From nobody@FreeBSD.org  Fri Feb 26 14:19:05 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C68EF106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 26 Feb 2010 14:19:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id B455A8FC1D
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 26 Feb 2010 14:19:05 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o1QEJ5cF047155
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 26 Feb 2010 14:19:05 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o1QEJ5eS047154;
	Fri, 26 Feb 2010 14:19:05 GMT
	(envelope-from nobody)
Message-Id: <201002261419.o1QEJ5eS047154@www.freebsd.org>
Date: Fri, 26 Feb 2010 14:19:05 GMT
From: Alexander Egorenkov <egorenar@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ieee80211] A response management frame appears in wireshark captures before the corresponding request management frame in HOSTAP mode
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         144323
>Category:       kern
>Synopsis:       [ieee80211] A response management frame appears in wireshark captures before the corresponding request management frame in HOSTAP mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bschmidt
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 26 14:20:01 UTC 2010
>Closed-Date:    Tue Jun 19 06:59:32 UTC 2012
>Last-Modified:  Tue Jun 19 06:59:32 UTC 2012
>Originator:     Alexander Egorenkov
>Release:        FreeBSD 8.0 STABLE
>Organization:
>Environment:
FreeBSD dantooine 8.0-RELEASE FreeBSD 8.0-RELEASE #2: Tue Dec 15 17:56:06 CET 2009 root@dantooine:/usr/obj/usr/src/sys/MYKERNEL i386
>Description:
I was testing my Ralink WLAN driver in HOSTAP mode and noticed the following strange behaviour of net80211 while capturing frames with wireshark.
All responses to management frame requests appeared in the wireshark capture
**before** the corresponding request frames, e.g. Probe Responses before Probe Requests, Action Responses before Action Requests, Association Responses before Association Requests and so on.
I observed this behaviour only for management frames, data frames were OK.
I also did't notice this behavior in STA mode.

I could provide a wireshark capture if needed.
>How-To-Repeat:
You need a WLAN NIC that supports HOSTAP mode.
Start hostapd and capture some Probe Requests and Responses.
>Fix:
I investigated the problem and found out that
in the function ieee80211_hostap.c:hostap_input that is responsible for processing
incoming frames in HOSTAP mode a management frame is passed to bpf **after**
the call to "iv_recv_mgmt". The function pointer iv_recv_mgmt that points to
the function ieee80211_hostap.c:hostap_recv_mgmt processes received management frames and, furthermore, **sends** corresponding response frames if needed.
And when hostap_recv_mgmt is done, management frames are passed to ieee80211_radiotap_rx.

To fix the problem, the call to ieee80211_radiotap_rx in ieee80211_hostap.c:hostap_input should happen **before** the call
to iv_recv_mgmt for management frames.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Feb 26 14:25:12 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144323 

From: Alexander Egorenkov <egorenar@googlemail.com>
To: bug-followup@FreeBSD.org, egorenar@gmail.com
Cc:  
Subject: Re: kern/144323: [ieee80211] A response management frame appears in 
	wireshark captures before the corresponding request management frame in 
	HOSTAP mode
Date: Fri, 26 Feb 2010 19:38:17 +0100

 --00c09f7d599cf93dc30480853386
 Content-Type: multipart/alternative; boundary=00c09f7d599cf93dba0480853384
 
 --00c09f7d599cf93dba0480853384
 Content-Type: text/plain; charset=ISO-8859-1
 
 Here is a patch i used on my system to fix the problem.
 
 --00c09f7d599cf93dba0480853384
 Content-Type: text/html; charset=ISO-8859-1
 
 Here is a patch i used on my system to fix the problem.<br>
 
 --00c09f7d599cf93dba0480853384--
 --00c09f7d599cf93dc30480853386
 Content-Type: application/octet-stream; name="ieee80211_hostap.c.patch"
 Content-Disposition: attachment; filename="ieee80211_hostap.c.patch"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_g65bqsv50
 
 LS0tIGllZWU4MDIxMV9ob3N0YXAuYy5vcmlnCTIwMTAtMDItMjYgMTk6MjI6NDMuMDAwMDAwMDAw
 ICswMTAwCisrKyBpZWVlODAyMTFfaG9zdGFwLmMJMjAxMC0wMi0yNiAxOToyMjo0OS4wMDAwMDAw
 MDAgKzAxMDAKQEAgLTg4NCw2ICs4ODQsMTEgQEAKIAkJCXdoID0gbXRvZChtLCBzdHJ1Y3QgaWVl
 ZTgwMjExX2ZyYW1lICopOwogCQkJd2gtPmlfZmNbMV0gJj0gfklFRUU4MDIxMV9GQzFfV0VQOwog
 CQl9CisKKwkJaWYgKGllZWU4MDIxMV9yYWRpb3RhcF9hY3RpdmVfdmFwKHZhcCkpCisJCQlpZWVl
 ODAyMTFfcmFkaW90YXBfcngodmFwLCBtKTsKKwkJbmVlZF90YXAgPSAwOworCiAJCXZhcC0+aXZf
 cmVjdl9tZ210KG5pLCBtLCBzdWJ0eXBlLCByc3NpLCBuZik7CiAJCWdvdG8gb3V0OwogCg==
 --00c09f7d599cf93dc30480853386--
State-Changed-From-To: open->patched 
State-Changed-By: rpaulo 
State-Changed-When: Tue Mar 23 14:31:56 UTC 2010 
State-Changed-Why:  
Fixed in HEAD. Will MFC. 
Thanks. 


