list, list) {
+                if (atomic_read(&bss->hold))
+                        continue;
+                if (!time_after(expire_time, bss->ts))
+                        continue;
+
+                __cfg80211_unlink_bss(dev, bss);
+                expired = true;
+        }
+
+        if (expired)
+                dev->bss_generation++;
+}
+
 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak)
 {
         struct cfg80211_scan_request *request;
@@ -45,10 +94,17 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak)
         if (wdev->netdev)
                 cfg80211_sme_scan_done(wdev->netdev);
 
-        if (request->aborted)
+        if (request->aborted) {
                 nl80211_send_scan_aborted(rdev, wdev);
-        else
+        } else {
+                if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
+                        /* flush entries from previous scans */
+                        spin_lock_bh(&rdev->bss_lock);
+                        __cfg80211_bss_expire(rdev, request->scan_start);
+                        spin_unlock_bh(&rdev->bss_lock);
+                }
                 nl80211_send_scan_done(rdev, wdev);
+        }
 
 #ifdef CONFIG_CFG80211_WEXT
         if (wdev->netdev && !request->aborted) {
@@ -89,6 +145,7 @@ void __cfg80211_scan_done(struct work_struct *wk)
 
 void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
 {
+        trace_cfg80211_scan_done(request, aborted);
         WARN_ON(request != wiphy_to_dev(request->wiphy)->scan_req);
 
         request->aborted = aborted;
@@ -99,22 +156,34 @@ EXPORT_SYMBOL(cfg80211_scan_done);
 void __cfg80211_sched_scan_results(struct work_struct *wk)
 {
         struct cfg80211_registered_device *rdev;
+        struct cfg80211_sched_scan_request *request;
 
         rdev = container_of(wk, struct cfg80211_registered_device,
                             sched_scan_results_wk);
 
+        request = rdev->sched_scan_req;
+
         mutex_lock(&rdev->sched_scan_mtx);
 
         /* we don't have sched_scan_req anymore if the scan is stopping */
-        if (rdev->sched_scan_req)
-                nl80211_send_sched_scan_results(rdev,
-                                                rdev->sched_scan_req->dev);
+        if (request) {
+                if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
+                        /* flush entries from previous scans */
+                        spin_lock_bh(&rdev->bss_lock);
+                        __cfg80211_bss_expire(rdev, request->scan_start);
+                        spin_unlock_bh(&rdev->bss_lock);
+                        request->scan_start =
+                                jiffies + msecs_to_jiffies(request->interval);
+                }
+                nl80211_send_sched_scan_results(rdev, request->dev);
+        }
 
         mutex_unlock(&rdev->sched_scan_mtx);
 }
 
 void cfg80211_sched_scan_results(struct wiphy *wiphy)
 {
+        trace_cfg80211_sched_scan_results(wiphy);
         /* ignore if we're not scanning */
         if (wiphy_to_dev(wiphy)->sched_scan_req)
                 queue_work(cfg80211_wq,
@@ -126,6 +195,8 @@ void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
 {
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
 
+        trace_cfg80211_sched_scan_stopped(wiphy);
+
         mutex_lock(&rdev->sched_scan_mtx);
         __cfg80211_stop_sched_scan(rdev, true);
         mutex_unlock(&rdev->sched_scan_mtx);
@@ -145,7 +216,7 @@ int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
         dev = rdev->sched_scan_req->dev;
 
         if (!driver_initiated) {
-                int err = rdev->ops->sched_scan_stop(&rdev->wiphy, dev);
+                int err = rdev_sched_scan_stop(rdev, dev);
                 if (err)
                         return err;
         }
@@ -158,24 +229,6 @@ int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
         return 0;
 }
 
-static void bss_release(struct kref *ref)
-{
-        struct cfg80211_internal_bss *bss;
-
-        bss = container_of(ref, struct cfg80211_internal_bss, ref);
-        if (bss->pub.free_priv)
-                bss->pub.free_priv(&bss->pub);
-
-        if (bss->beacon_ies_allocated)
-                kfree(bss->pub.beacon_ies);
-        if (bss->proberesp_ies_allocated)
-                kfree(bss->pub.proberesp_ies);
-
-        BUG_ON(atomic_read(&bss->hold));
-
-        kfree(bss);
-}
-
 /* must hold dev->bss_lock! */
 void cfg80211_bss_age(struct cfg80211_registered_device *dev,
                       unsigned long age_secs)
@@ -188,32 +241,9 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev,
         }
 }
 
-/* must hold dev->bss_lock! */
-static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
-                                  struct cfg80211_internal_bss *bss)
-{
-        list_del_init(&bss->list);
-        rb_erase(&bss->rbn, &dev->bss_tree);
-        kref_put(&bss->ref, bss_release);
-}
-
-/* must hold dev->bss_lock! */
 void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
 {
-        struct cfg80211_internal_bss *bss, *tmp;
-        bool expired = false;
-
-        list_for_each_entry_safe(bss, tmp, &dev->bss_list, list) {
-                if (atomic_read(&bss->hold))
-                        continue;
-                if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))
-                        continue;
-                __cfg80211_unlink_bss(dev, bss);
-                expired = true;
-        }
-
-        if (expired)
-                dev->bss_generation++;
+        __cfg80211_bss_expire(dev, jiffies - IEEE80211_SCAN_RESULT_EXPIRE);
 }
 
 const u8 *cfg80211_find_ie(u8 eid, const u8 *ies, int len)
@@ -459,6 +489,9 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
         struct cfg80211_internal_bss *bss, *res = NULL;
         unsigned long now = jiffies;
 
+        trace_cfg80211_get_bss(wiphy, channel, bssid, ssid, ssid_len, capa_mask,
+                               capa_val);
+
         spin_lock_bh(&dev->bss_lock);
 
         list_for_each_entry(bss, &dev->bss_list, list) {
@@ -480,6 +513,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
         spin_unlock_bh(&dev->bss_lock);
         if (!res)
                 return NULL;
+        trace_cfg80211_return_bss(&res->pub);
         return &res->pub;
 }
 EXPORT_SYMBOL(cfg80211_get_bss);
@@ -792,6 +826,7 @@ cfg80211_inform_bss(struct wiphy *wiphy,
         if (res->pub.capability & WLAN_CAPABILITY_ESS)
                 regulatory_hint_found_beacon(wiphy, channel, gfp);
 
+        trace_cfg80211_return_bss(&res->pub);
         /* cfg80211_bss_update gives us a referenced result */
         return &res->pub;
 }
@@ -804,10 +839,13 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
                           s32 signal, gfp_t gfp)
 {
         struct cfg80211_internal_bss *res;
+
         size_t ielen = len - offsetof(struct ieee80211_mgmt,
                                       u.probe_resp.variable);
         size_t privsz;
 
+        trace_cfg80211_inform_bss_frame(wiphy, channel, mgmt, len, signal);
+
         if (WARN_ON(!mgmt))
                 return NULL;
 
@@ -861,6 +899,7 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
         if (res->pub.capability & WLAN_CAPABILITY_ESS)
                 regulatory_hint_found_beacon(wiphy, channel, gfp);
 
+        trace_cfg80211_return_bss(&res->pub);
         /* cfg80211_bss_update gives us a referenced result */
         return &res->pub;
 }
@@ -962,6 +1001,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
         creq->ssids = (void *)&creq->channels[n_channels];
         creq->n_channels = n_channels;
         creq->n_ssids = 1;
+        creq->scan_start = jiffies;
 
         /* translate "Scan on frequencies" request */
         i = 0;
@@ -1026,7 +1066,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
                         creq->rates[i] = (1 << wiphy->bands[i]->n_bitrates) - 1;
 
         rdev->scan_req = creq;
-        err = rdev->ops->scan(wiphy, creq);
+        err = rdev_scan(rdev, creq);
         if (err) {
                 rdev->scan_req = NULL;
                 /* creq will be freed below */
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 6f39cb808302..c7490027237d 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -16,6 +16,7 @@
 #include <net/rtnetlink.h>
 #include "nl80211.h"
 #include "reg.h"
+#include "rdev-ops.h"
 
 struct cfg80211_conn {
         struct cfg80211_connect_params params;
@@ -138,10 +139,11 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
 
         request->wdev = wdev;
         request->wiphy = &rdev->wiphy;
+        request->scan_start = jiffies;
 
         rdev->scan_req = request;
 
-        err = rdev->ops->scan(wdev->wiphy, request);
+        err = rdev_scan(rdev, request);
         if (!err) {
                 wdev->conn->state = CFG80211_CONN_SCANNING;
                 nl80211_send_scan_start(rdev, wdev);
@@ -179,7 +181,7 @@ static int cfg80211_conn_do_work(struct wireless_dev *wdev)
                                             params->ssid, params->ssid_len,
                                             NULL, 0,
                                             params->key, params->key_len,
-                                            params->key_idx);
+                                            params->key_idx, NULL, 0);
         case CFG80211_CONN_ASSOCIATE_NEXT:
                 BUG_ON(!rdev->ops->assoc);
                 wdev->conn->state = CFG80211_CONN_ASSOCIATING;
@@ -716,7 +718,7 @@ void __cfg80211_disconnected(struct net_device *dev, const u8 *ie,
          */
         if (rdev->ops->del_key)
                 for (i = 0; i < 6; i++)
-                        rdev->ops->del_key(wdev->wiphy, dev, i, false, NULL);
+                        rdev_del_key(rdev, dev, i, false, NULL);
 
 #ifdef CONFIG_CFG80211_WEXT
         memset(&wrqu, 0, sizeof(wrqu));
@@ -892,7 +894,7 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
         } else {
                 wdev->sme_state = CFG80211_SME_CONNECTING;
                 wdev->connect_keys = connkeys;
-                err = rdev->ops->connect(&rdev->wiphy, dev, connect);
+                err = rdev_connect(rdev, dev, connect);
                 if (err) {
                         wdev->connect_keys = NULL;
                         wdev->sme_state = CFG80211_SME_IDLE;
@@ -964,7 +966,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
                 if (err)
                         return err;
         } else {
-                err = rdev->ops->disconnect(&rdev->wiphy, dev, reason);
+                err = rdev_disconnect(rdev, dev, reason);
                 if (err)
                         return err;
         }
diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c
index ff574597a854..9bf6d5e32166 100644
--- a/net/wireless/sysfs.c
+++ b/net/wireless/sysfs.c
@@ -16,6 +16,7 @@
 #include <net/cfg80211.h>
 #include "sysfs.h"
 #include "core.h"
+#include "rdev-ops.h"
 
 static inline struct cfg80211_registered_device *dev_to_rdev(
         struct device *dev)
@@ -94,7 +95,7 @@ static int wiphy_suspend(struct device *dev, pm_message_t state)
         if (rdev->ops->suspend) {
                 rtnl_lock();
                 if (rdev->wiphy.registered)
-                        ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
+                        ret = rdev_suspend(rdev);
                 rtnl_unlock();
         }
 
