specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
(1) bpf peer attaches to interface netif0
(2) Packet is received by netif0
(3) ifp->if_bpf pointer is checked and handed off to bpf
(4) bpf peer detaches from netif0 resulting in ifp->if_bpf being
initialized to NULL.
(5) ifp->if_bpf is dereferenced by bpf machinery
(6) Kaboom
This race condition likely explains the various different kernel panics
reported around sending SIGINT to tcpdump or dhclient processes. But really
this race can result in kernel panics anywhere you have frequent bpf attach
and detach operations with high packet per second load.
Summary of changes:
- Remove the bpf interface's "driverp" member
- When we attach bpf interfaces, we now set the ifp->if_bpf member to the
bpf interface structure. Once this is done, ifp->if_bpf should never be
NULL. [1]
- Introduce bpf_peers_present function, an inline operation which will do
a lockless read bpf peer list associated with the interface. It should
be noted that the bpf code will pickup the bpf_interface lock before adding
or removing bpf peers. This should serialize the access to the bpf descriptor
list, removing the race.
- Expose the bpf_if structure in bpf.h so that the bpf_peers_present function
can use it. This also removes the struct bpf_if; hack that was there.
- Adjust all consumers of the raw if_bpf structure to use bpf_peers_present
Now what happens is:
(1) Packet is received by netif0
(2) Check to see if bpf descriptor list is empty
(3) Pickup the bpf interface lock
(4) Hand packet off to process
From the attach/detach side:
(1) Pickup the bpf interface lock
(2) Add/remove from bpf descriptor list
Now that we are storing the bpf interface structure with the ifnet, there is
is no need to walk the bpf interface list to locate the correct bpf interface.
We now simply look up the interface, and initialize the pointer. This has a
nice side effect of changing a bpf interface attach operation from O(N) (where
N is the number of bpf interfaces), to O(1).
[1] From now on, we can no longer check ifp->if_bpf to tell us whether or
not we have any bpf peers that might be interested in receiving packets.
In collaboration with: sam@
MFC after: 1 month
rather than in ifindex_table[]; all (except one) accesses are
through ifp anyway. IF_LLADDR() works faster, and all (except
one) ifaddr_byindex() users were converted to use ifp->if_addr.
- Stop storing a (pointer to) Ethernet address in "struct arpcom",
and drop the IFP2ENADDR() macro; all users have been converted
to use IF_LLADDR() instead.
- WEP TX fix:
The original code called software crypto, ieee80211_crypto_encap(),
which never worked since IEEE80211_KEY_SWCRYPT was never flagged due to
ieee80211_crypto_newkey() assumes that wi always supports hardware based
crypto regardless of operational mode(by virtue of IEEE80211_C_WEP).
This fix works around that issue by adding wi_key_alloc() to force
the use of s/w crypto. Also if anyone ever decides to cleanup ioctl
handling where key changes wouldn't cause a call to wi_init() every time,
we'll need wi_key_alloc() to DTRT.
In addition to that, this fix also adds code to wi_write_wep() to force
existing keys to be switched between h/w and s/w crypto such that an
operation mode change(sta <-> hostap) will flag IEEE80211_KEY_SWCRYPT
properly.
- WEP RX fix:
Clear IEEE80211_F_DROPUNENC even in hostap mode. Quote from Sam:
"This is really gross but I don't see an easy way around it.
By doing it we lose the ability to independently drop unencode
frames (and support mixed wep/!wep use). We should really be
setting the EXCLUDE_UNENCRYPTED flag written in wi_write_wep
based on IEEE80211_F_DROPUNENC but with our clearing it we can't
depend on it being set properly."
Reported by: Holm Tiffe <holm at freibergnet dot de>
Submitted by: sam
MFC after: 3 days
could get an interrupt after we free the ifp, and the interrupt
handler depended on the ifp being still alive, this could, in theory,
cause a crash. Eliminate this possibility by moving the if_free to
after the bus_teardown_intr() call.
for the spl-era locking, but now that we can have multiple, concurrent
interrupts for multiple wi devices, having a global check to make sure
at most one of them was in wi_cmd no longer makes sense.
