MFC r342211:
net80211: fix out-of-bounds read in ieee80211_amrr(9)

MFC r337570-r337573

r337570:
bwi(4): Set ic->ic_softc before bwi_getradiocaps to avoid bad deref

r337571:
net80211: Drain ageq before cleaning it up.

The comment above ieee80211_ageq_cleanup specifically notes that the queue
is assumed to be empty, and in order to make it so, ieee80211_ageq_drain
must be used.

r337572:
ieee8021_node: fix whitespace issues

r337573:
ath: Minor style cleanups

device_printf => DPRINTF and two whitespace adjustments

MFC r306139:

[net80211] don't add IBSS node table entries for neighbors from other SSIDs.

The adhoc probe/beacon input path was creating nodes for all SSIDs.
This wasn't a problem when the NICs were configured to only process
frames for the current BSSID, but that didn't allow IBSS merges.
Once avos and I flipped on "beacons from all BSSIDs" to allow for
correct IBSS merging, we found this interesting behaviour.

This adds a check against the current SSID.

* If there's no VAP SSID, allow anything
* If there's a VAP SSID, check if the incoming frame has a suitable
SSID and if so, allow it.

This prevents nodes being created for other SSIDs in probe and beacon
frames - ie, beacons overlapping IBSSes with different SSIDs, and
probe requests from arbitrary devices.

Tested:

* AR9380, IBSS mode, both local and other IBSSes.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

[net80211] remove node scan lock / generation number + fix few LORs

Drop scan generation number and node table scan lock - the only place
where ni_scangen is checked is in ieee80211_timeout_stations() (and it
is used to prevent duplicate checking of the same node); node scan lock
protects only this variable + node table scan generation number.

This will fix (at least) next LOR (hostap mode):

lock order reversal:
1st 0xc175f84c urtwm0_scan_loc (urtwm0_scan_loc) @ /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:2019
2nd 0xc175e018 urtwm0_com_lock (urtwm0_com_lock) @ /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:2693
stack backtrace:
#0 0xa070d1c5 at witness_debugger+0x75
#1 0xa070d0f6 at witness_checkorder+0xd46
#2 0xa0694cce at __mtx_lock_flags+0x9e
#3 0xb03ad9ef at ieee80211_node_leave+0x12f
#4 0xb03afd13 at ieee80211_timeout_stations+0x483
#5 0xb03aa1c2 at ieee80211_node_timeout+0x42
#6 0xa06c6fa1 at softclock_call_cc+0x1e1
#7 0xa06c7518 at softclock+0xc8
#8 0xa06789ae at intr_event_execute_handlers+0x8e
#9 0xa0678fa0 at ithread_loop+0x90
#10 0xa0675fbe at fork_exit+0x7e
#11 0xa08af910 at fork_trampoline+0x8

In addition to the above:

* switch to ieee80211_iterate_nodes();
* do not assert that node table lock is held, while calling node_age();
that's not really needed (there are no resources, which can be protected
by this lock) + this fixes LOR/deadlock between ieee80211_timeout_stations()
and ieee80211_set_tim() (easy to reproduce in HOSTAP mode while
sending something to an STA with enabled power management).

Tested:

* (avos) urtwn0, hostap mode
* (adrian) AR9380, STA mode
* (adrian) AR9380, AR9331, AR9580, hostap mode

Notes:

* This changes the net80211 internals, so you have to recompile all of it
and the wifi drivers.

Submitted by: avos
Approved by: re (delphij)
Differential Revision: https://reviews.freebsd.org/D6833

net80211: drop some unused variables / local macros

Most of them left after some commits (r178354, r191544, r287197 etc.);
some were never used.

Found by: Clang Static Analyzer

sys/net*: minor spelling fixes.

No functional change.

Try to unbreak the build: the 'vap' variable is only used if ieee80211
debugging compile is on.

[net80211] print out the channel type (eg a, b, g, n) when creating
an IBSS network.

[net8021] Pull out the ibss check code into a public function.

The ath(4) driver now sees beacons and management frames for different
BSSIDs in IBSS mode, which is a problem when you're in a very busy
IBSS environment.

So, expose this function so drivers can use it to check if the current
RX node is actually for a BSS we need to pay attention to or not.

PR: kern/208644
Sponsored by: Eva Automation. Inc.

[net80211] Initial A-MSDU support for testing / evaluation

A-MSDU is another 11n aggregation mechanism where multiple ethernet
frames get LLC encapsulated (so they have a length field), padded,
and put in a single MPDU (802.11 MAC frame.) This means it gets sent
out as a single frame, with a single seqno, it's acked as one frame, etc.

It turns out that, hah, atheros fast frames is almost but not quite
like this, so I'm reusing all of the current superg/fast-frames stuff
in order to actually transmit A-MSDU. Yes, this means that A-MSDU
frames are also only aggregated two at a time, so it's not necessarily
a huge win, but it's better than nothing.

This doesn't do anything by default - the driver needs to say it does
A-MSDU as well as set the AMSDU software TX capability so this code path
gets exercised.

For now, the only driver that enables this is urtwn. I'll enable it
for rsu at some point soon.
Tested:

* Add an amsdu encap path to aggregate two frames, same as the
fast-frames path.

* Always do the superg init/teardown and node init/teardown stuff,
regardless of whether the nodes are doing fast-frames (the ATH
capability stuff.) That way we can reuse it for amsdu.

* Don't do AMSDU for multicast/broadcast and EAPOL frames.

* If we're doing A-MPDU, then don't bother doing FF/A-MSDU.
We can likely do both together, but I don't want to change
behaviour.

* Teach the fast frames approx txtime logic to support the 11n
rates. But, since we don't currently have a full "current rate"
support, assume it's HT20, long-gi, etc. That way we overshoot
on the TX time estimation, so we're always inside the requirements.
(And we only aggregate two frames for now, so we're not really
going to exceed that.)

* Drop the maximum FF age default down to 2ms, otherwise we end up
with some very annoyingly large latencies.

TODO:

* We only aggregate two ethernet frames, so I'm not checking the max
A-MSDU size. But when it comes time to support >2 frames, we should
obey that.

Tested:

* urtwn(4)

[net80211] migrate the time_* macros to ieee80211_* namespace.

It turns out that these will clash very annoyingly with the linux
macros in the linuxkpi layer, so let the wookie^Wlinux win.

The only user that I can find is ath(4), so fix it there too.

net80211: fix TIM cleanup.

