Date: Fri, 25 Dec 2009 19:04:21 +0100 (CET) From: Andre Albsmeier <Andre.Albsmeier@siemens.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/142018: iwi: Possibly wrong interpretation of beacon->number in if_iwi.c Message-ID: <200912251804.nBPI4LvG079706@curry.mchp.siemens.de> Resent-Message-ID: <200912251820.nBPIK2uu010587@freefall.freebsd.org>
>Number: 142018
>Category: kern
>Synopsis: iwi: Possibly wrong interpretation of beacon->number in if_iwi.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 25 18:20:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Andre Albsmeier
>Release: FreeBSD 7.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD 7.2-STABLE #9: Wed Dec 23 20:32:46 CET 2009
using iwi driver
>Description:
In WLAN environments where beacon misses may happen occasionally,
iwi(4) might reassociate even if the set threshold (bmiss) is not
reached. sysctl debug.iwi=5 enables logging of beacon misses,
which are ridiculously high even after an uptime of only a
few minutes:
Beacon state (1, 19006982)
Beacon miss: 19006982 >= 10
Beacon state (1, 19007496)
Beacon miss: 19007496 >= 10
Beacon state (1, 19269126)
Beacon miss: 19269126 >= 10
Adding code to if_iwi.c which prints out the hex values
leads us to this picture:
iwi0: Beacon miss: 19006982 1220606
iwi0: Beacon miss: 19006982 1220606
iwi0: Beacon miss: 19007239 1220707
iwi0: Beacon miss: 19007496 1220808
iwi0: Beacon miss: 19269126 1260606
iwi0: Beacon miss: 19269383 1260707
iwi0: Beacon miss: 19269640 1260808
iwi0: Beacon miss: 19269126 1260606
iwi0: Beacon miss: 19269383 1260707
iwi0: Beacon miss: 19269640 1260808
^^^^^^^ hex values
It seems to be wrong to use all 32 bits of beacon->number in if_iwi.c.
However, if_iwi.c in 7.2 is the same as in RELENG_6, where the problem
didn't show up under the same conditions. It might depend on the contents
of other memory locations, stack, ...
>How-To-Repeat:
Use iwi in a WLAN environment where beacon misses happen.
Use sysctl debug.iwi=5 to see the debugging output. If the numbers
are reasonably low, you might not have been hit by the
problem, for the reasons mentioned above.
See also:
http://lists.freebsd.org/pipermail/freebsd-mobile/2009-December/011833.html
>Fix:
I am currently using this patch to mask out only the lower
8 bits of beacon->number in if_iwi.c:
--- if_iwi.c.ORI 2009-12-07 16:17:46.000000000 +0100
+++ if_iwi.c 2009-12-07 16:20:10.000000000 +0100
@@ -1508,9 +1508,9 @@
* 802.11 layer.
* XXX try to roam, drop assoc only on much higher count
*/
- if (le32toh(beacon->number) >= ic->ic_bmissthreshold) {
+ if ((le32toh(beacon->number) & 0xFF) >= ic->ic_bmissthreshold) {
DPRINTF(("Beacon miss: %u >= %u\n",
- le32toh(beacon->number),
+ le32toh(beacon->number) & 0xFF,
ic->ic_bmissthreshold));
ieee80211_beacon_miss(ic);
}
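Review bot: The `& 0xFF` in the `if` at the top of the hunk caps the count the driver can ever observe at 255, so an `ic_bmissthreshold` above 255 can never fire and the counter wraps silently every 256 misses; that limitation belongs in the XXX comment just above the hunk, since the 8-bit width is inferred from the logged words (the low byte climbs 06/07/08 while bits 8-15 climb in lockstep and bits 16-31 also change) rather than from a documented firmware layout. Also hoist the masked value into a local, e.g. `uint32_t nmiss = le32toh(beacon->number) & 0xFF;`, and use it in both the condition and the DPRINTF(), so the two can't drift apart.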
>Release-Note:
>Audit-Trail:
>Unformatted:
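The following is an added example, not the submitter's code and not taken from if_iwi.c. It takes the raw words from the hex column above (constructed here as the little-endian byte sequences the firmware would deposit in host memory), reassembles them the way le32toh() would, and applies both the original full-word comparison and the patched low-byte comparison at the bmissthreshold of 10 seen in the log. `le32_load()` is a portable stand-in for le32toh(), and `miss_unmasked()`/`miss_masked()` mirror the two `if` conditions from the patch; nothing else is assumed about the firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample data: the ten raw beacon->number words logged in the
 * PR (0x01220606, 0x01220606, 0x01220707, ...), stored byte-wise in the
 * little-endian order the firmware writes them.  Note that bytes 0 and 1
 * move in lockstep (06 06, 07 07, 08 08), which is visible in the log and
 * is why a plain 32-bit compare is suspect.
 */
static const uint8_t sample_words[][4] = {
    {0x06, 0x06, 0x22, 0x01}, {0x06, 0x06, 0x22, 0x01},
    {0x07, 0x07, 0x22, 0x01}, {0x08, 0x08, 0x22, 0x01},
    {0x06, 0x06, 0x26, 0x01}, {0x07, 0x07, 0x26, 0x01},
    {0x08, 0x08, 0x26, 0x01}, {0x06, 0x06, 0x26, 0x01},
    {0x07, 0x07, 0x26, 0x01}, {0x08, 0x08, 0x26, 0x01},
};
#define NSAMPLES (sizeof(sample_words) / sizeof(sample_words[0]))

/* Portable stand-in for le32toh(): build a host-order value from LE bytes. */
uint32_t le32_load(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Original condition in if_iwi.c: the whole word is the miss count. */
int miss_unmasked(uint32_t number, unsigned threshold)
{
    return number >= threshold;
}

/* Patched condition: only the low byte is the miss count (0..255). */
int miss_masked(uint32_t number, unsigned threshold)
{
    return (number & 0xFFu) >= threshold;
}

/*
 * Number of sampled notifications that would call ieee80211_beacon_miss()
 * under the chosen condition (masked != 0 selects the patched check).
 */
size_t spurious_count(int masked, unsigned threshold)
{
    size_t hits = 0;

    for (size_t i = 0; i < NSAMPLES; i++) {
        uint32_t w = le32_load(sample_words[i]);
        hits += masked ? miss_masked(w, threshold) : miss_unmasked(w, threshold);
    }
    return hits;
}

int main(void)
{
    const unsigned threshold = 10;   /* ic_bmissthreshold from the log */

    for (size_t i = 0; i < NSAMPLES; i++) {
        uint32_t w = le32_load(sample_words[i]);
        printf("raw 0x%08lx  bytes %02x %02x %02x %02x  low byte %2u  "
               "unmasked:%d masked:%d\n",
               (unsigned long)w,
               (unsigned)((w >> 24) & 0xff), (unsigned)((w >> 16) & 0xff),
               (unsigned)((w >> 8) & 0xff), (unsigned)(w & 0xff),
               (unsigned)(w & 0xff),
               miss_unmasked(w, threshold), miss_masked(w, threshold));
    }
    printf("bmissthreshold %u: unmasked fires %zu/%zu, masked fires %zu/%zu\n",
           threshold, spurious_count(0, threshold), NSAMPLES,
           spurious_count(1, threshold), NSAMPLES);
    return 0;
}
```

With the logged words every one of the ten notifications passes the unmasked check, while none passes the masked one, which matches the spurious reassociations described in the report. The masked check also shows the patch's own limit: because the value is reduced to 8 bits, a threshold above 255 can never be reached.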