@@ -114,7 +115,7 @@ static int wiphy_resume(struct device *dev)
         if (rdev->ops->resume) {
                 rtnl_lock();
                 if (rdev->wiphy.registered)
-                        ret = rdev->ops->resume(&rdev->wiphy);
+                        ret = rdev_resume(rdev);
                 rtnl_unlock();
         }
 
diff --git a/net/wireless/trace.c b/net/wireless/trace.c
new file mode 100644
index 000000000000..95f997fad755
--- /dev/null
+++ b/net/wireless/trace.c
@@ -0,0 +1,7 @@
+#include <linux/module.h>
+
+#ifndef __CHECKER__
+#define CREATE_TRACE_POINTS
+#include "trace.h"
+
+#endif
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
new file mode 100644
index 000000000000..8e03c6382a8a
--- /dev/null
+++ b/net/wireless/trace.h
@@ -0,0 +1,2298 @@
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM cfg80211
+
+#if !defined(__RDEV_OPS_TRACE) || defined(TRACE_HEADER_MULTI_READ)
+#define __RDEV_OPS_TRACE
+
+#include <linux/tracepoint.h>
+
+#include <linux/rtnetlink.h>
+#include <net/cfg80211.h>
+#include "core.h"
+
+#define MAC_ENTRY(entry_mac) __array(u8, entry_mac, ETH_ALEN)
+#define MAC_ASSIGN(entry_mac, given_mac) do {                        \
+        if (given_mac)                                               \
+                memcpy(__entry->entry_mac, given_mac, ETH_ALEN);     \
+        else                                                         \
+                memset(__entry->entry_mac, 0, ETH_ALEN);             \
+        } while (0)
+#define MAC_PR_FMT "%pM"
+#define MAC_PR_ARG(entry_mac) (__entry->entry_mac)
+
+#define WIPHY_ENTRY MAC_ENTRY(wiphy_mac)
+#define WIPHY_ASSIGN MAC_ASSIGN(wiphy_mac, wiphy->perm_addr)
+#define WIPHY_PR_FMT "wiphy " MAC_PR_FMT
+#define WIPHY_PR_ARG MAC_PR_ARG(wiphy_mac)
+
+#define WDEV_ENTRY __field(u32, id)
+#define WDEV_ASSIGN (__entry->id) = (wdev ? wdev->identifier : 0)
+#define WDEV_PR_FMT ", wdev id: %u"
+#define WDEV_PR_ARG (__entry->id)
+
+#define NETDEV_ENTRY __array(char, name, IFNAMSIZ) \
+                     MAC_ENTRY(netdev_addr)        \
+                     __field(int, ifindex)
+#define NETDEV_ASSIGN                                          \
+        do {                                                   \
+                memcpy(__entry->name, netdev->name, IFNAMSIZ); \
+                MAC_ASSIGN(netdev_addr, netdev->dev_addr);     \
+                (__entry->ifindex) = (netdev->ifindex);        \
+        } while (0)
+#define NETDEV_PR_FMT ", netdev - name: %s, addr: " MAC_PR_FMT \
+                      ", intf index: %d"
+#define NETDEV_PR_ARG (__entry->name), MAC_PR_ARG(netdev_addr), \
+                      (__entry->ifindex)
+
+#define MESH_CFG_ENTRY __field(u16, dot11MeshRetryTimeout)                 \
+                       __field(u16, dot11MeshConfirmTimeout)               \
+                       __field(u16, dot11MeshHoldingTimeout)               \
+                       __field(u16, dot11MeshMaxPeerLinks)                 \
+                       __field(u8, dot11MeshMaxRetries)                    \
+                       __field(u8, dot11MeshTTL)                           \
+                       __field(u8, element_ttl)                            \
+                       __field(bool, auto_open_plinks)                     \
+                       __field(u32, dot11MeshNbrOffsetMaxNeighbor)         \
+                       __field(u8, dot11MeshHWMPmaxPREQretries)            \
+                       __field(u32, path_refresh_time)                     \
+                       __field(u32, dot11MeshHWMPactivePathTimeout)        \
+                       __field(u16, min_discovery_timeout)                 \
+                       __field(u16, dot11MeshHWMPpreqMinInterval)          \
+                       __field(u16, dot11MeshHWMPperrMinInterval)          \
+                       __field(u16, dot11MeshHWMPnetDiameterTraversalTime) \
+                       __field(u8, dot11MeshHWMPRootMode)                  \
+                       __field(u16, dot11MeshHWMPRannInterval)             \
+                       __field(bool, dot11MeshGateAnnouncementProtocol)    \
+                       __field(bool, dot11MeshForwarding)                  \
+                       __field(s32, rssi_threshold)                        \
+                       __field(u16, ht_opmode)                             \
+                       __field(u32, dot11MeshHWMPactivePathToRootTimeout)  \
+                       __field(u16, dot11MeshHWMProotInterval)             \
+                       __field(u16, dot11MeshHWMPconfirmationInterval)
+#define MESH_CFG_ASSIGN                                                       \
+        do {                                                                  \
+                __entry->dot11MeshRetryTimeout = conf->dot11MeshRetryTimeout; \
+                __entry->dot11MeshConfirmTimeout =                            \
+                                conf->dot11MeshConfirmTimeout;                \
+                __entry->dot11MeshHoldingTimeout =                            \
+                                conf->dot11MeshHoldingTimeout;                \
+                __entry->dot11MeshMaxPeerLinks = conf->dot11MeshMaxPeerLinks; \
+                __entry->dot11MeshMaxRetries = conf->dot11MeshMaxRetries;     \
+                __entry->dot11MeshTTL = conf->dot11MeshTTL;                   \
+                __entry->element_ttl = conf->element_ttl;                     \
+                __entry->auto_open_plinks = conf->auto_open_plinks;           \
+                __entry->dot11MeshNbrOffsetMaxNeighbor =                      \
+                                conf->dot11MeshNbrOffsetMaxNeighbor;          \
+                __entry->dot11MeshHWMPmaxPREQretries =                        \
+                                conf->dot11MeshHWMPmaxPREQretries;            \
+                __entry->path_refresh_time = conf->path_refresh_time;         \
+                __entry->dot11MeshHWMPactivePathTimeout =                     \
+                                conf->dot11MeshHWMPactivePathTimeout;         \
+                __entry->min_discovery_timeout = conf->min_discovery_timeout; \
+                __entry->dot11MeshHWMPpreqMinInterval =                       \
+                                conf->dot11MeshHWMPpreqMinInterval;           \
+                __entry->dot11MeshHWMPperrMinInterval =                       \
+                                conf->dot11MeshHWMPperrMinInterval;           \
+                __entry->dot11MeshHWMPnetDiameterTraversalTime =              \
+                                conf->dot11MeshHWMPnetDiameterTraversalTime;  \
+                __entry->dot11MeshHWMPRootMode = conf->dot11MeshHWMPRootMode; \
+                __entry->dot11MeshHWMPRannInterval =                          \
+                                conf->dot11MeshHWMPRannInterval;              \
+                __entry->dot11MeshGateAnnouncementProtocol =                  \
+                                conf->dot11MeshGateAnnouncementProtocol;      \
+                __entry->dot11MeshForwarding = conf->dot11MeshForwarding;     \
+                __entry->rssi_threshold = conf->rssi_threshold;               \
+                __entry->ht_opmode = conf->ht_opmode;                         \
+                __entry->dot11MeshHWMPactivePathToRootTimeout =               \
+                                conf->dot11MeshHWMPactivePathToRootTimeout;   \
+                __entry->dot11MeshHWMProotInterval =                          \
+                                conf->dot11MeshHWMProotInterval;              \
+                __entry->dot11MeshHWMPconfirmationInterval =                  \
+                                conf->dot11MeshHWMPconfirmationInterval;      \
+        } while (0)
+
+#define CHAN_ENTRY __field(enum ieee80211_band, band) \
+                   __field(u16, center_freq)
+#define CHAN_ASSIGN(chan)                                         \
+        do {                                                      \
+                if (chan) {                                       \
+                        __entry->band = chan->band;               \
+                        __entry->center_freq = chan->center_freq; \
+                } else {                                          \
+                        __entry->band = 0;                        \
+                        __entry->center_freq = 0;                 \
+                }                                                 \
+        } while (0)
+#define CHAN_PR_FMT ", band: %d, freq: %u"
+#define CHAN_PR_ARG __entry->band, __entry->center_freq
+
+#define SINFO_ENTRY __field(int, generation)        \
+                    __field(u32, connected_time)    \
+                    __field(u32, inactive_time)     \
+                    __field(u32, rx_bytes)          \
+                    __field(u32, tx_bytes)          \
+                    __field(u32, rx_packets)        \
+                    __field(u32, tx_packets)        \
+                    __field(u32, tx_retries)        \
+                    __field(u32, tx_failed)         \
+                    __field(u32, rx_dropped_misc)   \
+                    __field(u32, beacon_loss_count) \
+                    __field(u16, llid)              \
+                    __field(u16, plid)              \
+                    __field(u8, plink_state)
+#define SINFO_ASSIGN                                                   \
+        do {                                                           \
+                __entry->generation = sinfo->generation;               \
+                __entry->connected_time = sinfo->connected_time;       \
+                __entry->inactive_time = sinfo->inactive_time;         \
+                __entry->rx_bytes = sinfo->rx_bytes;                   \
+                __entry->tx_bytes = sinfo->tx_bytes;                   \
+                __entry->rx_packets = sinfo->rx_packets;               \
+                __entry->tx_packets = sinfo->tx_packets;               \
+                __entry->tx_retries = sinfo->tx_retries;               \
+                __entry->tx_failed = sinfo->tx_failed;                 \
+                __entry->rx_dropped_misc = sinfo->rx_dropped_misc;     \
+                __entry->beacon_loss_count = sinfo->beacon_loss_count; \
+                __entry->llid = sinfo->llid;                           \
+                __entry->plid = sinfo->plid;                           \
+                __entry->plink_state = sinfo->plink_state;             \
+        } while (0)
+
+#define BOOL_TO_STR(bo) (bo) ? "true" : "false"
+
+/*************************************************************
+ *                      rdev->ops traces                     *
+ *************************************************************/
+
+TRACE_EVENT(rdev_suspend,
+        TP_PROTO(struct wiphy *wiphy, struct cfg80211_wowlan *wow),
+        TP_ARGS(wiphy, wow),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(bool, any)
+                __field(bool, disconnect)
+                __field(bool, magic_pkt)
+                __field(bool, gtk_rekey_failure)
+                __field(bool, eap_identity_req)
+                __field(bool, four_way_handshake)
+                __field(bool, rfkill_release)
+                __field(bool, valid_wow)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                if (wow) {
+                        __entry->any = wow->any;
+                        __entry->disconnect = wow->disconnect;
+                        __entry->magic_pkt = wow->magic_pkt;
+                        __entry->gtk_rekey_failure = wow->gtk_rekey_failure;
+                        __entry->eap_identity_req = wow->eap_identity_req;
+                        __entry->four_way_handshake = wow->four_way_handshake;
+                        __entry->rfkill_release = wow->rfkill_release;
+                        __entry->valid_wow = true;
+                } else {
+                        __entry->valid_wow = false;
+                }
+        ),
+        TP_printk(WIPHY_PR_FMT ", wow%s - any: %d, disconnect: %d, "
+                  "magic pkt: %d, gtk rekey failure: %d, eap identify req: %d, "
+                  "four way handshake: %d, rfkill release: %d.",
+                  WIPHY_PR_ARG, __entry->valid_wow ? "" : "(Not configured!)",
+                  __entry->any, __entry->disconnect, __entry->magic_pkt,
+                  __entry->gtk_rekey_failure, __entry->eap_identity_req,
+                  __entry->four_way_handshake, __entry->rfkill_release)
+);
+
+TRACE_EVENT(rdev_return_int,
+        TP_PROTO(struct wiphy *wiphy, int ret),
+        TP_ARGS(wiphy, ret),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, ret)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->ret = ret;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned: %d", WIPHY_PR_ARG, __entry->ret)
+);
+
+TRACE_EVENT(rdev_scan,
+        TP_PROTO(struct wiphy *wiphy, struct cfg80211_scan_request *request),
+        TP_ARGS(wiphy, request),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT, WIPHY_PR_ARG)
+);
+
+DECLARE_EVENT_CLASS(wiphy_only_evt,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT, WIPHY_PR_ARG)
+);
+
+DEFINE_EVENT(wiphy_only_evt, rdev_resume,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DEFINE_EVENT(wiphy_only_evt, rdev_return_void,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DEFINE_EVENT(wiphy_only_evt, rdev_get_ringparam,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DEFINE_EVENT(wiphy_only_evt, rdev_get_antenna,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DEFINE_EVENT(wiphy_only_evt, rdev_rfkill_poll,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DECLARE_EVENT_CLASS(wiphy_enabled_evt,
+        TP_PROTO(struct wiphy *wiphy, bool enabled),
+        TP_ARGS(wiphy, enabled),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(bool, enabled)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->enabled = enabled;
+        ),
+        TP_printk(WIPHY_PR_FMT ", %senabled ",
+                  WIPHY_PR_ARG, __entry->enabled ? "" : "not ")
+);
+
+DEFINE_EVENT(wiphy_enabled_evt, rdev_set_wakeup,
+        TP_PROTO(struct wiphy *wiphy, bool enabled),
+        TP_ARGS(wiphy, enabled)
+);
+
+TRACE_EVENT(rdev_add_virtual_intf,
+        TP_PROTO(struct wiphy *wiphy, char *name, enum nl80211_iftype type),
+        TP_ARGS(wiphy, name, type),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __string(vir_intf_name, name ? name : "<noname>")
+                __field(enum nl80211_iftype, type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __assign_str(vir_intf_name, name ? name : "<noname>");
+                __entry->type = type;
+        ),
+        TP_printk(WIPHY_PR_FMT ", virtual intf name: %s, type: %d",
+                  WIPHY_PR_ARG, __get_str(vir_intf_name), __entry->type)
+);
+
+DECLARE_EVENT_CLASS(wiphy_wdev_evt,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT, WIPHY_PR_ARG, WDEV_PR_ARG)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_return_wdev,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_del_virtual_intf,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+TRACE_EVENT(rdev_change_virtual_intf,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 enum nl80211_iftype type),
+        TP_ARGS(wiphy, netdev, type),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(enum nl80211_iftype, type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->type = type;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", type: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->type)