Remove duplicate 'ni->ni_associd = 0' assignment from
ieee80211_node_leave(), since it breaks iv_set_tim() in
ic->ic_node_cleanup() (associd is cleared right after this call).

Tested with RTL8188EU (HOSTAP mode) and
WUSB54GC (STA mode, with powersaving enabled).

Approved by: adrian (mentor)
Differential Revision: https://reviews.freebsd.org/D5398

Convert malloc/free back to #define's, as part of OS portability work.

DragonflyBSD uses the FreeBSD wireless stack and drivers. Their malloc()
API is named differently, so they don't have userland/kernel symbol
clashes like we do (think libuinet.)

So, to make it easier for them and to port to other BSDs/other operating
systems, start hiding the malloc specific bits behind defines in
ieee80211_freebsd.h.

DragonflyBSD can now put these portability defines in their local
ieee80211_dragonflybsd.h.

This should be a great big no-op for everyone running wifi.

TODO:

* kill M_WAITOK - some platforms just don't want you to use it
* .. and/or handle it returning NULL rather than waiting forever.
* MALLOC_DEFINE() ?
* Migrate the well-known malloc names (eg M_TEMP) to net80211
namespace defines.

Use name from ieee80211com instead of parent ifnet, in debugging printfs.

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than ten
years for head. However, it is continuously misused as the mpsafe argument
for callout_init(9). Deprecate the flag and clean up callout_init() calls
to make them more consistent.

Differential Revision: https://reviews.freebsd.org/D2613
Reviewed by: jhb
MFC after: 2 weeks

Add node_clear_keyixmap() and use it in the ieee80211_free_node() / node_reclaim().

PR: kern/199672
Submitted by: Andriy Voskoboinyk <s3erios@gmail.com>

Remove old iv_bss entry from the node table

This may happen on RUN -> SCAN -> RUN -> SCAN state transition:

1. RUN -> SCAN: in ieee80211_sta_join1(): iv_bss will be moved to obss,
refcnt will be reduced by 2 (default minimum).

Now, if old iv_bss have some extra references (for example, from
unacknowledged probe responses), it will not be freed and will stay
in the node table.

2. SCAN -> RUN.

3. If old iv_bss will not be deleted by the time when the next RUN -> SCAN
state transition occurs, then sta_leave() will reduce it's reference
counter once more. As a result, two last users will free it -> this will
lead to kernel panic.

In this patch old iv_bss entry is explicitly removed from the node table in
ieee80211_sta_join1() (as a result, it will not be processed by sta_leave()).

PR: kern/199676
Differential Revision: Andriy Voskoboinyk <s3erios@gmail.com>

The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

Replace the homegrown implementation of nitems() with calls to nitems()
(param.h).

Operating systems that don't have nitems() can easily define it on their own
net80211 OS-specific header file.

Discussed with: adrian

Initial cut at making IBSS support 802.11n aware.

* Add HTINFO field decoding to ieee80211_ies_expand() - it's likely not
100% correct as it's not looking at the draft 11n HTINFO location,
but I don't think anyone will care.

* When doing an IBSS join make sure the 11n channel configuration
is used - otherwise the 11a/11bg channel will be used
and there won't be any chance for an upgrade to 11n.

* When creating an IBSS network, ensure the channel is updated to an
11n channel so other 11n nodes can see it and speak to it with MCS
rates.

* Add a bit of code that's disabled for now which handles the HT
field updating. This won't work out very well with lots of adhoc
nodes as we'd end up ping-ponging between the HT configuration for
each node. Instead, we should likely only pay attention to the
"master" node we initially associated against and then ensure we
propagate that information forward in our subsequent beacons. However,
due to the nature of IBSS (ie, there's no specific "master" node in
the specification) it's unclear which node we should lift the HT
parameters from.

So for now this assumes the HT parameters are squirreled away in the
initial beacon/probe response.

So there's some trickiness here.

With ap/sta pairing, the probe response just populates a legacy node
and the association request/response is what is used for negotiation
11n-ness (and upgrading things as needed.)

With ibss networks, the pairing is done with probe request/response,
with discovery being done by creating nodes when new beacons in the
IBSS / BSSID are heard. There's no assoc request/response frames going on.

So the trick here has been to figure out where to upgrade things.
I don't like how I just taught ieee80211_sta_join() to "speak" HT -
I'd rather there be an upgrade path when an IBSS node joins and there
are HT parameters present. Once I've done that, I'll kill this
HT special casing that's going on in ieee80211_sta_join().

Tested:

* AR9280, AR5416, AR5212 - basic iperf and ping interoperability tests
whilst in a non-encrypted adhoc network.

TODO:

* Fix up the HT upgrade path for IBSS nodes rather than adding code
in ieee80211_sta_join(), then remove my code from there.

* When associating, there's a concept of a "master" node in the IBSS
which is the node you first joined the network through. It's possible
the correct thing to do is to listen to HT updates and configure WME
parameters from that node. However, once that node goes away, which
node(s) should be listened to for configuration changes?

For things like HT channel width, it's likely going to be ok to
just associate as HT40 and then use the per-neighbor rate control
and HTINFO/HTCAP fields to figure out which rates and configuration
to speak. Ie, for a 20MHz 11n node, just speak 20MHz rates to
it. It shouldn't "change", like what goes on in AP/STA configurations.

Fix a crash bug introduced in the iterate node work recently done.

When resuming, the first VAP is checked for max_aid; however if there
is no VAP, this results in a NULL pointer dereference and kernel
panic.

Fix an incorrect comparison.

PR: kern/170098

Don't call the node iteration function inside the node table / node
iterate lock.

This causes LORs and deadlocks as some code paths will have the com lock
held when calling ieee80211_iterate_nodes().

Here, the comlock isn't held during the node table and node iteration
locks; and the callback isn't called with any (extra) lock held.

PR: kern/170098
Submitted by: moonlightakkiy@yahoo.ca
MFC after: 4 weeks

Create a new task to handle 802.11n channel width changes.

Currently, a channel width change updates the 802.11n HT info data in
net80211 but it doesn't trigger any device changes. So the device
driver may decide that HT40 frames can be transmitted but the last
device channel set only had HT20 set.

Now, a task is scheduled so a hardware reset or change isn't done
during any active ongoing RX. It also means that it's serialised
with the other task operations (eg channel change.)

This isn't the final incantation of this work, see below.

For now, any unmodified drivers will simply receive a channel
change log entry. A subsequent patch to ath(4) will introduce
some basic channel change handling (by resetting the NIC.)
Other NICs may need to update their rate control information.

