Commit Graph

949 Commits

Author SHA1 Message Date
adrian
151389a51e Fix a use-after-free node reference issue when waiting for a return
from a management frame transmission.

This bug is a bit loopy, so here goes.

The underlying cause is pretty easy to understand - the node isn't
referenced before passing into the callout, so if the node is deleted
before the callout fires, it'll dereference free'd memory.

The code path however is slightly more convoluted.

The functions _say_ mgt_tx - ie management transmit - which is partially
true.  Yes, that callback is attached to the mbuf for some management
frames.  However, it's only for frames relating to scanning and
authentication attempts.  It helpfully drives the VAP state back to
"SCAN" if the transmission fails _OR_ (as I subsequently found out!)
if the transmission succeeds but the state machine doesn't make progress
towards being authenticated and active.

Now, the code itself isn't terribly clear about this.

It _looks_ like it's just handling the transmit failure case.

However, when you look at what goes on in the transmit success case, it's
moving the VAP state back to SCAN if it hasn't changed state since
the time the callback was scheduled.  Ie, if it's in ASSOC or AUTH still,
it'll go back to SCAN.  But if it has transitioned to the RUN state,
the comparison will fail and it'll not transition things back to the
SCAN state.

So, to fix this, I decided to leave everything the way it is and merely
fix the locking and remove the node reference.

The _better_ fix would be to turn this callout into a "assoc/auth request"
timeout callback and make the callout locked, thus eliminating all races.
However, until all the drivers have been fixed so that transmit completions
occur outside of any locking that's going on, it's going to be impossible
to do this without introducing LORs.  So, I leave some of the evilness
in there.

Tested:

* AR5212, ath(4), STA mode
* 5100 and 4965 wifi, iwn(4), STA mode
2013-10-24 17:04:16 +00:00
adrian
a022b44571 Fix the "am I a net80211 vap" check for bpf listeners.
I changed it to use if_transmit a while ago but apparently with monitor
mode the if_transmit method is overridden.

This is (mostly) a workaround until a more permanent solution can be
found.

Submitted by:	Patrick Kelsey <kelsey@ieee.org>
Approved by:	re@ (gjb)
2013-10-10 19:56:31 +00:00
adrian
d3ddbbbab8 Create a new function to complete 802.11 mbuf transmission.
The aim of this function is to eventually be the completion entry point
for all 802.11 encapsulated mbufs.  All the wifi drivers end up doing
what is in this function so it's an easy win to turn it into a net80211
method and abstract out this code.

Ideally the drivers will all eventually be modified to queue up completed
mbufs and call this function with all the driver locks not held.
This will allow for some much more interesting software queue handling
in the future (like net80211 based A-MSDU, fast-frames, A-MPDU aggregation
and retransmission.)

Tested:

* ath(4), iwn(4)
2013-08-27 14:37:13 +00:00
adrian
ce40cb7097 Migrate the ff_encap1() routine out into the normal output code.
This will eventually be used by the A-MSDU encapsulation code that
I'm writing - the sub-frame encapsulation requirement is the same.
2013-08-26 09:52:05 +00:00
adrian
40e805bbd2 Add in some backwards compatability hacks to make -HEAD net80211 compile
on -9.
2013-08-22 05:53:47 +00:00
andre
328ae66ebf Reorder the mbuf defines to make more sense and group related flags
together.

Add M_FLAG_PRINTF for use with printf(9) %b indentifier.

Use the generic mbuf flags print names in the net80211 code and adjust
the protocol specific bits for their new positions.

Change SCTP M_PROTO mapping from 5 to 1 to fit within the 16bit field
they use internally to store some additional information.

Discussed with:	trociny, glebius
2013-08-19 14:25:11 +00:00
andre
653dac5a00 Migrate the net80211 protocol specific use of M_FRAG, M_FIRSTFRAG and
M_LASTFRAG flags to protocol specific flags.

Remove the now unused M_FRAG, M_FIRSTFRAG and M_LASTFRAG mbuf flags.

Discussed with:	trociny, glebius, adrian
2013-08-19 14:07:31 +00:00
andre
7cc6cc696c Add m_clrprotoflags() to clear protocol specific mbuf flags at up and
downwards layer crossings.

Consistently use it within IP, IPv6 and ethernet protocols.

Discussed with:	trociny, glebius
2013-08-19 13:27:32 +00:00
adrian
7fb3e64ee2 Don't return ENOTSUPP here - the net80211 pluggable ioctl API will treat
this as the final item in the linker set and not try others.

This stopped the fast frames IOCTLs from being called.
2013-08-18 23:40:30 +00:00
adrian
7bc0ae6019 Return the correct status if ieee80211_ff_check() consumes the mbuf.
I broke this when converting the net80211 TX path to use if_transmit.
2013-08-18 20:40:13 +00:00
rpaulo
b66e5efc0f Replace the homegrown implementation of nitems() with calls to nitems()
(param.h).

Operating systems that don't have nitems() can easily define it on their own
net80211 OS-specific header file.

Discussed with:		adrian
2013-08-14 04:24:25 +00:00
adrian
a2aef27368 Blank m_nextpkt before passing it up. 2013-08-12 22:27:53 +00:00
adrian
fea1a66936 When flushing packets from the powersave queue, make sure that
m_nextpkt is NULL before passing it up to the parent transmit
method.
2013-08-12 02:21:44 +00:00
adrian
5c0ad988c9 Add in missing m_free()'s during error conditions. 2013-08-10 21:46:58 +00:00
adrian
aa68907eda Convert net80211 over to using if_transmit for the dispatch from the
upper layer(s).

This eliminates the if_snd queue from net80211. Yay!

This unfortunately has a few side effects:

* It breaks ALTQ to net80211 for now - sorry everyone, but fixing
  parallelism and eliminating the if_snd queue is more important
  than supporting this broken traffic scheduling model. :-)

* There's no VAP and IC flush methods just yet - I think I'll add
  some NULL methods for now just as placeholders.

* It reduces throughput a little because now net80211 will drop packets
  rather than buffer them if the driver doesn't do its own buffering.
  This will be addressed in the future as I implement per-node software
  queues.

Tested:

* ath(4) and iwn(4) in STA operation
2013-08-08 05:09:35 +00:00
adrian
8897697280 Allow net80211 to compile on stable/9 and stable/8. 2013-08-07 22:01:43 +00:00
adrian
7096445057 Fix compilation when debugging is disabled. 2013-07-28 17:35:19 +00:00
adrian
302dbbc64e Commit the missing header change. 2013-07-28 16:50:45 +00:00
adrian
7594fa5c70 Refactor the VAP transmit path code into a utility function that both
the normal and the mesh transmit paths can use.

The API is a bit horrible because it both consumes the mbuf and frees
the node reference regardless of whether it succeeds or not.
It's a hold-over from how the code behaves; it'd be nice to have it
not free the node reference / mbuf if TX fails and let the caller
decide what to do.
2013-07-28 04:53:00 +00:00
rpaulo
d94b5d358f Add ieee80211_add_{qos,wpa,rsn}() functions since they are needed by an
OpenBSD driver that is being ported to FreeBSD.

Reviewed by:	adrian
2013-07-25 06:23:26 +00:00
alfred
89aac2b3a1 Make kassert_printf use __printflike.
Fix associated errors/warnings while I'm here.

Requested by: avg
2013-07-07 21:39:37 +00:00
adrian
ae37349274 Add a missing unlock. 2013-07-05 22:10:50 +00:00
adrian
266c009204 Document the current 11n rate selection shortcoming in the AMRR code. 2013-07-05 00:03:53 +00:00
adrian
1724725351 Implement basic 802.11n awareness in the PHY and AMRR rate control code.
* Add 802.11n 2ghz and 5ghz tables, including legacy rates and up to
  MCS23 rates (3x3.)

* Populate the rate code -> rate index lookup table with MCS _and_
  normal rates, but _not_ the basic rate flag.  Since the basic rate flag
  is the same as the MCS flag, we can only use one.

* Introduce some accessor inlines that do PLCP and rate table lookup/access
  and enforce that it doesn't set the basic rate bit.  They're not
  designed for MCS rates, so it will panic.