+);
+
+DECLARE_EVENT_CLASS(key_handle,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index,
+                 bool pairwise, const u8 *mac_addr),
+        TP_ARGS(wiphy, netdev, key_index, pairwise, mac_addr),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(mac_addr)
+                __field(u8, key_index)
+                __field(bool, pairwise)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(mac_addr, mac_addr);
+                __entry->key_index = key_index;
+                __entry->pairwise = pairwise;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", key_index: %u, pairwise: %s, mac addr: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->key_index,
+                  BOOL_TO_STR(__entry->pairwise), MAC_PR_ARG(mac_addr))
+);
+
+DEFINE_EVENT(key_handle, rdev_add_key,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index,
+                 bool pairwise, const u8 *mac_addr),
+        TP_ARGS(wiphy, netdev, key_index, pairwise, mac_addr)
+);
+
+DEFINE_EVENT(key_handle, rdev_get_key,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index,
+                 bool pairwise, const u8 *mac_addr),
+        TP_ARGS(wiphy, netdev, key_index, pairwise, mac_addr)
+);
+
+DEFINE_EVENT(key_handle, rdev_del_key,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index,
+                 bool pairwise, const u8 *mac_addr),
+        TP_ARGS(wiphy, netdev, key_index, pairwise, mac_addr)
+);
+
+TRACE_EVENT(rdev_set_default_key,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index,
+                 bool unicast, bool multicast),
+        TP_ARGS(wiphy, netdev, key_index, unicast, multicast),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u8, key_index)
+                __field(bool, unicast)
+                __field(bool, multicast)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->key_index = key_index;
+                __entry->unicast = unicast;
+                __entry->multicast = multicast;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", key index: %u, unicast: %s, multicast: %s",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->key_index,
+                  BOOL_TO_STR(__entry->unicast),
+                  BOOL_TO_STR(__entry->multicast))
+);
+
+TRACE_EVENT(rdev_set_default_mgmt_key,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 key_index),
+        TP_ARGS(wiphy, netdev, key_index),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u8, key_index)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->key_index = key_index;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", key index: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->key_index)
+);
+
+TRACE_EVENT(rdev_start_ap,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_ap_settings *settings),
+        TP_ARGS(wiphy, netdev, settings),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                CHAN_ENTRY
+                __field(int, beacon_interval)
+                __field(int, dtim_period)
+                __array(char, ssid, IEEE80211_MAX_SSID_LEN + 1)
+                __field(enum nl80211_hidden_ssid, hidden_ssid)
+                __field(u32, wpa_ver)
+                __field(bool, privacy)
+                __field(enum nl80211_auth_type, auth_type)
+                __field(int, inactivity_timeout)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                CHAN_ASSIGN(settings->channel);
+                __entry->beacon_interval = settings->beacon_interval;
+                __entry->dtim_period = settings->dtim_period;
+                __entry->hidden_ssid = settings->hidden_ssid;
+                __entry->wpa_ver = settings->crypto.wpa_versions;
+                __entry->privacy = settings->privacy;
+                __entry->auth_type = settings->auth_type;
+                __entry->inactivity_timeout = settings->inactivity_timeout;
+                memset(__entry->ssid, 0, IEEE80211_MAX_SSID_LEN + 1);
+                memcpy(__entry->ssid, settings->ssid, settings->ssid_len);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", AP settings - ssid: %s, "
+                  CHAN_PR_FMT ", beacon interval: %d, dtim period: %d, "
+                  "hidden ssid: %d, wpa versions: %u, privacy: %s, "
+                  "auth type: %d, inactivity timeout: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->ssid, CHAN_PR_ARG,
+                  __entry->beacon_interval, __entry->dtim_period,
+                  __entry->hidden_ssid, __entry->wpa_ver,
+                  BOOL_TO_STR(__entry->privacy), __entry->auth_type,
+                  __entry->inactivity_timeout)
+);
+
+TRACE_EVENT(rdev_change_beacon,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_beacon_data *info),
+        TP_ARGS(wiphy, netdev, info),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __dynamic_array(u8, head, info ? info->head_len : 0)
+                __dynamic_array(u8, tail, info ? info->tail_len : 0)
+                __dynamic_array(u8, beacon_ies, info ? info->beacon_ies_len : 0)
+                __dynamic_array(u8, proberesp_ies,
+                                info ? info->proberesp_ies_len : 0)
+                __dynamic_array(u8, assocresp_ies,
+                                info ? info->assocresp_ies_len : 0)
+                __dynamic_array(u8, probe_resp, info ? info->probe_resp_len : 0)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                if (info) {
+                        if (info->head)
+                                memcpy(__get_dynamic_array(head), info->head,
+                                       info->head_len);
+                        if (info->tail)
+                                memcpy(__get_dynamic_array(tail), info->tail,
+                                       info->tail_len);
+                        if (info->beacon_ies)
+                                memcpy(__get_dynamic_array(beacon_ies),
+                                       info->beacon_ies, info->beacon_ies_len);
+                        if (info->proberesp_ies)
+                                memcpy(__get_dynamic_array(proberesp_ies),
+                                       info->proberesp_ies,
+                                       info->proberesp_ies_len);
+                        if (info->assocresp_ies)
+                                memcpy(__get_dynamic_array(assocresp_ies),
+                                       info->assocresp_ies,
+                                       info->assocresp_ies_len);
+                        if (info->probe_resp)
+                                memcpy(__get_dynamic_array(probe_resp),
+                                       info->probe_resp, info->probe_resp_len);
+                }
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT, WIPHY_PR_ARG, NETDEV_PR_ARG)
+);
+
+DECLARE_EVENT_CLASS(wiphy_netdev_evt,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT, WIPHY_PR_ARG, NETDEV_PR_ARG)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_stop_ap,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_get_et_stats,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_sched_scan_stop,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_set_rekey_data,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_get_mesh_config,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_leave_mesh,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_leave_ibss,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DEFINE_EVENT(wiphy_netdev_evt, rdev_flush_pmksa,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev),
+        TP_ARGS(wiphy, netdev)
+);
+
+DECLARE_EVENT_CLASS(station_add_change,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *mac,
+                 struct station_parameters *params),
+        TP_ARGS(wiphy, netdev, mac, params),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(sta_mac)
+                __field(u32, sta_flags_mask)
+                __field(u32, sta_flags_set)
+                __field(u32, sta_modify_mask)
+                __field(int, listen_interval)
+                __field(u16, aid)
+                __field(u8, plink_action)
+                __field(u8, plink_state)
+                __field(u8, uapsd_queues)
+                __array(u8, ht_capa, (int)sizeof(struct ieee80211_ht_cap))
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(sta_mac, mac);
+                __entry->sta_flags_mask = params->sta_flags_mask;
+                __entry->sta_flags_set = params->sta_flags_set;
+                __entry->sta_modify_mask = params->sta_modify_mask;
+                __entry->listen_interval = params->listen_interval;
+                __entry->aid = params->aid;
+                __entry->plink_action = params->plink_action;
+                __entry->plink_state = params->plink_state;
+                __entry->uapsd_queues = params->uapsd_queues;
+                memset(__entry->ht_capa, 0, sizeof(struct ieee80211_ht_cap));
+                if (params->ht_capa)
+                        memcpy(__entry->ht_capa, params->ht_capa,
+                               sizeof(struct ieee80211_ht_cap));
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", station mac: " MAC_PR_FMT
+                  ", station flags mask: %u, station flags set: %u, "
+                  "station modify mask: %u, listen interval: %d, aid: %u, "
+                  "plink action: %u, plink state: %u, uapsd queues: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(sta_mac),
+                  __entry->sta_flags_mask, __entry->sta_flags_set,
+                  __entry->sta_modify_mask, __entry->listen_interval,
+                  __entry->aid, __entry->plink_action, __entry->plink_state,
+                  __entry->uapsd_queues)
+);
+
+DEFINE_EVENT(station_add_change, rdev_add_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *mac,
+                 struct station_parameters *params),
+        TP_ARGS(wiphy, netdev, mac, params)
+);
+
+DEFINE_EVENT(station_add_change, rdev_change_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *mac,
+                 struct station_parameters *params),
+        TP_ARGS(wiphy, netdev, mac, params)
+);
+
+DECLARE_EVENT_CLASS(wiphy_netdev_mac_evt,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_ARGS(wiphy, netdev, mac),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(sta_mac)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(sta_mac, mac);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", mac: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(sta_mac))
+);
+
+DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_del_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_ARGS(wiphy, netdev, mac)
+);
+
+DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_get_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_ARGS(wiphy, netdev, mac)
+);
+
+DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_del_mpath,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_ARGS(wiphy, netdev, mac)
+);
+
+DEFINE_EVENT(wiphy_netdev_mac_evt, rdev_set_wds_peer,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, const u8 *mac),
+        TP_ARGS(wiphy, netdev, mac)
+);
+
+TRACE_EVENT(rdev_dump_station,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int idx,
+                 u8 *mac),
+        TP_ARGS(wiphy, netdev, idx, mac),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(sta_mac)
+                __field(int, idx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(sta_mac, mac);
+                __entry->idx = idx;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", station mac: " MAC_PR_FMT ", idx: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(sta_mac),
+                  __entry->idx)
+);
+
+TRACE_EVENT(rdev_return_int_station_info,
+        TP_PROTO(struct wiphy *wiphy, int ret, struct station_info *sinfo),
+        TP_ARGS(wiphy, ret, sinfo),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, ret)
+                SINFO_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->ret = ret;
+                SINFO_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned %d" ,
+                  WIPHY_PR_ARG, __entry->ret)
+);
+
+DECLARE_EVENT_CLASS(mpath_evt,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *dst,
+                 u8 *next_hop),
+        TP_ARGS(wiphy, netdev, dst, next_hop),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(dst)
+                MAC_ENTRY(next_hop)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(dst, dst);
+                MAC_ASSIGN(next_hop, next_hop);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", destination: " MAC_PR_FMT ", next hop: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(dst),
+                  MAC_PR_ARG(next_hop))
+);
+
+DEFINE_EVENT(mpath_evt, rdev_add_mpath,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *dst,
+                 u8 *next_hop),
+        TP_ARGS(wiphy, netdev, dst, next_hop)
+);
+
+DEFINE_EVENT(mpath_evt, rdev_change_mpath,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *dst,
+                 u8 *next_hop),
+        TP_ARGS(wiphy, netdev, dst, next_hop)
+);
+
+DEFINE_EVENT(mpath_evt, rdev_get_mpath,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u8 *dst,
+                 u8 *next_hop),
+        TP_ARGS(wiphy, netdev, dst, next_hop)
+);
+
+TRACE_EVENT(rdev_dump_mpath,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int idx,
+                 u8 *dst, u8 *next_hop),
+        TP_ARGS(wiphy, netdev, idx, dst, next_hop),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(dst)
+                MAC_ENTRY(next_hop)
+                __field(int, idx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(dst, dst);
+                MAC_ASSIGN(next_hop, next_hop);
+                __entry->idx = idx;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", index: %d, destination: "
+                  MAC_PR_FMT ", next hop: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->idx, MAC_PR_ARG(dst),
+                  MAC_PR_ARG(next_hop))
+);
+
+TRACE_EVENT(rdev_return_int_mpath_info,
+        TP_PROTO(struct wiphy *wiphy, int ret, struct mpath_info *pinfo),
+        TP_ARGS(wiphy, ret, pinfo),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, ret)
+                __field(int, generation)
+                __field(u32, filled)
+                __field(u32, frame_qlen)
+                __field(u32, sn)
+                __field(u32, metric)
+                __field(u32, exptime)
+                __field(u32, discovery_timeout)
+                __field(u8, discovery_retries)
+                __field(u8, flags)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->ret = ret;
+                __entry->generation = pinfo->generation;
+                __entry->filled = pinfo->filled;
+                __entry->frame_qlen = pinfo->frame_qlen;
+                __entry->sn = pinfo->sn;
+                __entry->metric = pinfo->metric;
+                __entry->exptime = pinfo->exptime;
+                __entry->discovery_timeout = pinfo->discovery_timeout;
+                __entry->discovery_retries = pinfo->discovery_retries;
+                __entry->flags = pinfo->flags;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned %d. mpath info - generation: %d, "
+                  "filled: %u, frame qlen: %u, sn: %u, metric: %u, exptime: %u,"
+                  " discovery timeout: %u, discovery retries: %u, flags: %u",
+                  WIPHY_PR_ARG, __entry->ret, __entry->generation,