TODO:

* There's still a small window at the present moment where the
channel width has been updated but the task hasn't been fired.
The final version of this should likely pass in a channel width
field to the driver and let the driver atomically do whatever
it needs to before changing the channel.

PR: kern/166286

Revert r220907 and r220915.

Changing the size of struct ieee80211_mimo_info changes
the STA info data, breaking ifconfig in general.

Change the MIMO userland export ABI to include flags, number of radio chains,
extended EVM statistics and EXT channel data.

ifconfig still displays 3 chains worth of ctl noise/rssi.

Add initial support for MIMO statistics to net80211.

This introduces struct ieee80211_rx_stats - which stores the various kinds
of RX statistics which a MIMO and non-MIMO 802.11 device can export.

It also fleshes out the mimo export to userland (node_getmimoinfo()).

It assumes that MIMO radios (for now) export both ctl and ext channels.
Non-11n MIMO radios are possible (and I believe Atheros made at least
one), so if that chipset support is added, extra flags to the
struct ieee80211_rx_stats can be added to extend this support.

Two new input functions have been added - ieee80211_input_mimo() and
ieee80211_input_mimo_all() - which MIMO-aware devices can call with
MIMO specific statistics.

802.11 devices calling the non-MIMO input functions will still function.

Honor device capabilities while initializing ni_htrates.

Instead of hardcoding MCS0-15 generate the table dynamically, also
restrict the MCS rates to our own capabilities while parsing a htcap
element.

Pull ieee80211_ratectl_node_init() calls from drivers into net80211.
This fixes hostap mode for at least ral(4) and run(4), because there is
no sufficient call into drivers which could be used initialize the node
related ratectl variables.

MFC after: 3 days

Instead of using the AMRR ratectl algo as default for drivers which have
the IEEE80211_C_RATECTL flag set, default to NONE for all drivers. Only if
a driver calls ieee80211_ratectl_init() check if the NONE algo is still
selected and try to use AMRR in that case. Drivers are still free to use
any other algo by calling ieee80211_ratectl_set() prior to the
ieee80211_ratectl_init() call.

After this change it is now safe to assume that a ratectl algo is always
available and selected, which renders the IEEE80211_C_RATECTL flag pretty
much useless. Therefore revert r211314 and 211546.

Reviewed by: rpaulo
MFC after: 2 weeks

Wrap remaining ieee80211_ratectl_node_init() calls missed in r211314.

MFC after: 1 week

Introduce IEEE80211_C_RATECTL, drivers which use the ratectl framework
should set this capability.

MFC after: 2 weeks

Initialize ni_txrate after txparams have been setup. Some drivers
calculate various things prior to association based on ni_txrate and
rely on it being nonzero.

PR: kern/149185
MFC after: 2 weeks

Fix typo. No functional change.

Obtained from: DragonFlyBSD

net80211 rate control framework (net80211 ratectl).

This framework allows drivers to abstract the rate control algorithm and
just feed the framework with the usable parameters. The rate control
framework will now deal with passing the parameters to the selected
algorithm. Right now we have AMRR (the default) and RSSADAPT but there's
no way to select one with ifconfig, yet.
The objective is to have more rate control algorithms in the net80211
stack so all drivers[0] can use it. Ideally, we'll have the well-known
sample rate control algorithm in the net80211 at some point so all
drivers can use it (not just ath).

[0] all drivers that do rate control in software, that is.

Reviewed by: bschmidt, thompsa, weyongo
MFC after: 1 months

Remove extraneous semicolons, no functional changes.

Submitted by: Marc Balmer <marc@msys.ch>
MFC after: 1 week

Implementation of the upcoming Wireless Mesh standard, 802.11s, on the
net80211 wireless stack. This work is based on the March 2009 D3.0 draft
standard. This standard is expected to become final next year.
This includes two main net80211 modules, ieee80211_mesh.c
which deals with peer link management, link metric calculation,
routing table control and mesh configuration and ieee80211_hwmp.c
which deals with the actually routing process on the mesh network.
HWMP is the mandatory routing protocol on by the mesh standard, but
others, such as RA-OLSR, can be implemented.

Authentication and encryption are not implemented.

There are several scripts under tools/tools/net80211/scripts that can be
used to test different mesh network topologies and they also teach you
how to setup a mesh vap (for the impatient: ifconfig wlan0 create
wlandev ... wlanmode mesh).

A new build option is available: IEEE80211_SUPPORT_MESH and it's enabled
by default on GENERIC kernels for i386, amd64, sparc64 and pc98.

Drivers that support mesh networks right now are: ath, ral and mwl.

More information at: http://wiki.freebsd.org/WifiMesh

Please note that this work is experimental. Also, please note that
bridging a mesh vap with another network interface is not yet supported.

Many thanks to the FreeBSD Foundation for sponsoring this project and to
Sam Leffler for his support.
Also, I would like to thank Gateworks Corporation for sending me a
Cambria board which was used during the development of this project.

Reviewed by: sam
Approved by: re (kensmith)
Obtained from: projects/mesh11s

Add ieee80211_ageq; a facility for staging packets that require
long-term work before they can be serviced. Packets are tagged and
assigned an age (in seconds) at the point they are added to the
queue. If a packet is not retrieved before it's age expires it is
reclaimed. Tagging can take two forms: a reference to an ieee80211_node
(as happens in the tx path) or an opaque token in cases where there
is no reference or the node structure is not stable (i.e. it's going
to be destroyed).

o add ic_stageq to replace the per-node wds staging queue used for
dynamic wds
o add ieee80211_mac_hash for building ageq tokens; this computes a
32-bit hash from an 802.11 mac address (copied from the bridge)
o while here fix a stray ';' noticed in IEEE80211_PSQ_INIT

Reviewed by: rpaulo
Approved by: re (kensmith)

When associating to an AP we don't know if HT is negotiated until
we receive the AssocResp, so we can only set ni_txparms properly
at that point. To make this possible make node_setuptxparms public
as ieee80211_node_setuptxparms.

iv_flags_ext is full, make room by moving HT-related flags to a new
iv_flags_ht word

