From: Bernhard Schmidt
To: freebsd-net@FreeBSD.org
Subject: Re: kern/144987: [wpi] [panic] injecting packets with wlaninject using Intel 3945ABG wireless card gives kernel panic
Date: Wed, 22 Dec 2010 09:10:10 GMT
Message-Id: <201012220910.oBM9AASq056152@freefall.freebsd.org>

The following reply was made to PR kern/144987; it has been noted by GNATS.

From: Bernhard Schmidt
To: bug-followup@freebsd.org, gabrielquadros@hotmail.com
Cc: Julian Elischer
Subject: Re: kern/144987: [wpi] [panic] injecting packets with wlaninject using Intel 3945ABG wireless card gives kernel panic
Date: Wed, 22 Dec 2010 09:58:34 +0100

On Monday 20 December 2010 15:10:02 Bernhard Schmidt wrote:
> Hi,
>
> The issue here is that you've tried to use wlaninject with a VAP in sta
> mode. As soon as wlaninject tries to set up the interface, net80211 will
> start to do a scan which means constant channel switches until it finds
> something to associate. wlaninject itself is not aware of that and happily
> injects frames no matter what the current channel state is, as the above
> trace shows, you hit a point where no channel is set between 2 scan
> iterations.
>
> wlaninject is supposed to be used with VAPs in ahdemo mode and wpi(4) does
> not support that mode. Therefore I tend to close this PR.

Looking closer I might have been a bit wrong. There are several issues here.

One being that ni_chan is used in the TX path which should and can actually be replaced by ic_curchan. This will fix the panic reported above, though this no longer obscures other issues.

For example, we are allowed to pass in frames of arbitrary length, extremely short frames will be discarded early due to an overflow checking the length (the message too long error). But, if the length is just long enough to reach the driver it might still be shorter than the header for an 802.11 frame. This will result in another panic() in m_copydata() as we try to copy over the header to firmware.

I'll try to find a useful solution for that.

--
Bernhard
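
The short-frame case described in the message above, as an added userland example that is not code from FreeBSD, wpi(4) or the PR: the header length implied by the frame control field is checked against the supplied length before any header copy. The names dot11_hdr_len, copy_hdr_checked and HDR_MAX are hypothetical, and the HT control field and mesh extensions are ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_MAX 32 /* 4-address QoS data header: 24 + 6 + 2 */

/* Minimum header length implied by the frame control field.
 * Returns 0 when the buffer cannot even hold frame control or
 * the frame type is not one this simplified model accepts. */
size_t dot11_hdr_len(const uint8_t *frame, size_t len)
{
    if (len < 2)
        return 0;
    uint8_t type = (frame[0] >> 2) & 0x3;
    uint8_t subtype = (frame[0] >> 4) & 0xf;
    switch (type) {
    case 0: /* management */
        return 24;
    case 1: /* control: CTS (12) and ACK (13) carry only RA */
        return (subtype == 12 || subtype == 13) ? 10 : 16;
    case 2: { /* data */
        size_t n = 24;
        if ((frame[1] & 0x03) == 0x03)
            n += 6; /* ToDS and FromDS both set: address 4 */
        if (subtype & 0x8)
            n += 2; /* QoS control field */
        return n;
    }
    default: /* type 3 is not handled here: reject */
        return 0;
    }
}

/* Copy the header only when the caller supplied all of it.
 * Returns the header length, or -1 when the frame must be dropped
 * instead of being handed to a copy routine that trusts the length. */
int copy_hdr_checked(const uint8_t *frame, size_t len,
    uint8_t hdr_out[HDR_MAX])
{
    size_t need = dot11_hdr_len(frame, len);
    if (need == 0 || len < need)
        return -1;
    memcpy(hdr_out, frame, need);
    return (int)need;
}
```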