MFC After: 2 decifortnight
o add ic_curchan and use it uniformly for specifying the current
channel instead of overloading ic->ic_bss->ni_chan (or in some
drivers ic_ibss_chan)
o add ieee80211_scanparams structure to encapsulate scanning-related
state captured for rx frames
o move rx beacon+probe response frame handling into separate routines
o change beacon+probe response handling to treat the scan table
more like a scan cache--look for an existing entry before adding
a new one; this combined with ic_curchan use corrects handling of
stations that were previously found at a different channel
o move adhoc neighbor discovery by beacon+probe response frames to
a new ieee80211_add_neighbor routine
Reviewed by: avatar
Tested by: avatar, Michal Mertl
MFC after: 2 weeks
IFF_DRV_RUNNING, as well as the move from ifnet.if_flags to
ifnet.if_drv_flags. Device drivers are now responsible for
synchronizing access to these flags, as they are in if_drv_flags. This
helps prevent races between the network stack and device driver in
maintaining the interface flags field.
Many __FreeBSD__ and __FreeBSD_version checks maintained and continued;
some less so.
Reviewed by: pjd, bz
MFC after: 7 days
o separate configured beacon interval from listen interval; this
avoids potential use of one value for the other (e.g. setting
powersavesleep to 0 clobbers the beacon interval used in hostap
or ibss mode)
o bounds check the beacon interval received in probe response and
beacon frames and drop frames with bogus settings; not clear
if we should instead clamp the value as any alteration would
result in mismatched sta+ap configuration and probably be more
confusing (don't want to log to the console but perhaps ok with
rate limiting)
o while here up max beacon interval to reflect WiFi standard
Noticed by: Martin <nakal@nurfuerspam.de>
MFC after: 1 week
0. This means that we 'succeed' the attach, even after we've freed
the internal data bits. This leads to a panic when you eject the card
with this problem.
Set error = ENXIO in the mac read zeros case.
over iteration of their multicast address lists when synchronizing the
hardware address filter with the network stack-maintained list.
Problem reported by: Ed Maste (emaste at phaedrus dot sandvine dot ca>
MFC after: 1 week
Provide a backwards compatible way to have the extra macro by defining
PCCARD_API_LEVEL 5 before including pccarddevs for driver writers that
want/need to have the same driver on 5 and 6 with pccard attachments.
Approved by: re (dwhite)
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.
This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.
Other changes of note:
- Struct arpcom is no longer referenced in normal interface code.
Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
To enforce this ac_enaddr has been renamed to _ac_enaddr.
- The second argument to ether_ifattach is now always the mac address
from driver private storage rather than sometimes being ac_enaddr.
Reviewed by: sobomax, sam
variables in internal blocks.
Also, go ahead and fail if we can't load the firmware. It should have
failed like this, but never did (firmware loads generally don't fail).
CIS, weren't actually used anywhere (other than the generic PC Card
code when certain variables are defined). They aren't used in NetBSD
either. Make things simpler by removing them. Change PLANEX_2 to
PLANEX and tweak wi and owi to use that instead. The PLANEX id seems
to actually be pci ID assigned to planex, not its pcmcia id. Ooops.
I don't know if this is a reporting error from where this entry came
from, or if it is a mistake on PLANEX's part. I suspect the latter,
as ACTIONTEC and NEWMEDIA made the same mistake (although new media
may be because it uses an advansys chip inside). Make a note of this
in the file. The 0xc entires may be JEITA assigned, so note that as
well.
# This leaves just 3 entries that are totally unknown: airvast, archos
# and edimax although the arivast number is the same assigned to
# avertec in usb...
machine; instead use the intended entry points. There's still
too much incestuous knowledge about the internals of the
802.11 layer but this at least fixes adhoc mode.
o don't encapsulate on tx; the chip expect a raw frame w/o the crypto header
o clear the WEP bit in the 802.11 header on rx so the 802.11 layer doesn't
try to strip the crypto header
o clobber the "drop unencoded frames" state bit when privacy is enabled so
rx'd frames we pass up to the 802.11 layer are not discarded as unencrypted
This stuff will need to be redone if anyone decides to add WPA support.
your (network) modules as well as any userland that might make sense of
sizeof(struct ifnet).