+                  __entry->filled, __entry->frame_qlen, __entry->sn,
+                  __entry->metric, __entry->exptime, __entry->discovery_timeout,
+                  __entry->discovery_retries, __entry->flags)
+);
+
+TRACE_EVENT(rdev_return_int_mesh_config,
+        TP_PROTO(struct wiphy *wiphy, int ret, struct mesh_config *conf),
+        TP_ARGS(wiphy, ret, conf),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                MESH_CFG_ENTRY
+                __field(int, ret)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                MESH_CFG_ASSIGN;
+                __entry->ret = ret;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned: %d",
+                  WIPHY_PR_ARG, __entry->ret)
+);
+
+TRACE_EVENT(rdev_update_mesh_config,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u32 mask,
+                 const struct mesh_config *conf),
+        TP_ARGS(wiphy, netdev, mask, conf),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MESH_CFG_ENTRY
+                __field(u32, mask)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MESH_CFG_ASSIGN;
+                __entry->mask = mask;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", mask: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->mask)
+);
+
+TRACE_EVENT(rdev_join_mesh,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const struct mesh_config *conf,
+                 const struct mesh_setup *setup),
+        TP_ARGS(wiphy, netdev, conf, setup),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MESH_CFG_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MESH_CFG_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG)
+);
+
+TRACE_EVENT(rdev_change_bss,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct bss_parameters *params),
+        TP_ARGS(wiphy, netdev, params),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(int, use_cts_prot)
+                __field(int, use_short_preamble)
+                __field(int, use_short_slot_time)
+                __field(int, ap_isolate)
+                __field(int, ht_opmode)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->use_cts_prot = params->use_cts_prot;
+                __entry->use_short_preamble = params->use_short_preamble;
+                __entry->use_short_slot_time = params->use_short_slot_time;
+                __entry->ap_isolate = params->ap_isolate;
+                __entry->ht_opmode = params->ht_opmode;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", use cts prot: %d, "
+                  "use short preamble: %d, use short slot time: %d, "
+                  "ap isolate: %d, ht opmode: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->use_cts_prot,
+                  __entry->use_short_preamble, __entry->use_short_slot_time,
+                  __entry->ap_isolate, __entry->ht_opmode)
+);
+
+TRACE_EVENT(rdev_set_txq_params,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct ieee80211_txq_params *params),
+        TP_ARGS(wiphy, netdev, params),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(enum nl80211_ac, ac)
+                __field(u16, txop)
+                __field(u16, cwmin)
+                __field(u16, cwmax)
+                __field(u8, aifs)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->ac = params->ac;
+                __entry->txop = params->txop;
+                __entry->cwmin = params->cwmin;
+                __entry->cwmax = params->cwmax;
+                __entry->aifs = params->aifs;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", ac: %d, txop: %u, cwmin: %u, cwmax: %u, aifs: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->ac, __entry->txop,
+                  __entry->cwmin, __entry->cwmax, __entry->aifs)
+);
+
+TRACE_EVENT(rdev_libertas_set_mesh_channel,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct ieee80211_channel *chan),
+        TP_ARGS(wiphy, netdev, chan),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                CHAN_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                CHAN_ASSIGN(chan);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT CHAN_PR_FMT, WIPHY_PR_ARG,
+                  NETDEV_PR_ARG, CHAN_PR_ARG)
+);
+
+TRACE_EVENT(rdev_set_monitor_channel,
+        TP_PROTO(struct wiphy *wiphy, struct ieee80211_channel *chan,
+                 enum nl80211_channel_type chan_type),
+        TP_ARGS(wiphy, chan, chan_type),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, chan_type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(chan);
+                __entry->chan_type = chan_type;
+        ),
+        TP_printk(WIPHY_PR_FMT CHAN_PR_FMT ", channel type : %d",
+                  WIPHY_PR_ARG, CHAN_PR_ARG, __entry->chan_type)
+);
+
+TRACE_EVENT(rdev_auth,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_auth_request *req),
+        TP_ARGS(wiphy, netdev, req),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                __field(enum nl80211_auth_type, auth_type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                if (req->bss)
+                        MAC_ASSIGN(bssid, req->bss->bssid);
+                else
+                        memset(__entry->bssid, 0, ETH_ALEN);
+                __entry->auth_type = req->auth_type;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", auth type: %d, bssid: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->auth_type,
+                  MAC_PR_ARG(bssid))
+);
+
+TRACE_EVENT(rdev_assoc,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_assoc_request *req),
+        TP_ARGS(wiphy, netdev, req),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                MAC_ENTRY(prev_bssid)
+                __field(bool, use_mfp)
+                __field(u32, flags)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                if (req->bss)
+                        MAC_ASSIGN(bssid, req->bss->bssid);
+                else
+                        memset(__entry->bssid, 0, ETH_ALEN);
+                MAC_ASSIGN(prev_bssid, req->prev_bssid);
+                __entry->use_mfp = req->use_mfp;
+                __entry->flags = req->flags;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT
+                  ", previous bssid: " MAC_PR_FMT ", use mfp: %s, flags: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid),
+                  MAC_PR_ARG(prev_bssid), BOOL_TO_STR(__entry->use_mfp),
+                  __entry->flags)
+);
+
+TRACE_EVENT(rdev_deauth,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_deauth_request *req),
+        TP_ARGS(wiphy, netdev, req),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                __field(u16, reason_code)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, req->bssid);
+                __entry->reason_code = req->reason_code;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", reason: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid),
+                  __entry->reason_code)
+);
+
+TRACE_EVENT(rdev_disassoc,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_disassoc_request *req),
+        TP_ARGS(wiphy, netdev, req),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                __field(u16, reason_code)
+                __field(bool, local_state_change)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                if (req->bss)
+                        MAC_ASSIGN(bssid, req->bss->bssid);
+                else
+                        memset(__entry->bssid, 0, ETH_ALEN);
+                __entry->reason_code = req->reason_code;
+                __entry->local_state_change = req->local_state_change;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT
+                  ", reason: %u, local state change: %s",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid),
+                  __entry->reason_code,
+                  BOOL_TO_STR(__entry->local_state_change))
+);
+
+TRACE_EVENT(rdev_mgmt_tx_cancel_wait,
+        TP_PROTO(struct wiphy *wiphy,
+                 struct wireless_dev *wdev, u64 cookie),
+        TP_ARGS(wiphy, wdev, cookie),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                __field(u64, cookie)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                __entry->cookie = cookie;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT ", cookie: %llu ",
+                  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->cookie)
+);
+
+TRACE_EVENT(rdev_set_power_mgmt,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 bool enabled, int timeout),
+        TP_ARGS(wiphy, netdev, enabled, timeout),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(bool, enabled)
+                __field(int, timeout)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->enabled = enabled;
+                __entry->timeout = timeout;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", %senabled, timeout: %d ",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG,
+                  __entry->enabled ? "" : "not ", __entry->timeout)
+);
+
+TRACE_EVENT(rdev_connect,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_connect_params *sme),
+        TP_ARGS(wiphy, netdev, sme),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                __array(char, ssid, IEEE80211_MAX_SSID_LEN + 1)
+                __field(enum nl80211_auth_type, auth_type)
+                __field(bool, privacy)
+                __field(u32, wpa_versions)
+                __field(u32, flags)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, sme->bssid);
+                memset(__entry->ssid, 0, IEEE80211_MAX_SSID_LEN + 1);
+                memcpy(__entry->ssid, sme->ssid, sme->ssid_len);
+                __entry->auth_type = sme->auth_type;
+                __entry->privacy = sme->privacy;
+                __entry->wpa_versions = sme->crypto.wpa_versions;
+                __entry->flags = sme->flags;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT
+                  ", ssid: %s, auth type: %d, privacy: %s, wpa versions: %u, "
+                  "flags: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid), __entry->ssid,
+                  __entry->auth_type, BOOL_TO_STR(__entry->privacy),
+                  __entry->wpa_versions, __entry->flags)
+);
+
+TRACE_EVENT(rdev_set_cqm_rssi_config,
+        TP_PROTO(struct wiphy *wiphy,
+                 struct net_device *netdev, s32 rssi_thold,
+                 u32 rssi_hyst),
+        TP_ARGS(wiphy, netdev, rssi_thold, rssi_hyst),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(s32, rssi_thold)
+                __field(u32, rssi_hyst)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->rssi_thold = rssi_thold;
+                __entry->rssi_hyst = rssi_hyst;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT
+                  ", rssi_thold: %d, rssi_hyst: %u ",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG,
+                 __entry->rssi_thold, __entry->rssi_hyst)
+);
+
+TRACE_EVENT(rdev_set_cqm_txe_config,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u32 rate,
+                 u32 pkts, u32 intvl),
+        TP_ARGS(wiphy, netdev, rate, pkts, intvl),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u32, rate)
+                __field(u32, pkts)
+                __field(u32, intvl)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->rate = rate;
+                __entry->pkts = pkts;
+                __entry->intvl = intvl;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", rate: %u, packets: %u, interval: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->rate, __entry->pkts,
+                  __entry->intvl)
+);
+
+TRACE_EVENT(rdev_disconnect,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 u16 reason_code),
+        TP_ARGS(wiphy, netdev, reason_code),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u16, reason_code)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->reason_code = reason_code;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", reason code: %u", WIPHY_PR_ARG,
+                  NETDEV_PR_ARG, __entry->reason_code)
+);
+
+TRACE_EVENT(rdev_join_ibss,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_ibss_params *params),
+        TP_ARGS(wiphy, netdev, params),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                __array(char, ssid, IEEE80211_MAX_SSID_LEN + 1)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, params->bssid);
+                memset(__entry->ssid, 0, IEEE80211_MAX_SSID_LEN + 1);
+                memcpy(__entry->ssid, params->ssid, params->ssid_len);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", ssid: %s",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid), __entry->ssid)
+);
+
+TRACE_EVENT(rdev_set_wiphy_params,
+        TP_PROTO(struct wiphy *wiphy, u32 changed),
+        TP_ARGS(wiphy, changed),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(u32, changed)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->changed = changed;
+        ),
+        TP_printk(WIPHY_PR_FMT ", changed: %u",
+                  WIPHY_PR_ARG, __entry->changed)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_get_tx_power,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+TRACE_EVENT(rdev_set_tx_power,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev,
+                 enum nl80211_tx_power_setting type, int mbm),
+        TP_ARGS(wiphy, wdev, type, mbm),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                __field(enum nl80211_tx_power_setting, type)
+                __field(int, mbm)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                __entry->type = type;
+                __entry->mbm = mbm;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT ", type: %d, mbm: %d",
+                  WIPHY_PR_ARG, WDEV_PR_ARG,__entry->type, __entry->mbm)
+);
+
+TRACE_EVENT(rdev_return_int_int,
+        TP_PROTO(struct wiphy *wiphy, int func_ret, int func_fill),
+        TP_ARGS(wiphy, func_ret, func_fill),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, func_ret)
+                __field(int, func_fill)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->func_ret = func_ret;
+                __entry->func_fill = func_fill;
+        ),
+        TP_printk(WIPHY_PR_FMT ", function returns: %d, function filled: %d",
+                  WIPHY_PR_ARG, __entry->func_ret, __entry->func_fill)
+);
+
+#ifdef CONFIG_NL80211_TESTMODE
+TRACE_EVENT(rdev_testmode_cmd,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT, WIPHY_PR_ARG)
+);
+
+TRACE_EVENT(rdev_testmode_dump,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT, WIPHY_PR_ARG)
+);
+#endif /* CONFIG_NL80211_TESTMODE */
+
+TRACE_EVENT(rdev_set_bitrate_mask,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const u8 *peer, const struct cfg80211_bitrate_mask *mask),
+        TP_ARGS(wiphy, netdev, peer, mask),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(peer)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(peer, peer);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", peer: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(peer))
+);
+
+TRACE_EVENT(rdev_mgmt_frame_register,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev,
+                 u16 frame_type, bool reg),
+        TP_ARGS(wiphy, wdev, frame_type, reg),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                __field(u16, frame_type)
+                __field(bool, reg)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                __entry->frame_type = frame_type;
+                __entry->reg = reg;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT ", frame_type: %u, reg: %s ",
