This routine gets the parsed rtnl attributes and creates a new
link with generic info (IFLA_LINKINFO policy). Its intention
is to help the drivers, that need to create several links at
once (like VETH).

This is nothing but a copy-paste-ed part of rtnl_newlink() function
that is responsible for creation of new device.
Signed-off-by: NPavel Emelianov <xemul@openvz.org>
Acked-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Several devices have multiple independant RX queues per net
device, and some have a single interrupt doorbell for several
queues.

In either case, it's easier to support layouts like that if the
structure representing the poll is independant from the net
device itself.

The signature of the ->poll() call back goes from:

	int foo_poll(struct net_device *dev, int *budget)

to

	int foo_poll(struct napi_struct *napi, int budget)

The caller is returned the number of RX packets processed (or
the number of "NAPI credits" consumed if you want to get
abstract).  The callee no longer messes around bumping
dev->quota, *budget, etc. because that is all handled in the
caller upon return.

The napi_struct is to be embedded in the device driver private data
structures.

Furthermore, it is the driver's responsibility to disable all NAPI
instances in it's ->stop() device close handler.  Since the
napi_struct is privatized into the driver's private data structures,
only the driver knows how to get at all of the napi_struct instances
it may have per-device.

With lots of help and suggestions from Rusty Russell, Roland Dreier,
Michael Chan, Jeff Garzik, and Jamal Hadi Salim.

Bug fixes from Thomas Graf, Roland Dreier, Peter Zijlstra,
Joseph Fannin, Scott Wood, Hans J. Koch, and Michael Chan.

[ Ported to current tree and all drivers converted.  Integrated
  Stephen's follow-on kerneldoc additions, and restored poll_list
  handling to the old style to fix mutual exclusion issues.  -DaveM ]
Signed-off-by: NStephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This makes the radiotap parser accept all other fields that are
currently defined.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The wireless extensions ioctl's implemented in mac80211 do not include
SIOCGIWTXPOWER. This patch adds the necessary code.
Acked-by: NMichael Buesch <mb@bu3sch.de>
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Makes use of the type safe netlink interface and adds a warning
if the message is too big for NLMSG_DEFAULT_SIZE to help debug.
Signed-off-by: NThomas Graf <tgraf@suug.ch>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

This makes it behave the same whether we have monitor during operation
or not.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Michael Wu noticed that the skb length checking is not taken care of enough when
a packet is presented on the Monitor interface for injection.

This patch improves the sanity checking and removes fake offsets placed
into the skb network and transport header.
Signed-off-by: NAndy Green <andy@warmcat.com>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

This patch replaces atomic allocations with regular ones where possible.

Merged with "revert some GFP_ATOMIC -> GFP_KERNEL changes" from Michael Wu:
> Some of the allocations made with GFP_ATOMIC really were necessary.
Signed-off-by: NMichael Wu <flamingice@sourmilk.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

zd1211rw and bcm43xx are interested in being notified when ERP IE conditions
change, so that they can reprogram a register which affects how control frames
are transmitted.

This patch adds an interface similar to the one that can be found in softmac.
Signed-off-by: NDaniel Drake <dsd@gentoo.org>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Similarly to CTS protection, whether short preambles are used for 802.11b
transmissions should be a per-subif setting, not device global.

For STAs, this patch makes short preamble handling automatic based on the ERP
IE. For APs, hostapd still uses the prism ioctls, but the write ioctl has been
restricted to AP-only subifs.

ieee80211_txrx_data.short_preamble (an unused field) was removed.

Unfortunately, some API changes were required for the following functions:
 - ieee80211_generic_frame_duration
 - ieee80211_rts_duration
 - ieee80211_ctstoself_duration
 - ieee80211_rts_get
 - ieee80211_ctstoself_get
Affected drivers were updated accordingly.
Signed-off-by: NDaniel Drake <dsd@gentoo.org>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

mac80211 informs the driver what the short and long retry values are through
set_retry_limit(), but when packets are being transmitted it did not inform the
driver which of the 2 retry limits should actually be used.
Instead it sends the actual value, but for drivers that can only set the retry limit
and the register and in the descriptor need to indicate which of the limits should
be used this is not really useful.

This patch will add a IEEE80211_TXCTL_LONG_RETRY_LIMIT flag to the
ieee80211_tx_control structure. By default the short retry limit should be
used but if the flag is set the long retry should be used.

This does not prevent the driver to ignore the request for "no retry" packets,
but at least those will be send out with the short retry limit. But there is no
perfect cure for this problem.. :(
Signed-off-by: NIvo van Doorn <IvDoorn@gmail.com>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

My cheapy D-Link AP behaves strangely w.r.t reassociations.