Overhaul monitor mode handling:
o replace DLT_IEEE802_11 support in net80211 with DLT_IEEE802_11_RADIO
and remove explicit bpf support from wireless drivers; drivers now
use ieee80211_radiotap_attach to setup shared data structures that
hold the radiotap header for each packet tx/rx
o remove rx timestamp from the rx path; it was used only by the tdma support
for debugging and was mostly useless due to it being 32-bits and mostly
unavailable
o track DLT_IEEE80211_RADIO bpf attachments and maintain per-vap and
per-com state when there are active taps
o track the number of monitor mode vaps
o use bpf tap and monitor mode vap state to decide when to collect radiotap
state and dispatch frames; drivers no longer explicitly directly check
bpf state or use bpf calls to tap frames
o handle radiotap state updates on channel change in net80211; drivers
should not do this (unless they bypass net80211 which is almost always
a mistake)
o update various drivers to be more consistent/correct in handling radiotap
o update ral to include TSF in radiotap'd frames
o add promisc mode callback to wi

Reviewed by: cbzimmer, rpaulo, thompsa

correct handling of ctl frames: the sender's address is always i_addr2 for
frames we should expect to process (old code was trying to handle frames
we should never see--like ACK)

Reviewed by: thompsa, cbzimmer

Create a taskqueue for each wireless interface which provides a serialised
sleepable context for net80211 driver callbacks. This removes the need for USB
and firmware based drivers to roll their own code to defer the chip programming
for state changes, scan requests, channel changes and mcast/promisc updates.
When a driver callback completes the hardware state is now guaranteed to have
been updated and is in sync with net80211 layer.

This nukes around 1300 lines of code from the wireless device drivers making
them more readable and less race prone.

The net80211 layer has been updated as follows
- all state/channel changes are serialised on the taskqueue.
- ieee80211_new_state() always queues and can now be called from any context
- scanning runs from a single taskq function and executes to completion. driver
callbacks are synchronous so the channel, phy mode and rx filters are
guaranteed to be set in hardware before probe request frames are
transmitted.

Help and contributions from Sam Leffler.

Reviewed by: sam

fix txparms setup for 108G sta's: ieee80211_iserp_rateset does not
identify a station operating in turbo-boost mode because it has a
pure ofdm rate set; add an explicit check for the channel type
instead of depending on IEEE80211_NODE_ERP being set

Hoist 802.11 encapsulation up into net80211:
o call ieee80211_encap in ieee80211_start so frames passed down to drivers
are already encapsulated
o remove ieee80211_encap calls in drivers
o fixup wi so it recreates the 802.3 head it requires from the 802.11
header contents
o move fast-frame aggregation from ath to net80211 (conditional on
IEEE80211_SUPPORT_SUPERG):
- aggregation is now done in ieee80211_start; it is enabled when the
packets/sec exceeds ieee80211_ffppsmin (net.wlan.ffppsmin) and frames
are held on a staging queue according to ieee80211_ffagemax
(net.wlan.ffagemax) to wait for a frame to combine with
- drivers must call back to age/flush the staging queue (ath does this
on tx done, at swba, and on rx according to the state of the tx queues
and/or the contents of the staging queue)
- remove fast-frame-related data structures from ath
- add ieee80211_ff_node_init and ieee80211_ff_node_cleanup to handle
per-node fast-frames state (we reuse 11n tx ampdu state)
o change ieee80211_encap calling convention to include an explicit vap
so frames coming through a WDS vap are recognized w/o setting M_WDS

With these changes any device able to tx/rx 3Kbyte+ frames can use fast-frames.

Reviewed by: thompsa, rpaulo, avatar, imp, sephe

o add ic_rt to track the rate table for the current channel; this enables
calculation of packet transmit times to do things like check txop limits
o remove equivalent driver code and convert to use net80211 state

split Atheros SuperG support out into it's own file that's included only
with a new IEEE80211_SUPPORT_SUPERG option

mark nodes created by way of neighbor discovery need to be marked as ERP
so they get the correct tx parameters setup by node_settxparms

Add modes for 1/2 and 1/4-width channels so we have separate roaming
and xmit parameters. This makes it possible to use tdma on fractional
channels.
o add IEEE80211_MODE_HALF and IEEE80211_MODE_QUARTER; note these are
band-agnostic (may need revisiting)
o setup all default rates in ic_sup_rates instead of doing it only
for active modes; we need these to calculate the default tx parameters
which are not recalculated after a regulatory update (can't just
recalculate after installing a new channel list because we might
clobber user settings)
o remove special case code in ieee80211_get_suprates; this is now
a candidate for an inline or removal
o add various entries for new modes (roaming+tx params, wme, rate
mapping, scan set setup, country ie construction, tdma, basic rates)

Note these modes are intentionally not visible through if_media.

o replace ieee80211_node_reclaim by individual operations to release the
references to iv_bss and the sta table; this is equivalent and causes
direct reclaim of the old bss node when any references in packets inflight
are reclaimed (previously the old node would sit in the bss table until
the inactivity processing reclaimed it)
o remove ieee80211_node_reclaim now that it's only use is gone

Reviewed by: avatar, cbzimmer

improve key index map reclaim debug msg

set ni_txparms for static turbo mode

TDMA support for long distance point-to-point links using ath devices:
o add net80211 support for a tdma vap that is built on top of the
existing adhoc-demo support
o add tdma scheduling of frame transmission to the ath driver; it's
conceivable other devices might be capable of this too in which case
they can make use of the 802.11 protocol additions etc.
o add minor bits to user tools that need to know: ifconfig to setup and
configure, new statistics in athstats, and new debug mask bits

While the architecture can support >2 slots in a TDMA BSS the current
design is intended (and tested) for only 2 slots.

Sponsored by: Intel

only mark an infrastructure node to require an associd for xmit; fixes adhoc
mode sta's that join an existing ibss

mark discovered neighbors QoS capable if they advertise wme

convert MALLOC/FREE to malloc/free

Fix ucastkey teardown for drivers that plumb clear keys or similar
(e.g. ath): we must check the key index and not whether the key
points at a cipher other than "undef". This looks like it's been
broken for a while. Might be worth adding an explicit clear cipher
at some point though this would require changes to the usage of
IEEE80211_KEY_UNDEFINED.

PR: 125906

Replace adhoc checks in ieee80211_start with a per-node flag that
indicates if an association id is required before outbound traffic
is permitted. This cleans up the previous change that broke mcast
traffic "to the stack" in ap mode as a side effect.

Reviewed by: sephe, thompsa, weongyo

o re-enable a lock assert
o while here reformat a comment to sync w/ other repot's

New ap-side power save implementation; the main change is to allow drivers
to queue frames previously encapsulated on a separate high priority list
that is dispatched before the unencapsulated frames (to preserve order).

set erp flag and tx parameter state when joining a bss; this allows
drivers to use ni_txparms

improve inactivity handling debug support

change ieee80211_sta_join to take an explicit channel instead of
using the value in the scan parameters; this will be used to fix
issues with 11b operation

Revert the removal of the MALLOC and FREE macros from the net80211 code.