* Start converting drivers that use the rate table stuff to use the
  accessor inlines and strip the basic flag.

* Teach AMRR about basic 11n - it's still as crap for MCS as it is
  being used by iwn, so it's not a step _backwardS_.

* Convert iwn over to accept 11n MCS rates rather than 'translate' legacy
  to MCS rates.  It doesn't use a lookup table any longer; instead it's a
  function which takes the current node (for HT parameters) and the
  rate code, and returns the hardware PLCP code to use.

Tested:

* ath - it's a no-op, and it works that way
* iwn - both 11n and non-11n
2013-07-04 21:16:49 +00:00
rpaulo
19c9c3ef18 Don't panic the kernel if we run wpa_supplicant on a hostap VAP.
Reviewed by:	adrian
2013-06-29 06:36:42 +00:00
eadler
7df13c4780 Fix typo (dbM -> dBm)
Submitted by:	Daan@vitsch.nl
Reviewed by:	adrian
2013-06-14 23:04:31 +00:00
adrian
c7b7fe134d Don't hold the node lock over the iterator.
The "find node" function call will increase the node reference anyway;
so there's no reason to hold the node table lock during the MLME change.

The only reason I could think of is to stop overlapping mlme ioctls
from causing issues, but this should be fixed a different way.

This fixes a whole class of LORs that creep up when nodes are being
timed out or removed by hostapd.

Tested:

* AR5416, hostap, with nodes coming and going.  No LORs or stability
  issues were observed.
2013-06-07 09:03:56 +00:00
adrian
58d0c29676 Fix net80211 fragment creation.
When creating fragment frames, the header length should honour the
DATAPAD flag.

This fixes the fragments that are queued to the ath(4) driver but it
doesn't yet fix fragment transmission.  That requires further changes
to the ath(4) transmit path.  Well, strictly speaking, it requires
further changes to _all_ wifi driver transmit paths, but this is at least
a start.

Tested:

* AR5416, STA mode, w/ fragthreshold set to 256.
2013-05-25 06:28:30 +00:00
adrian
9bbb992f11 Fix a VAP BSS node reference in the HT code to actually take a reference
before using said node.

The "blessed" way here is to take a node reference before referencing
anything inside the node, otherwise the node can be freed between
the time the pointer is copied/dereferenced and the time the node contents
are used.

This mirrors fixes that I've done elsewhere in the net80211/driver
stack.

PR:		kern/178470
2013-05-10 09:37:58 +00:00
glebius
b4bc270e8f Add const qualifier to the dst parameter of the ifnet if_output method. 2013-04-26 12:50:32 +00:00
adrian
0128a675f3 Implement a utility function to return the current TX power cap for
the given node.

This takes into account the per-node cap, the ic cap and the
per-channel regulatory caps.

This is designed to replace references to ni_txpower in various net80211
drivers - ni_txpower doesn't necessarily reflect the actual cap for
the given node (eg if the node has the default value of 50dBm (100) and
the administrator has manually configured a lower TX power.)
2013-04-16 20:36:32 +00:00
adrian
d607a69714 Add VNET wrappers around the rest of the ieee80211 rtsock messages.
I triggered the cac/radar messages when doing testing in DFS channels.
2013-03-20 02:42:52 +00:00
adrian
e4cecd0fe3 Kill this, it's not needed at this point and (hopefully) the parent
has correctly locked the ic/vap.
2013-03-10 04:38:06 +00:00
adrian
7c437f512e Fix another compiler warning issue when invariants are disabled. 2013-03-09 15:35:31 +00:00
adrian
11f27b0f39 Fix non-invariant compilation. 2013-03-09 05:20:33 +00:00
adrian
291b1e2469 Bring over my initial work from the net80211 TX locking branch.
This patchset implements a new TX lock, covering both the per-VAP (and
thus per-node) TX locking and the serialisation through to the underlying
physical device.

This implements the hard requirement that frames to the underlying physical
device are scheduled to the underlying device in the same order that they
are processed at the VAP layer.  This includes adding extra encapsulation
state (such as sequence numbers and CCMP IV numbers.)  Any order mismatch
here will result in dropped packets at the receiver.

There are multiple transmit contexts from the upper protocol layers as well
as the "raw" interface via the management and BPF transmit paths.
All of these need to be correctly serialised or bad behaviour will result
under load.

The specifics:

* add a new TX IC lock - it will eventually just be used for serialisation
  to the underlying physical device but for now it's used for both the
  VAP encapsulation/serialisation and the physical device dispatch.

  This lock is specifically non-recursive.

* Methodize the parent transmit, vap transmit and ic_raw_xmit function
  pointers; use lock assertions in the parent/vap transmit routines.

* Add a lock assertion in ieee80211_encap() - the TX lock must be held
  here to guarantee sensible behaviour.

* Refactor out the packet sending code from ieee80211_start() - now
  ieee80211_start() is just a loop over the ifnet queue and it dispatches
  each VAP packet send through ieee80211_start_pkt().

  Yes, I will likely rename ieee80211_start_pkt() to something that
  better reflects its status as a VAP packet transmit path.  More on
  that later.

* Add locking around the management and BAR TX sending - to ensure that
  encapsulation and TX are done hand-in-hand.

* Add locking in the mesh code - again, to ensure that encapsulation
  and mesh transmit are done hand-in-hand.

* Add locking around the power save queue and ageq handling, when
  dispatching to the parent interface.

* Add locking around the WDS handoff.

* Add a note in the mesh dispatch code that the TX path needs to be
  re-thought-out - right now it's doing a direct parent device transmit
  rather than going via the vap layer.  It may "work", but it's likely
  incorrect (as it bypasses any possible per-node power save and
  aggregation handling.)

Why not a per-VAP or per-node lock?

Because in order to ensure per-VAP ordering, we'd have to hold the
VAP lock across parent->if_transmit().  There are a few problems
with this:

* There's some state being setup during each driver transmit - specifically,
  the encryption encap / CCMP IV setup.  That should eventually be dragged
  back into the encapsulation phase but for now it lives in the driver TX path.
  This should be locked.

* Two drivers (ath, iwn) re-use the node->ni_txseqs array in order to
  allocate sequence numbers when doing transmit aggregation.  This should
  also be locked.

* Drivers may have multiple frames queued already - so when one calls
  if_transmit(), it may end up dispatching multiple frames for different
  VAPs/nodes, each needing a different lock when handling that particular
  end destination.

So to be "correct" locking-wise, we'd end up needing to grab a VAP or
node lock inside the driver TX path when setting up crypto / AMPDU sequence
numbers, and we may already _have_ a TX lock held - mostly for the same
destination vap/node, but sometimes it'll be for others.  That could lead
to LORs and thus deadlocks.

So for now, I'm sticking with an IC TX lock.  It has the advantage of
papering over the above and it also has the added advantage that I can
assert that it's being held when doing a parent device transmit.
I'll look at splitting the locks out a bit more later on.

General outstanding net80211 TX path issues / TODO:

* Look into separating out the VAP serialisation and the IC handoff.
  It's going to be tricky as parent->if_transmit() doesn't give me the
  opportunity to split queuing from driver dispatch.  See above.

* Work with monthadar to fix up the mesh transmit path so it doesn't go via
  the parent interface when retransmitting frames.

* Push the encryption handling back into the driver, if it's at all
  architectually sane to do so.  I know it's possible - it's what mac80211
  in Linux does.

* Make ieee80211_raw_xmit() queue a frame into VAP or parent queue rather
  than doing a short-cut direct into the driver.  There are QoS issues
  here - you do want your management frames to be encapsulated and pushed
  onto the stack sooner than the (large, bursty) amount of data frames
  that are queued.  But there has to be a saner way to do this.

* Fragments are still broken - drivers need to be upgraded to an if_transmit()
  implementation and then fragmentation handling needs to be properly fixed.