The following sequence of commands causes me to lose association and to be
unable to regain it:

	ifconfig eth8 down
	ifconfig eth8 up
	iwconfig eth8 essid <x>

This is because mac80211 tries to reassociate, rather than just associate.
My AP replies with an association response (not a reassociation response...)
denying the association with code 12: "Association denied due to reason
outside the scope of this standard"

mac80211 tries this reassociation another 4 times or so before finally giving
up.

I see 2 problems here:
 1. bringing the interface down and up again should be resetting interface state
    i.e. after the interface is brought down, it should have no memory of if or
         where it was previously associated
 2. after the first reassociation fails, mac80211 should fall back to
    standard association for the next attempt
Signed-off-by: NDaniel Drake <dsd@gentoo.org>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The sta_info code has some awkward locking which prevents some driver
callbacks from being allowed to sleep. This patch makes the locking more
focused so code that calls driver callbacks are allowed to sleep. It also
converts sta_lock to a rwlock.
Signed-off-by: NMichael Wu <flamingice@sourmilk.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Introduce a new file util.c and move a whole bunch of functions into it.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

This patch groups a whole bunch of functions together to make
ieee80211.c more maintainable.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

I think these can go with rate control just as well and it makes
ieee80211.c more readable.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

into a new file key.c which doesn't have much code right now but
it makes ieee80211.c easier to read.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Some more outdenting to make the code more readable.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

pre_rx handlers can't really touch sta since for IBSS it might not be
assigned yet, it can create sta info structs on-the-fly.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The really indented part that does the huge switch on the interface
type is a nuisance. Put it into an own function 'prepare_for_handlers'.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The ieee80211_rx_h_check handler really does two things, it's
a lot easier to understand if it's split into ieee80211_rx_h_check
and ieee80211_rx_h_load_key, and it may be possible in the future
to optimise the key loading to not do it for each interface.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Make some really indented code more readable by outdenting.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

This patch moves the QoS handlers into rx.c making it possible
to compile wme.c only when NET_SCHED is defined.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJiri Benc <jbenc@suse.cz>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

When the ICMPv6 Target address is multicast, Linux processes the 
redirect instead of dropping it.  The problem is in this code in 
ndisc_redirect_rcv():

         if (ipv6_addr_equal(dest, target)) {
                 on_link = 1;
         } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
                 ND_PRINTK2(KERN_WARNING
                            "ICMPv6 Redirect: target address is not 
link-local.\n");
                 return;
         }

This second check will succeed if the Target address is, for example, 
FF02::1 because it has link-local scope.  Instead, it should be checking 
if it's a unicast link-local address, as stated in RFC 2461/4861 Section 
8.1:

       - The ICMP Target Address is either a link-local address (when
         redirected to a router) or the same as the ICMP Destination
         Address (when redirected to the on-link destination).

I know this doesn't explicitly say unicast link-local address, but it's 
implied.

This bug is preventing Linux kernels from achieving IPv6 Logo Phase II 
certification because of a recent error that was found in the TAHI test 
suite - Neighbor Disovery suite test 206 (v6LC.2.3.6_G) had the 
multicast address in the Destination field instead of Target field, so 
we were passing the test.  This won't be the case anymore.

The patch below fixes this problem, and also fixes ndisc_send_redirect() 
to not send an invalid redirect with a multicast address in the Target 
field.  I re-ran the TAHI Neighbor Discovery section to make sure Linux 
passes all 245 tests now.
Signed-off-by: NBrian Haley <brian.haley@hp.com>
Acked-by: NDavid L Stevens <dlstevens@us.ibm.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Signed-off-by: NStephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Commit a3d38402 aka
"[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
transformed rose_loopback_neigh var into statically allocated one.
However, on unload it will be kfree's which can't work.

Steps to reproduce:

	modprobe rose
	rmmod rose

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
c014c664
*pde = 00000000
Oops: 0000 [#1]
PREEMPT DEBUG_PAGEALLOC
Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
CPU:    0
EIP:    0060:[<c014c664>]    Not tainted VLI
EFLAGS: 00210086   (2.6.23-rc9 #3)
EIP is at kfree+0x48/0xa1
eax: 00000556   ebx: c1734aa0   ecx: f6a5e000   edx: f7082000
esi: 00000000   edi: f9a55d20   ebp: 00200287   esp: f6a5ef28
ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00 
       00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000 
       f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000 
Call Trace:
 [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
 [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
 [<f9a51f3f>] rose_exit+0x4c/0xd5 [rose]
 [<c0132c60>] sys_delete_module+0x15e/0x186
 [<c014244a>] remove_vma+0x40/0x45
 [<c01025e6>] sysenter_past_esp+0x8f/0x99
 [<c012bacf>] trace_hardirqs_on+0x118/0x13b
 [<c01025b6>] sysenter_past_esp+0x5f/0x99
 =======================
Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f 
EIP: [<c014c664>] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When only GSO skb was partially ACKed, no hints are reset,
therefore fastpath_cnt_hint must be tweaked too or else it can
corrupt fackets_out. The corruption to occur, one must have
non-trivial ACK/SACK sequence, so this bug is not very often
that harmful. There's a fackets_out state reset in TCP because
fackets_out is known to be inaccurate and that fixes the issue
eventually anyway.

In case there was also at least one skb that got fully ACKed,
the fastpath_skb_hint is set to NULL which causes a recount for
fastpath_cnt_hint (the old value won't be accessed anymore),
thus it can safely be decremented without additional checking.

Reported by Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

  CC      net/ieee80211/softmac/ieee80211softmac_wx.o
/home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c: In function ‘ieee80211softmac_wx_set_essid’:
/home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c:117: warning: label ‘out’ defined but not used

due to commit: efe870f9. Removing the label.
Signed-off-by: NRichard Knutsson <ricknu-0@student.ltu.se>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Reported by Chris Evans <scarybeasts@gmail.com>:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
>    flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This is followup to Patrick's patch. A little optimization to enqueue
routine allows to remove artificial limitation on queue length.

Plus, testing showed that hash function used by SFQ is too bad or even worse.
It does not even sweep the whole range of hash values.
Switched to Jenkins' hash.
Signed-off-by: NAlexey Kuznetsov <kaber@ms2.inr.ac.ru>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Based upon a report and initial patch by Peter Lieven.

tcp4_md5sig_key and tcp6_md5sig_key need to start with
the exact same members as tcp_md5sig_key.  Because they
are both cast to that type by tcp_v{4,6}_md5_do_lookup().

Unfortunately tcp{4,6}_md5sig_key use a u16 for the key
length instead of a u8, which is what tcp_md5sig_key
uses.  This just so happens to work by accident on
little-endian, but on big-endian it doesn't.

Instead of casting, just place tcp_md5sig_key as the first member of
the address-family specific structures, adjust the access sites, and
kill off the ugly casts.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This fixes kernel bugzilla #5731

It should generate an empty packet for datagram protocols when the
socket is connected, for one.

The check is doubly-wrong because all that a write() can be is a
sendmsg() call with a NULL msg_control and a single entry iovec.  No
special semantics should be assigned to it, therefore the zero length
check should be removed entirely.

This matches the behavior of BSD and several other systems.

Alan Cox notes that SuSv3 says the behavior of a zero length write on
non-files is "unspecified", but that's kind of useless since BSD has
defined this behavior for a quarter century and BSD is essentially
what application folks code to.

Based upon a patch from Stephen Hemminger.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

It gets pointer to fastcall function, expects a pointer to normal
one and calls the sucker.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

If ADDIP is enabled, when an ASCONF chunk is received with ASCONF
paramter length set to zero, this will cause infinite loop.
By the way, if an malformed ASCONF chunk is received, will cause
processing to access memory without verifying.

This is because of not check the validity of parameters in ASCONF chunk.
This patch fixed this.
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

RFC 4460 and future RFC 4960 (2960-bis) specify that packets
with bundled INIT chunks need to be dropped.  We currenlty do
that only after processing any leading chunks.  For OOTB chunks,
since we already walk the entire packet, we should discard packets
with bundled INITs.

There are other chunks chunks that MUST NOT be bundled, but the spec
is silent on theire treatment.  Thus, we'll leave their teatment
alone for the moment.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NWei Yongjun <yjwei@cn.fujitsu.com>

While processing OOTB chunks as well as chunks with an invalid
length of 0, it was possible to SCTP to get wedged inside an
infinite loop because we didn't catch the condition correctly,
or didn't mark the packet for discard correctly.
This work is based on original findings and work by
Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>

Explicitely discard OOTB chunks, whether the result is a
SHUTDOWN COMPLETE or an ABORT.  We need to discard the OOTB
SHUTDOWN ACK to prevent bombing attackes since responsed
MUST NOT be bundled.  We also explicietely discard in the
ABORT case since that function is widely used internally.
Signed-off-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Acked-by: NNeil Horman <nhorman@tuxdriver.com>