It turns out that ieee80211_start_scan_locked() is only ever called by
the swscan code and it won't likely be required by firmware scanning
implementations.
So, don't bother keeping it in ieee80211_scan.c and it likely won't
become an API call.
Tested:
* Intel 5100, STA mode
* AR5416, STA mode
to us. Instead, advertise what we can do based on what the AP says and what
we're capped at by the VAP settings.
For non-STA modes we still advertise what our VAP settings are.
It may be that I've over-complicated this and instead of capping things
we can just always announce what we're capable of. But this should at least
stop the blatantly wrong handling of A-MPDU parameters.
(I'll happily simplify things if someone can dig up a replacement, better
compliant behaviour.)
PR: kern/176201
However, IBSS merge will be performed only if a driver calls
ieee80211_ibss_merge(); so, this is applicable to the ath(4) only.
Also, this should fix bug 167870.
PR: kern/199632
Submitted by: Andriy Voskoboinyk <s3erios@gmail.com>
This may happen on RUN -> SCAN -> RUN -> SCAN state transition:
1. RUN -> SCAN: in ieee80211_sta_join1(): iv_bss will be moved to obss,
refcnt will be reduced by 2 (default minimum).
Now, if old iv_bss have some extra references (for example, from
unacknowledged probe responses), it will not be freed and will stay
in the node table.
2. SCAN -> RUN.
3. If old iv_bss will not be deleted by the time when the next RUN -> SCAN
state transition occurs, then sta_leave() will reduce its reference
counter once more. As a result, two last users will free it -> this will
lead to kernel panic.
In this patch old iv_bss entry is explicitly removed from the node table in
ieee80211_sta_join1() (as a result, it will not be processed by sta_leave()).
PR: kern/199676
Differential Revision: Andriy Voskoboinyk <s3erios@gmail.com>
There's a bug in the ticks handling where when initialised at '0', once
the ticks counter wrapped the comparison math would never trigger.
The pps calculation would never happen, and thus aggregation was never
enabled.
It manifests itself as "oh you only get 11n transmit aggregation for the
first 10 minutes of uptime."
I'm sure there are other ticks related issues lurking in net80211.
Tested:
* ath / iwn, both with 'wlandebug +11n' and a little bit of iperf to
kick off the transmit A-MPDU negotiation once the pps gets high enough.
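The failure described in the message above can be reproduced with a simplified model. This is an added example, not net80211 code: the tick rate, the boot value of the counter, the `pps_state` layout and the helper names are assumptions, and seeding the timestamp from the current tick is an assumed remedy, since the message does not show the actual change.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ         1000                          /* assumed tick rate */
#define WRAP_SECS  (10 * 60)                     /* wrap point, per the message */
#define TICKS_BOOT (INT32_MAX - WRAP_SECS * HZ)  /* assumed boot value */

/* Tick counter after `secs` seconds of uptime, wrapping like a 32-bit int. */
static int32_t ticks_at(uint32_t secs)
{
    return (int32_t)((uint32_t)TICKS_BOOT + secs * (uint32_t)HZ);
}

/* Wrap-safe signed distance between two tick values. */
static int32_t ticks_since(int32_t now, int32_t last)
{
    return (int32_t)((uint32_t)now - (uint32_t)last);
}

struct pps_state {
    int32_t  lastsample;  /* tick value of the previous pps calculation */
    unsigned pkts;        /* packets counted since then */
    unsigned avgpps;      /* last computed packets per second */
};

/* Count one packet; recompute pps once at least one second has elapsed. */
static void count_packet(struct pps_state *s, int32_t now)
{
    if (ticks_since(now, s->lastsample) >= HZ) {
        s->avgpps = s->pkts;
        s->pkts = 0;
        s->lastsample = now;
    }
    s->pkts++;
}

/* Create a sampler at uptime start_secs and send `rate` packets per second
 * for run_secs. seed == 0 leaves lastsample at 0; seed == 1 uses the tick. */
static unsigned simulate(uint32_t start_secs, uint32_t run_secs,
                         unsigned rate, int seed)
{
    struct pps_state s = { 0, 0, 0 };
    if (seed)
        s.lastsample = ticks_at(start_secs);
    for (uint32_t sec = 0; sec < run_secs; sec++)
        for (unsigned p = 0; p < rate; p++)
            count_packet(&s, ticks_at(start_secs + sec));
    return s.avgpps;
}

int main(void)
{
    printf("zero-init, before wrap: %u pps\n", simulate(0, 5, 200, 0));
    printf("zero-init, after wrap:  %u pps\n", simulate(900, 5, 200, 0));
    printf("tick-init, after wrap:  %u pps\n", simulate(900, 5, 200, 1));
    return 0;
}
```

A sampler whose timestamp starts at 0 after the counter has gone negative reports 0 pps however much traffic it counts, so any threshold that waits for a high enough pps is never reached.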
configured as 11b.
This came up when debugging other issues surrounding scanning and
channel modes.
What's going on:
* The VAP comes up as an 11b VAP, but on an 11n capable NIC;
* .. it announces HTINFO and MCS rates;
* The AP thinks it's an 11n capable device and transmits 11n frames
to the STA;
* But the STA is in 11b mode, and thus doesn't receive/ACK the frames.
It didn't happen for the ath(4) devices as the AR5416/AR9300 HALs
unconditionally enable MCS frame reception, even if the channel
mode is not 11n. But the Intel NICs are configured in 11b/11a/11g
modes when doing those, even if 11n is enabled and available.
So, don't announce 11n capabilities if the VAP isn't on an 11n
channel when sending management association request / reassociation
request frames.
TODO:
* Lots more testing - 11n should be "upgraded" after association,
and I just want to make sure I haven't broken 11n upgrade.
I shouldn't have - this is only happening for /sending/ association
requests, which APs aren't doing.
Tested:
* ath(4) APs (AR9331, AR7161+AR9280, AR934x)
* AR5416, STA mode
* Intel 5100, STA mode
PR: kern/196290
of the scan API.
The eventual aim is to have 'ieee80211_scan.c' have the net80211 and
driver facing scan API to start, finish and continue doing scanning
while 'ieee80211_swscan.c' implements the software scanner that
runs the scan task, handles probe request/reply bits, configures
the VAP off-channel, changes channel and does the scanning bits.
For NICs that do no scanning at all, the existing code is needed.
ath(4) and most of the other NICs (dumb USB ones in particular)
do little to no scan offload - it's all done in software.
Some NICs may do single channel at a time scanning; I haven't really
checked them out in detail.
iwn(4), the upcoming 7260 driver stuff, the new Qualcomm Atheros
11ac chipsets and the Atheros mobile/USB full-offload chips all
have complete scan engines in firmware. We don't have to drive
any of it at all - the firmware just needs to be told what to scan,
when to scan, how long to scan. It'll take care of going off
channel, pausing TX/RX appropriately, sending sleep notification
to the AP, sending probe requests and handling probe responses.
It'll do passive/active scan itself. It's almost completely
transparent to the network stack - all we see are scan notifications
when it finishes scanning each channel and beacons/probe responses
when it does its thing. Once it's done we get a final notification
that the scan is complete, with some scan results in the message.
The iwn(4) NICs handle doing active scanning too as an option
and will handle waiting appropriately on 5GHz passive channels
before active scanning.
There's some more refactoring, tidying up and lock assertions to
sprinkle around to tidy this whole thing up before I turn swscan.c
into another set of ic methods to override by the driver or
alternate scan module. So in theory this is all one big no-op
commit. In theory.
Tested:
* iwn(4) 5200, STA mode
* ath(4) 6205, STA mode
* ath(4) - various NICs, AP mode
the knowledge of mbuf layout, and in particular constants such as M_EXT,
MLEN, MHLEN, and so on, in mbuf consumers by unifying various alignment
utility functions (M_ALIGN(), MH_ALIGN(), MEXT_ALIGN()) in a single
M_ALIGN() macro, implemented by a now-inlined m_align() function:
- Move m_align() from uipc_mbuf.c to mbuf.h; mark as __inline.
- Reimplement M_ALIGN(), MH_ALIGN(), and MEXT_ALIGN() using m_align().
- Update consumers around the tree to simply use M_ALIGN().
This change eliminates a number of cases where mbuf consumers must be aware
of whether or not mbufs returned by the allocator use external storage, but
also assumptions about the size of the returned mbuf. This will make it
easier to introduce changes in how we use external storage, as well as
features such as variable-size mbufs.
Differential Revision: https://reviews.freebsd.org/D1436
Reviewed by: glebius, trasz, gnn, bz
Sponsored by: EMC / Isilon Storage Division
to awake transition as well as handle waking up a VAP in STA powersave
mode if it's in bgscan.
This was a reasonably hairy bug to try and figure out and it became
more obvious because of stuff I've done.
Specifically:
* a NIC would go into bgscan mode - either because of a bgscan timer
or wpa_supplicant asked it to;
* the AP would indicate there's traffic for the STA by setting the TIM
bitmap bit for it;
* mindwell would be met during scan, so it'd wake up and break out of
the scan loop in scan_task(), but
* because the scan wasn't completed, it wouldn't bring the VAP out of
STA mode powersave (so it wouldn't tell the AP about it and it would
block VAP TX);
* .. but because we kept seeing the TIM bit set, ic->ic_lastdata was
being constantly updated, and ..
* bgscancont() would thus never say "yes we can continue a bgscan"
so the bgscan would hang and never make progress.
Now, I do see this particular state occur on iwn(4) - /however/ -
this NIC has the firmware call ieee80211_scan_next() once the firmware
scan for that channel has completed. This has the effect of moving
the scan along to the next channel. I do see the debug that I'm adding
where we see a beacon with a TIM bit set whilst we're in bgscan, so
the condition about waking up to receive traffic is triggering.
It just won't cause a hang.
For other NICs - all of the USB ones and at least ath(4) -
ieee80211_scan_next() / ieee80211_scan_done() isn't called.
So it relies upon the mindwell timer, the beacon receive and the
beacon / probe response -> ieee80211_add_scan() to move along
the scan state.
In the above case, mindwell triggered, there's no beacons triggering
the scan_add code to move things along, and we weren't waking things
up when seeing the TIM set for us. So it just hung until the interface
was dropped.
So, the short-term fix here is to do what the comment in scan_task()
says - if we are in bgscan mode and we see our TIM bit set, just wake
up the VAP. If it's already awake then it's a nop. If we're awake
then we transition to awake and handle the traffic. Once there's no
TX or RX traffic going on, ic->ic_lastdata won't be updated anymore
and bgscancont() will continue.
This was triggered more often after my initial SLEEP state handling
for software sleep states - because now I update ic->ic_lastdata
upon seeing a TIM bit set, not just the RX of the subsequent traffic.
That's needed so the thing doesn't ping-pong up and down between
seeing the TIM bit set, sending the "I'm awake" NULL data frame, and
starting to receive data from the AP.
I'd like to subsequently split ic_lastdata into two - one for TX and
one for RX - so it becomes easier to use the correct one (or both!)
when making decisions like whether to scan, go to sleep, etc.
I'd appreciate this getting some further testing.
Tested:
* rsu(4), STA mode, bgscan on
* iwn(4), STA mode, bgscan on
that indicates we have traffic" bit and a "do something if we have
traffic bit."
I'm going to be fleshing out this stuff more over time and it'll make
more sense to have it broken out into two pieces here.
deal/log a warning if the scan flags change during one of those race
windows.
It's highly likely that I need to actually sit down and replace this
scan infrastructure at some point. It has some other side effects too -
the scan task is a blocking task scheduled in the net80211 taskqueue;
so drivers that use this taskqueue have other things not run. Eek.
If you see this printf happen then please let me know!
it's not just 11b/11g.
The following was happening, and it's quite .. annoyingly grr-y.
* create vap, setup wpa_supplicant with no bgscanning, etc - there's
no call to ieee80211_media_change, so vap->iv_des_mode is
IEEE80211_MODE_AUTO;
* do ifconfig wlan0 scan - same thing, media_change doesn't get called,
iv_des_mode stays as auto.
* But then, run wpa_cli and do 'scan' - it'll do a media change.
* if you're on 11ng, vap->iv_des_mode gets changed to IEEE80211_MODE_11NG
* Then makescanlist() is called. There's a block of code that gets
called if iv_des_mode != IEEE80211_MODE_AUTO, and it does this:
    if (vap->iv_des_mode != IEEE80211_MODE_11G ||
        mode != IEEE80211_MODE_11B)
            continue;
    mode = IEEE80211_MODE_11G; /* upgrade */
* .. now, iv_des_mode is not IEEE80211_MODE_11G, so it always runs
'continue'
* .. and thus the scan list stays empty and no further channel
scans occur. Ever.(1)
If you then disassociate and try associating to something, your
scan table has likely been purged / aged out and you'll never
see anything in the scan list.
(1) You need to do 'ifconfig wlan0 mode auto' or just destroy/re-create
the VAP to get working wireless again.
Tested:
* iwn(4) - intel 5300 wifi; STA mode; using wpa_supplicant; bgscan
enabled -and- wpa_supplicant scanning.
Thanks to:
* Everyone who kept poking me about this and wondering why the hell
their wifi would eventually stop seeing scan lists. Grr.
I eventually snapped this evening and dug back into this code.
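The empty scan list described in the message above, as an added example that is not the net80211 source: the enum is a local stand-in for the mode constants, the scan table and channel counts are constructed, and `keep_widened` is a hypothetical correction rather than the committed fix.

```c
#include <stddef.h>

/* Local stand-ins for the net80211 mode constants named in the message. */
enum phymode {
    IEEE80211_MODE_AUTO, IEEE80211_MODE_11A, IEEE80211_MODE_11B,
    IEEE80211_MODE_11G, IEEE80211_MODE_11NG
};

/* Constructed scan table; assumes 2.4 GHz channels are listed as 11b. */
struct scanent { enum phymode mode; int nchans; };
static const struct scanent table[] = {
    { IEEE80211_MODE_11B, 11 },
    { IEEE80211_MODE_11A, 24 },
};

/* Filter as quoted in the message: only an 11g request reuses 11b entries. */
static int keep_quoted(enum phymode des, enum phymode *mode)
{
    if (des != IEEE80211_MODE_11G || *mode != IEEE80211_MODE_11B)
        return 0;                       /* the 'continue' branch */
    *mode = IEEE80211_MODE_11G;         /* upgrade */
    return 1;
}

/* Hypothetical correction: an 11ng request may reuse 11b entries as well. */
static int keep_widened(enum phymode des, enum phymode *mode)
{
    if (*mode != IEEE80211_MODE_11B ||
        (des != IEEE80211_MODE_11G && des != IEEE80211_MODE_11NG))
        return 0;
    *mode = des;
    return 1;
}

/* Number of channels that reach the scan list for a desired mode. */
static int scanlist_len(enum phymode des,
                        int (*keep)(enum phymode, enum phymode *))
{
    int total = 0;
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        enum phymode mode = table[i].mode;
        /* The filter only runs when a specific mode was requested. */
        if (des != IEEE80211_MODE_AUTO && !keep(des, &mode))
            continue;
        total += table[i].nchans;
    }
    return total;
}
```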
- Wrong integer type was specified.
- Wrong or missing "access" specifier. The "access" specifier
sometimes included the SYSCTL type, which it should not, except for
procedural SYSCTL nodes.
- Logical OR where binary OR was expected.
- Properly assert the "access" argument passed to all SYSCTL macros,
using the CTASSERT macro. This applies to both static- and dynamically
created SYSCTLs.
- Properly assert the data type for both static and dynamic
SYSCTLs. In the case of static SYSCTLs we only assert that the data
pointed to by the SYSCTL data pointer has the correct size, hence
there is no easy way to assert types in the C language outside a
C-function.
- Rewrote some code which doesn't pass a constant "access" specifier
when creating dynamic SYSCTL nodes, which is now a requirement.
- Updated "EXAMPLES" section in SYSCTL manual page.
MFC after: 3 days
Sponsored by: Mellanox Technologies
I've decided that for 11n rates it's best to start (very) low and work
our way up.
So, from now on, the initial rate for AMRR 11n is MCS4.
It doesn't try MCS12 or MCS20 - at low signal strengths those don't
work very well at all.
AMRR will step the rate control up over time if things work out better.
Tested:
* Intel 5100
* Intel 5300 (using local diffs to test out 3x3 stream support)
The original commit was supposed to stop the ability to do raw frame
injection in monitor mode to arbitrary channels (whether supported
by regulatory or not) however it doesn't seem to have been followed
by any useful way of doing it.
Apparently AHDEMO is supposed to be that way, but it seems to require
too many fiddly things (disable scanning, set a garbage SSID, etc)
for it to actually be useful for spoofing things.
So for now let's just disable it and instead look to filter transmit
in the output path if the channel isn't allowed by regulatory.
That way monitor RX works fine but TX will be blocked.
I don't plan on MFC'ing this to -10 until the regulatory enforcement
bits are written.
request during SLEEP results in a hang.
Whilst I'm here, add in some disabled code that will transition to RUN
if there's multicast traffic. It's not needed for Atheros hardware but
it may be for other hardware.
Tested:
* AR5416, STA mode (powersave)
* AR5212, STA mode (powersave)
SLEEP rather than RUN.
Without this things like 'ifconfig wlan0 list sta' don't work when the
NIC is in power save.
Tested:
* AR5212, STA mode (with powersave)
* AR5416, STA mode (with powersave)
This transitions the VAP in and out of SLEEP state based on:
* whether there's been an active transmission in the last (hardcoded) 500ms;
* whether the TIM from the AP indicates there is data available.
It uses the beacon reception to trigger the active traffic check.
This way there's no further timer running to wake up the CPU
from its own sleep states.
Right now the VAP isn't woken up for multicast traffic - mostly because
the only NIC I plan on doing this for right now will auto wakeup and stay
awake for multicast traffic indicated in the TIM. So I don't have
to manually keep the hardware awake.
This doesn't do anything if the NIC doesn't advertise it implements
the new SWSLEEP capability AND if the VAP doesn't have powersave
enabled.
It also doesn't do much with ath(4) as it doesn't currently implement
the SLEEP state.
Tested:
* AR5416, STA mode (with local ath(4) changes)
Frames transmitted during SLEEP state should be queued in the
power save queue before waking the unit up. Otherwise DHCP
requests and such will be dropped if the NIC is asleep - the
NIC will wake up but not transmit the frame.
IPX was a network transport protocol in Novell's NetWare network operating
system from late 80s and then 90s. The NetWare itself switched to TCP/IP
as default transport in 1998. Later, in this century the Novell Open
Enterprise Server became successor of Novell NetWare. The last release
that claimed to still support IPX was OES 2 in 2007. Routing equipment
vendors (e.g. Cisco) discontinued support for IPX in 2011.
Thus, IPX won't be supported in FreeBSD 11.0-RELEASE.
The origin of WEP comes from IEEE Std 802.11-1997 where it defines
whether the frame body of MAC frame has been encrypted using WEP
algorithm or not.
IEEE Std. 802.11-2007 changes WEP to Protected Frame, indicates
whether the frame is protected by a cryptographic encapsulation
algorithm.
Reviewed by: adrian, rpaulo
decides to do nothing.
If this isn't done, then a scan request whilst a scan occurs in an active
channel set or a completed channel set will hang.
Tested:
* Intel 5100, STA mode
There were two bugs:
* If the initial lowest rate didn't go through the loop at least once,
the AMRR rate index would be the highest rate in the table
(eg the rix mapping to MCS15) but rate would stay at the default
value, namely 0.
This meant that the initial rate selection would be MCS15 _but_ the
node ni_txrate value would be MCS0.
* If the node is 11n, then break out of the loop correctly. Beforehand,
my initial 11n AMRR commit would immediately exit out as it would
fail the 11n check, then it would always fall through to the non-11n
rate which would then see if it was < 36mbit (ie, "72"), which would
always match. Hence, it'd always return MCS15.
Tested:
* Intel Centrino 2230 STA (local changes), STA mode
* Intel Wifi 5100, STA
For now, the AMRR code only knows about _either_ MCS or non-MCS rates.
It doesn't know how to downgrade (ie, doing 11b CCK rates if MCS0 isn't
reliable.)
PR: kern/183428
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
from a management frame transmission.
This bug is a bit loopy, so here goes.
The underlying cause is pretty easy to understand - the node isn't
referenced before passing into the callout, so if the node is deleted
before the callout fires, it'll dereference free'd memory.
The code path however is slightly more convoluted.
The functions _say_ mgt_tx - ie management transmit - which is partially
true. Yes, that callback is attached to the mbuf for some management
frames. However, it's only for frames relating to scanning and
authentication attempts. It helpfully drives the VAP state back to
"SCAN" if the transmission fails _OR_ (as I subsequently found out!)
if the transmission succeeds but the state machine doesn't make progress
towards being authenticated and active.
Now, the code itself isn't terribly clear about this.
It _looks_ like it's just handling the transmit failure case.
However, when you look at what goes on in the transmit success case, it's
moving the VAP state back to SCAN if it hasn't changed state since
the time the callback was scheduled. Ie, if it's in ASSOC or AUTH still,
it'll go back to SCAN. But if it has transitioned to the RUN state,
the comparison will fail and it'll not transition things back to the
SCAN state.
So, to fix this, I decided to leave everything the way it is and merely
fix the locking and remove the node reference.
The _better_ fix would be to turn this callout into a "assoc/auth request"
timeout callback and make the callout locked, thus eliminating all races.
However, until all the drivers have been fixed so that transmit completions
occur outside of any locking that's going on, it's going to be impossible
to do this without introducing LORs. So, I leave some of the evilness
in there.
Tested:
* AR5212, ath(4), STA mode
* 5100 and 4965 wifi, iwn(4), STA mode
I changed it to use if_transmit a while ago but apparently with monitor
mode the if_transmit method is overridden.
This is (mostly) a workaround until a more permanent solution can be
found.
Submitted by: Patrick Kelsey <kelsey@ieee.org>
Approved by: re@ (gjb)
The aim of this function is to eventually be the completion entry point
for all 802.11 encapsulated mbufs. All the wifi drivers end up doing
what is in this function so it's an easy win to turn it into a net80211
method and abstract out this code.
Ideally the drivers will all eventually be modified to queue up completed
mbufs and call this function with all the driver locks not held.
This will allow for some much more interesting software queue handling
in the future (like net80211 based A-MSDU, fast-frames, A-MPDU aggregation
and retransmission.)
Tested:
* ath(4), iwn(4)
together.
Add M_FLAG_PRINTF for use with printf(9) %b identifier.
Use the generic mbuf flags print names in the net80211 code and adjust
the protocol specific bits for their new positions.
Change SCTP M_PROTO mapping from 5 to 1 to fit within the 16bit field
they use internally to store some additional information.
Discussed with: trociny, glebius