+                  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->frame_type,
+                  __entry->reg ? "true" : "false")
+);
+
+TRACE_EVENT(rdev_return_int_tx_rx,
+        TP_PROTO(struct wiphy *wiphy, int ret, u32 tx, u32 rx),
+        TP_ARGS(wiphy, ret, tx, rx),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, ret)
+                __field(u32, tx)
+                __field(u32, rx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->ret = ret;
+                __entry->tx = tx;
+                __entry->rx = rx;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned %d, tx: %u, rx: %u",
+                  WIPHY_PR_ARG, __entry->ret, __entry->tx, __entry->rx)
+);
+
+TRACE_EVENT(rdev_return_void_tx_rx,
+        TP_PROTO(struct wiphy *wiphy, u32 tx, u32 tx_max,
+                 u32 rx, u32 rx_max),
+        TP_ARGS(wiphy, tx, tx_max, rx, rx_max),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(u32, tx)
+                __field(u32, tx_max)
+                __field(u32, rx)
+                __field(u32, rx_max)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->tx = tx;
+                __entry->tx_max = tx_max;
+                __entry->rx = rx;
+                __entry->rx_max = rx_max;
+        ),
+        TP_printk(WIPHY_PR_FMT ", tx: %u, tx_max: %u, rx: %u, rx_max: %u ",
+                  WIPHY_PR_ARG, __entry->tx, __entry->tx_max, __entry->rx,
+                  __entry->rx_max)
+);
+
+DECLARE_EVENT_CLASS(tx_rx_evt,
+        TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx),
+        TP_ARGS(wiphy, rx, tx),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(u32, tx)
+                __field(u32, rx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->tx = tx;
+                __entry->rx = rx;
+        ),
+        TP_printk(WIPHY_PR_FMT ", tx: %u, rx: %u ",
+                  WIPHY_PR_ARG, __entry->tx, __entry->rx)
+);
+
+DEFINE_EVENT(tx_rx_evt, rdev_set_ringparam,
+        TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx),
+        TP_ARGS(wiphy, rx, tx)
+);
+
+DEFINE_EVENT(tx_rx_evt, rdev_set_antenna,
+        TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx),
+        TP_ARGS(wiphy, rx, tx)
+);
+
+TRACE_EVENT(rdev_sched_scan_start,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_sched_scan_request *request),
+        TP_ARGS(wiphy, netdev, request),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG)
+);
+
+TRACE_EVENT(rdev_tdls_mgmt,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 u8 *peer, u8 action_code, u8 dialog_token,
+                 u16 status_code, const u8 *buf, size_t len),
+        TP_ARGS(wiphy, netdev, peer, action_code, dialog_token, status_code,
+                buf, len),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(peer)
+                __field(u8, action_code)
+                __field(u8, dialog_token)
+                __field(u16, status_code)
+                __dynamic_array(u8, buf, len)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(peer, peer);
+                __entry->action_code = action_code;
+                __entry->dialog_token = dialog_token;
+                __entry->status_code = status_code;
+                memcpy(__get_dynamic_array(buf), buf, len);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT MAC_PR_FMT ", action_code: %u, "
+                  "dialog_token: %u, status_code: %u, buf: %#.2x ",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(peer),
+                  __entry->action_code, __entry->dialog_token,
+                  __entry->status_code, ((u8 *)__get_dynamic_array(buf))[0])
+);
+
+TRACE_EVENT(rdev_dump_survey,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int idx),
+        TP_ARGS(wiphy, netdev, idx),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(int, idx)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->idx = idx;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", index: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->idx)
+);
+
+TRACE_EVENT(rdev_return_int_survey_info,
+        TP_PROTO(struct wiphy *wiphy, int ret, struct survey_info *info),
+        TP_ARGS(wiphy, ret, info),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                __field(int, ret)
+                __field(u64, channel_time)
+                __field(u64, channel_time_busy)
+                __field(u64, channel_time_ext_busy)
+                __field(u64, channel_time_rx)
+                __field(u64, channel_time_tx)
+                __field(u32, filled)
+                __field(s8, noise)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(info->channel);
+                __entry->ret = ret;
+                __entry->channel_time = info->channel_time;
+                __entry->channel_time_busy = info->channel_time_busy;
+                __entry->channel_time_ext_busy = info->channel_time_ext_busy;
+                __entry->channel_time_rx = info->channel_time_rx;
+                __entry->channel_time_tx = info->channel_time_tx;
+                __entry->filled = info->filled;
+                __entry->noise = info->noise;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned: %d, " CHAN_PR_FMT
+                  ", channel time: %llu, channel time busy: %llu, "
+                  "channel time extension busy: %llu, channel time rx: %llu, "
+                  "channel time tx: %llu, filled: %u, noise: %d",
+                  WIPHY_PR_ARG, __entry->ret, CHAN_PR_ARG,
+                  __entry->channel_time, __entry->channel_time_busy,
+                  __entry->channel_time_ext_busy, __entry->channel_time_rx,
+                  __entry->channel_time_tx, __entry->filled, __entry->noise)
+);
+
+TRACE_EVENT(rdev_tdls_oper,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 u8 *peer, enum nl80211_tdls_operation oper),
+        TP_ARGS(wiphy, netdev, peer, oper),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(peer)
+                __field(enum nl80211_tdls_operation, oper)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(peer, peer);
+                __entry->oper = oper;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT MAC_PR_FMT ", oper: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(peer), __entry->oper)
+);
+
+DECLARE_EVENT_CLASS(rdev_pmksa,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_pmksa *pmksa),
+        TP_ARGS(wiphy, netdev, pmksa),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, pmksa->bssid);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", bssid: " MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(bssid))
+);
+
+TRACE_EVENT(rdev_probe_client,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 const u8 *peer),
+        TP_ARGS(wiphy, netdev, peer),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                MAC_ENTRY(peer)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(peer, peer);
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT MAC_PR_FMT,
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, MAC_PR_ARG(peer))
+);
+
+DEFINE_EVENT(rdev_pmksa, rdev_set_pmksa,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_pmksa *pmksa),
+        TP_ARGS(wiphy, netdev, pmksa)
+);
+
+DEFINE_EVENT(rdev_pmksa, rdev_del_pmksa,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 struct cfg80211_pmksa *pmksa),
+        TP_ARGS(wiphy, netdev, pmksa)
+);
+
+TRACE_EVENT(rdev_remain_on_channel,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev,
+                 struct ieee80211_channel *chan,
+                 enum nl80211_channel_type channel_type, unsigned int duration),
+        TP_ARGS(wiphy, wdev, chan, channel_type, duration),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, channel_type)
+                __field(unsigned int, duration)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                CHAN_ASSIGN(chan);
+                __entry->channel_type = channel_type;
+                __entry->duration = duration;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT CHAN_PR_FMT ", channel type: %d, duration: %u",
+                  WIPHY_PR_ARG, WDEV_PR_ARG, CHAN_PR_ARG, __entry->channel_type,
+                  __entry->duration)
+);
+
+TRACE_EVENT(rdev_return_int_cookie,
+        TP_PROTO(struct wiphy *wiphy, int ret, u64 cookie),
+        TP_ARGS(wiphy, ret, cookie),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, ret)
+                __field(u64, cookie)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->ret = ret;
+                __entry->cookie = cookie;
+        ),
+        TP_printk(WIPHY_PR_FMT ", returned %d, cookie: %llu",
+                  WIPHY_PR_ARG, __entry->ret, __entry->cookie)
+);
+
+TRACE_EVENT(rdev_cancel_remain_on_channel,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev, u64 cookie),
+        TP_ARGS(wiphy, wdev, cookie),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                __field(u64, cookie)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                __entry->cookie = cookie;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT ", cookie: %llu",
+                  WIPHY_PR_ARG, WDEV_PR_ARG, __entry->cookie)
+);
+
+TRACE_EVENT(rdev_mgmt_tx,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev,
+                 struct ieee80211_channel *chan, bool offchan,
+                 enum nl80211_channel_type channel_type,
+                 bool channel_type_valid, unsigned int wait, bool no_cck,
+                 bool dont_wait_for_ack),
+        TP_ARGS(wiphy, wdev, chan, offchan, channel_type, channel_type_valid,
+                wait, no_cck, dont_wait_for_ack),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                WDEV_ENTRY
+                CHAN_ENTRY
+                __field(bool, offchan)
+                __field(enum nl80211_channel_type, channel_type)
+                __field(bool, channel_type_valid)
+                __field(unsigned int, wait)
+                __field(bool, no_cck)
+                __field(bool, dont_wait_for_ack)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                WDEV_ASSIGN;
+                CHAN_ASSIGN(chan);
+                __entry->offchan = offchan;
+                __entry->channel_type = channel_type;
+                __entry->channel_type_valid = channel_type_valid;
+                __entry->wait = wait;
+                __entry->no_cck = no_cck;
+                __entry->dont_wait_for_ack = dont_wait_for_ack;
+        ),
+        TP_printk(WIPHY_PR_FMT WDEV_PR_FMT CHAN_PR_FMT ", offchan: %s, "
+                  "channel type: %d, channel type valid: %s, wait: %u, "
+                  "no cck: %s, dont wait for ack: %s",
+                  WIPHY_PR_ARG, WDEV_PR_ARG, CHAN_PR_ARG,
+                  BOOL_TO_STR(__entry->offchan), __entry->channel_type,
+                  BOOL_TO_STR(__entry->channel_type_valid), __entry->wait,
+                  BOOL_TO_STR(__entry->no_cck),
+                  BOOL_TO_STR(__entry->dont_wait_for_ack))
+);
+
+TRACE_EVENT(rdev_set_noack_map,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
+                 u16 noack_map),
+        TP_ARGS(wiphy, netdev, noack_map),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u16, noack_map)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->noack_map = noack_map;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", noack_map: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->noack_map)
+);
+
+TRACE_EVENT(rdev_get_et_sset_count,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int sset),
+        TP_ARGS(wiphy, netdev, sset),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(int, sset)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->sset = sset;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", sset: %d",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->sset)
+);
+
+TRACE_EVENT(rdev_get_et_strings,
+        TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, u32 sset),
+        TP_ARGS(wiphy, netdev, sset),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                NETDEV_ENTRY
+                __field(u32, sset)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                NETDEV_ASSIGN;
+                __entry->sset = sset;
+        ),
+        TP_printk(WIPHY_PR_FMT NETDEV_PR_FMT ", sset: %u",
+                  WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->sset)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_get_channel,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+TRACE_EVENT(rdev_return_channel,
+        TP_PROTO(struct wiphy *wiphy, struct ieee80211_channel *chan,
+                 enum nl80211_channel_type type),
+        TP_ARGS(wiphy, chan, type),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(chan);
+                __entry->type = type;
+        ),
+        TP_printk(WIPHY_PR_FMT CHAN_PR_FMT ", channel type: %d",
+                  WIPHY_PR_ARG, CHAN_PR_ARG, __entry->type)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_start_p2p_device,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+DEFINE_EVENT(wiphy_wdev_evt, rdev_stop_p2p_device,
+        TP_PROTO(struct wiphy *wiphy, struct wireless_dev *wdev),
+        TP_ARGS(wiphy, wdev)
+);
+
+/*************************************************************
+ *           cfg80211 exported functions traces              *
+ *************************************************************/
+
+TRACE_EVENT(cfg80211_return_bool,
+        TP_PROTO(bool ret),
+        TP_ARGS(ret),
+        TP_STRUCT__entry(
+                __field(bool, ret)
+        ),
+        TP_fast_assign(
+                __entry->ret = ret;
+        ),
+        TP_printk("returned %s", BOOL_TO_STR(__entry->ret))
+);
+
+DECLARE_EVENT_CLASS(cfg80211_netdev_mac_evt,
+        TP_PROTO(struct net_device *netdev, const u8 *macaddr),
+        TP_ARGS(netdev, macaddr),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(macaddr)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(macaddr, macaddr);
+        ),
+        TP_printk(NETDEV_PR_FMT ", mac: " MAC_PR_FMT,
+                  NETDEV_PR_ARG, MAC_PR_ARG(macaddr))
+);
+
+DEFINE_EVENT(cfg80211_netdev_mac_evt, cfg80211_notify_new_peer_candidate,
+        TP_PROTO(struct net_device *netdev, const u8 *macaddr),
+        TP_ARGS(netdev, macaddr)
+);
+
+DECLARE_EVENT_CLASS(netdev_evt_only,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+        ),
+        TP_printk(NETDEV_PR_FMT , NETDEV_PR_ARG)
+);
+
+DEFINE_EVENT(netdev_evt_only, cfg80211_send_rx_auth,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev)
+);
+
+TRACE_EVENT(cfg80211_send_rx_assoc,
+        TP_PROTO(struct net_device *netdev, struct cfg80211_bss *bss),
+        TP_ARGS(netdev, bss),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(bssid)
+                CHAN_ENTRY
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(bssid, bss->bssid);
+                CHAN_ASSIGN(bss->channel);
+        ),
+        TP_printk(NETDEV_PR_FMT MAC_PR_FMT CHAN_PR_FMT,
+                  NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
+);
+
+DEFINE_EVENT(netdev_evt_only, __cfg80211_send_deauth,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev)
+);
+
+DEFINE_EVENT(netdev_evt_only, __cfg80211_send_disassoc,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev)
+);
+
+DEFINE_EVENT(netdev_evt_only, cfg80211_send_unprot_deauth,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev)
+);
+
+DEFINE_EVENT(netdev_evt_only, cfg80211_send_unprot_disassoc,
+        TP_PROTO(struct net_device *netdev),
+        TP_ARGS(netdev)
+);
+
+DECLARE_EVENT_CLASS(netdev_mac_evt,
+        TP_PROTO(struct net_device *netdev, const u8 *mac),
