Avoid creating input routes with ip_route_me_harder.
It does not work for locally generated packets. Instead,
restrict sockets to provide valid saddr for output route (or
unicast saddr for transparent proxy). For other traffic
allow saddr to be unicast or local but if callers forget
to check saddr type use 0 for the output route.

	The resulting handling should be:

- REJECT TCP:
	- in INPUT we can provide addr_type = RTN_LOCAL but
	better allow rejecting traffic delivered with
	local route (no IP address => use RTN_UNSPEC to
	allow also RTN_UNICAST).
	- FORWARD: RTN_UNSPEC => allow RTN_LOCAL/RTN_UNICAST
	saddr, add fix to ignore RTN_BROADCAST and RTN_MULTICAST
	- OUTPUT: RTN_UNSPEC

- NAT, mangle, ip_queue, nf_ip_reroute: RTN_UNSPEC in LOCAL_OUT

- IPVS:
	- use RTN_LOCAL in LOCAL_OUT and FORWARD after SNAT
	to restrict saddr to be local
Signed-off-by: NJulian Anastasov <ja@ssi.bg>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

ip_append_data() builds packets based on the mtu from dst_mtu(rt->dst.path).
On IPsec the effective mtu is lower because we need to add the protocol
headers and trailers later when we do the IPsec transformations. So after
the IPsec transformations the packet might be too big, which leads to a
slowpath fragmentation then. This patch fixes this by building the packets
based on the lower IPsec mtu from dst_mtu(&rt->dst) and adapts the exthdr
handling to this.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Git commit 59104f06 (ip: take care of last fragment in ip_append_data)
added a check to see if we exceed the mtu when we add trailer_len.
However, the mtu is already subtracted by the trailer length when the
xfrm transfomation bundles are set up. So IPsec packets with mtu
size get fragmented, or if the DF bit is set the packets will not
be send even though they match the mtu perfectly fine. This patch
actually reverts commit 59104f06.
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fixed call to skb_record_rx_queue where we were passing the queue index
relative to the adapter when it should have been relative to the net_device.
Signed-off-by: NJohn (Jay) Hernandez <jay@chelsio.com>
Signed-off-by: NDivy Le Ray <divy@chelsio.com>
Reported-by: NShawn Bohrer <sbohrer@rgmadvisors.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The bridge currently floods packets to groups that we have never
seen before to all ports.  This is not required by RFC4541 and
in fact it is not desirable in environment where traffic to
unregistered group is always present.

This patch changes the behaviour so that we only send traffic
to unregistered groups to ports marked as routers.

The user can always force flooding behaviour to any given port
by marking it as a router.

Note that this change does not apply to traffic to 224.0.0.X
as traffic to those groups must always be flooded to all ports.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Signed-off-by: NRon Mercer <ron.mercer@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The socketcan-core lists require subscription, so mark them as such.
Signed-off-by: NMike Frysinger <vapier@gentoo.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

I cannot speak on behalf of the batman-adv developers due to conflicts
in the opinion about the ongoing development. The batman-adv module is
still maintained by Marek Lindner and Simon Wunderlich. Those are the
main persons behind the visions of batman-adv. Therefore, the state of
module hasn't changed.
Signed-off-by: NSven Eckelmann <sven@narfation.org>
Cc: b.a.t.m.a.n@lists.open-mesh.org
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into for-davem

Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com>
Cc: Realtek linux nic maintainers <nic_swsd@realtek.com>

"status" should be an int here for the error handling to work.
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

-Support for big endian.
-Do not use USB buffers at the stack.
-Safer/more efficient code for local constants.
Signed-off-by: NMarius B. Kotsbak <marius@kotsbak.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

In commit 3ac5e26a entitled
"rtlwifi: rtl8192c-common: Change common firmware routines for addition
of rtl8192se and rtl8192de", the firmware loading code was moved.
Unfortunately, some necessary code was dropped for rtl8192cu.