This does not change the queueing yet. These changes will follow in a
seperate commit. Same with the driver changes, which need case by case
evaluation.
__FreeBSD_version bump will follow.
Tested-by: (i386)LINT
different cards that matched vendor/id, but weren't wi cards. This is
because the vendor foolishly didn't have unique product ids. Symbol
has a serial card that would otherwise match the wi driver, for
example...
Taken from a patch for xe posted by: Carlos Velasco
there's not dependencies on pccard symboles, such a dependency is not
necessary. This means that drivers that have multiple attachments can
not drag bogus devices into the kernel at load time.
We can't (yet) do this with pci and isa. Drivers written for them
actually do seem to have symbols that depend on these busses'
implementation code.
ndis not touched until other things can be tested.
clip/destroy the dB value contained in the wi(4)'s receive frames,
it doesn't match with the flag set in the radiotap header
(unperturbed dB versus dBm).
a new bpf_mtap2 routine that does the right thing for an mbuf
and a variable-length chunk of data that should be prepended.
o while we're sweeping the drivers, use u_int32_t uniformly when
when prepending the address family (several places were assuming
sizeof(int) was 4)
o return M_ASSERTVALID to BPF_MTAP* now that all stack-allocated
mbufs have been eliminated; this may better be moved to the bpf
routines
Reviewed by: arch@ and several others
versions of the firmware. It responds more slowly to commands, and we
bogusly failed them. We assume that all versions of the intersil
firmware before 1.0 are 10 times slower and will give it 10x the time
to finish.
# for 5.2 we should always just assume 5s.
o Back out workaround for not resetting lucent cards more than once. With
these fixes, it appaers they are no longer necessary.
o Set wi_gone when the card goes awol: typically when we get 0xffff back from
the card. Also, don't interact with a card that's gone, so we fail in
seconds rather than minutes. Also reduce amount of time we wait to .5s
in wi_cmd.
o clear wi_gone on ifconfig down to give some cards a chance after they wedge
(this appears to unwedge one of my prism cards with old firmware). ifconfig
up will fail quickly enough if the card really is out to lunch.
o Add delay in wi_init of 100ms.
o wi_stop(ifp, 0->1) changes so that we clear sc_enabled so that we
exit out of the interrupt routine by just acking the interrupt
Submitted by: iedowse
Approved by: re@ (scottl)
# after the freeze I'll fix some of the minor style issues that reviewers
# of this patch have told me about.
operating mode to HostAP, the card will lock up indefinitely (but
the wi(4) driver can recover if you eject the card). The problem is
that the card needs to be "reset" in a way before you even change the
media to hostap. In practice this isn't as noticeable because you
probably do some operation beforehand which prevents the lock-up
before you enable hostap mode.
e.g.:
"ifconfig wi0 up media autoselect mediaopt hostap" will lock up
(if you just inserted the card).
"ifconfig wi0 up ssid foo media autoselect mediaopt hostap" won't lock up.
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.
Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)
count handling of station entries in hostap mode:
Input path:
o driver is now expected to find the node associated with the
sender of a received frame; use ic_bss if none is located
o driver passes the (referenced) node into ieee80211_input for
use within the wlan module and is responsible for cleaning up
on return
o the antenna state is no longer passed up with each frame; this
is now considered driver-private state and drivers are responsible
for keeping it in the driver-private part of a node
Output path:
Revamp output path for management frames to eliminate redundant
locking that causes problems and to correct reference counting
bogosity that occurs when stations are timed out due to inactivity
(in AP mode). On output the refcnt'd node is stashed in the pkthdr's
recvif field (yech) and retrieved by the driver. This eliminates
an unref/ref scenario and related node table unlock/lock due to the
driver looking up the node. This is particularly important when
stations are timed out as this causes a lock order reversal that
can result in a deadlock. As a byproduct we also reduce the overhead
for sending management frames (minimal). Additional fallout from
this is a change to ieee80211_encap to return a refcn't node for
tieing to the outbound frame. Node refcnts are not reclaimed until
after a frame is completely processed (e.g. in the tx interrupt
handler). This is especially important for timed out stations as
this deref will be the final one causing the node entry to be
reclaimed.