+        TP_ARGS(netdev, mac),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(mac)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(mac, mac)
+        ),
+        TP_printk(NETDEV_PR_FMT ", mac: " MAC_PR_FMT,
+                  NETDEV_PR_ARG, MAC_PR_ARG(mac))
+);
+
+DEFINE_EVENT(netdev_mac_evt, cfg80211_send_auth_timeout,
+        TP_PROTO(struct net_device *netdev, const u8 *mac),
+        TP_ARGS(netdev, mac)
+);
+
+DEFINE_EVENT(netdev_mac_evt, cfg80211_send_assoc_timeout,
+        TP_PROTO(struct net_device *netdev, const u8 *mac),
+        TP_ARGS(netdev, mac)
+);
+
+TRACE_EVENT(cfg80211_michael_mic_failure,
+        TP_PROTO(struct net_device *netdev, const u8 *addr,
+                 enum nl80211_key_type key_type, int key_id, const u8 *tsc),
+        TP_ARGS(netdev, addr, key_type, key_id, tsc),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(addr)
+                __field(enum nl80211_key_type, key_type)
+                __field(int, key_id)
+                __array(u8, tsc, 6)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(addr, addr);
+                __entry->key_type = key_type;
+                __entry->key_id = key_id;
+                memcpy(__entry->tsc, tsc, 6);
+        ),
+        TP_printk(NETDEV_PR_FMT MAC_PR_FMT ", key type: %d, key id: %d, tsc: %pm",
+                  NETDEV_PR_ARG, MAC_PR_ARG(addr), __entry->key_type,
+                  __entry->key_id, __entry->tsc)
+);
+
+TRACE_EVENT(cfg80211_ready_on_channel,
+        TP_PROTO(struct wireless_dev *wdev, u64 cookie,
+                 struct ieee80211_channel *chan,
+                 enum nl80211_channel_type channel_type, unsigned int duration),
+        TP_ARGS(wdev, cookie, chan, channel_type, duration),
+        TP_STRUCT__entry(
+                WDEV_ENTRY
+                __field(u64, cookie)
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, channel_type)
+                __field(unsigned int, duration)
+        ),
+        TP_fast_assign(
+                WDEV_ASSIGN;
+                __entry->cookie = cookie;
+                CHAN_ASSIGN(chan);
+                __entry->channel_type = channel_type;
+                __entry->duration = duration;
+        ),
+        TP_printk(WDEV_PR_FMT ", cookie: %llu, " CHAN_PR_FMT ", channel type: %d, duration: %u",
+                  WDEV_PR_ARG, __entry->cookie, CHAN_PR_ARG,
+                  __entry->channel_type, __entry->duration)
+);
+
+TRACE_EVENT(cfg80211_ready_on_channel_expired,
+        TP_PROTO(struct wireless_dev *wdev, u64 cookie,
+                 struct ieee80211_channel *chan,
+                 enum nl80211_channel_type channel_type),
+        TP_ARGS(wdev, cookie, chan, channel_type),
+        TP_STRUCT__entry(
+                WDEV_ENTRY
+                __field(u64, cookie)
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, channel_type)
+        ),
+        TP_fast_assign(
+                WDEV_ASSIGN;
+                __entry->cookie = cookie;
+                CHAN_ASSIGN(chan);
+                __entry->channel_type = channel_type;
+        ),
+        TP_printk(WDEV_PR_FMT ", cookie: %llu, " CHAN_PR_FMT ", channel type: %d",
+                  WDEV_PR_ARG, __entry->cookie, CHAN_PR_ARG,
+                  __entry->channel_type)
+);
+
+TRACE_EVENT(cfg80211_new_sta,
+        TP_PROTO(struct net_device *netdev, const u8 *mac_addr,
+                 struct station_info *sinfo),
+        TP_ARGS(netdev, mac_addr, sinfo),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(mac_addr)
+                SINFO_ENTRY
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(mac_addr, mac_addr);
+                SINFO_ASSIGN;
+        ),
+        TP_printk(NETDEV_PR_FMT MAC_PR_FMT,
+                  NETDEV_PR_ARG, MAC_PR_ARG(mac_addr))
+);
+
+DEFINE_EVENT(cfg80211_netdev_mac_evt, cfg80211_del_sta,
+        TP_PROTO(struct net_device *netdev, const u8 *macaddr),
+        TP_ARGS(netdev, macaddr)
+);
+
+TRACE_EVENT(cfg80211_rx_mgmt,
+        TP_PROTO(struct wireless_dev *wdev, int freq, int sig_mbm),
+        TP_ARGS(wdev, freq, sig_mbm),
+        TP_STRUCT__entry(
+                WDEV_ENTRY
+                __field(int, freq)
+                __field(int, sig_mbm)
+        ),
+        TP_fast_assign(
+                WDEV_ASSIGN;
+                __entry->freq = freq;
+                __entry->sig_mbm = sig_mbm;
+        ),
+        TP_printk(WDEV_PR_FMT ", freq: %d, sig mbm: %d",
+                  WDEV_PR_ARG, __entry->freq, __entry->sig_mbm)
+);
+
+TRACE_EVENT(cfg80211_mgmt_tx_status,
+        TP_PROTO(struct wireless_dev *wdev, u64 cookie, bool ack),
+        TP_ARGS(wdev, cookie, ack),
+        TP_STRUCT__entry(
+                WDEV_ENTRY
+                __field(u64, cookie)
+                __field(bool, ack)
+        ),
+        TP_fast_assign(
+                WDEV_ASSIGN;
+                __entry->cookie = cookie;
+                __entry->ack = ack;
+        ),
+        TP_printk(WDEV_PR_FMT", cookie: %llu, ack: %s",
+                  WDEV_PR_ARG, __entry->cookie, BOOL_TO_STR(__entry->ack))
+);
+
+TRACE_EVENT(cfg80211_cqm_rssi_notify,
+        TP_PROTO(struct net_device *netdev,
+                 enum nl80211_cqm_rssi_threshold_event rssi_event),
+        TP_ARGS(netdev, rssi_event),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                __field(enum nl80211_cqm_rssi_threshold_event, rssi_event)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                __entry->rssi_event = rssi_event;
+        ),
+        TP_printk(NETDEV_PR_FMT ", rssi event: %d",
+                  NETDEV_PR_ARG, __entry->rssi_event)
+);
+
+TRACE_EVENT(cfg80211_can_beacon_sec_chan,
+        TP_PROTO(struct wiphy *wiphy, struct ieee80211_channel *channel,
+                 enum nl80211_channel_type channel_type),
+        TP_ARGS(wiphy, channel, channel_type),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                __field(enum nl80211_channel_type, channel_type)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(channel);
+                __entry->channel_type = channel_type;
+        ),
+        TP_printk(WIPHY_PR_FMT CHAN_PR_FMT ", channel_type: %d",
+                  WIPHY_PR_ARG, CHAN_PR_ARG, __entry->channel_type)
+);
+
+TRACE_EVENT(cfg80211_ch_switch_notify,
+        TP_PROTO(struct net_device *netdev, int freq,
+                 enum nl80211_channel_type type),
+        TP_ARGS(netdev, freq, type),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                __field(int, freq)
+                __field(enum nl80211_channel_type, type)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                __entry->freq = freq;
+                __entry->type = type;
+        ),
+        TP_printk(NETDEV_PR_FMT ", freq: %d, type: %d", NETDEV_PR_ARG,
+                  __entry->freq, __entry->type)
+);
+
+DECLARE_EVENT_CLASS(cfg80211_rx_evt,
+        TP_PROTO(struct net_device *netdev, const u8 *addr),
+        TP_ARGS(netdev, addr),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(addr)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(addr, addr);
+        ),
+        TP_printk(NETDEV_PR_FMT MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
+);
+
+DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
+        TP_PROTO(struct net_device *netdev, const u8 *addr),
+        TP_ARGS(netdev, addr)
+);
+
+DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
+        TP_PROTO(struct net_device *netdev, const u8 *addr),
+        TP_ARGS(netdev, addr)
+);
+
+DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_unexpected_4addr_frame,
+        TP_PROTO(struct net_device *netdev, const u8 *addr),
+        TP_ARGS(netdev, addr)
+);
+
+TRACE_EVENT(cfg80211_probe_status,
+        TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
+                 bool acked),
+        TP_ARGS(netdev, addr, cookie, acked),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(addr)
+                __field(u64, cookie)
+                __field(bool, acked)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(addr, addr);
+                __entry->cookie = cookie;
+                __entry->acked = acked;
+        ),
+        TP_printk(NETDEV_PR_FMT MAC_PR_FMT ", cookie: %llu, acked: %s",
+                  NETDEV_PR_ARG, MAC_PR_ARG(addr), __entry->cookie,
+                  BOOL_TO_STR(__entry->acked))
+);
+
+TRACE_EVENT(cfg80211_cqm_pktloss_notify,
+        TP_PROTO(struct net_device *netdev, const u8 *peer, u32 num_packets),
+        TP_ARGS(netdev, peer, num_packets),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                MAC_ENTRY(peer)
+                __field(u32, num_packets)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                MAC_ASSIGN(peer, peer);
+                __entry->num_packets = num_packets;
+        ),
+        TP_printk(NETDEV_PR_FMT ", peer: " MAC_PR_FMT ", num of lost packets: %u",
+                  NETDEV_PR_ARG, MAC_PR_ARG(peer), __entry->num_packets)
+);
+
+DEFINE_EVENT(cfg80211_netdev_mac_evt, cfg80211_gtk_rekey_notify,
+        TP_PROTO(struct net_device *netdev, const u8 *macaddr),
+        TP_ARGS(netdev, macaddr)
+);
+
+TRACE_EVENT(cfg80211_pmksa_candidate_notify,
+        TP_PROTO(struct net_device *netdev, int index, const u8 *bssid,
+                 bool preauth),
+        TP_ARGS(netdev, index, bssid, preauth),
+        TP_STRUCT__entry(
+                NETDEV_ENTRY
+                __field(int, index)
+                MAC_ENTRY(bssid)
+                __field(bool, preauth)
+        ),
+        TP_fast_assign(
+                NETDEV_ASSIGN;
+                __entry->index = index;
+                MAC_ASSIGN(bssid, bssid);
+                __entry->preauth = preauth;
+        ),
+        TP_printk(NETDEV_PR_FMT ", index:%d, bssid: " MAC_PR_FMT ", pre auth: %s",
+                  NETDEV_PR_ARG, __entry->index, MAC_PR_ARG(bssid),
+                  BOOL_TO_STR(__entry->preauth))
+);
+
+TRACE_EVENT(cfg80211_report_obss_beacon,
+        TP_PROTO(struct wiphy *wiphy, const u8 *frame, size_t len,
+                 int freq, int sig_dbm),
+        TP_ARGS(wiphy, frame, len, freq, sig_dbm),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                __field(int, freq)
+                __field(int, sig_dbm)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                __entry->freq = freq;
+                __entry->sig_dbm = sig_dbm;
+        ),
+        TP_printk(WIPHY_PR_FMT ", freq: %d, sig_dbm: %d",
+                  WIPHY_PR_ARG, __entry->freq, __entry->sig_dbm)
+);
+
+TRACE_EVENT(cfg80211_scan_done,
+        TP_PROTO(struct cfg80211_scan_request *request, bool aborted),
+        TP_ARGS(request, aborted),
+        TP_STRUCT__entry(
+                __field(u32, n_channels)
+                __dynamic_array(u8, ie, request ? request->ie_len : 0)
+                __array(u32, rates, IEEE80211_NUM_BANDS)
+                __field(u32, wdev_id)
+                MAC_ENTRY(wiphy_mac)
+                __field(bool, no_cck)
+                __field(bool, aborted)
+        ),
+        TP_fast_assign(
+                if (request) {
+                        memcpy(__get_dynamic_array(ie), request->ie,
+                               request->ie_len);
+                        memcpy(__entry->rates, request->rates,
+                               IEEE80211_NUM_BANDS);
+                        __entry->wdev_id = request->wdev ?
+                                        request->wdev->identifier : 0;
+                        if (request->wiphy)
+                                MAC_ASSIGN(wiphy_mac,
+                                           request->wiphy->perm_addr);
+                        __entry->no_cck = request->no_cck;
+                }
+                __entry->aborted = aborted;
+        ),
+        TP_printk("aborted: %s", BOOL_TO_STR(__entry->aborted))
+);
+
+DEFINE_EVENT(wiphy_only_evt, cfg80211_sched_scan_results,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+DEFINE_EVENT(wiphy_only_evt, cfg80211_sched_scan_stopped,
+        TP_PROTO(struct wiphy *wiphy),
+        TP_ARGS(wiphy)
+);
+
+TRACE_EVENT(cfg80211_get_bss,
+        TP_PROTO(struct wiphy *wiphy, struct ieee80211_channel *channel,
+                 const u8 *bssid, const u8 *ssid, size_t ssid_len,
+                 u16 capa_mask, u16 capa_val),
+        TP_ARGS(wiphy, channel, bssid, ssid, ssid_len, capa_mask, capa_val),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                MAC_ENTRY(bssid)
+                __dynamic_array(u8, ssid, ssid_len)
+                __field(u16, capa_mask)
+                __field(u16, capa_val)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(channel);
+                MAC_ASSIGN(bssid, bssid);
+                memcpy(__get_dynamic_array(ssid), ssid, ssid_len);
+                __entry->capa_mask = capa_mask;
+                __entry->capa_val = capa_val;
+        ),
+        TP_printk(WIPHY_PR_FMT CHAN_PR_FMT MAC_PR_FMT ", buf: %#.2x, "
+                  "capa_mask: %d, capa_val: %u", WIPHY_PR_ARG, CHAN_PR_ARG,
+                  MAC_PR_ARG(bssid), ((u8 *)__get_dynamic_array(ssid))[0],
+                  __entry->capa_mask, __entry->capa_val)
+);
+
+TRACE_EVENT(cfg80211_inform_bss_frame,
+        TP_PROTO(struct wiphy *wiphy, struct ieee80211_channel *channel,
+                 struct ieee80211_mgmt *mgmt, size_t len,
+                 s32 signal),
+        TP_ARGS(wiphy, channel, mgmt, len, signal),
+        TP_STRUCT__entry(
+                WIPHY_ENTRY
+                CHAN_ENTRY
+                __dynamic_array(u8, mgmt, len)
+                __field(s32, signal)
+        ),
+        TP_fast_assign(
+                WIPHY_ASSIGN;
+                CHAN_ASSIGN(channel);
+                if (mgmt)
+                        memcpy(__get_dynamic_array(mgmt), mgmt, len);
+                __entry->signal = signal;
+        ),
+        TP_printk(WIPHY_PR_FMT CHAN_PR_FMT "signal: %d",
+                  WIPHY_PR_ARG, CHAN_PR_ARG, __entry->signal)
+);
+
+DECLARE_EVENT_CLASS(cfg80211_bss_evt,
+        TP_PROTO(struct cfg80211_bss *pub),
+        TP_ARGS(pub),
+        TP_STRUCT__entry(
+                MAC_ENTRY(bssid)
+                CHAN_ENTRY
+        ),
+        TP_fast_assign(
+                MAC_ASSIGN(bssid, pub->bssid);
+                CHAN_ASSIGN(pub->channel);
+        ),
+        TP_printk(MAC_PR_FMT CHAN_PR_FMT, MAC_PR_ARG(bssid), CHAN_PR_ARG)
+);
+
+DEFINE_EVENT(cfg80211_bss_evt, cfg80211_return_bss,
+        TP_PROTO(struct cfg80211_bss *pub),
+        TP_ARGS(pub)
+);
+
+TRACE_EVENT(cfg80211_return_uint,
+        TP_PROTO(unsigned int ret),
+        TP_ARGS(ret),
+        TP_STRUCT__entry(
+                __field(unsigned int, ret)
+        ),
+        TP_fast_assign(
+                __entry->ret = ret;
+        ),
+        TP_printk("ret: %d", __entry->ret)
+);
+
+TRACE_EVENT(cfg80211_return_u32,
+        TP_PROTO(u32 ret),
+        TP_ARGS(ret),
+        TP_STRUCT__entry(
+                __field(u32, ret)
+        ),
+        TP_fast_assign(
+                __entry->ret = ret;
+        ),
+        TP_printk("ret: %u", __entry->ret)
+);
+
+#endif /* !__RDEV_OPS_TRACE || TRACE_HEADER_MULTI_READ */
+
+#undef TRACE_INCLUDE_PATH
+#define TRACE_INCLUDE_PATH .
+#undef TRACE_INCLUDE_FILE
+#define TRACE_INCLUDE_FILE trace
+#include <trace/define_trace.h>
diff --git a/net/wireless/util.c b/net/wireless/util.c
index ef35f4ef2aa6..b99f01cda1f6 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -11,6 +11,8 @@
 #include <net/ip.h>
 #include <net/dsfield.h>
 #include "core.h"
+#include "rdev-ops.h"
+
 
