Date:      Fri, 8 Oct 2010 19:36:13 +0200
From:      Bernhard Schmidt <bschmidt@techwires.net>
To:        Paul B Mahol <onemda@gmail.com>
Cc:        Alexey Dokuchaev <danfe@freebsd.org>, net@freebsd.org
Subject:   Re: Monitor mode not working for iwi(4) on 7.X
Message-ID:  <201010081936.14269.bschmidt@techwires.net>
In-Reply-To: <AANLkTikopXOR8aT1=T=Tz5D=Fb_OJh7wk-W2SsvhnMtO@mail.gmail.com>
References:  <4763016D.7060100@janh.de> <20101008160422.GC81218@FreeBSD.org> <AANLkTikopXOR8aT1=T=Tz5D=Fb_OJh7wk-W2SsvhnMtO@mail.gmail.com>

--Boundary-00=_Oa1rMALqoTlYxaa
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

On Friday 08 October 2010 18:59:44 Paul B Mahol wrote:
> On 10/8/10, Alexey Dokuchaev <danfe@freebsd.org> wrote:
> > On Fri, Oct 08, 2010 at 03:20:08PM +0000, Paul B Mahol wrote:
> >> On 10/8/10, Alexey Dokuchaev <danfe@freebsd.org> wrote:
> >> > On Thu, Oct 07, 2010 at 08:43:37PM +0200, Bernhard Schmidt wrote:
> >> >> Try the attached patch, this is basically the code from stable/6
> >> >> ported to head and stable/7. I did only some basic tests but monitor
> >> >> mode seems to work and it is still possible to use the card in STA
> >> >> mode.
> >> > 
> >> > Unfortunately, I am getting instant panic when trying any of
> >> > aircrack-ng suite utilities ("ifconfig iwi0 scan/list scan" works
> >> > though):
> >> > 
> >> > Fatal trap 12: page fault while in kernel mode
> >> > processor eflags        = interrupt enabled, resume, IOPL = 0
> >> > current process         = 35 (iwi0 taskq)
> >> > 
> >> > Any suggestions?
> >> 
> >> 7.X is buggy regarding taskqueue, I think (maybe it is net80211 bug
> >> and not iwi fault).
> > 
> > That's a sad thing to hear about stable branch.
> > 
> >> Does it panic with tcpdump too?
> > 
> > Bernhard's tests indicate it's not.  However, me doing "ifconfig iwi0
> > mediaopt monitor" here resulted in immediate panic (did not catch the
> > core this time, but I'm positive it's the same as with aircrack-ng).
> 
> Looks like SMP issue.
> Let me look if it is something obvious.

After having another cup of coffee it's pretty obvious what's wrong.. and I 
really wonder how that could have worked during my tests yesterday. Just to be 
sure I did the same tests again today and it still worked. The only difference 
between what I did and your scenario is, that I didn't use
ifconfig iwi0 mediaopt monitor
but
ifconfig iwi0 monitor
instead.. anyways..

ic != sc

Attached patch should behave better now.

alix# kldload if_iwi
iwi0: <Intel(R) PRO/Wireless 2200BG> mem 0xe0040000-0xe0040fff irq 10 at 
device 
12.0 on pci0
iwi0: Ethernet address: 00:16:6f:64:37:68
iwi0: [ITHREAD]
kalix# kldload wlan_scan_sta
alix# ifconfig iwi0 -mediaopt monitor
alix# ifconfig iwi0 channel 1 up
alix# aireplay-ng -9 iwi0
00:34:10  Trying broadcast probe requests...
00:34:12  No Answer...
00:34:12  Found 1 AP 

00:34:12  Trying directed probe requests...
00:34:12  00:15:6D:84:06:6B - channel: 1 - 'aplab'
wi_write(): Input/output error
wi_write(): Input/output error
^C/ 6:   0%
alix# tcpdump -nei iwi0 -y IEEE802_11_RADIO
tcpdump: data link type IEEE802_11_RADIO                                        
tcpdump: WARNING: iwi0: no IPv4 address assigned                                
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode      
listening on iwi0, link-type IEEE802_11_RADIO (802.11 plus BSD radio 
information
 header), capture size 96 bytes                                                 
00:37:56.039527 1.0 Mb/s 2412 MHz 11g antenna 0 37dB signal 
BSSID:00:15:6d:84:06
:6b DA:ff:ff:ff:ff:ff:ff SA:00:15:6d:84:06:6b Beacon (aplab) [1.0* 2.0* 5.5* 
11.
0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 1, PRIVACY 

-- 
Bernhard

--Boundary-00=_Oa1rMALqoTlYxaa
Content-Type: text/x-patch; charset="ISO-8859-1";
	name="iwi_monitor-stable7.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="iwi_monitor-stable7.diff"

Index: sys/dev/iwi/if_iwivar.h
===================================================================
--- sys/dev/iwi/if_iwivar.h	(revision 213522)
+++ sys/dev/iwi/if_iwivar.h	(working copy)
@@ -193,6 +193,7 @@ struct iwi_softc {
 	struct task		sc_scanaborttask;	/* cancel active scan */
 	struct task		sc_restarttask;	/* restart adapter processing */
 	struct task		sc_opstask;	/* scan / auth processing */
+	struct task		sc_monitortask;
 
 	unsigned int		sc_softled : 1,	/* enable LED gpio status */
 				sc_ledstate: 1,	/* LED on/off state */
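Review bot: `sc_monitortask` is the only task field in this group without a trailing comment, while each of its neighbours documents its purpose. Suggest `struct task		sc_monitortask;	/* monitor mode scan restart */` so the field reads like the rest of the struct. struct iwi_softc continues outside the hunk.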
Index: sys/dev/iwi/if_iwi.c
===================================================================
--- sys/dev/iwi/if_iwi.c	(revision 213522)
+++ sys/dev/iwi/if_iwi.c	(working copy)
@@ -163,6 +163,7 @@ static void	iwi_release_fw_dma(struct iwi_softc *s
 static int	iwi_config(struct iwi_softc *);
 static int	iwi_get_firmware(struct iwi_softc *);
 static void	iwi_put_firmware(struct iwi_softc *);
+static void	iwi_monitor_scan(void *, int);
 static int	iwi_scanchan(struct iwi_softc *, unsigned long, int);
 static void	iwi_scan_start(struct ieee80211com *);
 static void	iwi_scan_end(struct ieee80211com *);
@@ -291,6 +292,7 @@ iwi_attach(device_t dev)
 	TASK_INIT(&sc->sc_restarttask, 0, iwi_restart, sc);
 	TASK_INIT(&sc->sc_opstask, 0, iwi_ops, sc);
 	TASK_INIT(&sc->sc_scanaborttask, 0, iwi_scanabort, sc);
+	TASK_INIT(&sc->sc_monitortask, 0, iwi_monitor_scan, sc);
 	callout_init_mtx(&sc->sc_wdtimer, &sc->sc_mtx, 0);
 
 	if (pci_get_powerstate(dev) != PCI_POWERSTATE_D0) {
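Review bot: The argument registered for the task here is `sc`, but the callback defined in the last hunk (`iwi_monitor_scan`) reads it as `struct ieee80211com *ic = arg;` and then dereferences `ic->ic_ifp->if_softc`, so the softc is accessed through the wrong type; this looks like the `ic != sc` confusion the cover mail mentions, and if it currently works it is presumably only because the two structs happen to share a leading pointer layout. The simplest fix is in the callback: replace the two declarations with `struct iwi_softc *sc = arg;` and drop the `ic` derivation entirely. That also keeps the callback consistent with the sibling tasks initialised on the lines above, all of which receive `sc`.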
@@ -978,7 +980,8 @@ iwi_newstate(struct ieee80211com *ic, enum ieee802
 			 */
 			if (ic->ic_state == IEEE80211_S_SCAN)
 				iwi_assoc(ic);
-		} 
+		} else if (ic->ic_opmode == IEEE80211_M_MONITOR)
+			taskqueue_enqueue(sc->sc_tq, &sc->sc_monitortask);
 		break;
 	case IEEE80211_S_INIT:
 		/*
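Review bot: The new `else if` branch attaches a single unbraced statement to a braced `if` block; for consistency, and so a second statement added later cannot silently fall outside the condition, brace it: `} else if (ic->ic_opmode == IEEE80211_M_MONITOR) {` / `	taskqueue_enqueue(sc->sc_tq, &sc->sc_monitortask);` / `}`. iwi_newstate starts and ends outside the hunk.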
@@ -1411,6 +1414,18 @@ iwi_notification_intr(struct iwi_softc *sc, struct
 
 		IWI_STATE_END(sc, IWI_FW_SCANNING);
 
+		/*
+		 * Monitor mode works by doing a passive scan to set
+		 * the channel and enable rx.  Because we don't want
+		 * to abort a scan lest the firmware crash we scan
+		 * for a short period of time and automatically restart
+		 * the scan when notified the sweep has completed.
+		 */
+		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+			taskqueue_enqueue(sc->sc_tq, &sc->sc_monitortask);
+			break;
+		}
+
 		if (scan->status == IWI_SCAN_COMPLETED)
 			ieee80211_scan_next(ic);
 
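Review bot: The monitor task is re-enqueued as soon as the scan-done notification arrives, without looking at `scan->status`, whereas the normal path two lines below only advances on `IWI_SCAN_COMPLETED`. If a sweep ends for another reason (for instance the driver tearing the interface down, which I cannot see from here), this restarts scanning anyway; consider `if (ic->ic_opmode == IEEE80211_M_MONITOR && scan->status == IWI_SCAN_COMPLETED) {` or a check that the interface is still running before the enqueue. iwi_notification_intr continues outside the hunk, so a later guard may exist that this hunk does not show.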
@@ -2595,6 +2610,11 @@ iwi_config(struct iwi_softc *sc)
 	config.answer_pbreq = (ic->ic_opmode == IEEE80211_M_IBSS) ? 1 : 0;
 	config.disable_unicast_decryption = 1;
 	config.disable_multicast_decryption = 1;
+	if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+		config.allow_invalid_frames = 1;
+		config.allow_beacon_and_probe_resp = 1;
+		config.allow_mgt = 1;
+	}
 	DPRINTF(("Configuring adapter\n"));
 	error = iwi_cmd(sc, IWI_CMD_SET_CONFIG, &config, sizeof config);
 	if (error != 0)
@@ -2717,6 +2737,18 @@ scan_band(const struct ieee80211_channel *c)
 	return IEEE80211_IS_CHAN_5GHZ(c) ?  IWI_CHAN_5GHZ : IWI_CHAN_2GHZ;
 }
 
+static void
+iwi_monitor_scan(void *arg, int npending)
+{
+	struct ieee80211com *ic = arg;
+	struct iwi_softc *sc = ic->ic_ifp->if_softc;
+	IWI_LOCK_DECL;
+
+	IWI_LOCK(sc);
+	(void) iwi_scanchan(sc, 2000, 0);
+	IWI_UNLOCK(sc);
+}
+
 /*
  * Start a scan on the current channel or all channels.
  */
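Review bot: The dwell argument `2000` passed to iwi_scanchan is an unexplained magic number and the call's return value is discarded, so a restart that fails leaves monitor mode silently stuck with no further sweep scheduled. Give the value a name, e.g. `#define IWI_MONITOR_DWELL 2000 /* TODO: document unit, see iwi_scanchan */`, and at least report a failed restart: `if (iwi_scanchan(sc, IWI_MONITOR_DWELL, 0) != 0)` / `	DPRINTF(("monitor scan restart failed\n"));`. The comment in the notification-handler hunk explains why the scan is restarted rather than left running; a one-line pointer to it above this function would help the next reader.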

--Boundary-00=_Oa1rMALqoTlYxaa--