Tested:

* STA - AR5416, AR9280, Intel 5300 abgn wifi
* Hostap - AR5416, AR9160, AR9280
* Mesh - some testing by monthadar@, more to come.
2013-03-08 20:23:55 +00:00
adrian
6c5725b06d Disable this variable; the code using it is also disabled. 2013-02-18 01:37:55 +00:00
adrian
4089ecb7c4 Disable this code and add a note as to why.
It wasn't currently being called anyway - but being explicit about it
can't hurt.
2013-02-18 01:08:59 +00:00
adrian
8261579eca Fix an incorrect sizeof()
Spotted by:	clang

Submitted by:	dim
2013-02-16 00:12:21 +00:00
monthadar
095b73eee8 Mesh: QoS Control field bit flags fix.
* The following bit flags where incroccetly defined:
    o Mesh Control Present
    o Mesh Power Save Level
    o RSPI
  This is now corrected according to Table 8.4 as per IEEE 802.11 2012;

Approved by:	adrian (mentor)
2013-02-14 20:00:38 +00:00
glebius
f03c14c9a7 Substitute '#ifdef ALIGNED_POINTER' with '#ifndef __NO_STRICT_ALIGNMENT',
since the former is defined everywhere. This cuts off some code not
necessary on non strict aligment arches.

Reviewed by:	adrian
Sponsored by:	Nginx, Inc.
2013-02-12 11:24:37 +00:00
adrian
cfebb21d99 Fix ieee80211_mesh.c compilation.
* Add the superg.h header to allow ieee80211_check_ff() to work
* Since the assert stuff creates assertions based on line numbers and there
  was a conflict, just nudge things down a bit.
2013-02-08 09:11:55 +00:00
monthadar
541d8676f1 Mesh: recevied GANN frames where not parsed correctly.
* Added mesh_parse_meshgate_action that parse all values to host endian;
* Add more detailed debug output;

Approved by:	adrian (mentor)
2013-02-07 21:32:09 +00:00
monthadar
2587b68b1c Mesh HWMP forwarding information: updating FI for transmitter.
* Added hwmp_update_transmitter function that checks if the metric
  to the transmitter have improved. If old FI is invalid or metric
  is larger the FI to the transmitter is updated occurdingly.
  This is a recommendation from the 802.11 2012 standard, table 13-9;

Approved by:	adrian (mentor)
2013-02-07 21:31:37 +00:00
monthadar
6c23af63de Mesh HWMP PERR bug fixes.
* When calling ieee80211_mesh_rt_flush_peer, the rt->rt_dest argument
  should not be passed because it can get freed before invalidating
  the other routes that depends on it to compare with next_hop.
  Use PERR_DADDR(i) instead;

Approved by:	adrian (mentor)
2013-02-07 21:30:58 +00:00
monthadar
ecd76b4133 Mesh bug: debug infomartion showing swapped SA and DA address.
* Fix bug for "forward frame from SA(%6D), DA(%6D)" where addresses where
  swapped between SA and DA;

Approved by:	adrian (mentor)
2013-02-07 21:30:29 +00:00
monthadar
3e303ed5b8 Update ddb to print mesh routing table.
* Modified _db_show_vap and _db_show_com to print mesh routing table
  if the 'm' modifier is specified;

Approved by:	adrian (mentor)
2013-02-07 21:29:48 +00:00
monthadar
422806540d Mesh HWMP PREQ: fixed conditions for discarding elements.
Approved by:	adrian (mentor)
2013-02-07 21:29:14 +00:00
monthadar
94b538df94 Mesh HWMP: don't send an intermediate PREP for proxy entries.
* The standard is unclear about what should happen in case a mesh STA (not
  marked as a mesh gate) recevies a PREQ for a destination that is marked
  as proxy. Solution for now is not to do intermediate reply at all, and
  let the PREQ reach the mesh gate;

Approved by:	adrian (mentor)
2013-02-07 21:28:25 +00:00
monthadar
989940d9ef Mesh HWMP PREQ update: proxy reply only if mesh STA is a meshgate.
* Original PREP frame is transmitted only by the target mesh STA or the
  mesh STA that is the proxy target;
* Fixed so that metric value is not over written incorrectly in
  hwmp_recv_preq for when replying back with a PREP;

Approved by:	adrian (mentor)
2013-02-07 21:27:40 +00:00