The dmesg output shows the following:

rtl8192c: Loading firmware file rtlwifi/rtl8192cufw.bin
rtl8192c_common:_rtl92c_fw_free_to_go():<0-0> Polling FW ready fail!! REG_MCUFWDL:0x00000006 .
rtl8192c_common:rtl92c_download_fw():<0-0> Firmware is not ready to run!

In addition, the interface will authenticate and associate, but cannot
transfer data.

This is reported as Kernel Bug #38012.
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Consider this scenario: When the size of the first received udp packet
is bigger than the receive buffer, MSG_TRUNC bit is set in msg->msg_flags.
However, if checksum error happens and this is a blocking socket, it will
goto try_again loop to receive the next packet.  But if the size of the
next udp packet is smaller than receive buffer, MSG_TRUNC flag should not
be set, but because MSG_TRUNC bit is not cleared in msg->msg_flags before
receive the next packet, MSG_TRUNC is still set, which is wrong.

Fix this problem by clearing MSG_TRUNC flag when starting over for a
new packet.
Signed-off-by: NXufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

udpv6_recvmsg() function is not using the correct variable to determine
whether or not the socket is in non-blocking operation, this will lead
to unexpected behavior when a UDP checksum error occurs.

Consider a non-blocking udp receive scenario: when udpv6_recvmsg() is
called by sock_common_recvmsg(), MSG_DONTWAIT bit of flags variable in
udpv6_recvmsg() is cleared by "flags & ~MSG_DONTWAIT" in this call:

    err = sk->sk_prot->recvmsg(iocb, sk, msg, size, flags & MSG_DONTWAIT,
                   flags & ~MSG_DONTWAIT, &addr_len);

i.e. with udpv6_recvmsg() getting these values:

	int noblock = flags & MSG_DONTWAIT
	int flags = flags & ~MSG_DONTWAIT

So, when udp checksum error occurs, the execution will go to
csum_copy_err, and then the problem happens:

    csum_copy_err:
            ...............
            if (flags & MSG_DONTWAIT)
                    return -EAGAIN;
            goto try_again;
            ...............

But it will always go to try_again as MSG_DONTWAIT has been cleared
from flags at call time -- only noblock contains the original value
of MSG_DONTWAIT, so the test should be:

            if (noblock)
                    return -EAGAIN;

This is also consistent with what the ipv4/udp code does.
Signed-off-by: NXufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When NETCONSOLE_DYNAMIC=y and CONFIGFS_FS=m, there are build errors
in netconsole:

drivers/built-in.o: In function `drop_netconsole_target':
netconsole.c:(.text+0x1a100f): undefined reference to `config_item_put'
drivers/built-in.o: In function `make_netconsole_target':
netconsole.c:(.text+0x1a10b9): undefined reference to `config_item_init_type_name'
drivers/built-in.o: In function `write_msg':
netconsole.c:(.text+0x1a11a4): undefined reference to `config_item_get'
netconsole.c:(.text+0x1a1211): undefined reference to `config_item_put'
drivers/built-in.o: In function `netconsole_netdev_event':
netconsole.c:(.text+0x1a12cc): undefined reference to `config_item_put'
netconsole.c:(.text+0x1a12ec): undefined reference to `config_item_get'
netconsole.c:(.text+0x1a1366): undefined reference to `config_item_put'
drivers/built-in.o: In function `init_netconsole':
netconsole.c:(.init.text+0x953a): undefined reference to `config_group_init'
netconsole.c:(.init.text+0x9560): undefined reference to `configfs_register_subsystem'
drivers/built-in.o: In function `dynamic_netconsole_exit':
netconsole.c:(.exit.text+0x809): undefined reference to `configfs_unregister_subsystem'

so fix the NETCONSOLE_DYNAMIC depends clause to prevent this.
Based on email suggestion from Ben Hutchings.  Thanks.