Requested by: sam

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months

cleanup bss node setup; syncs w/ p4 state that's been in use for months

RIFS support; needs driver callback for dynamic state change

MIMO power save support; still needs callbacks for notifying drivers
of dynamic state change in station mode.

Add current transmit parameters for fixed rate handling so drivers
don't duplicate this. These are setup according to the role of the
node--the bss node for ap and adhoc modes need to use parameters
that are the least common denomimator of all nodes in the bss;
otherwise we are setting up params for a station joining a bss and
we select those according to the capabilities of the station.

This stuff needs more work as we do extra work due to having setup
in common code paths shared by nodes using both roles.

make all checks if ni_chw consistent

Change the calling convention for ic_node_alloc to deal with
some longstanding issues:
o pass the vap since it's now the "coin of the realm" and required
to do things like set initial tx parameters in private node
state for use prior to association
o pass the mac address as cards that maintain outboard station
tables require this to create an entry (e.g. in ibss mode)
o remove the node table reference, we only have one node table
and it's unlikely this will change so this is not needed to
find the com structure

Split ieee80211_notify_erp into locked and unlocked variants
and use the locked version to handle the hostap input path
case where the com lock is not already held.

Noticed by: Jared Go

Fix node cleanup issues when the last reference is held by
the driver (e.g. in the tx q); ni_vap may not be valid, we
must carefully check before using it.

correct code returned in AsssocResp; the previous code is spec'd for use
only in deauth+disassoc frames

Submitted by: Chris Zimmermann
MFC after: 1 month

Don't override the txpower cap installed by ieee80211_alloc_node;
we use ic_txpowlimit (for now) to initialize all new sta entries.

special-case broadcast probe request in ieee80211_find_rxnode; we need
to spam all vaps and this won't happen if the frame comes from a station
that is associated to an ap vap (and so has an entry in the table)

Noticed by: Jared Go
Reviewed by: thompsa

fix build w/ IEEE80211_DEBUG_REFCNT enabled

Multi-bss (aka vap) support for 802.11 devices.

Note this includes changes to all drivers and moves some device firmware
loading to use firmware(9) and a separate module (e.g. ral). Also there
no longer are separate wlan_scan* modules; this functionality is now
bundled into the wlan module.

Supported by: Hobnob and Marvell
Reviewed by: many
Obtained from: Atheros (some bits)

o correct re-association indicator dispatched in node join event
o remove misleading "reassociation" msg on sta join

MFC after: 3 days

parse htcap ie early so ampdu density and max rx size are available
for constructing the AssocReq frame

MFC after: 3 days

sync 11n support with vap code base; many changes based on interop
testing with all major vendors

MFC after: 1 week

Close longstanding race dropping inactive stations; grab a reference
to the node before starting the work, otherwise the node may go
away before a reference is made in ieee80211_send_mgmt.

Approved by: re (blanket wireless)
Obtained from: Atheros

Safeguard count of stations in power save; don't touch it unless we're
operating in a mode where it should be maintained.

Approved by: re (blanket wireless)
MFC after: 2 weeks

Update beacon handling to sync w/ vap code base:
o add driver callback to handle notification of beacon changes;
this is required for devices that manage beacon frames themselves
(devices must override the default handler which does nothing)
o move beacon update-related flags from ieee80211com to the beacon
offsets storage (or handle however a driver wants)
o expand beacon offsets structure with members needed for 11h/dfs
and appie's
o change calling convention for ieee80211_beacon_alloc and
ieee80211_beacon_update
o add overlapping bss support for 11g; requires driver to pass
beacon frames from overlapping bss up to net80211 which is not
presently done by any driver
o move HT beacon contents update to a routine in the HT code area

Reviewed by: avatar, thompsa, sephe
Approved by: re (blanket wireless)

oops, add missing bit from last change

Approved by: re (blanket wireless)

Fixup sta inactivity handling:
o reset ni_inact when ni_inact_reload is changed so we're
assured a valid setting
o never let ni_inact go negative
o add a knob to disable hostap sta idle handling (e.g. so it can be done
by a user application)
o remove bogus reload on associate

Reviewed by: avatar
Approved by: re (blanket wireless)

Update 802.11 wireless support:
o major overhaul of the way channels are handled: channels are now
fully enumerated and uniquely identify the operating characteristics;
these changes are visible to user applications which require changes
o make scanning support independent of the state machine to enable
background scanning and roaming
o move scanning support into loadable modules based on the operating
mode to enable different policies and reduce the memory footprint
on systems w/ constrained resources
o add background scanning in station mode (no support for adhoc/ibss
mode yet)
o significantly speedup sta mode scanning with a variety of techniques
o add roaming support when background scanning is supported; for now
we use a simple algorithm to trigger a roam: we threshold the rssi
and tx rate, if either drops too low we try to roam to a new ap
o add tx fragmentation support
o add first cut at 802.11n support: this code works with forthcoming
drivers but is incomplete; it's included now to establish a baseline
for other drivers to be developed and for user applications
o adjust max_linkhdr et. al. to reflect 802.11 requirements; this eliminates
prepending mbufs for traffic generated locally
o add support for Atheros protocol extensions; mainly the fast frames
encapsulation (note this can be used with any card that can tx+rx
large frames correctly)
o add sta support for ap's that beacon both WPA1+2 support
o change all data types from bsd-style to posix-style
o propagate noise floor data from drivers to net80211 and on to user apps
o correct various issues in the sta mode state machine related to handling
authentication and association failures
o enable the addition of sta mode power save support for drivers that need
net80211 support (not in this commit)
o remove old WI compatibility ioctls (wicontrol is officially dead)
o change the data structures returned for get sta info and get scan
results so future additions will not break user apps
o fixed tx rate is now maintained internally as an ieee rate and not an
index into the rate set; this needs to be extended to deal with
multi-mode operation
o add extended channel specifications to radiotap to enable 11n sniffing

Drivers:
o ath: add support for bg scanning, tx fragmentation, fast frames,
dynamic turbo (lightly tested), 11n (sniffing only and needs
new hal)
o awi: compile tested only
o ndis: lightly tested
o ipw: lightly tested
o iwi: add support for bg scanning (well tested but may have some
rough edges)
o ral, ural, rum: add suppoort for bg scanning, calibrate rssi data
o wi: lightly tested

This work is based on contributions by Atheros, kmacy, sephe, thompsa,
mlaier, kevlo, and others. Much of the scanning work was supported by
Atheros. The 11n work was supported by Marvell.