Responsible-Changed-From-To: freebsd-net->rpaulo 
Responsible-Changed-By: rpaulo 
Responsible-Changed-When: Tue Mar 23 14:31:56 UTC 2010 
Responsible-Changed-Why:  
Fixed in HEAD. Will MFC. 
Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144323 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/144323: commit references a PR
Date: Tue, 23 Mar 2010 14:31:43 +0000 (UTC)

 Author: rpaulo
 Date: Tue Mar 23 14:31:31 2010
 New Revision: 205516
 URL: http://svn.freebsd.org/changeset/base/205516
 
 Log:
   When receiving a management frame, pass the mbuf to bpf before calling
   iv_recv_mgmt(). iv_recv_mgmt() will generate management frame responses
   and pass them to bpf before the management frame that triggered the
   response.
   
   PR:		144323
   Submitted by:	Alexander Egorenkov <egorenar at gmail.com>
   MFC after:	2 weeks
   Sponsored by:	iXsystems, inc.
 
 Modified:
   head/sys/net80211/ieee80211_hostap.c
 
 Modified: head/sys/net80211/ieee80211_hostap.c
 ==============================================================================
 --- head/sys/net80211/ieee80211_hostap.c	Tue Mar 23 13:15:11 2010	(r205515)
 +++ head/sys/net80211/ieee80211_hostap.c	Tue Mar 23 14:31:31 2010	(r205516)
 @@ -883,6 +883,9 @@ hostap_input(struct ieee80211_node *ni, 
  			wh = mtod(m, struct ieee80211_frame *);
  			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
  		}
 +		if (ieee80211_radiotap_active_vap(vap))
 +			ieee80211_radiotap_rx(vap, m);
 +		need_tap = 0;
  		vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
  		goto out;
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/144323: commit references a PR
Date: Tue,  6 Apr 2010 14:07:57 +0000 (UTC)

 Author: rpaulo
 Date: Tue Apr  6 14:07:48 2010
 New Revision: 206271
 URL: http://svn.freebsd.org/changeset/base/206271
 
 Log:
   MFC r203422, r205516:
   
    When receiving a management frame, pass the mbuf to bpf before calling
    iv_recv_mgmt(). iv_recv_mgmt() will generate management frame
    responses
    and pass them to bpf before the management frame that triggered the
    response.
   
    PR:		144323
    Submitted by:	Alexander Egorenkov <egorenar at gmail.com>
    Sponsored by:	iXsystems, inc.
 
 Modified:
   stable/8/sys/net80211/ieee80211_hostap.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/net80211/ieee80211_hostap.c
 ==============================================================================
 --- stable/8/sys/net80211/ieee80211_hostap.c	Tue Apr  6 13:12:11 2010	(r206270)
 +++ stable/8/sys/net80211/ieee80211_hostap.c	Tue Apr  6 14:07:48 2010	(r206271)
 @@ -884,6 +884,14 @@ hostap_input(struct ieee80211_node *ni, 
  			wh = mtod(m, struct ieee80211_frame *);
  			wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
  		}
 +		/*
 +		 * Pass the packet to radiotap before calling iv_recv_mgmt().
 +		 * Otherwise iv_recv_mgmt() might pass another packet to
 +		 * radiotap, resulting in out of order packet captures.
 +		 */
 +		if (ieee80211_radiotap_active_vap(vap))
 +			ieee80211_radiotap_rx(vap, m);
 +		need_tap = 0;
  		vap->iv_recv_mgmt(ni, m, subtype, rssi, nf);
  		goto out;
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
Responsible-Changed-From-To: rpaulo->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Dec 4 16:18:13 UTC 2010 
Responsible-Changed-Why:  
rpaulo has return his commit bit for safekeeing. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144323 
State-Changed-From-To: patched->feedback 
State-Changed-By: bschmidt 
State-Changed-When: Mon Jan 3 21:19:00 UTC 2011 
State-Changed-Why:  
Patch committed and MFCed, I assume this PR can be closed? 


Responsible-Changed-From-To: freebsd-bugs->bschmidt 
Responsible-Changed-By: bschmidt 
Responsible-Changed-When: Mon Jan 3 21:19:00 UTC 2011 
Responsible-Changed-Why:  
over to me 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144323 
State-Changed-From-To: feedback->closed 
State-Changed-By: bschmidt 
State-Changed-When: Tue Jun 19 06:59:21 UTC 2012 
State-Changed-Why:  
feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144323 
>Unformatted:
