Date: Fri, 8 Oct 2010 19:36:13 +0200 From: Bernhard Schmidt <bschmidt@techwires.net> To: Paul B Mahol <onemda@gmail.com> Cc: Alexey Dokuchaev <danfe@freebsd.org>, net@freebsd.org Subject: Re: Monitor mode not working for iwi(4) on 7.X Message-ID: <201010081936.14269.bschmidt@techwires.net> In-Reply-To: <AANLkTikopXOR8aT1=T=Tz5D=Fb_OJh7wk-W2SsvhnMtO@mail.gmail.com> References: <4763016D.7060100@janh.de> <20101008160422.GC81218@FreeBSD.org> <AANLkTikopXOR8aT1=T=Tz5D=Fb_OJh7wk-W2SsvhnMtO@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Boundary-00=_Oa1rMALqoTlYxaa Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit On Friday 08 October 2010 18:59:44 Paul B Mahol wrote: > On 10/8/10, Alexey Dokuchaev <danfe@freebsd.org> wrote: > > On Fri, Oct 08, 2010 at 03:20:08PM +0000, Paul B Mahol wrote: > >> On 10/8/10, Alexey Dokuchaev <danfe@freebsd.org> wrote: > >> > On Thu, Oct 07, 2010 at 08:43:37PM +0200, Bernhard Schmidt wrote: > >> >> Try the attached patch, this is basically the code from stable/6 > >> >> ported to head and stable/7. I did only some basic tests but monitor > >> >> mode seems to work and it is still possible to use the card in STA > >> >> mode. > >> > > >> > Unfortunately, I am getting instant panic when trying any of > >> > aircrack-ng suite utilities ("ifconfig iwi0 scan/list scan" works > >> > though): > >> > > >> > Fatal trap 12: page fault while in kernel mode > >> > processor eflags = interrupt enabled, resume, IOPL = 0 > >> > current process = 35 (iwi0 taskq) > >> > > >> > Any suggestions? > >> > >> 7.X is buggy regarding taskqueue, I think (maybe it is net80211 bug > >> and not iwi fault). > > > > That's a sad thing to hear about stable branch. > > > >> Does it panic with tcpdump too? > > > > Bernhard's tests indicate it's not. However, me doing "ifconfig iwi0 > > mediaopt monitor" here resulted in immediate panic (did not catch the > > core this time, but I'm positive it's the same as with aircrack-ng). > > Looks like SMP issue. > Let me look if it is something obvious. After having another cup of coffee it's pretty obvious what's wrong.. and I really wonder how that could have worked during my tests yesterday. Just to be sure I did the same tests again today and it still worked. The only difference between what I did and your scenario is, that I didn't use ifconfig iwi0 mediaopt monitor but ifconfig iwi0 monitor instead.. anyways.. ic != sc Attached patched should behave better now. alix# kldload if_iwi iwi0: <Intel(R) PRO/Wireless 2200BG> mem 0xe0040000-0xe0040fff irq 10 at device 12.0 on pci0 iwi0: Ethernet address: 00:16:6f:64:37:68 iwi0: [ITHREAD] kalix# kldload wlan_scan_sta alix# ifconfig iwi0 -mediaopt monitor alix# ifconfig iwi0 channel 1 up alix# aireplay-ng -9 iwi0 00:34:10 Trying broadcast probe requests... 00:34:12 No Answer... 00:34:12 Found 1 AP 00:34:12 Trying directed probe requests... 00:34:12 00:15:6D:84:06:6B - channel: 1 - 'aplab' wi_write(): Input/output error wi_write(): Input/output error ^C/ 6: 0% alix# tcpdump -nei iwi0 -y IEEE802_11_RADIO tcpdump: data link type IEEE802_11_RADIO tcpdump: WARNING: iwi0: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on iwi0, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes 00:37:56.039527 1.0 Mb/s 2412 MHz 11g antenna 0 37dB signal BSSID:00:15:6d:84:06 :6b DA:ff:ff:ff:ff:ff:ff SA:00:15:6d:84:06:6b Beacon (aplab) [1.0* 2.0* 5.5* 11. 0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 1, PRIVACY -- Bernhard --Boundary-00=_Oa1rMALqoTlYxaa Content-Type: text/x-patch; charset="ISO-8859-1"; name="iwi_monitor-stable7.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="iwi_monitor-stable7.diff" Index: sys/dev/iwi/if_iwivar.h =================================================================== --- sys/dev/iwi/if_iwivar.h (revision 213522) +++ sys/dev/iwi/if_iwivar.h (working copy) @@ -193,6 +193,7 @@ struct iwi_softc { struct task sc_scanaborttask; /* cancel active scan */ struct task sc_restarttask; /* restart adapter processing */ struct task sc_opstask; /* scan / auth processing */ + struct task sc_monitortask; unsigned int sc_softled : 1, /* enable LED gpio status */ sc_ledstate: 1, /* LED on/off state */ Index: sys/dev/iwi/if_iwi.c =================================================================== --- sys/dev/iwi/if_iwi.c (revision 213522) +++ sys/dev/iwi/if_iwi.c (working copy) @@ -163,6 +163,7 @@ static void iwi_release_fw_dma(struct iwi_softc *s static int iwi_config(struct iwi_softc *); static int iwi_get_firmware(struct iwi_softc *); static void iwi_put_firmware(struct iwi_softc *); +static void iwi_monitor_scan(void *, int); static int iwi_scanchan(struct iwi_softc *, unsigned long, int); static void iwi_scan_start(struct ieee80211com *); static void iwi_scan_end(struct ieee80211com *); @@ -291,6 +292,7 @@ iwi_attach(device_t dev) TASK_INIT(&sc->sc_restarttask, 0, iwi_restart, sc); TASK_INIT(&sc->sc_opstask, 0, iwi_ops, sc); TASK_INIT(&sc->sc_scanaborttask, 0, iwi_scanabort, sc); + TASK_INIT(&sc->sc_monitortask, 0, iwi_monitor_scan, sc); callout_init_mtx(&sc->sc_wdtimer, &sc->sc_mtx, 0); if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) { @@ -978,7 +980,8 @@ iwi_newstate(struct ieee80211com *ic, enum ieee802 */ if (ic->ic_state == IEEE80211_S_SCAN) iwi_assoc(ic); - } + } else if (ic->ic_opmode == IEEE80211_M_MONITOR) + taskqueue_enqueue(sc->sc_tq, &sc->sc_monitortask); break; case IEEE80211_S_INIT: /* @@ -1411,6 +1414,18 @@ iwi_notification_intr(struct iwi_softc *sc, struct IWI_STATE_END(sc, IWI_FW_SCANNING); + /* + * Monitor mode works by doing a passive scan to set + * the channel and enable rx. Because we don't want + * to abort a scan lest the firmware crash we scan + * for a short period of time and automatically restart + * the scan when notified the sweep has completed. + */ + if (ic->ic_opmode == IEEE80211_M_MONITOR) { + taskqueue_enqueue(sc->sc_tq, &sc->sc_monitortask); + break; + } + if (scan->status == IWI_SCAN_COMPLETED) ieee80211_scan_next(ic); @@ -2595,6 +2610,11 @@ iwi_config(struct iwi_softc *sc) config.answer_pbreq = (ic->ic_opmode == IEEE80211_M_IBSS) ? 1 : 0; config.disable_unicast_decryption = 1; config.disable_multicast_decryption = 1; + if (ic->ic_opmode == IEEE80211_M_MONITOR) { + config.allow_invalid_frames = 1; + config.allow_beacon_and_probe_resp = 1; + config.allow_mgt = 1; + } DPRINTF(("Configuring adapter\n")); error = iwi_cmd(sc, IWI_CMD_SET_CONFIG, &config, sizeof config); if (error != 0) @@ -2717,6 +2737,18 @@ scan_band(const struct ieee80211_channel *c) return IEEE80211_IS_CHAN_5GHZ(c) ? IWI_CHAN_5GHZ : IWI_CHAN_2GHZ; } +static void +iwi_monitor_scan(void *arg, int npending) +{ + struct ieee80211com *ic = arg; + struct iwi_softc *sc = ic->ic_ifp->if_softc; + IWI_LOCK_DECL; + + IWI_LOCK(sc); + (void) iwi_scanchan(sc, 2000, 0); + IWI_UNLOCK(sc); +} + /* * Start a scan on the current channel or all channels. */ --Boundary-00=_Oa1rMALqoTlYxaa--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201010081936.14269.bschmidt>