Additional semi-related changes:
o replace m_copym use with m_copypacket (optimization)
o add assert to verify ic_bss is never free'd during normal operation
o add comments explaining calling conventions by drivers for frames
going in each direction
o remove extraneous code that "cannot be executed" (e.g. because
pointers may never be null)
PCG-505BX (for example) has one of those:
wi0: <Intersil Prism3> mem 0xf8000000-0xf8000fff at device 2.0 on pci2
wi0: 802.11 address: 00:02:8a:94:d8:73
wi0: using RF:PRISM3(Mini-PCI)
wi0: Intersil Firmware: Primary (1.1.1), Station (1.5.6)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
function unless the device is configured up. Without this fix, the
device ends up in the RUNNING state even though it is configured down.
Also, check the RUNNING flag before calling the if_start function, in
case the if_init function failed for one reason or another.
newer lucent/hermes firmware than indicated (investigating). I'm committing
this now since it shouldn't hurt anything.
o Vaguely related, add bogus frame length check from netbsd.
Obtained from: netbsd
Add two new arguments to bus_dma_tag_create(): lockfunc and lockfuncarg.
Lockfunc allows a driver to provide a function for managing its locking
semantics while using busdma. At the moment, this is used for the
asynchronous busdma_swi and callback mechanism. Two lockfunc implementations
are provided: busdma_lock_mutex() performs standard mutex operations on the
mutex that is specified from lockfuncarg. dftl_lock() is a panic
implementation and is defaulted to when NULL, NULL are passed to
bus_dma_tag_create(). The only time that NULL, NULL should ever be used is
when the driver ensures that bus_dmamap_load() will not be deferred.
Drivers that do not provide their own locking can pass
busdma_lock_mutex,&Giant args in order to preserve the former behaviour.
sparc64 and powerpc do not provide real busdma_swi functions, so this is
largely a noop on those platforms. The busdma_swi on is64 is not properly
locked yet, so warnings will be emitted on this platform when busdma
callback deferrals happen.
If anyone gets panics or warnings from dflt_lock() being called, please
let me know right away.
Reviewed by: tmm, gibbs
o add back rx monitor support
o make WI_RID_SCAN_RES DTRT
o fix a bug handling zero-length RID requests (used by dstumbler to set
a zero-length SSID)
o make RID_SCAN_REQ DTRT
o add back WI_RID_OWN_SSID
o fix wi_scan_ap to take a channel mask and txrate (for prism cards)
These changes fix dstumbler -o (monitor mode). A minor change to dstumbler
is needed to get normal AP scanning mode to work right; this is preferred to
modifying the driver.
PR: kern/53187
Reviewed by: Bruce M Simpson <bms@spc.org>
than once. This appears to work around the hanging issues, at the
expense of warnings about bad RID allocations. I'm not sure this is a
permanant workaround, but does appear to help in the tests that I've
done here.
that one cannot generally hold a lock and call bus_teardown_intr.
This is race free with wi_intr because bus_teardown_intr won't allow
wi_intr to be called after it returns.
# jeff hsu points out that there might be a race between this unlock
# and wi_start. While that may be true also, it won't impact this commit.
Submitted by: jhb
firmware 1.50.12, but 2.20.1 and 3.10.4 work. The 1.50.12 card gets
past doing dhclient, but hangs on transmit a little after the ip
address is set. The 1.50.12 card has always been 'cranky' and Bill
Paul's tearing it apart at FreeBSD '99 hasn't helped.
sc_reset and sc_enable are subtlely different things. sc_reset means
exactly "WI_CMD_INI has happened." sc_enabled means "WI_CMD_ENABLE
has been sent to the card without a WI_CMD_DISABLE following." This
is a little different than what they mean on NetBSD (where both of
these concepts are comingled). NetBSD will try to only enable symbol
cards once, while FreeBSD only sends the WI_CMD_INI once.
Also, only try once to reset the card on a symbol.
This makes the lucent cards no worse than before, but apparently not
much better either. I got fewer hangs in my testing than I have in
the past, but I don't know if it is statistically significant or not.