Fixes https://bugzilla.kernel.org/show_bug.cgi?id=37992Reported-by: NDavid Hill <hilld@binarystorm.net>
Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Commit 13e12d14 ("vfs: reorganize 'struct inode' layout a bit")
moved things around a bit changed i_state to be unsigned int instead of
unsigned long.  That was to help structure layout for the 64-bit case,
and shrink 'struct inode' a bit (admittedly that only happened when
spinlock debugging was on and i_flags didn't pack with i_lock).

However, Meelis Roos reports that this results in unaligned exceptions
on sprc, and it turns out that the bit-locking primitives that we use
for the I_NEW bit want to use the bitops.  Which want 'unsigned long',
not 'unsigned int'.

We really should fix the bit locking code to not have that kind of
requirement, but that's a much bigger change.  So for now, revert that
field back to 'unsigned long' (but keep the other re-ordering changes
from the commit that caused this).

Andi points out that we have played games with this in 'struct page', so
it's solvable with other hacks too, but since right now the struct inode
size advantage only happens with some rare config options, it's not
worth fighting.

It _would_ be worth fixing the bitlocking code, though.  Especially
since there is no type safety in the bitlocking code (this never caused
any warnings, and worked fine on x86-64, because the bitlocks take a
'void *' and x86-64 doesn't care that deeply about alignment).  So it's
currently a very easy problem to trigger by mistake and never notice.
Reported-by: NMeelis Roos <mroos@linux.ee>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms/r6xx+: voltage fixes
  drm/nouveau: drop leftover debugging
  drm/radeon: avoid warnings from r600/eg irq handlers on powered off card.
  drm/radeon/kms: add missing param for dce3.2 DP transmitter setup
  drm/radeon/kms/atom: fix duallink on some early DCE3.2 cards
  drm/nouveau: fix assumption that semaphore dmaobj is valid in x-chan sync
  drm/nv50/disp: fix gamma with page flipping overlay turned on
  drm/nouveau/pm: Prevent overflow in nouveau_perf_init()
  drm/nouveau: fix big-endian switch

* 'msm-fix' of git://codeaurora.org/quic/kernel/davidb/linux-msm:
  msm: timer: Fix DGT rate on 8960 and 8660
  msm: timer: compensate for timer shift in msm_read_timer_count
  msm: timer: Fix SMP build error

* 'for-2.6.40' of git://linux-nfs.org/~bfields/linux:
  nfsd4: fix break_lease flags on nfsd open
  nfsd: link returns nfserr_delay when breaking lease
  nfsd: v4 support requires CRYPTO
  nfsd: fix dependency of nfsd on auth_rpcgss

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (40 commits)
  pxa168_eth: fix race in transmit path.
  ipv4, ping: Remove duplicate icmp.h include
  netxen: fix race in skb->len access
  sgi-xp: fix a use after free
  hp100: fix an skb->len race
  netpoll: copy dev name of slaves to struct netpoll
  ipv4: fix multicast losses
  r8169: fix static initializers.
  inet_diag: fix inet_diag_bc_audit()
  gigaset: call module_put before restart of if_open()
  farsync: add module_put to error path in fst_open()
  net: rfs: enable RFS before first data packet is received
  fs_enet: fix freescale FCC ethernet dp buffer alignment
  netdev: bfin_mac: fix memory leak when freeing dma descriptors
  vlan: don't call ndo_vlan_rx_register on hardware that doesn't have vlan support
  caif: Bugfix - XOFF removed channel from caif-mux
  tun: teach the tun/tap driver to support netpoll
  dp83640: drop PHY status frames in the driver.
  dp83640: fix phy status frame event parsing
  phylib: Allow BCM63XX PHY to be selected only on BCM63XX.
  ...

