13 files changed, 157 insertions, 25 deletions

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 47656beee14c..1ba929c05d0d 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3040,6 +3040,50 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
         hci_dev_unlock(hdev);
 }
 
+static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
+                                         struct sk_buff *skb)
+{
+        struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
+        struct hci_conn *conn;
+
+        BT_DBG("%s status %u handle %u", hdev->name, ev->status,
+               __le16_to_cpu(ev->handle));
+
+        hci_dev_lock(hdev);
+
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
+        if (!conn)
+                goto unlock;
+
+        if (!ev->status)
+                conn->sec_level = conn->pending_sec_level;
+
+        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
+
+        if (ev->status && conn->state == BT_CONNECTED) {
+                hci_acl_disconn(conn, HCI_ERROR_AUTH_FAILURE);
+                hci_conn_put(conn);
+                goto unlock;
+        }
+
+        if (conn->state == BT_CONFIG) {
+                if (!ev->status)
+                        conn->state = BT_CONNECTED;
+
+                hci_proto_connect_cfm(conn, ev->status);
+                hci_conn_put(conn);
+        } else {
+                hci_auth_cfm(conn, ev->status);
+
+                hci_conn_hold(conn);
+                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                hci_conn_put(conn);
+        }
+
+unlock:
+        hci_dev_unlock(hdev);
+}
+
 static u8 hci_get_auth_req(struct hci_conn *conn)
 {
         /* If remote requests dedicated bonding follow that lead */
@@ -3560,6 +3604,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_extended_inquiry_result_evt(hdev, skb);
                 break;
 
+        case HCI_EV_KEY_REFRESH_COMPLETE:
+                hci_key_refresh_complete_evt(hdev, skb);
+                break;
+
         case HCI_EV_IO_CAPA_REQUEST:
                 hci_io_capa_request_evt(hdev, skb);
                 break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f9bffe3af026..4ca88247b7c2 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1314,7 +1314,12 @@ static void security_timeout(struct work_struct *work)
         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
                                                 security_timer.work);
 
-        l2cap_conn_del(conn->hcon, ETIMEDOUT);
+        BT_DBG("conn %p", conn);
+
+        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+                smp_chan_destroy(conn);
+                l2cap_conn_del(conn->hcon, ETIMEDOUT);
+        }
 }
 
 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 958f764cc6ab..c72307cc25fc 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1873,6 +1873,22 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
                 pairing_complete(cmd, mgmt_status(status));
 }
 
+static void le_connect_complete_cb(struct hci_conn *conn, u8 status)
+{
+        struct pending_cmd *cmd;
+
+        BT_DBG("status %u", status);
+
+        if (!status)
+                return;
+
+        cmd = find_pairing(conn);
+        if (!cmd)
+                BT_DBG("Unable to find a pending command");
+        else
+                pairing_complete(cmd, mgmt_status(status));
+}
+
 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
                        u16 len)
 {
@@ -1941,6 +1957,8 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
         /* For LE, just connecting isn't a proof that the pairing finished */
         if (cp->addr.type == BDADDR_BREDR)
                 conn->connect_cfm_cb = pairing_complete_cb;
+        else
+                conn->connect_cfm_cb = le_connect_complete_cb;
 
         conn->security_cfm_cb = pairing_complete_cb;
         conn->disconn_cfm_cb = pairing_complete_cb;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index ff4835b61de9..16ef0dc85a0a 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -649,7 +649,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 
         auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
 
-        ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability);
+        ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
         if (ret)
                 return SMP_UNSPECIFIED;
 
@@ -704,7 +704,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
         return 0;
 }
 
-static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
+static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
 {
         struct smp_ltk *key;
         struct hci_conn *hcon = conn->hcon;
@@ -713,6 +713,9 @@ static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
         if (!key)
                 return 0;
 
+        if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
+                return 0;
+
         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
                 return 1;
 
@@ -733,7 +736,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
 
-        if (smp_ltk_encrypt(conn))
+        if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
                 return 0;
 
         if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
@@ -772,7 +775,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
                 return 1;
 
         if (hcon->link_mode & HCI_LM_MASTER)
-                if (smp_ltk_encrypt(conn))
+                if (smp_ltk_encrypt(conn, sec_level))
                         goto done;
 
         if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 26ddb699d693..c649188314cc 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -145,15 +145,20 @@ static void sta_rx_agg_session_timer_expired(unsigned long data)
         struct tid_ampdu_rx *tid_rx;
         unsigned long timeout;
 
+        rcu_read_lock();
         tid_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[*ptid]);
-        if (!tid_rx)
+        if (!tid_rx) {
+                rcu_read_unlock();
                 return;
+        }
 
         timeout = tid_rx->last_rx + TU_TO_JIFFIES(tid_rx->timeout);
         if (time_is_after_jiffies(timeout)) {
                 mod_timer(&tid_rx->session_timer, timeout);
+                rcu_read_unlock();
                 return;
         }
+        rcu_read_unlock();
 