copyright updates:
o update to include 2007
o switch back to a 2-clause bsd-only license

Reviewed by: onoe

change ieee80211_fix_rate to take a rate set instead of using
ni_rates; this lets us re-use the code to check 11n HT rates

MFC after: 2 weeks

keep tx/rx seq #'s for non-QoS traffic separate from QoS; stations
aren't supposed mix traffic but if they did frames might be mis-handled

Obtained from: Atheros
MFC after: 2 weeks

when starting up an ibss master use a random address for
the bssid; this is required for wifi alliance compliance

Obtained from: Atheros
MFC after: 2 weeks

Add initial support for 900MHz cards like the Ubiquiti SR9:
o add channel flag to enable freq <-> ieee channel # mapping (can
go away in the future when ieee number is precomputed)
o add mapping between 900mhz freq's and channel #'s that gives a
unique channel # for each half/quarter/full width channel
o remove assumptions that half/quarter rate channels on happen in 11a
o remove assumptions that all 11g channels are full width
o ensure ic_curchan is reset on mode change so changing the channel
list (e.g. on countrycode change) doesn't leave curchan set to an
invalid channel

There is still an issue with switching rate sets; to be fixed separately.

MFC after: 1 month

Correct several issues with rate set negotiation:
o add IEEE80211_F_JOIN flag to ieee80211_fix_rate to indicate a station
is joining a BSS; this is used to control whether or not we over-write
the basic rate bit in the calculated rate set
o fix ieee80211_fix_rate to honor IEEE80211_F_DODEL when IEEE80211_F_DONEGO
is not specified (e.g. when joining an ibss network)
o on sta join always delete unusable rates from the negotiated rate set,
this was being done only ibss networks but is also needed for 11g bss
with mixed stations
o on sta join delete unusable rates from the bss node's rate set, not the
scan table entry's rate set
o when calculating a rate set for new neighbors in an ibss caculate a
negotiated rate set so drivers are not presented with rates they should
not use

Submitted by: Sepherosa Ziehau (w/ modifications)
Obtained from: DragonFly
MFC after: 1 month

First cut at half/quarter-rate 11a channel support (e.g. for use
in the Public Safety Band):
o add channel flags to identify half/quarter-rate operation
o add rate sets (need to check spec on 4Mb/s in 1/4 rate)
o add if_media definitions for new rates
o split net80211 channel setup out into ieee80211_chan_init
o fixup ieee80211_mhz2ieee and ieee80211_ieee2mhz to understand half/quarter
rate channels: note we temporarily use a nonstandard/hack numbering that
avoids overlap with 2.4G channels because we don't (yet) have enough
state to identify and/or map overlapping channel sets
o fixup ieee80211_ifmedia_init so it can be called post attach and will
recalculate the channel list and associated state; this enables changing
channel-related state like the regulatory domain after attach (will be
needed for 802.11d support too)
o add ieee80211_get_suprates to return a reference to the supported rate
set for a given channel
o add 3, 4.5, and 27 MB/s tx rates to rate <-> media conversion routines
o const-poison channel arg to ieee80211_chan2mode

Move conditional preprocessing out from the IEEE80211_DPRINTF macro
invocation. Per C99 6.10.3 paragraph 11 preprocessing directives
appearing as macro arguments yield undefined behavior.

Ensure outbound data packets in hostap mode are delivered only to
stations that are associated by making ieee80211_find_txnode return
NULL when a unicast frame is to be delivered to an unassociated
station. This will be handled differently in the future but for
now putting the check here allows all drivers to immediately do
the right thing.

Reviewed by: avatar
MFC after: 1 week

when scanning channels marked passive defer probe request until
802.11 traffic is seen; fixes problems with ap's hiding their ssid

Obtained from: atheros
MFC after: 1 week

bump the scan generation number before iterating so we're guaranteed
to have a value that's not been used before; this fixes the problem
where the first traversal of the scan list did nothing because the
entries were initialized with the current generation number (a
separate issue)

MFC after: 1 week

update erp information element in the beacon frame to reflect
changes in the bss

Reviewed by: avatar
Obtained from: atheros
MFC after: 2 weeks

When creating neighbor entries for an ahdemo bss apply the local
settings. In particular this allows us to use QoS frames in a
bss and in turn enables disabling ack's.

when creating an ahdemo bss use any requested bssid; otherwise use zero

Obtained from: madwifi

propagate current bss state on sta join so, in particular, authmode
is set properly in the new bss node

MFC after: 2 weeks

Bandaid ieee80211_set_chan to handle a channel parameter of "any";
this can happen under certain conditions when scanning. This logic
will eventually go away with the new scanning code.

While here de-inline the routine.

MFC after: 1 week

Adhoc mode fixups:
o plug memory leak in adhoc mode: on rx the sender may be the
current master so simply checking against ic_bss is not enough
to identify if the packet comes from an unknown sender; must
also check the mac address
o split neighbor node creation into two routines and fillin state
of nodes faked up on xmit when a beacon or probe response frame
is later received; this ensures important state like the rate set
and advertised capabilities are correct

Obtained from: netbsd
MFC after: 1 week

revert 1.64: we cannot use the channel characteristics to decide when to
do 11g erp sta accounting because b/g channels show up as false positives
when operating in 11b.

Noticed by: Michal Mertl

Don't use ic_curmode to decide when to do 11g station accounting,
use the station channel properties. Fixes assert failure/bogus
operation when an ap is operating in 11a and has associated stations
then switches to 11g.

Noticed by: Michal Mertl
Reviewed by: avatar
MFC after: 2 weeks

Clarify/fix handling of the current channel:
o add ic_curchan and use it uniformly for specifying the current
channel instead of overloading ic->ic_bss->ni_chan (or in some
drivers ic_ibss_chan)
o add ieee80211_scanparams structure to encapsulate scanning-related
state captured for rx frames
o move rx beacon+probe response frame handling into separate routines
o change beacon+probe response handling to treat the scan table
more like a scan cache--look for an existing entry before adding
a new one; this combined with ic_curchan use corrects handling of
stations that were previously found at a different channel
o move adhoc neighbor discovery by beacon+probe response frames to
a new ieee80211_add_neighbor routine

Reviewed by: avatar
Tested by: avatar, Michal Mertl
MFC after: 2 weeks

Split crypto tx+rx key indices and add a key index -> node mapping table:

Crypto changes:
o change driver/net80211 key_alloc api to return tx+rx key indices; a
driver can leave the rx key index set to IEEE80211_KEYIX_NONE or set
it to be the same as the tx key index (the former disables use of
the key index in building the keyix->node mapping table and is the
default setup for naive drivers by null_key_alloc)
o add cs_max_keyid to crypto state to specify the max h/w key index a
driver will return; this is used to allocate the key index mapping
table and to bounds check table loookups
o while here introduce ieee80211_keyix (finally) for the type of a h/w
key index
o change crypto notifiers for rx failures to pass the rx key index up
as appropriate (michael failure, replay, etc.)