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  devcgroup_inode_permission: take "is it a device node" checks to inlined wrapper
  fix comment in generic_permission()
  kill obsolete comment for follow_down()
  proc_sys_permission() is OK in RCU mode
  reiserfs_permission() doesn't need to bail out in RCU mode
  proc_fd_permission() is doesn't need to bail out in RCU mode
  nilfs2_permission() doesn't need to bail out in RCU mode
  logfs doesn't need ->permission() at all
  coda_ioctl_permission() is safe in RCU mode
  cifs_permission() doesn't need to bail out in RCU mode
  bad_inode_permission() is safe from RCU mode
  ubifs: dereferencing an ERR_PTR in ubifs_mount()

0xff01 is not an actual voltage value, but a flag
for the driver.  If the power state as that value,
skip setting the voltage.
Signed-off-by: NAlex Deucher <alexdeucher@gmail.com>
Signed-off-by: NDave Airlie <airlied@redhat.com>

The DGT runs at 27 MHz divided by 4 on 8660 and 8960.
Signed-off-by: NStephen Boyd <sboyd@codeaurora.org>
Signed-off-by: NDavid Brown <davidb@codeaurora.org>

Because the socket buffer is freed in the completion interrupt, it is not
safe to access it after submitting it to the hardware.

Cc: stable@kernel.org
Cc: Sachin Sanap <ssanap@marvell.com>
Cc: Zhangfei Gao <zgao6@marvell.com>
Cc: Philip Rakity <prakity@marvell.com>
Signed-off-by: NRichard Cochran <richard.cochran@omicron.at>
Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Remove the duplicate inclusion of net/icmp.h from net/ipv4/ping.c
Signed-off-by: NJesper Juhl <jj@chaosbits.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

As soon as skb is given to hardware, TX completion can free skb under
us.
Therefore, we should update dev stats before kicking the device.
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
CC: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

There are two devices with PCI ID 0x10ec:0x8192, namely RTL8192E and
RTL8192SE. The method of distinguishing them is by the revision ID
at offset 0x8 of the PCI configuration space. If the value is 0x10,
then the device uses rtl8192se for a driver.
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

* 'stable/bug.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
  xen/setup: Fix for incorrect xen_extra_mem_start.
  xen: When calling power_off, don't call the halt function.
  xen: Fix compile warning when CONFIG_SMP is not defined.
  xen: support CONFIG_MAXSMP
  xen: partially revert "xen: set max_pfn_mapped to the last pfn mapped"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: sh_keysc - 8x8 MODE_6 fix
  Input: omap-keypad - add missing input_sync()
  Input: evdev - try to wake up readers only if we have full packet
  Input: properly assign return value of clamp() macro.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: avoid delayed metadata items during commits
  btrfs: fix uninitialized return value
  btrfs: fix wrong reservation when doing delayed inode operations
  btrfs: Remove unused sysfs code
  btrfs: fix dereference of ERR_PTR value
  Btrfs: fix relocation races
  Btrfs: set no_trans_join after trying to expand the transaction
  Btrfs: protect the pending_snapshots list with trans_lock
  Btrfs: fix path leakage on subvol deletion
  Btrfs: drop the delalloc_bytes check in shrink_delalloc
  Btrfs: check the return value from set_anon_super

* 'kvm-updates/3.0' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Fix register corruption in pvclock_scale_delta
  KVM: MMU: fix opposite condition in mapping_level_dirty_bitmap
  KVM: VMX: do not overwrite uptodate vcpu->arch.cr3 on KVM_SET_SREGS
  KVM: MMU: Fix build warnings in walk_addr_generic()

inode_permission() calls devcgroup_inode_permission() and almost all such
calls are _not_ for device nodes; let's at least keep the common path
straight...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

CAP_DAC_OVERRIDE is enough for MAY_EXEC on directory, even if
no exec bits are set.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

nothing blocking there, since all instances of sysctl
->permissions() method are non-blocking - both of them,
that is.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

nothing blocking other than generic_permission() (and
check_acl callback does bail out in RCU mode).
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>