 #ifdef CONFIG_MAC80211_HT_DEBUG
         printk(KERN_DEBUG "rx session timer expired on tid %d\n", (u16)*ptid);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 495831ee48f1..e9cecca5c44d 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -533,16 +533,16 @@ static void ieee80211_get_et_stats(struct wiphy *wiphy,
                 sinfo.filled = 0;
                 sta_set_sinfo(sta, &sinfo);
 
-                if (sinfo.filled | STATION_INFO_TX_BITRATE)
+                if (sinfo.filled & STATION_INFO_TX_BITRATE)
                         data[i] = 100000 *
                                 cfg80211_calculate_bitrate(&sinfo.txrate);
                 i++;
-                if (sinfo.filled | STATION_INFO_RX_BITRATE)
+                if (sinfo.filled & STATION_INFO_RX_BITRATE)
                         data[i] = 100000 *
                                 cfg80211_calculate_bitrate(&sinfo.rxrate);
                 i++;
 
-                if (sinfo.filled | STATION_INFO_SIGNAL_AVG)
+                if (sinfo.filled & STATION_INFO_SIGNAL_AVG)
                         data[i] = (u8)sinfo.signal_avg;
                 i++;
         } else {
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index d4c19a7773db..8664111d0566 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -637,6 +637,18 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 ieee80211_configure_filter(local);
                 break;
         default:
+                mutex_lock(&local->mtx);
+                if (local->hw_roc_dev == sdata->dev &&
+                    local->hw_roc_channel) {
+                        /* ignore return value since this is racy */
+                        drv_cancel_remain_on_channel(local);
+                        ieee80211_queue_work(&local->hw, &local->hw_roc_done);
+                }
+                mutex_unlock(&local->mtx);
+
+                flush_work(&local->hw_roc_start);
+                flush_work(&local->hw_roc_done);
+
                 flush_work(&sdata->work);
                 /*
                  * When we get here, the interface is marked down.
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 04c306308987..d94627c2929c 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1220,6 +1220,22 @@ static void ieee80211_sta_wmm_params(struct ieee80211_local *local,
         sdata->vif.bss_conf.qos = true;
 }
 
+static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
+{
+        lockdep_assert_held(&sdata->local->mtx);
+
+        sdata->u.mgd.flags &= ~(IEEE80211_STA_CONNECTION_POLL |
+                                IEEE80211_STA_BEACON_POLL);
+        ieee80211_run_deferred_scan(sdata->local);
+}
+
+static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
+{
+        mutex_lock(&sdata->local->mtx);
+        __ieee80211_stop_poll(sdata);
+        mutex_unlock(&sdata->local->mtx);
+}
+
 static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
                                            u16 capab, bool erp_valid, u8 erp)
 {
@@ -1285,8 +1301,7 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
         sdata->u.mgd.flags |= IEEE80211_STA_RESET_SIGNAL_AVE;
 
         /* just to be sure */
-        sdata->u.mgd.flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                                IEEE80211_STA_BEACON_POLL);
+        ieee80211_stop_poll(sdata);
 
         ieee80211_led_assoc(local, 1);
 
@@ -1456,8 +1471,7 @@ static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
                 return;
         }
 
-        ifmgd->flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                          IEEE80211_STA_BEACON_POLL);
+        __ieee80211_stop_poll(sdata);
 
         mutex_lock(&local->iflist_mtx);
         ieee80211_recalc_ps(local, -1);
@@ -1477,7 +1491,6 @@ static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
                   round_jiffies_up(jiffies +
                                    IEEE80211_CONNECTION_IDLE_TIME));
 out:
-        ieee80211_run_deferred_scan(local);
         mutex_unlock(&local->mtx);
 }
 
@@ -2408,7 +2421,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                 net_dbg_ratelimited("%s: cancelling probereq poll due to a received beacon\n",
                                     sdata->name);
 #endif
+                mutex_lock(&local->mtx);
                 ifmgd->flags &= ~IEEE80211_STA_BEACON_POLL;
+                ieee80211_run_deferred_scan(local);
+                mutex_unlock(&local->mtx);
+
                 mutex_lock(&local->iflist_mtx);
                 ieee80211_recalc_ps(local, -1);
                 mutex_unlock(&local->iflist_mtx);
@@ -2595,8 +2612,7 @@ static void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         u8 frame_buf[DEAUTH_DISASSOC_LEN];
 
-        ifmgd->flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                          IEEE80211_STA_BEACON_POLL);
+        ieee80211_stop_poll(sdata);
 
         ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
                                false, frame_buf);
@@ -2874,8 +2890,7 @@ static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
         u32 flags;
 
         if (sdata->vif.type == NL80211_IFTYPE_STATION) {
-                sdata->u.mgd.flags &= ~(IEEE80211_STA_BEACON_POLL |
-                                        IEEE80211_STA_CONNECTION_POLL);
+                __ieee80211_stop_poll(sdata);
 