Node table changes:
o optionally allocate a h/w key index to node mapping table for the
station table using the max key index setting supplied by drivers
(note the scan table does not get a map)
o defer node table allocation to lateattach so the driver has a chance
to set the max key id to size the key index map
o while here also defer the aid bitmap allocation
o add new ieee80211_find_rxnode_withkey api to find a sta/node entry
on frame receive with an optional h/w key index to use in checking
mapping table; also updates the map if it does a hash lookup and the
found node has a rx key index set in the unicast key; note this work
is separated from the old ieee80211_find_rxnode call so drivers do
not need to be aware of the new mechanism
o move some node table manipulation under the node table lock to close
a race on node delete
o add ieee80211_node_delucastkey to do the dirty work of deleting
unicast key state for a node (deletes any key and handles key map
references)

Ath driver:
o nuke private sc_keyixmap mechansim in favor of net80211 support
o update key alloc api

These changes close several race conditions for the ath driver operating
in ap mode. Other drivers should see no change. Station mode operation
for ath no longer uses the key index map but performance tests show no
noticeable change and this will be fixed when the scan table is eliminated
with the new scanning support.

Tested by: Michal Mertl, avatar, others
Reviewed by: avatar, others
MFC after: 2 weeks

Cleanup beacon/listen interval handling:
o separate configured beacon interval from listen interval; this
avoids potential use of one value for the other (e.g. setting
powersavesleep to 0 clobbers the beacon interval used in hostap
or ibss mode)
o bounds check the beacon interval received in probe response and
beacon frames and drop frames with bogus settings; not clear
if we should instead clamp the value as any alteration would
result in mismatched sta+ap configuration and probably be more
confusing (don't want to log to the console but perhaps ok with
rate limiting)
o while here up max beacon interval to reflect WiFi standard

Noticed by: Martin <nakal@nurfuerspam.de>
MFC after: 1 week

Fix handling of frames sent prior to a station being authorized
when operating in ap mode. Previously we allocated a node from the
station table, sent the frame (using the node), then released the
reference that "held the frame in the table". But while the frame
was in flight the node might be reclaimed which could lead to
problems. The solution is to add an ieee80211_tmp_node routine
that crafts a node that does exist in a table and so isn't ever
reclaimed; it exists only so long as the associated frame is in flight.

MFC after: 5 days

close a race between reclaiming a node when a station is inactive
and sending the null data frame used to probe inactive stations

MFC after: 5 days

bandaid ni_fails handling so ap's with association failures are
reconsidered after a bit; a proper fix involves more changes to
the scanning infrastructure

Reviewed by: avatar, David Young
MFC after: 5 days

the AREF flag is only meaningful in ap mode; adhoc neighbors now
are timed out of the sta/neighbor table

o move inactivity-related debug msgs under IEEE80211_MSG_INACT
o probe inactive neighbors in adhoc mode (they don't have an
association id so previously were being timed out)

MFC after: 3 days

split xmit of probe request frame out into a separate routine that
takes explicit parameters; this will be needed when scanning is
decoupled from the state machine to do bg scanning

MFC after: 3 days

simplify ic_newassoc callback

MFC after: 3 days

simplify ieee80211_ibss_merge api

MFC after: 3 days

simplify tim callback api

MFC after: 3 days

simplify ieee80211_node_authorize and ieee80211_node_unauthorize api's

MFC after: 3 days

simplifiy ieee80211_send_nulldata api

MFC after: 3 days

simplify rate set api's by removing ic parameter (implicit in node reference)

MFC after: 3 days

Fix race condition in handling node reference counts for authenticating
stations in ap mode. Track when a node's first auth frame is
received and use this to decide whether or not to bump the refcnt.
This insures we only ever bump the refcnt once.

Reviewed by: avatar
Approved by: re (scottl)

move AID implementation defines from the protocol definitions to
where they are used

Change the MLME ASSOCIATE ioctl to accept either a ssid, a bssid,
or a bssid+ssid. This is needed for later versions of wpa_supplicant
and for forthcoming addons to wpa_supplicant.

Note this is an api change and applications must be rebuilt.

avoid potential array index by -1

Noticed by: Coverity Prevent analysis tool

honor any desired bssid when creating an ibss

Prodded by: David Young
Obtained from: netbsd

propagate state kept in the bss node when re-creating the node
on state transitions; this is a stopgap measure, need to rethink
how we do management of this state

Identified by: Divy Le Ray

update node reference count debug msgs to include the node address
since the mac address may not be sufficient to uniquely identify a node

statically allocate the station/neighbor node table; the deferred
allocation scheme introduced a race condition during device state
transitions

when a station is timed out for inactivity, remove it from the table
so it isn't considered again

explicitly avoid timing out ourself due to inactivity; it
can easily happen if the bss is quiet

fix refcnt leak in adhoc mode: entries in the neighbor table
created due to rx'd frames had an extra reference

remove debug msg from ieee80211_iterate_nodes; it makes logs very noisy
as onoe rate control invokes this once a second

avoid possible null pointer deref when refcnt debugging is enabled; the
node may be orphaned

Submitted by: Tai-hwa Liang

Explicitly ignore ibss merge requests when the node is ic_bss. This can
happen on the first management frame received from a neighbor; we assume
any merge candidate will send more frames and those should be processed
with a suitable table entry.