 struct ieee80211_rate *
 ieee80211_get_response_rate(struct ieee80211_supported_band *sband,
@@ -309,23 +311,21 @@ unsigned int ieee80211_get_hdrlen_from_skb(const struct sk_buff *skb)
 }
 EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
 
-static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
 {
         int ae = meshhdr->flags & MESH_FLAGS_AE;
-        /* 7.1.3.5a.2 */
+        /* 802.11-2012, 8.2.4.7.3 */
         switch (ae) {
+        default:
         case 0:
                 return 6;
         case MESH_FLAGS_AE_A4:
                 return 12;
         case MESH_FLAGS_AE_A5_A6:
                 return 18;
-        case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
-                return 24;
-        default:
-                return 6;
         }
 }
+EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
 
 int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
                            enum nl80211_iftype iftype)
@@ -373,6 +373,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
                         /* make sure meshdr->flags is on the linear part */
                         if (!pskb_may_pull(skb, hdrlen + 1))
                                 return -1;
+                        if (meshdr->flags & MESH_FLAGS_AE_A4)
+                                return -1;
                         if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
                                 skb_copy_bits(skb, hdrlen +
                                         offsetof(struct ieee80211s_hdr, eaddr1),
@@ -397,6 +399,8 @@ int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
                         /* make sure meshdr->flags is on the linear part */
                         if (!pskb_may_pull(skb, hdrlen + 1))
                                 return -1;
+                        if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
+                                return -1;
                         if (meshdr->flags & MESH_FLAGS_AE_A4)
                                 skb_copy_bits(skb, hdrlen +
                                         offsetof(struct ieee80211s_hdr, eaddr1),
@@ -703,19 +707,18 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev)
         for (i = 0; i < 6; i++) {
                 if (!wdev->connect_keys->params[i].cipher)
                         continue;
-                if (rdev->ops->add_key(wdev->wiphy, dev, i, false, NULL,
-                                        &wdev->connect_keys->params[i])) {
+                if (rdev_add_key(rdev, dev, i, false, NULL,
+                                 &wdev->connect_keys->params[i])) {
                         netdev_err(dev, "failed to set key %d\n", i);
                         continue;
                 }
                 if (wdev->connect_keys->def == i)
-                        if (rdev->ops->set_default_key(wdev->wiphy, dev,
-                                                       i, true, true)) {
+                        if (rdev_set_default_key(rdev, dev, i, true, true)) {
                                 netdev_err(dev, "failed to set defkey %d\n", i);
                                 continue;
                         }
                 if (wdev->connect_keys->defmgmt == i)
-                        if (rdev->ops->set_default_mgmt_key(wdev->wiphy, dev, i))
+                        if (rdev_set_default_mgmt_key(rdev, dev, i))
                                 netdev_err(dev, "failed to set mgtdef %d\n", i);
         }
 