                 /* let's probe the connection once */
                 flags = sdata->local->hw.flags;
@@ -2944,7 +2959,10 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
         if (test_and_clear_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running))
                 add_timer(&ifmgd->chswitch_timer);
         ieee80211_sta_reset_beacon_monitor(sdata);
+
+        mutex_lock(&sdata->local->mtx);
         ieee80211_restart_sta_timer(sdata);
+        mutex_unlock(&sdata->local->mtx);
 }
 #endif
 
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index f054e94901a2..935aa4b6deee 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -234,6 +234,22 @@ static void ieee80211_hw_roc_done(struct work_struct *work)
                 return;
         }
 
+        /* was never transmitted */
+        if (local->hw_roc_skb) {
+                u64 cookie;
+
+                cookie = local->hw_roc_cookie ^ 2;
+
+                cfg80211_mgmt_tx_status(local->hw_roc_dev, cookie,
+                                        local->hw_roc_skb->data,
+                                        local->hw_roc_skb->len, false,
+                                        GFP_KERNEL);
+
+                kfree_skb(local->hw_roc_skb);
+                local->hw_roc_skb = NULL;
+                local->hw_roc_skb_for_status = NULL;
+        }
+
         if (!local->hw_roc_for_tx)
                 cfg80211_remain_on_channel_expired(local->hw_roc_dev,
                                                    local->hw_roc_cookie,
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f5b1638fbf80..de455f8bbb91 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -378,7 +378,7 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
         /* make the station visible */
         sta_info_hash_add(local, sta);
 
-        list_add(&sta->list, &local->sta_list);
+        list_add_rcu(&sta->list, &local->sta_list);
 
         set_sta_flag(sta, WLAN_STA_INSERTED);
 
@@ -688,7 +688,7 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
         if (ret)
                 return ret;
 
-        list_del(&sta->list);
+        list_del_rcu(&sta->list);
 
         mutex_lock(&local->key_mtx);
         for (i = 0; i < NUM_DEFAULT_KEYS; i++)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 847215bb2a6f..e453212fa17f 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1737,7 +1737,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         __le16 fc;
         struct ieee80211_hdr hdr;
         struct ieee80211s_hdr mesh_hdr __maybe_unused;
-        struct mesh_path __maybe_unused *mppath = NULL;
+        struct mesh_path __maybe_unused *mppath = NULL, *mpath = NULL;
         const u8 *encaps_data;
         int encaps_len, skip_header_bytes;
         int nh_pos, h_pos;
@@ -1803,8 +1803,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         goto fail;
                 }
                 rcu_read_lock();
-                if (!is_multicast_ether_addr(skb->data))
-                        mppath = mpp_path_lookup(skb->data, sdata);
+                if (!is_multicast_ether_addr(skb->data)) {
+                        mpath = mesh_path_lookup(skb->data, sdata);
+                        if (!mpath)
+                                mppath = mpp_path_lookup(skb->data, sdata);
+                }
 
                 /*
                  * Use address extension if it is a packet from
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index a44c6807df01..8dd4712620ff 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1271,7 +1271,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                         enum ieee80211_sta_state state;
 
                         for (state = IEEE80211_STA_NOTEXIST;
-                             state < sta->sta_state - 1; state++)
+                             state < sta->sta_state; state++)
                                 WARN_ON(drv_sta_state(local, sta->sdata, sta,
                                                       state, state + 1));
                 }
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index d2a19b0ff71f..89baa3328411 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -42,6 +42,7 @@ void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
         cfg80211_hold_bss(bss_from_pub(bss));
         wdev->current_bss = bss_from_pub(bss);
 
+        wdev->sme_state = CFG80211_SME_CONNECTED;
         cfg80211_upload_connect_keys(wdev);
 
         nl80211_send_ibss_bssid(wiphy_to_dev(wdev->wiphy), dev, bssid,
@@ -60,7 +61,7 @@ void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
         struct cfg80211_event *ev;
         unsigned long flags;
 
-        CFG80211_DEV_WARN_ON(!wdev->ssid_len);
+        CFG80211_DEV_WARN_ON(wdev->sme_state != CFG80211_SME_CONNECTING);
 
         ev = kzalloc(sizeof(*ev), gfp);
         if (!ev)
@@ -115,9 +116,11 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
 #ifdef CONFIG_CFG80211_WEXT
         wdev->wext.ibss.channel = params->channel;
 #endif
+        wdev->sme_state = CFG80211_SME_CONNECTING;
         err = rdev->ops->join_ibss(&rdev->wiphy, dev, params);
         if (err) {
                 wdev->connect_keys = NULL;
+                wdev->sme_state = CFG80211_SME_IDLE;
                 return err;
         }
 
@@ -169,6 +172,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
         }
 
         wdev->current_bss = NULL;
+        wdev->sme_state = CFG80211_SME_IDLE;
         wdev->ssid_len = 0;
 #ifdef CONFIG_CFG80211_WEXT
         if (!nowext)