Stepped on by: Tai-hwa Liang

Simplify the logic for checking the scan candidates at the end of a scan.
Hold a lock on the table instead of futzing with reference counts which
was potentially dangerous except drivers were quiescent while we did this
so the table contents never changed. Disable the hack logic for removing
scan candidates with multiple association failures; it's never done the
right thing and will be fixed correctly with background scanning goes in.

when scanning is interrupted reset state so table entries go in the station
table and not the scan table

Noticed by: Tai-hwa Liang

do fixed rate check when considering if a scan candidate is suitable so when
it's time to join the bss we can't get an error

Correct scan candidate selection logic for dual-band devices: prefer
candidate on 5Ghz channel to candidate on 2Ghz channel only when the
rssi are comparable (wasn't considering rssi).

bump copyright for 2005

fixup inactivity timers:
o ic_inact_auth is a bad name, it's the inactivity threshold
for being associated but not authorized; use it that way
o reset ni_inact when switching inactivity thresholds to
minimize the race against the timer (don't want to lock
for this stuff)
o change the inactivity probe threshold from a one-shot to
cover a range: when below this threshold but not expired
send a probe each inactivity interval; should probably
guard against the interval being turned way down as this
could cause us to spam the net with probes

compare pointers against NULL

make ap mode sta association debug msg as informative as sta mode

do 11g erp station management in turboG mode too

check if the node/station table is already present before creating one; this
can happen on an ibss merge

include phy mode in scan debug msg

Update 802.11 support; too much new functionality to fully describe
here but it includes completed 802.11g, WPA, 802.11i, 802.1x, WME/WMM,
AP-side power-save, crypto plugin framework, authenticator plugin framework,
and access control plugin frameowrk.

make malloc tag for ieee80211_node more recognizable

Note previous commit also purges all node table entries collected while
do scanning when operating in adhoc mode. This is necessary to insure
nodes in the table have a correct refcnt and driver-private state but is
suboptimal. A better solution is to probe undiscovered neighbors and use
the probe response to do the right thing (support for that comming in a
separate commit).

fix adhoc/ibss operation for drivers that require host support (e.g. ath):

o remove IEEE80211_C_RCVMGT capability
o on transmit craft new nodes as needed using new ieee80211_find_txnode routine
o add ieee80211_find_txnode routine to lookup a node by mac address and
if not present create one when operating in ibss/ahdemo mode; new nodes
are dup'd from bss and the driver is told to treat the node as if a new
association has been created so driver-private state (e.g. rate control
handling) is setup

Obtained from: netbsd (basic idea)

o change ieee80211_dup_bss to inherit explicit data from ic_bss instead of
blindy copying the node contents; this turns out to be a bad idea as we
add more state in the node for things like WPA
o track node allocation failures in ieee80211_dup_bss instead of the callers

Obtained from: madwifi

track node allocation failure stats in ieee80211_alloc_node instead
of each caller

Obtained from: madwifi

replace explicit malloc/free with MALLOC/FREE for portability

Obtained from: madwifi

extract node matching logic into new ieee80211_match_bss routine for use
in background/incremental scanning

Obtained from: madwifi

diff reduction against madwifi

o add support for controlling the power of transmitted frames
o add support for controlling the 11g protection mechanism used
to protect OFDM frames in a mixed 11b/g network

Reviewed by: imp

fix typo that broke AP scanning by BSSID

Submitted by: Len Widra

Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)

add statistics for all failures and/or abnormal events; still need
to add per-node statistics

parameterize locking to improve portability and possible
change to different locking strategies

Try yet again to deal with timing out nodes. We cannot hold the
node lock while sending a management frame as this will potentially
result in a LOR with a driver lock. This doesn't happen for the
Atheros driver but does for the wi driver. Use a generation number
to help process each node once when scanning the node table and
drop the node lock if we need to timeout a node and send a frame.

allocate node table entries with a specific malloc type

Generalize the per-node RSSI data so drivers can do more interesting
things than record a single value.

o add a per-node method for returning the "current RSSI" for a node
o create a default method that returns ni_rssi which is the rssi for
the last received frame
o use the per-node "get rssi" method to return data for the RID's
submitted by wicontrol, et. al.

Loosely based on work by Tom Marshall <tommy@home.tig-grr.com> for MADWIFI.

MFp4 changes to fix locking issues and correct reference
count handling of station entries in hostap mode:

Input path:

o driver is now expected to find the node associated with the
sender of a received frame; use ic_bss if none is located
o driver passes the (referenced) node into ieee80211_input for
use within the wlan module and is responsible for cleaning up
on return
o the antenna state is no longer passed up with each frame; this
is now considered driver-private state and drivers are responsible
for keeping it in the driver-private part of a node

Output path:

Revamp output path for management frames to eliminate redundant
locking that causes problems and to correct reference counting
bogosity that occurs when stations are timed out due to inactivity
(in AP mode). On output the refcnt'd node is stashed in the pkthdr's
recvif field (yech) and retrieved by the driver. This eliminates
an unref/ref scenario and related node table unlock/lock due to the
driver looking up the node. This is particularly important when
stations are timed out as this causes a lock order reversal that
can result in a deadlock. As a byproduct we also reduce the overhead
for sending management frames (minimal). Additional fallout from
this is a change to ieee80211_encap to return a refcn't node for
tieing to the outbound frame. Node refcnts are not reclaimed until
after a frame is completely processed (e.g. in the tx interrupt
handler). This is especially important for timed out stations as
this deref will be the final one causing the node entry to be
reclaimed.

Additional semi-related changes:
o replace m_copym use with m_copypacket (optimization)
o add assert to verify ic_bss is never free'd during normal operation
o add comments explaining calling conventions by drivers for frames
going in each direction
o remove extraneous code that "cannot be executed" (e.g. because
pointers may never be null)

Delay creating ic_bss until after the super-class has a chance
to override the method pointers for manipulating nodes; this fixes
a problem where the ic_bss node was not being created properly
for the ath driver causing the driver to scribble on random memory.

Noticed by: David Young <dyoung@pobox.com>

o change ieee80211_new_state handling to use a proper method that drivers
override in their sub-class; this eliminates the hack of interpreting the
EINPROGRESS return value to mean "don't do any of the normal work"
o correct active scanning so the first channel is only scanned once and so
per-channel passive mode is properly honored
o expose 802.11 FSM state names so every driver doesn't keep a private copy
o eliminate node parameter to ieee80211_begin_scan; it was not being used

insure ic_bss always has a "valid" channel; avoids problems where users could
query the state of a card and find a null channel since allocating the node
left ni_chan zero

revise copyright notices per discussion with Atsushi Onoe <onoe@sm.sony.co.jp>

new 802.11 layer:

o code reorg (relative to old netbsd-derived code) for future growth
o drivers now specify available channels and rates and 802.11 layer handles
almost all ifmedia actions
o multi-mode support for 11a/b/g devices
o 11g protocol additions (incomplete)
o new element id additions (for other than 11g)
o node/station table redone for proper locking and to eliminate driver
incestuousness
o split device flags and capabilities to reduce confusion and provide room
for expansion
o incomplete power management infrastructure (need to revisit)
o incomplete hooks for software retry
o more...