@@ -848,8 +851,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                 cfg80211_process_rdev_events(rdev);
         }
 
-        err = rdev->ops->change_virtual_intf(&rdev->wiphy, dev,
-                                             ntype, flags, params);
+        err = rdev_change_virtual_intf(rdev, dev, ntype, flags, params);
 
         WARN_ON(!err && dev->ieee80211_ptr->iftype != ntype);
 
@@ -978,6 +980,105 @@ u32 cfg80211_calculate_bitrate(struct rate_info *rate)
 }
 EXPORT_SYMBOL(cfg80211_calculate_bitrate);
 
+unsigned int cfg80211_get_p2p_attr(const u8 *ies, unsigned int len,
+                                   u8 attr, u8 *buf, unsigned int bufsize)
+{
+        u8 *out = buf;
+        u16 attr_remaining = 0;
+        bool desired_attr = false;
+        u16 desired_len = 0;
+
+        while (len > 0) {
+                unsigned int iedatalen;
+                unsigned int copy;
+                const u8 *iedata;
+
+                if (len < 2)
+                        return -EILSEQ;
+                iedatalen = ies[1];
+                if (iedatalen + 2 > len)
+                        return -EILSEQ;
+
+                if (ies[0] != WLAN_EID_VENDOR_SPECIFIC)
+                        goto cont;
+
+                if (iedatalen < 4)
+                        goto cont;
+
+                iedata = ies + 2;
+
+                /* check WFA OUI, P2P subtype */
+                if (iedata[0] != 0x50 || iedata[1] != 0x6f ||
+                    iedata[2] != 0x9a || iedata[3] != 0x09)
+                        goto cont;
+
+                iedatalen -= 4;
+                iedata += 4;
+
+                /* check attribute continuation into this IE */
+                copy = min_t(unsigned int, attr_remaining, iedatalen);
+                if (copy && desired_attr) {
+                        desired_len += copy;
+                        if (out) {
+                                memcpy(out, iedata, min(bufsize, copy));
+                                out += min(bufsize, copy);
+                                bufsize -= min(bufsize, copy);
+                        }
+
+
+                        if (copy == attr_remaining)
+                                return desired_len;
+                }
+
+                attr_remaining -= copy;
+                if (attr_remaining)
+                        goto cont;
+
+                iedatalen -= copy;
+                iedata += copy;
+
+                while (iedatalen > 0) {
+                        u16 attr_len;
+
+                        /* P2P attribute ID & size must fit */
+                        if (iedatalen < 3)
+                                return -EILSEQ;
+                        desired_attr = iedata[0] == attr;
+                        attr_len = get_unaligned_le16(iedata + 1);
+                        iedatalen -= 3;
+                        iedata += 3;
+
+                        copy = min_t(unsigned int, attr_len, iedatalen);
+
+                        if (desired_attr) {
+                                desired_len += copy;
+                                if (out) {
+                                        memcpy(out, iedata, min(bufsize, copy));
+                                        out += min(bufsize, copy);
+                                        bufsize -= min(bufsize, copy);
+                                }
+
+                                if (copy == attr_len)
+                                        return desired_len;
+                        }
+
+                        iedata += copy;
+                        iedatalen -= copy;
+                        attr_remaining = attr_len - copy;
+                }
+
+ cont:
+                len -= ies[1] + 2;
+                ies += ies[1] + 2;
+        }
+
+        if (attr_remaining && desired_attr)
+                return -EILSEQ;
+
+        return -ENOENT;
+}
+EXPORT_SYMBOL(cfg80211_get_p2p_attr);
+
 int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
                                  u32 beacon_int)
 {
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 494379eb464f..742ab6ec4c9d 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -19,6 +19,7 @@
 #include <net/cfg80211-wext.h>
 #include "wext-compat.h"
 #include "core.h"
+#include "rdev-ops.h"
 
 int cfg80211_wext_giwname(struct net_device *dev,
                           struct iw_request_info *info,
@@ -301,8 +302,7 @@ int cfg80211_wext_siwrts(struct net_device *dev,
         else
                 wdev->wiphy->rts_threshold = rts->value;
 
-        err = rdev->ops->set_wiphy_params(wdev->wiphy,
-                                          WIPHY_PARAM_RTS_THRESHOLD);
+        err = rdev_set_wiphy_params(rdev, WIPHY_PARAM_RTS_THRESHOLD);
         if (err)
                 wdev->wiphy->rts_threshold = orts;
 
@@ -342,8 +342,7 @@ int cfg80211_wext_siwfrag(struct net_device *dev,
                 wdev->wiphy->frag_threshold = frag->value & ~0x1;
         }
 
-        err = rdev->ops->set_wiphy_params(wdev->wiphy,
-                                          WIPHY_PARAM_FRAG_THRESHOLD);
+        err = rdev_set_wiphy_params(rdev, WIPHY_PARAM_FRAG_THRESHOLD);
         if (err)
                 wdev->wiphy->frag_threshold = ofrag;
 
@@ -396,7 +395,7 @@ static int cfg80211_wext_siwretry(struct net_device *dev,
         if (!changed)
                 return 0;
 
-        err = rdev->ops->set_wiphy_params(wdev->wiphy, changed);
+        err = rdev_set_wiphy_params(rdev, changed);
         if (err) {
                 wdev->wiphy->retry_short = oshort;
                 wdev->wiphy->retry_long = olong;
@@ -490,8 +489,8 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
                             !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
                                 err = -ENOENT;
                         else
-                                err = rdev->ops->del_key(&rdev->wiphy, dev, idx,
-                                                         pairwise, addr);
+                                err = rdev_del_key(rdev, dev, idx, pairwise,
+                                                   addr);
                 }
                 wdev->wext.connect.privacy = false;
                 /*
@@ -525,8 +524,7 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
 
         err = 0;
         if (wdev->current_bss)
-                err = rdev->ops->add_key(&rdev->wiphy, dev, idx,
-                                         pairwise, addr, params);
+                err = rdev_add_key(rdev, dev, idx, pairwise, addr, params);
         if (err)
                 return err;
 
@@ -552,8 +550,7 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
                                 __cfg80211_leave_ibss(rdev, wdev->netdev, true);
                                 rejoin = true;
                         }
-                        err = rdev->ops->set_default_key(&rdev->wiphy, dev,
-                                                         idx, true, true);
+                        err = rdev_set_default_key(rdev, dev, idx, true, true);
                 }
                 if (!err) {
                         wdev->wext.default_key = idx;
@@ -566,8 +563,7 @@ static int __cfg80211_set_encryption(struct cfg80211_registered_device *rdev,
         if (params->cipher == WLAN_CIPHER_SUITE_AES_CMAC &&
             (tx_key || (!addr && wdev->wext.default_mgmt_key == -1))) {
                 if (wdev->current_bss)
-                        err = rdev->ops->set_default_mgmt_key(&rdev->wiphy,
-                                                              dev, idx);
+                        err = rdev_set_default_mgmt_key(rdev, dev, idx);
                 if (!err)
                         wdev->wext.default_mgmt_key = idx;
                 return err;
@@ -631,8 +627,8 @@ static int cfg80211_wext_siwencode(struct net_device *dev,
                 err = 0;
                 wdev_lock(wdev);
                 if (wdev->current_bss)
-                        err = rdev->ops->set_default_key(&rdev->wiphy, dev,
-                                                         idx, true, true);
+                        err = rdev_set_default_key(rdev, dev, idx, true,
+                                                   true);
                 if (!err)
                         wdev->wext.default_key = idx;
                 wdev_unlock(wdev);
@@ -839,7 +835,7 @@ static int cfg80211_wext_giwfreq(struct net_device *dev,
                 if (!rdev->ops->get_channel)
                         return -EINVAL;
 
-                chan = rdev->ops->get_channel(wdev->wiphy, wdev, &channel_type);
+                chan = rdev_get_channel(rdev, wdev, &channel_type);
                 if (!chan)
                         return -EINVAL;
                 freq->m = chan->center_freq;
@@ -899,7 +895,7 @@ static int cfg80211_wext_siwtxpower(struct net_device *dev,
                 return 0;
         }
 
-        return rdev->ops->set_tx_power(wdev->wiphy, type, DBM_TO_MBM(dbm));
+        return rdev_set_tx_power(rdev, wdev, type, DBM_TO_MBM(dbm));
 }
 
 static int cfg80211_wext_giwtxpower(struct net_device *dev,
@@ -918,7 +914,7 @@ static int cfg80211_wext_giwtxpower(struct net_device *dev,
         if (!rdev->ops->get_tx_power)
                 return -EOPNOTSUPP;
 
-        err = rdev->ops->get_tx_power(wdev->wiphy, &val);
+        err = rdev_get_tx_power(rdev, wdev, &val);
         if (err)
                 return err;
 
@@ -1158,7 +1154,7 @@ static int cfg80211_wext_siwpower(struct net_device *dev,
                         timeout = wrq->value / 1000;
         }
 
-        err = rdev->ops->set_power_mgmt(wdev->wiphy, dev, ps, timeout);
+        err = rdev_set_power_mgmt(rdev, dev, ps, timeout);
         if (err)
                 return err;
 
@@ -1200,7 +1196,7 @@ static int cfg80211_wds_wext_siwap(struct net_device *dev,
         if (!rdev->ops->set_wds_peer)
                 return -EOPNOTSUPP;
 
-        err = rdev->ops->set_wds_peer(wdev->wiphy, dev, (u8 *) &addr->sa_data);
+        err = rdev_set_wds_peer(rdev, dev, (u8 *)&addr->sa_data);
         if (err)
                 return err;
 
@@ -1272,7 +1268,7 @@ static int cfg80211_wext_siwrate(struct net_device *dev,
         if (!match)
                 return -EINVAL;
 
-        return rdev->ops->set_bitrate_mask(wdev->wiphy, dev, NULL, &mask);
+        return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
 }
 
 static int cfg80211_wext_giwrate(struct net_device *dev,
@@ -1302,7 +1298,7 @@ static int cfg80211_wext_giwrate(struct net_device *dev,
         if (err)
                 return err;
 
-        err = rdev->ops->get_station(&rdev->wiphy, dev, addr, &sinfo);
+        err = rdev_get_station(rdev, dev, addr, &sinfo);
         if (err)
                 return err;
 
@@ -1339,7 +1335,7 @@ static struct iw_statistics *cfg80211_wireless_stats(struct net_device *dev)
         memcpy(bssid, wdev->current_bss->pub.bssid, ETH_ALEN);
         wdev_unlock(wdev);
 
-        if (rdev->ops->get_station(&rdev->wiphy, dev, bssid, &sinfo))
+        if (rdev_get_station(rdev, dev, bssid, &sinfo))
                 return NULL;
 
         memset(&wstats, 0, sizeof(wstats));
@@ -1474,19 +1470,19 @@ static int cfg80211_wext_siwpmksa(struct net_device *dev,
                 if (!rdev->ops->set_pmksa)
                         return -EOPNOTSUPP;
 
-                return rdev->ops->set_pmksa(&rdev->wiphy, dev, &cfg_pmksa);
+                return rdev_set_pmksa(rdev, dev, &cfg_pmksa);
 
         case IW_PMKSA_REMOVE:
                 if (!rdev->ops->del_pmksa)
                         return -EOPNOTSUPP;
 
-                return rdev->ops->del_pmksa(&rdev->wiphy, dev, &cfg_pmksa);
+                return rdev_del_pmksa(rdev, dev, &cfg_pmksa);
 
         case IW_PMKSA_FLUSH:
                 if (!rdev->ops->flush_pmksa)
                         return -EOPNOTSUPP;
 
-                return rdev->ops->flush_pmksa(&rdev->wiphy, dev);
+                return rdev_flush_pmksa(rdev, dev);
 
         default:
                 return -EOPNOTSUPP;