midiplay: Fix out-of-bounds memory access

2016-04-27 Thread Geoff Hill
Fix possible reads past the end of the buffer.

Found by random fuzz testing (zzuf). Without the fix the fuzzer crashes
in several seconds; with the patch, the fuzzer runs clean for hours.

Index: midiplay.c
===
RCS file: /cvs/src/usr.bin/midiplay/midiplay.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 midiplay.c
--- midiplay.c  8 Feb 2015 23:40:34 -   1.17
+++ midiplay.c  27 Apr 2016 21:45:13 -
@@ -319,6 +319,10 @@ playdata(u_char *buf, u_int tot, char *n
if (memcmp(p, MARK_TRACK, MARK_LEN) == 0) {
tracks[t].start = p + MARK_LEN + SIZE_LEN;
tracks[t].end = tracks[t].start + len;
+   if (tracks[t].end > end) {
+   warnx("Track length exceeds remaining size");
+   goto ret;
+   }
tracks[t].curtime = getvar([t]);
t++;
}
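Review bot: The new test compares `tracks[t].end` only after it has been computed as `tracks[t].start + len`, so for a file-supplied `len` larger than the bytes left the pointer is already formed past the buffer; that is undefined, and on a large enough value it can wrap so the comparison passes. Comparing the length with the remaining space avoids forming the pointer at all: `if (tracks[t].start > end || len > (size_t)(end - tracks[t].start)) {`. Whether `len` and `p` are bounded earlier in the loop cannot be seen from here, and playdata's body starts and ends outside the hunk.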



Re: siginfo_t.si_addr should be void*

2016-04-27 Thread i80and

On 2016-04-27 18:20, Joerg Sonnenberger wrote:

This
[...snip...]
and this disagree?


I... am so sorry. You're right of course; I don't know how that patch 
happened.


Correct patch:

diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h
index 814e8f2..1e8365f 100644
--- a/src/sys/sys/siginfo.h
+++ b/src/sys/sys/siginfo.h
@@ -150,7 +150,7 @@ typedef struct {
} _pdata;
} _proc;
struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */
-   caddr_t _addr;  /* faulting address */
+   void*_addr; /* faulting address */
int _trapno;/* illegal trap number */
} _fault;
 #if 0



Re: siginfo_t.si_addr should be void*

2016-04-27 Thread Joerg Sonnenberger
On Wed, Apr 27, 2016 at 06:04:32PM -0400, i80...@foxquill.com wrote:
> POSIX specifies that siginfo_t.si_addr must be void*. OpenBSD currently
> defines it as caddr_t. This breaks some userspace programs, such as the
> following minimal case:

This 

> The following patch builds the base system cleanly on x86_64, and
> resolves the problem.
> 
> diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h
> index 814e8f2..1e8365f 100644
> --- a/src/sys/sys/siginfo.h
> +++ b/src/sys/sys/siginfo.h
> @@ -150,7 +150,7 @@ typedef struct {
>   } _pdata;
>   } _proc;
>   struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */
> - caddr_t _addr;  /* faulting address */
> + char*_addr; /* faulting address */
>   int _trapno;/* illegal trap number */
>   } _fault;
>  #if 0

and this disagree?

Joerg



siginfo_t.si_addr should be void*

2016-04-27 Thread i80and

POSIX specifies that siginfo_t.si_addr must be void*. OpenBSD currently
defines it as caddr_t. This breaks some userspace programs, such as the
following minimal case:

  #include <iostream>
  #include <signal.h>

  // Three-argument (SA_SIGINFO-style) signal handler for the reproduction:
  // writes "Foo", then the siginfo's si_addr, then "bar\n" to std::cout.
  // Which operator<< overload handles si_addr follows from its declared type:
  // a char* is read as a C string, a void* is printed as a pointer value.
  // iostream is not async-signal-safe; that is tolerable only because this is
  // a minimal demonstration, not a pattern for production handlers.
  void handler(int, siginfo_t *info, void*) {
      std::ostream &out = std::cout;
      out << "Foo";
      out << info->si_addr;
      out << "bar\n";
  }

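  // Reproduction driver: installs handler for SIGILL with SA_SIGINFO set and
  // raises the signal once. Returns 1 if the handler cannot be installed,
  // 0 otherwise.
  int main(int, char**) {
      // Value-initialise so no indeterminate field is handed to sigaction().
      struct sigaction action = {};
      // Block no additional signals while the handler runs.
      sigemptyset(&action.sa_mask);
      action.sa_sigaction = handler;
      action.sa_flags = SA_SIGINFO;
      // Second argument is the new disposition; the old one is not requested.
      if (sigaction(SIGILL, &action, NULL) != 0)
          return 1;

      raise(SIGILL);
      return 0;
  }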

On OpenBSD, ostream will treat the char* si_addr as a C-string. Luckily
it's NULL in this case, but it causes only "Foo" to be printed. No
future uses of std::cout will result in output.

The following patch builds the base system cleanly on x86_64, and
resolves the problem.

diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h
index 814e8f2..1e8365f 100644
--- a/src/sys/sys/siginfo.h
+++ b/src/sys/sys/siginfo.h
@@ -150,7 +150,7 @@ typedef struct {
} _pdata;
} _proc;
struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */
-   caddr_t _addr;  /* faulting address */
+   char*_addr; /* faulting address */
int _trapno;/* illegal trap number */
} _fault;
 #if 0

-- Andrew Aldridge



gzip -l: account for multiple streams

2016-04-27 Thread Todd C. Miller
Currently, the info in "gzip -l" only accounts for the last stream
in the file.  For example:

$ gzip.old -l valgrind-3.10.1p9.tgz
compressed  uncompressed  ratio  uncompressed_name
   2122549   9048576  76.5%  valgrind-3.10.1p9.tar

$ gzip.new -l /usr/ports/packages/amd64/all/valgrind-3.10.1p9.tgz
compressed  uncompressed  ratio  uncompressed_name
  27988837  81453568  65.6%  valgrind-3.10.1p9.tar

$ ls -l valgrind-3.10.1p9.tgz
-rw-r--r--  3 millert  staff  27988837 Mar 29 10:09 valgrind-3.10.1p9.tgz

$ gunzip -c valgrind-3.10.1p9.tgz | wc -c
 81453568

Index: usr.bin/compress/gzopen.c
===
RCS file: /cvs/src/usr.bin/compress/gzopen.c,v
retrieving revision 1.29
diff -u -p -u -r1.29 gzopen.c
--- usr.bin/compress/gzopen.c   20 Aug 2015 22:32:41 -  1.29
+++ usr.bin/compress/gzopen.c   27 Apr 2016 20:34:20 -
@@ -83,14 +83,15 @@
 typedef
 struct gz_stream {
int z_fd;   /* .gz file */
-   z_stream z_stream;  /* libz stream */
int z_eof;  /* set if end of input file */
+   z_stream z_stream;  /* libz stream */
u_char  z_buf[Z_BUFSIZE]; /* i/o buffer */
+   charz_mode; /* 'w' or 'r' */
u_int32_t z_time;   /* timestamp (mtime) */
-   u_int32_t z_hlen;   /* length of the gz header */
u_int32_t z_crc;/* crc32 of uncompressed data */
-   charz_mode; /* 'w' or 'r' */
-
+   u_int32_t z_hlen;   /* length of the gz header */
+   u_int64_t z_total_in;   /* # bytes in */
+   u_int64_t z_total_out;  /* # bytes out */
 } gz_stream;
 
 static const u_char gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */
@@ -128,6 +129,8 @@ gz_open(int fd, const char *mode, char *
s->z_eof = 0;
s->z_time = 0;
s->z_hlen = 0;
+   s->z_total_in = 0;
+   s->z_total_out = 0;
s->z_crc = crc32(0L, Z_NULL, 0);
s->z_mode = mode[0];
 
@@ -206,8 +209,8 @@ gz_close(void *cookie, struct z_info *in
info->mtime = s->z_time;
info->crc = s->z_crc;
info->hlen = s->z_hlen;
-   info->total_in = (off_t)s->z_stream.total_in;
-   info->total_out = (off_t)s->z_stream.total_out;
+   info->total_in = s->z_total_in;
+   info->total_out = s->z_total_out;
}
 
setfile(name, s->z_fd, sb);
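Review bot: `info->total_in` and `info->total_out` are now read from `z_total_in`/`z_total_out`, but the only places this patch adds to those counters are in gz_read, so for a stream opened with mode 'w' they would still hold the zeroes set in gz_open unless the write path updates them in code not shown. Keeping the libz totals for writers preserves the old result, e.g. `info->total_in = s->z_mode == 'r' ? (off_t)s->z_total_in : (off_t)s->z_stream.total_in;` and the same for `total_out`. The `(off_t)` cast was also dropped, so the u_int64_t value is now converted implicitly. gz_close continues outside the hunk.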
@@ -336,7 +339,7 @@ get_header(gz_stream *s, char *name, int
(void)get_byte(s);
(void)get_byte(s);
 
-   s->z_hlen = 10; /* magic, method, flags, time, xflags, OS code */
+   s->z_hlen += 10; /* magic, method, flags, time, xflags, OS code */
if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */
len  =  (uInt)get_byte(s);
len += ((uInt)get_byte(s))<<8;
@@ -438,11 +441,11 @@ gz_read(void *cookie, char *buf, int len
 
if (error == Z_DATA_ERROR) {
errno = EINVAL;
-   return -1;
+   goto bad;
}
if (error == Z_BUF_ERROR) {
errno = EIO;
-   return -1;
+   goto bad;
}
if (error == Z_STREAM_END) {
/* Check CRC and original size */
@@ -452,13 +455,18 @@ gz_read(void *cookie, char *buf, int len
 
if (get_int32(s) != s->z_crc) {
errno = EINVAL;
-   return -1;
+   goto bad;
}
if (get_int32(s) != (u_int32_t)s->z_stream.total_out) {
errno = EIO;
return -1;
}
s->z_hlen += 2 * sizeof(int32_t);
+
+   /* Add byte counts from the finished stream. */
+   s->z_total_in += s->z_stream.total_in;
+   s->z_total_out += s->z_stream.total_out;
+
/* Check for the existence of an appended file. */
if (get_header(s, NULL, 0) != 0) {
s->z_eof = 1;
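Review bot: The size-mismatch branch directly after the CRC check still ends in `return -1;` while the CRC failure next to it was switched to `goto bad;`, so a trailer with a wrong length skips the accounting that the other error paths now get. If that is not deliberate, use `goto bad;` there too. The `bad:` label adds `z_stream.total_in`/`total_out` without resetting them, so a caller that calls gz_read again after an error could count the same bytes twice; whether any caller does that is not visible here. gz_read starts and ends outside this hunk.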
@@ -474,6 +482,11 @@ gz_read(void *cookie, char *buf, int len
len -= s->z_stream.avail_out;
 
return (len);
+bad:
+   /* Add byte counts from the finished stream. */
+   s->z_total_in += s->z_stream.total_in;
+   s->z_total_out += s->z_stream.total_out;
+   return (-1);
 }
 
 int



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Bob Beck
On Wed, Apr 27, 2016 at 03:45:45PM +, Alexey Suslikov wrote:
> Theo de Raadt  cvs.openbsd.org> writes:
> 
> > 
> > Most of these bug reports completely stink.
> > 
> > ALWAYS include *ALL* information in a report.
> 
> In an idealistic world, yes.
> 
> Above are not parts of the "chain", but different statements of the
> same bug. To have both blue screen and ddb, I need to keep kvm console
> running in a browser for undefined period of time (crash can occur twice
> per day, or once per 2 months), which isn't as easy as it seems.

http://www.openbsd.org/report.html

We are pretty clear in there what you need. and if you don't have all the 
information, there's
really not a lot we can do.. we don't ask you to include it for decorative 
purposes, we ask 
so we can actually know what's going on - without it your report is only an 
exercise in frustration
for all of us




Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Theo de Raadt
> On 27/04/16(Wed) 15:45, Alexey Suslikov wrote:
> > Theo de Raadt  cvs.openbsd.org> writes:
> > 
> > > 
> > > Most of these bug reports completely stink.
> > > 
> > > ALWAYS include *ALL* information in a report.
> > 
> > In an idealistic world, yes.
> 
> In an idealistic world their would be no bug.

In an idealistic world, Alexey Suslikov wouldn't feel compelled to
defend sloppiness.



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Martin Pieuchot
On 27/04/16(Wed) 15:45, Alexey Suslikov wrote:
> Theo de Raadt  cvs.openbsd.org> writes:
> 
> > 
> > Most of these bug reports completely stink.
> > 
> > ALWAYS include *ALL* information in a report.
> 
> In an idealistic world, yes.

In an idealistic world their would be no bug.

> Above are not parts of the "chain", but different statements of the
> same bug. To have both blue screen and ddb, I need to keep kvm console
> running in a browser for undefined period of time (crash can occur twice
> per day, or once per 2 months), which isn't as easy as it seems.

Come on, your bug reports are useless because you don't include a dmesg;
how hard is it to do so?  If you don't include a dmesg, do not spend
your time reporting a bug, it is useless.



gif tunnel and IPv6 ND

2016-04-27 Thread Martin Pieuchot
gif(4) is the only p2p interface for which the kernel does some kind of
link-layer address resolution when it comes to IPv6 & ND.

I don't believe this is necessary because we do not install any cloning
route on p2p interfaces.  However the rt_checkgate() call *is* necessary
because your default IPv6 route, or any gateway route, might go through
your tunnel.

So the diff below removes gif(4) interfaces from the list of interfaces
that need a link-layer cache and moves the check *after* calling
rt_checkgate().  This way all the p2p-specific code in nd6_output()
can go away.

I'd like to hear from people using such setup to know if this break
anything.

Index: netinet6/nd6.c
===
RCS file: /cvs/src/sys/netinet6/nd6.c,v
retrieving revision 1.178
diff -u -p -r1.178 nd6.c
--- netinet6/nd6.c  27 Apr 2016 14:47:27 -  1.178
+++ netinet6/nd6.c  27 Apr 2016 15:54:17 -
@@ -1512,9 +1512,6 @@ nd6_output(struct ifnet *ifp, struct mbu
if (IN6_IS_ADDR_MULTICAST(>sin6_addr))
goto sendpkt;
 
-   if (nd6_need_cache(ifp) == 0)
-   goto sendpkt;
-
/*
 * next hop determination.
 */
@@ -1524,21 +1521,11 @@ nd6_output(struct ifnet *ifp, struct mbu
m_freem(m);
return (error);
}
-
-   /*
-* We skip link-layer address resolution and NUD
-* if the gateway is not a neighbor from ND point
-* of view, regardless of the value of nd_ifinfo.flags.
-* The second condition is a bit tricky; we skip
-* if the gateway is our own address, which is
-* sometimes used to install a route to a p2p link.
-*/
-   if ((ifp->if_flags & IFF_POINTOPOINT) &&
-   ((nd6_is_addr_neighbor(satosin6(rt_key(rt)), ifp) == 0) ||
-   in6ifa_ifpwithaddr(ifp, (rt_key(rt))->sin6_addr)))
-   goto sendpkt;
}
 
+   if (nd6_need_cache(ifp) == 0)
+   goto sendpkt;
+
/*
 * Address resolution or Neighbor Unreachability Detection
 * for the next hop.
@@ -1565,8 +1552,7 @@ nd6_output(struct ifnet *ifp, struct mbu
}
}
if (ln == NULL || rt == NULL) {
-   if ((ifp->if_flags & IFF_POINTOPOINT) == 0 &&
-   !(ND_IFINFO(ifp)->flags & ND6_IFF_PERFORMNUD)) {
+   if ((ND_IFINFO(ifp)->flags & ND6_IFF_PERFORMNUD) == 0) {
char addr[INET6_ADDRSTRLEN];
 
log(LOG_DEBUG, "%s: can't allocate llinfo for %s "
@@ -1591,9 +1577,7 @@ nd6_output(struct ifnet *ifp, struct mbu
TAILQ_REMOVE(_list, ln, ln_list);
TAILQ_INSERT_HEAD(_list, ln, ln_list);
 
-   /* We don't have to do link-layer address resolution on a p2p link. */
-   if ((ifp->if_flags & IFF_POINTOPOINT) != 0 &&
-   ln->ln_state < ND6_LLINFO_REACHABLE) {
+   if (ln->ln_state < ND6_LLINFO_REACHABLE) {
ln->ln_state = ND6_LLINFO_STALE;
nd6_llinfo_settimer(ln, (long)nd6_gctimer * hz);
}
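Review bot: With the `IFF_POINTOPOINT` test dropped, `if (ln->ln_state < ND6_LLINFO_REACHABLE)` now runs for every interface that reaches this point, and after the earlier hunks those are only the types for which nd6_need_cache() returns 1. An entry that has not finished resolution would then be forced to `ND6_LLINFO_STALE` on exactly the links that need address resolution, assuming the unresolved states sort below REACHABLE. If point-to-point links can no longer get here, the block looks removable together with its comment rather than something to make unconditional. The code that acts on the state is outside the hunk, so this needs checking against the rest of nd6_output.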
@@ -1658,11 +1642,8 @@ nd6_need_cache(struct ifnet *ifp)
 */
switch (ifp->if_type) {
case IFT_ETHER:
-   case IFT_IEEE1394:
-   case IFT_PROPVIRTUAL:
case IFT_IEEE80211:
case IFT_CARP:
-   case IFT_GIF:   /* XXX need more cases? */
return (1);
default:
return (0);
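Review bot: The description only mentions gif(4), but this hunk also removes `IFT_IEEE1394` and `IFT_PROPVIRTUAL` from nd6_need_cache(), so interfaces of those types would stop getting neighbour cache entries and would skip resolution and NUD. If no driver in the tree still uses those types, the commit message should say so; otherwise the two cases should stay. A comment above the switch such as `/* p2p types such as gif(4) are deliberately absent: no ND cache */` would record the intent.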



reduce 11n block ack gap timeout

2016-04-27 Thread Stefan Sperling
Reduces ping jitter when the block ack window encounters gaps.

Index: ieee80211_node.h
===
RCS file: /cvs/src/sys/net80211/ieee80211_node.h,v
retrieving revision 1.59
diff -u -p -r1.59 ieee80211_node.h
--- ieee80211_node.h11 Feb 2016 17:15:43 -  1.59
+++ ieee80211_node.h27 Apr 2016 15:39:21 -
@@ -146,7 +146,7 @@ struct ieee80211_rx_ba {
u_int16_t   ba_winsize;
u_int16_t   ba_head;
struct timeout  ba_gap_to;
-#define IEEE80211_BA_GAP_TIMEOUT   500 /* msec */
+#define IEEE80211_BA_GAP_TIMEOUT   100 /* msec */
/* Counter for consecutive frames which missed the BA window. */
int ba_winmiss;
/* Sequence number of previous frame which missed the BA window. */



fix iwn htprot updates

2016-04-27 Thread Stefan Sperling
I'm investigating latency issues with 11n block ack on iwn.

There's a dedicated command to update RXON flags while associated.
Use this command instead of whacking the whole firmware node table
and restoring it. The firmware node table contains block ack state
and we shouldn't mess with that.

Index: if_iwn.c
===
RCS file: /cvs/src/sys/dev/pci/if_iwn.c,v
retrieving revision 1.164
diff -u -p -r1.164 if_iwn.c
--- if_iwn.c13 Apr 2016 10:34:32 -  1.164
+++ if_iwn.c27 Apr 2016 15:50:34 -
@@ -5047,93 +5047,31 @@ void
 iwn_update_htprot(struct ieee80211com *ic, struct ieee80211_node *ni)
 {
struct iwn_softc *sc = ic->ic_softc;
-   struct iwn_ops *ops = >ops;
enum ieee80211_htprot htprot;
-   struct iwn_node_info node;
-   int error, ridx;
-
-   timeout_del(>calib_to);
-
-   /* Fake a "disassociation" so we can change RXON configuration. */
-   sc->rxon.filter &= ~htole32(IWN_FILTER_BSS);
-   error = iwn_cmd(sc, IWN_CMD_RXON, >rxon, sc->rxonsz, 1);
-   if (error != 0) {
-   printf("%s: RXON command failed\n", sc->sc_dev.dv_xname);
-   return;
-   }
+   struct iwn_rxon_assoc rxon_assoc;
+   int error;
 
/* Update HT protection mode setting. */
htprot = (ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >>
IEEE80211_HTOP1_PROT_SHIFT;
sc->rxon.flags &= ~htole32(IWN_RXON_HT_PROTMODE(3));
sc->rxon.flags |= htole32(IWN_RXON_HT_PROTMODE(htprot));
-   sc->rxon.filter |= htole32(IWN_FILTER_BSS);
-   error = iwn_cmd(sc, IWN_CMD_RXON, >rxon, sc->rxonsz, 1);
-   if (error != 0) {
-   printf("%s: RXON command failed\n", sc->sc_dev.dv_xname);
-   return;
-   }
-
-   /* 
-* The firmware loses TX power table, node table, LQ table,
-* and sensitivity calibration after an RXON command.
-*/
-
-   if ((error = ops->set_txpower(sc, 1)) != 0) {
-   printf("%s: could not set TX power\n", sc->sc_dev.dv_xname);
-   return;
-   }
-
-   ridx = IEEE80211_IS_CHAN_5GHZ(ni->ni_chan) ?
-   IWN_RIDX_OFDM6 : IWN_RIDX_CCK1;
-   if ((error = iwn_add_broadcast_node(sc, 1, ridx)) != 0) {
-   printf("%s: could not add broadcast node\n",
-   sc->sc_dev.dv_xname);
-   return;
-   }
-
-   memset(, 0, sizeof node);
-   IEEE80211_ADDR_COPY(node.macaddr, ni->ni_macaddr);
-   node.id = IWN_ID_BSS;
-   if (ni->ni_flags & IEEE80211_NODE_HT) {
-   node.htmask = (IWN_AMDPU_SIZE_FACTOR_MASK |
-   IWN_AMDPU_DENSITY_MASK);
-   node.htflags = htole32(
-   IWN_AMDPU_SIZE_FACTOR(
-   (ic->ic_ampdu_params & IEEE80211_AMPDU_PARAM_LE)) |
-   IWN_AMDPU_DENSITY(
-   (ic->ic_ampdu_params & IEEE80211_AMPDU_PARAM_SS) >> 2));
-   }
-   error = ops->add_node(sc, , 1);
-   if (error != 0) {
-   printf("%s: could not add BSS node\n", sc->sc_dev.dv_xname);
-   return;
-   }
-
-   if ((error = iwn_set_link_quality(sc, ni)) != 0) {
-   printf("%s: could not setup link quality for node %d\n",
-   sc->sc_dev.dv_xname, node.id);
-   return;
-   }
-
-   if ((error = iwn_init_sensitivity(sc)) != 0) {
-   printf("%s: could not set sensitivity\n",
-   sc->sc_dev.dv_xname);
-   return;
-   }
-
-   sc->calib.state = IWN_CALIB_STATE_ASSOC;
-   sc->calib_cnt = 0;
-   timeout_add_msec(>calib_to, 500);
 
-   if ((ni->ni_flags & IEEE80211_NODE_RXPROT) &&
-   ni->ni_pairwise_key.k_cipher == IEEE80211_CIPHER_CCMP) {
-   if ((error = iwn_set_key(ic, ni, >ni_pairwise_key)) != 0) {
-   printf("%s: could not set pairwise ccmp key\n",
-   sc->sc_dev.dv_xname);
-   return;
-   }
-   }
+   /* Update RXON config. */
+   memset(_assoc, 0, sizeof(rxon_assoc));
+   rxon_assoc.flags = sc->rxon.flags;
+   rxon_assoc.filter = sc->rxon.filter;
+   rxon_assoc.ofdm_mask = sc->rxon.ofdm_mask;
+   rxon_assoc.ht_single_mask = sc->rxon.ht_single_mask;
+   rxon_assoc.ht_dual_mask = sc->rxon.ht_dual_mask;
+   rxon_assoc.ht_triple_mask = sc->rxon.ht_triple_mask;
+   rxon_assoc.rxchain = sc->rxon.rxchain;
+   rxon_assoc.acquisition = sc->rxon.acquisition;
+
+   error = iwn_cmd(sc, IWN_CMD_RXON_ASSOC, _assoc,
+   sizeof(rxon_assoc), 1);
+   if (error != 0)
+   printf("%s: RXON_ASSOC command failed\n", sc->sc_dev.dv_xname);
 }
 
 /*
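Review bot: `sc->rxon.flags` is modified before `iwn_cmd()` runs and a failed `IWN_CMD_RXON_ASSOC` is only reported with printf, so after an error the softc's cached RXON state no longer matches what the firmware was given. Capturing the old value before the update and restoring it on failure keeps the two in step, e.g. `if (error != 0) { sc->rxon.flags = oflags; printf(...); }`. The removed code re-installed the pairwise CCMP key after RXON; a comment stating that RXON_ASSOC is expected to leave the firmware node table, and presumably the keys, untouched would record why that step is no longer needed.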
Index: if_iwnreg.h
===
RCS file: /cvs/src/sys/dev/pci/if_iwnreg.h,v
retrieving revision 1.52
diff -u -p -r1.52 if_iwnreg.h
--- 

Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Alexey Suslikov
Theo de Raadt  cvs.openbsd.org> writes:

> 
> Most of these bug reports completely stink.
> 
> ALWAYS include *ALL* information in a report.

In an idealistic world, yes.

Above are not parts of the "chain", but different statements of the
same bug. To have both blue screen and ddb, I need to keep kvm console
running in a browser for undefined period of time (crash can occur twice
per day, or once per 2 months), which isn't as easy as it seems.

But sure I'll try to fill more complete report.



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Theo de Raadt
Most of these bug reports completely stink.

ALWAYS include *ALL* information in a report.

If you are told your report is missing information, write a completely
fresh report that includes ALL INFORMATION.  Don't reply in a series
of emails adding more and more information.  People who submit reports
which are missing information should feel terrible.

People in this project are not being paid to reconstruct sloppy email
chains of partial information.

It is a simple request, and we need to be firm.

> On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote:
> > Hi tech@.
> > 
> > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2).
>  
> ;-)
> 
> > Crashing server acts as a carp backup (master has same hardware config but
> > don't crash, in contrast to backup). Will post additional information if
> > necessary.
> 
> In my case, the server is acting as a backup for 2 carp devices and also
> as a master for 2 other carp devices.
> But indeed, it is always the same node (part of a 2 nodes setup) that is
> crashing.  This node just crached again a few minutes ago. It seems
> upgrading it to 5.9 makes the bug more frequent. So I am keeping the
> other node with «OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24
> 20:16:36 MST 2015» for now.
> 
> 
> Here is frech output:
> 
> ddb{2}> trace
> Debugger() at Debugger+0x9
> panic() at panic+0xfe
> pool_runqueue() at pool_runqueue
> pool_get() at pool_get+0xb5
> m_clget() at m_clget+0x51
> m_dup_pkt() at m_dup_pkt+0x88
> carp_input() at carp_input+0x17c
> if_input_process() at if_input_process+0xcd
> taskq_thread() at taskq_thread+0x6c
> end trace frame: 0x0, count: -9
> ddb{2}> show panic
> pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item
> addr 0xfff
> fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4
> ddb{2}> show register
> rdi  0x1
> rsi0x292
> rbp   0x800022519b50
> rbx   0x817195a0systqmp+0x1860
> rdx0
> rcx   0x8004f000
> rax  0x1
> r80x800022519a70
> r9 0
> r10   0x800022519a20
> r11  0x8
> r120x100
> r13   0x800022519b60
> r14  0x2
> r15  0x2
> rip   0x81349a09Debugger+0x9
> cs   0x8
> rflags 0x282
> rsp   0x800022519b40
> ss  0x10
> Debugger+0x9:   leave
> ddb{2}>
> 
> 
> --
> oc
> 



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Alexey Suslikov
Stuart Henderson  spacehopper.org> writes:

> There should be some lines printed before you get dumped into DDB
> (probably a uvm_fault), the information in them is important.

I either have a screenshot, or ddb. Not both at the same time.

Here is one of screenshots from 5.9 transcribed:

uvm_fault(0x81940240, 0x10, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 811a5c3e cs 8 rflags 10206 cr 2 10 cpl 
a rsp 800022171e20
panic: trap type 6, code=0, pc=811a5c3e
Starting stack trace...
panic() at panic+0x10b
trap() at trap+0x7b8
--- trap (number 6) ---
pool_p_free() at pool_p_free+0x7e
pool_gc_pages() at pool_gc_pages+0xe4
taskq_thread() at taskq_thread+0x6c
end trace frame: 0x0, count: 252
End of stack trace.
syncing disks... 5 done



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Alexey Suslikov
Another one from my collection.

Apr 16:

ddb{0}> show panic
the kernel did not panic

ddb{0}> trace
pool_do_get() at pool_do_get+0x90
pool_get() at pool_get+0xb5
m_get() at m_get+0x28
sbappendaddr() at sbappendaddr+0x9a
uipc_usrreq() at uipc_usrreq+0x3b8
sosend() at sosend+0x3d8
dosendsyslog() at dosendsyslog+0x110
sys_sendsyslog2() at sys_sendsyslog2+0xbd
syscall() at syscall+0x368
--- syscall (number 112) ---
end of kernel
end trace frame: 0x183f8dab6913, count: -9
0x1842755e571a:

ddb{0}> show registers
rdi  0x7
rsi   0x9ff5c49ed229ae92
rbp   0x8000222f5b00
rbx   0xff022d80d6d0
rdx   0x8000222f5b64
rcx   0x818c76e0cpu_info_primary
rax   0x7293fa06e984af44
r8 0
r9   0x1
r10   0x811c7c00uipc_usrreq
r11   0x81344be0copy_fault
r12   0x8194c000mbpool
r13   0xff40b152a900
r14  0x2
r15   0x818b4570sun_noname
rip   0x811a5340pool_do_get+0x90
cs   0x8
rflags   0x10282__ALIGN_SIZE+0xf282
rsp   0x8000222f5ab0
ss  0x10
pool_do_get+0x90:   movq0(%r13),%rdi



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Stuart Henderson
On 2016/04/27 13:54, Alexey Suslikov wrote:
> Another one from my collection.
> 
> Apr 16:
> 
> ddb{0}> show panic
> the kernel did not panic

There should be some lines printed before you get dumped into DDB
(probably a uvm_fault), the information in them is important.


> ddb{0}> trace
> pool_do_get() at pool_do_get+0x90
> pool_get() at pool_get+0xb5
> m_get() at m_get+0x28
> sbappendaddr() at sbappendaddr+0x9a
> uipc_usrreq() at uipc_usrreq+0x3b8
> sosend() at sosend+0x3d8
> dosendsyslog() at dosendsyslog+0x110
> sys_sendsyslog2() at sys_sendsyslog2+0xbd
> syscall() at syscall+0x368
> --- syscall (number 112) ---
> end of kernel
> end trace frame: 0x183f8dab6913, count: -9
> 0x1842755e571a:
> 
> ddb{0}> show registers
> rdi  0x7
> rsi   0x9ff5c49ed229ae92
> rbp   0x8000222f5b00
> rbx   0xff022d80d6d0
> rdx   0x8000222f5b64
> rcx   0x818c76e0cpu_info_primary
> rax   0x7293fa06e984af44
> r8 0
> r9   0x1
> r10   0x811c7c00uipc_usrreq
> r11   0x81344be0copy_fault
> r12   0x8194c000mbpool
> r13   0xff40b152a900
> r14  0x2
> r15   0x818b4570sun_noname
> rip   0x811a5340pool_do_get+0x90
> cs   0x8
> rflags   0x10282__ALIGN_SIZE+0xf282
> rsp   0x8000222f5ab0
> ss  0x10
> pool_do_get+0x90:   movq0(%r13),%rdi
> 



Re: sshd_config(5) : mention CIDR addressing for AllowUsers and DenyUsers

2016-04-27 Thread Jason McIntyre
On Sun, Mar 13, 2016 at 09:26:55AM +0200, Lars Noodén wrote:
> It looks like sshd(8) has permitted for a while both AllowUsers and
> DenyUsers in sshd_config(5) to use addresses in CIDR address/masklen
> format.  If so, it would be useful to mention in the manual page.
> 
> /Lars
> 

fixed, thanks.
jmc

> Index: sshd_config.5
> ===
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.220
> diff -u -p -u -p -r1.220 sshd_config.5
> --- sshd_config.5   17 Feb 2016 08:57:34 -  1.220
> +++ sshd_config.5   13 Mar 2016 07:10:27 -
> @@ -173,6 +173,8 @@ By default, login is allowed for all use
>  If the pattern takes the form USER@HOST then USER and HOST
>  are separately checked, restricting logins to particular
>  users from particular hosts.
> +HOST criteria may additionally contain addresses to match in CIDR
> +address/masklen format.
>  The allow/deny directives are processed in the following order:
>  .Cm DenyUsers ,
>  .Cm AllowUsers ,
> @@ -561,6 +563,8 @@ By default, login is allowed for all use
>  If the pattern takes the form USER@HOST then USER and HOST
>  are separately checked, restricting logins to particular
>  users from particular hosts.
> +HOST criteria may additionally contain addresses to match in CIDR
> +address/masklen format.
>  The allow/deny directives are processed in the following order:
>  .Cm DenyUsers ,
>  .Cm AllowUsers ,
> 



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Bob Beck



On Wed, Apr 27, 2016 at 02:57:31PM +0200, Olivier Cherrier wrote:
> On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote:
> > Hi tech@.
> > 
> > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2).
>  
> ;-)
> 
> > Crashing server acts as a carp backup (master has same hardware config but
> > don't crash, in contrast to backup). Will post additional information if
> > necessary.
> 
> In my case, the server is acting as a backup for 2 carp devices and also
> as a master for 2 other carp devices.
> But indeed, it is always the same node (part of a 2 nodes setup) that is
> crashing.  This node just crached again a few minutes ago. It seems
> upgrading it to 5.9 makes the bug more frequent. So I am keeping the
> other node with «OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24
> 20:16:36 MST 2015» for now.
> 
> 
> Here is frech output:
> 
> ddb{2}> trace
> Debugger() at Debugger+0x9
> panic() at panic+0xfe

show panic please

> pool_runqueue() at pool_runqueue
> pool_get() at pool_get+0xb5
> m_clget() at m_clget+0x51
> m_dup_pkt() at m_dup_pkt+0x88
> carp_input() at carp_input+0x17c
> if_input_process() at if_input_process+0xcd
> taskq_thread() at taskq_thread+0x6c
> end trace frame: 0x0, count: -9
> ddb{2}> show panic
> pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item
> addr 0xfff
> fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4
> ddb{2}> show register
> rdi  0x1
> rsi0x292
> rbp   0x800022519b50
> rbx   0x817195a0systqmp+0x1860
> rdx0
> rcx   0x8004f000
> rax  0x1
> r80x800022519a70
> r9 0
> r10   0x800022519a20
> r11  0x8
> r120x100
> r13   0x800022519b60
> r14  0x2
> r15  0x2
> rip   0x81349a09Debugger+0x9
> cs   0x8
> rflags 0x282
> rsp   0x800022519b40
> ss  0x10
> Debugger+0x9:   leave
> ddb{2}>
> 
> 
> --
> oc
> 



Re: netstat -W counters for 11n

2016-04-27 Thread Sebastian Benoit
ok benno@

Stefan Sperling(s...@stsp.name) on 2016.04.27 13:36:51 +0200:
> I'd like to add some 802.11n-related counters to netstat -W output.
> 
> The first diff below is for the kernel, the second for netstat.
> 
> ok?
> 
> Index: ieee80211_input.c
> ===
> RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v
> retrieving revision 1.171
> diff -u -p -r1.171 ieee80211_input.c
> --- ieee80211_input.c 15 Apr 2016 03:04:27 -  1.171
> +++ ieee80211_input.c 27 Apr 2016 11:30:08 -
> @@ -707,7 +707,7 @@ ieee80211_input_ba(struct ieee80211com *
>   timeout_add_usec(>ba_to, ba->ba_timeout_val);
>  
>   if (SEQ_LT(sn, ba->ba_winstart)) {  /* SN < WinStartB */
> - ic->ic_stats.is_rx_dup++;
> + ic->ic_stats.is_ht_rx_frame_below_ba_winstart++;
>   m_freem(m); /* discard the MPDU */
>   return;
>   }
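Review bot: Frames whose sequence number is below the window start are no longer added to `is_rx_dup`, only to the new `is_ht_rx_frame_below_ba_winstart`, which changes the meaning of an existing counter for anything that already reads it. If that is intended, it deserves a comment on the increment, for instance `/* below-window frames are tracked apart from is_rx_dup */`, and a mention in the commit message. ieee80211_input_ba continues outside the hunk.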
> @@ -730,6 +730,7 @@ ieee80211_input_ba(struct ieee80211com *
>   "%d, expecting %d:%d\n", __func__,
>   sn, ba->ba_winstart, ba->ba_winend);
>  #endif
> + ic->ic_stats.is_ht_rx_frame_above_ba_winend++;
>   if (count > ba->ba_winsize) {
>   if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 
>   if (ba->ba_missedsn == sn - 1)
> @@ -743,6 +744,7 @@ ieee80211_input_ba(struct ieee80211com *
>   }
>  
>   /* It appears the window has moved for real. */
> + ic->ic_stats.is_ht_rx_ba_window_jump++;
>   ba->ba_winmiss = 0;
>   ba->ba_missedsn = 0;
>  
> @@ -754,7 +756,8 @@ ieee80211_input_ba(struct ieee80211com *
>   ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m,
>   ni, >ba_buf[ba->ba_head].rxi);
>   ba->ba_buf[ba->ba_head].m = NULL;
> - }
> + } else
> + ic->ic_stats.is_ht_rx_ba_frame_lost++;
>   ba->ba_head = (ba->ba_head + 1) %
>   IEEE80211_BA_MAX_WINSZ;
>   }
> @@ -769,6 +772,7 @@ ieee80211_input_ba(struct ieee80211com *
>   /* store the received MPDU in the buffer */
>   if (ba->ba_buf[idx].m != NULL) {
>   ifp->if_ierrors++;
> + ic->ic_stats.is_ht_rx_ba_no_buf++;
>   m_freem(m);
>   return;
>   }
> @@ -820,6 +824,8 @@ ieee80211_input_ba_gap_timeout(void *arg
>   struct ieee80211com *ic = ni->ni_ic;
>   int s, skipped;
>  
> + ic->ic_stats.is_ht_rx_ba_window_gap_timeout++;
> +
>   s = splnet();
>  
>   skipped = 0;
> @@ -828,6 +834,7 @@ ieee80211_input_ba_gap_timeout(void *arg
>   ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
>   ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
>   skipped++;
> + ic->ic_stats.is_ht_rx_ba_frame_lost++;
>   }
>   if (skipped > 0)
>   ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
> @@ -861,7 +868,8 @@ ieee80211_ba_move_window(struct ieee8021
>   ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni,
>   >ba_buf[ba->ba_head].rxi);
>   ba->ba_buf[ba->ba_head].m = NULL;
> - }
> + } else
> + ic->ic_stats.is_ht_rx_ba_frame_lost++;
>   ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
>   }
>   /* move window forward */
> @@ -1580,6 +1588,7 @@ ieee80211_recv_probe_resp(struct ieee802
>   DPRINTF(("[%s] htprot change: was %d, now %d\n",
>   ether_sprintf((u_int8_t *)wh->i_addr2),
>   htprot_last, htprot));
> + ic->ic_stats.is_ht_prot_change++;
>   ic->ic_bss->ni_htop1 = ni->ni_htop1;
>   ic->ic_update_htprot(ic, ic->ic_bss);
>   }
> @@ -2491,6 +2500,7 @@ ieee80211_recv_addba_req(struct ieee8021
>   goto resp;
>   }
>   ba->ba_state = IEEE80211_BA_AGREED;
> + ic->ic_stats.is_ht_rx_ba_agreements++;
>   /* start Block Ack inactivity timer */
>   if (ba->ba_timeout_val != 0)
>   timeout_add_usec(>ba_to, ba->ba_timeout_val);
> @@ -2561,6 +2571,7 @@ ieee80211_recv_addba_resp(struct ieee802
>   }
>   /* MLME-ADDBA.confirm(Success) */
>   ba->ba_state = IEEE80211_BA_AGREED;
> + ic->ic_stats.is_ht_tx_ba_agreements++;
>  
>   /* notify drivers of this new Block Ack agreement */
>   if (ic->ic_ampdu_tx_start != NULL)
> Index: ieee80211_ioctl.h
> ===
> RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v
> 

Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Olivier Cherrier
On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote:
> Hi tech@.
> 
> (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2).
 
;-)

> Crashing server acts as a carp backup (master has same hardware config but
> don't crash, in contrast to backup). Will post additional information if
> necessary.

In my case, the server is acting as a backup for 2 carp devices and also
as a master for 2 other carp devices.
But indeed, it is always the same node (part of a 2 nodes setup) that is
crashing.  This node just crashed again a few minutes ago. It seems
upgrading it to 5.9 makes the bug more frequent. So I am keeping the
other node with «OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24
20:16:36 MST 2015» for now.


Here is frech output:

ddb{2}> trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
pool_runqueue() at pool_runqueue
pool_get() at pool_get+0xb5
m_clget() at m_clget+0x51
m_dup_pkt() at m_dup_pkt+0x88
carp_input() at carp_input+0x17c
if_input_process() at if_input_process+0xcd
taskq_thread() at taskq_thread+0x6c
end trace frame: 0x0, count: -9
ddb{2}> show panic
pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item
addr 0xfff
fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4
ddb{2}> show register
rdi  0x1
rsi0x292
rbp   0x800022519b50
rbx   0x817195a0systqmp+0x1860
rdx0
rcx   0x8004f000
rax  0x1
r80x800022519a70
r9 0
r10   0x800022519a20
r11  0x8
r120x100
r13   0x800022519b60
r14  0x2
r15  0x2
rip   0x81349a09Debugger+0x9
cs   0x8
rflags 0x282
rsp   0x800022519b40
ss  0x10
Debugger+0x9:   leave
ddb{2}>


--
oc



httpd: httpd.conf(5): text/plain for .txt

2016-04-27 Thread Hiltjo Posthuma
Hi,

For text content the response HTTP header "Content-Type: text/plain" is
commonly used. This patch changes it in the httpd.conf(5) documentation:

Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.71
diff -u -p -r1.71 httpd.conf.5
--- httpd.conf.524 Apr 2016 21:06:53 -  1.71
+++ httpd.conf.527 Apr 2016 13:09:37 -
@@ -594,7 +594,7 @@ server "default" {
 types {
text/csscss
text/html   html htm
-   text/txttxt
+   text/plain  txt
image/gif   gif
image/jpeg  jpeg jpg
image/png   png

-- 
Kind regards,
Hiltjo



show HT MCS for 11n APs in ifconfig scan

2016-04-27 Thread Stefan Sperling
Copy out some 11n information to net80211 ioctl node records.
Use a subset of this info to display the highest AP Rx rate during scan.

Since 11n implies support for 11a/b/g rates up to 54Mbit/s, we
only show a legacy rate if the AP doesn't support 11n.

In theory, 11n rate support is not symmetric, i.e. the max Tx rate can differ
from the max Rx rate. I'd like to keep things simple for now and just show Rx.
Rx is more straightforward to parse and, in practice, asymmetric rate support
is rare.

Note that converting an MCS index to Mbit/s is non-trivial since the actual
rate depends on several feature toggles (short guard, wide channels, etc.).
Some of these toggles can change at run time so it's impossible to make a
good guess in advance. If you really want to know the max Mbit/s value for
a given MCS index, go to mcsindex.com. But that won't tell you the actual
run-time throughput.

Kernel and ifconfig diffs follow. ok?

Index: ieee80211_ioctl.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.c,v
retrieving revision 1.40
diff -u -p -r1.40 ieee80211_ioctl.c
--- ieee80211_ioctl.c   4 Jan 2016 12:28:46 -   1.40
+++ ieee80211_ioctl.c   27 Apr 2016 11:52:23 -
@@ -106,6 +106,12 @@ ieee80211_node2req(struct ieee80211com *
nr->nr_flags |= IEEE80211_NODEREQ_AP;
if (ni == ic->ic_bss)
nr->nr_flags |= IEEE80211_NODEREQ_AP_BSS;
+
+   /* HT */
+   nr->nr_htcaps = ni->ni_htcaps;
+   memcpy(nr->nr_rxmcs, ni->ni_rxmcs, sizeof(nr->nr_rxmcs));
+   nr->nr_max_rxrate = ni->ni_max_rxrate;
+   nr->nr_tx_mcs_set = ni->ni_tx_mcs_set;
 }
 
 void
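Review bot: The `memcpy` into `nr->nr_rxmcs` is sized by the destination only, so it is correct just as long as `ni->ni_rxmcs` is at least that large; the declaration of the node structure is not part of this diff. A compile-time size check next to the copy would keep a later change to either array from turning this into an over-read of kernel memory that ends up in an ioctl node record. The enclosing function ieee80211_node2req starts outside the hunk.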
Index: ieee80211_ioctl.h
===
RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v
retrieving revision 1.24
diff -u -p -r1.24 ieee80211_ioctl.h
--- ieee80211_ioctl.h   27 Apr 2016 11:58:10 -  1.24
+++ ieee80211_ioctl.h   27 Apr 2016 12:39:01 -
@@ -332,6 +332,12 @@ struct ieee80211_nodereq {
 
/* Node flags */
u_int8_tnr_flags;
+
+   /* HT */
+   uint16_tnr_htcaps;
+   uint8_t nr_rxmcs[howmany(80,NBBY)];
+   uint16_tnr_max_rxrate;  /* in Mb/s, 0 <= rate <= 1023 */
+   uint8_t nr_tx_mcs_set;
 };
 
 #define IEEE80211_NODEREQ_STATE(_s)(1 << _s)
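Review bot: The new members follow a `u_int8_t` and end with a `uint8_t`, so the compiler will most likely insert padding bytes before `nr_htcaps` and at the end of the struct. Whether the ioctl path zeroes the whole record before ieee80211_node2req fills it is not visible here; if it does not, those bytes carry stale kernel memory to userland. The change also alters the size of the record exchanged through the ioctl, so kernel and ifconfig have to be updated together, which deserves a comment such as `/* HT: appended fields change sizeof(struct ieee80211_nodereq) */`. The block mixes `u_int8_t` and `uint8_t` spellings, and the literal `80` in `howmany(80,NBBY)` would read better as a named constant.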




Index: ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.320
diff -u -p -r1.320 ifconfig.c
--- ifconfig.c  18 Apr 2016 06:20:23 -  1.320
+++ ifconfig.c  27 Apr 2016 12:14:02 -
@@ -63,6 +63,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -2283,7 +2284,7 @@ ieee80211_listnodes(void)
 void
 ieee80211_printnode(struct ieee80211_nodereq *nr)
 {
-   int len;
+   int len, i;
 
if (nr->nr_flags & IEEE80211_NODEREQ_AP ||
nr->nr_capinfo & IEEE80211_CAPINFO_IBSS) {
@@ -2311,8 +2312,15 @@ ieee80211_printnode(struct ieee80211_nod
 
if (nr->nr_pwrsave)
printf("powersave ");
-   if (nr->nr_nrates) {
-   /* Only print the fastest rate */
+   /* Only print the fastest rate */
+   if (nr->nr_max_rxrate) {
+   printf("%uM HT ", nr->nr_max_rxrate);
+   } else if (nr->nr_rxmcs[0] != 0) {
+   for (i = IEEE80211_HT_NUM_MCS - 1; i >= 0; i--)
+   if (isset(nr->nr_rxmcs, i))
+   break;
+   printf("HT-MCS%d ", i);
+   } else if (nr->nr_nrates) {
printf("%uM",
(nr->nr_rates[nr->nr_nrates - 1] & IEEE80211_RATE_VAL) / 2);
putchar(' ');
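Review bot: The `for` loop in the `HT-MCS` branch can only finish with `i >= 0` because the branch is entered when `nr->nr_rxmcs[0] != 0`, and that dependency is not stated anywhere. A comment such as `/* nr_rxmcs[0] != 0 guarantees a set bit in MCS 0-7, so i >= 0 here */` would keep a later edit of the condition from printing `HT-MCS-1`. The loop also tests bits up to `IEEE80211_HT_NUM_MCS - 1` while the array is declared with `howmany(80,NBBY)` in ieee80211_ioctl.h, so the two bounds should be tied to one constant or checked at compile time. The function body continues outside the hunk.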



httpd: fix/style: unbalanced va_start and va_end macros

2016-04-27 Thread Hiltjo Posthuma
Hi,

The following patch for httpd fixes unbalanced va_start() and va_end() macros.
This is in style with the rest of httpd. Also POSIX says:

"Each invocation of the va_start() and va_copy() macros shall be matched by a
corresponding invocation of the va_end() macro in the same function."

http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/stdarg.h.html


Index: httpd.c
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
retrieving revision 1.54
diff -u -p -r1.54 httpd.c
--- httpd.c 2 Feb 2016 17:51:11 -   1.54
+++ httpd.c 27 Apr 2016 12:00:43 -
@@ -1000,11 +1000,13 @@ kv_set(struct kv *kv, char *fmt, ...)
va_list   ap;
char*value = NULL;
struct kv   *ckv;
+   int ret;
 
va_start(ap, fmt);
-   if (vasprintf(, fmt, ap) == -1)
-   return (-1);
+   ret = vasprintf(, fmt, ap);
va_end(ap);
+   if (ret == -1)
+   return (-1);
 
/* Remove all children */
while ((ckv = TAILQ_FIRST(>kv_children)) != NULL) {
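Review bot: kv_set() and kv_setkey() (next hunk) hand `fmt` straight to vasprintf(), and nothing visible here tells the compiler that they are printf-like. If the prototypes in the header do not already carry it, adding `__attribute__((__format__ (printf, 2, 3)))` lets the compiler flag callers that pass a non-literal or mismatched format string, which matters if any caller builds the value from request data. Both function bodies continue outside their hunks.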
@@ -1025,11 +1027,13 @@ kv_setkey(struct kv *kv, char *fmt, ...)
 {
va_list  ap;
char*key = NULL;
+   int ret;
 
va_start(ap, fmt);
-   if (vasprintf(, fmt, ap) == -1)
-   return (-1);
+   ret = vasprintf(, fmt, ap);
va_end(ap);
+   if (ret == -1)
+   return (-1);
 
free(kv->kv_key);
kv->kv_key = key;

---
Kind regards,
Hiltjo



httpd: patch for portability asprintf use

2016-04-27 Thread Hiltjo Posthuma
Hi,

The following patch for httpd makes sure the value of the asprintf buffer is
zeroed on error and not relied upon, so at the 'done' label free(body) and
free(hstsheader) is safe.

from asprintf(3):

"The asprintf() and vasprintf() functions return the number of 
characters
that were output to the newly allocated string (excluding the '\0').
A pointer to the newly allocated string is returned in ret; it
should be passed to free(3) to release the allocated storage when it is
no longer needed.  If sufficient space cannot be allocated, these
functions will return -1. >>The value of ret in this situation is
implementation-dependent (on OpenBSD, ret will be set to the null
pointer, but this behavior should not be relied upon)."<<


Index: server_http.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.106
diff -u -p -r1.106 server_http.c
--- server_http.c   8 Mar 2016 09:33:15 -   1.106
+++ server_http.c   27 Apr 2016 12:01:00 -
@@ -826,8 +826,10 @@ server_abort_http(struct client *clt, un
"\n%s\n"
"\n"
"\n",
-   code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1)
+   code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) {
+   body = NULL;
goto done;
+   }
 
if (srv_conf->flags & SRVFLAG_SERVER_HSTS) {
if (asprintf(, "Strict-Transport-Security: "
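Review bot: Resetting `body` here and `hstsheader` in the next hunk makes the `done` label safe only if both pointers are also NULL on every earlier path to `done`; their declarations are outside the hunk, so it is worth confirming they are initialised with `= NULL`. A short comment at each reset, e.g. `/* asprintf(3) leaves the pointer unspecified on failure */`, would stop the assignment from being removed later as redundant. server_abort_http starts before and continues after both hunks.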
@@ -835,8 +837,10 @@ server_abort_http(struct client *clt, un
srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ?
"; includeSubDomains" : "",
srv_conf->hsts_flags & HSTSFLAG_PRELOAD ?
-   "; preload" : "") == -1)
+   "; preload" : "") == -1) {
+   hstsheader = NULL;
goto done;
+   }
}
 
/* Add basic HTTP headers */

--

Kind regards,
Hiltjo



Re: pool related crashes, but "kernel did no panic"

2016-04-27 Thread Martin Pieuchot
On 27/04/16(Wed) 09:13, Alexey Suslikov wrote:
> Hi tech@.
> 
> (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2).

Maybe, maybe not.  Please keep sending your bug reports to bugs@ with all
the required information.



netstat -W counters for 11n

2016-04-27 Thread Stefan Sperling
I'd like to add some 802.11n-related counters to netstat -W output.

The first diff below is for the kernel, the second for netstat.

ok?

Index: ieee80211_input.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v
retrieving revision 1.171
diff -u -p -r1.171 ieee80211_input.c
--- ieee80211_input.c   15 Apr 2016 03:04:27 -  1.171
+++ ieee80211_input.c   27 Apr 2016 11:30:08 -
@@ -707,7 +707,7 @@ ieee80211_input_ba(struct ieee80211com *
timeout_add_usec(>ba_to, ba->ba_timeout_val);
 
if (SEQ_LT(sn, ba->ba_winstart)) {  /* SN < WinStartB */
-   ic->ic_stats.is_rx_dup++;
+   ic->ic_stats.is_ht_rx_frame_below_ba_winstart++;
m_freem(m); /* discard the MPDU */
return;
}
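Review bot: Frames with a sequence number below the window start stop being counted in `is_rx_dup` at this line, so anyone watching the duplicate counter will see it drop after this change without any matching change on the air. Either increment both counters, or note the move where `is_ht_rx_frame_below_ba_winstart` is declared, e.g. `/* previously accounted in is_rx_dup */`. The enclosing function ieee80211_input_ba extends beyond the hunk.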
@@ -730,6 +730,7 @@ ieee80211_input_ba(struct ieee80211com *
"%d, expecting %d:%d\n", __func__,
sn, ba->ba_winstart, ba->ba_winend);
 #endif
+   ic->ic_stats.is_ht_rx_frame_above_ba_winend++;
if (count > ba->ba_winsize) {
if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { 
if (ba->ba_missedsn == sn - 1)
@@ -743,6 +744,7 @@ ieee80211_input_ba(struct ieee80211com *
}
 
/* It appears the window has moved for real. */
+   ic->ic_stats.is_ht_rx_ba_window_jump++;
ba->ba_winmiss = 0;
ba->ba_missedsn = 0;
 
@@ -754,7 +756,8 @@ ieee80211_input_ba(struct ieee80211com *
ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m,
ni, >ba_buf[ba->ba_head].rxi);
ba->ba_buf[ba->ba_head].m = NULL;
-   }
+   } else
+   ic->ic_stats.is_ht_rx_ba_frame_lost++;
ba->ba_head = (ba->ba_head + 1) %
IEEE80211_BA_MAX_WINSZ;
}
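Review bot: The added `} else` pairs a braced `if` body with an unbraced `else` body, here and again in ieee80211_ba_move_window (the hunk at -861). Bracing both arms, `} else {` followed by `ic->ic_stats.is_ht_rx_ba_frame_lost++;` and a closing `}`, keeps a later second statement from silently landing outside the `else`. Both loops start outside their hunks.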
@@ -769,6 +772,7 @@ ieee80211_input_ba(struct ieee80211com *
/* store the received MPDU in the buffer */
if (ba->ba_buf[idx].m != NULL) {
ifp->if_ierrors++;
+   ic->ic_stats.is_ht_rx_ba_no_buf++;
m_freem(m);
return;
}
@@ -820,6 +824,8 @@ ieee80211_input_ba_gap_timeout(void *arg
struct ieee80211com *ic = ni->ni_ic;
int s, skipped;
 
+   ic->ic_stats.is_ht_rx_ba_window_gap_timeout++;
+
s = splnet();
 
skipped = 0;
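Review bot: `is_ht_rx_ba_window_gap_timeout` is incremented before `s = splnet()`, while the `is_ht_rx_ba_frame_lost` increment added a few lines further down in the same function sits inside the splnet section. Moving the first increment to just after `s = splnet();` keeps every `ic_stats` update in this function under the same protection and costs nothing. The function body continues outside the hunk.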
@@ -828,6 +834,7 @@ ieee80211_input_ba_gap_timeout(void *arg
ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff;
skipped++;
+   ic->ic_stats.is_ht_rx_ba_frame_lost++;
}
if (skipped > 0)
ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff;
@@ -861,7 +868,8 @@ ieee80211_ba_move_window(struct ieee8021
ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni,
>ba_buf[ba->ba_head].rxi);
ba->ba_buf[ba->ba_head].m = NULL;
-   }
+   } else
+   ic->ic_stats.is_ht_rx_ba_frame_lost++;
ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ;
}
/* move window forward */
@@ -1580,6 +1588,7 @@ ieee80211_recv_probe_resp(struct ieee802
DPRINTF(("[%s] htprot change: was %d, now %d\n",
ether_sprintf((u_int8_t *)wh->i_addr2),
htprot_last, htprot));
+   ic->ic_stats.is_ht_prot_change++;
ic->ic_bss->ni_htop1 = ni->ni_htop1;
ic->ic_update_htprot(ic, ic->ic_bss);
}
@@ -2491,6 +2500,7 @@ ieee80211_recv_addba_req(struct ieee8021
goto resp;
}
ba->ba_state = IEEE80211_BA_AGREED;
+   ic->ic_stats.is_ht_rx_ba_agreements++;
/* start Block Ack inactivity timer */
if (ba->ba_timeout_val != 0)
timeout_add_usec(>ba_to, ba->ba_timeout_val);
@@ -2561,6 +2571,7 @@ ieee80211_recv_addba_resp(struct ieee802
}
/* MLME-ADDBA.confirm(Success) */
ba->ba_state = IEEE80211_BA_AGREED;
+   ic->ic_stats.is_ht_tx_ba_agreements++;
 
/* notify drivers of this new Block Ack agreement */
if (ic->ic_ampdu_tx_start != NULL)
Index: ieee80211_ioctl.h
===
RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v
retrieving revision 1.23
diff -u -p -r1.23 ieee80211_ioctl.h
--- ieee80211_ioctl.h   12 Jan 2016 09:28:09 -  1.23
+++ ieee80211_ioctl.h   27 

Re: AMRR improvements for rt2860

2016-04-27 Thread Stefan Sperling
On Sun, Apr 24, 2016 at 08:47:46AM +0200, Stefan Sperling wrote:
> On Sun, Apr 24, 2016 at 01:25:31PM +0800, Nathanael Rensen wrote:
> > The diff below also introduces dedicated timers for AMRR and for scan
> > instead of using the RT2860 GP interrupt, which also improves consistency
> > with the way other drivers manage AMRR.
> 
> Can you please split your diff into separate submissions, one per topic?
> That would make review and testing a lot easier.

This version includes a minor tweak: when the AP goes down, we don't
need to send disassoc frames to nodes in COLLECT state.

Index: ieee80211_node.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
retrieving revision 1.101
diff -u -p -r1.101 ieee80211_node.c
--- ieee80211_node.c12 Apr 2016 14:33:27 -  1.101
+++ ieee80211_node.c24 Apr 2016 07:11:38 -
@@ -1699,8 +1699,6 @@ ieee80211_node_leave(struct ieee80211com
if (ic->ic_node_leave != NULL)
(*ic->ic_node_leave)(ic, ni);
 
-   IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap);
-   ni->ni_associd = 0;
ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT);
 
 #if NBRIDGE > 0
Index: ieee80211_proto.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_proto.c,v
retrieving revision 1.65
diff -u -p -r1.65 ieee80211_proto.c
--- ieee80211_proto.c   12 Apr 2016 14:33:27 -  1.65
+++ ieee80211_proto.c   24 Apr 2016 07:13:09 -
@@ -840,7 +840,9 @@ ieee80211_newstate(struct ieee80211com *
case IEEE80211_M_HOSTAP:
s = splnet();
RB_FOREACH(ni, ieee80211_tree, >ic_tree) {
-   if (ni->ni_associd == 0)
+   if (ni->ni_associd == 0 ||
+   ni->ni_state ==
+   IEEE80211_STA_COLLECT)
continue;
IEEE80211_SEND_MGMT(ic, ni,
IEEE80211_FC0_SUBTYPE_DISASSOC,
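Review bot: The added `ni_state == IEEE80211_STA_COLLECT` test is needed only because the ieee80211_node.c hunk in this same diff stops clearing `ni_associd` in ieee80211_node_leave, and nothing in the visible lines shows where the AID bit is released instead. If no other path calls `IEEE80211_AID_CLR` for a node in COLLECT state, each departed station keeps its association ID and the bitmap can fill up, after which new stations could not associate. A comment here such as `/* nodes in COLLECT state keep ni_associd but are no longer associated */`, plus a pointer to the place that frees the AID, would make the invariant checkable. The statement continues past the end of the hunk.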



pool related crashes, but "kernel did no panic"

2016-04-27 Thread Alexey Suslikov
Hi tech@.

(Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2).

Crashing server acts as a carp backup (master has same hardware config but
don't crash, in contrast to backup). Will post additional information if
necessary.

There's a collection of crashes (including pre 5.9) but see below for most
recent ones.

Any advice to track down the issue?

Thanks,
Alexey


OpenBSD 5.9-stable (GENERIC.MP) #0: Sun Mar 27 16:03:33 EEST 2016
***@***:/usr/src/sys/arch/amd64/compile/GENERIC.MP


Apr 15:

ddb{2}> show panic
the kernel did not panic

ddb{2}> trace
pool_do_get() at pool_do_get+0x90
pool_get() at pool_get+0xb5
ffs_vget() at ffs_vget+0xa7
ufs_lookup() at ufs_lookup+0x36f
VOP_LOOKUP() at VOP_LOOKUP+0x39
vfs_lookup() at vfs_lookup+0x277
namei() at namei+0x24c
dofstatat() at dofstatat+0x94
syscall() at syscall+0x368
--- syscall (number 40) ---
end of kernel
end trace frame: 0x45ea97030a0, count: -9
0x45e29dc70fa:

ddb{2}> show registers
rdi   0x
rsi   0x957581e21a424e5c
rbp   0x8000224a2a10
rbx   0xff02290e7810
rdx   0x8000224a2a74
rcx   0x80067000
rax   0x5abd427fd20d77f3
r8  0x30
r9 0
r100
r11   0x8000224a2a10
r12   0x819694c0ffs_ino_pool
r13   0xff122c4b0968
r14  0x9
r150x407
rip   0x811a5340pool_do_get+0x90
cs   0x8
rflags   0x10286__ALIGN_SIZE+0xf286
rsp   0x8000224a29c0
ss  0x10
pool_do_get+0x90:   movq0(%r13),%rdi


Apr 23:

ddb{2}> show panic
the kernel did not panic

ddb{2}> trace
pool_p_free() at pool_p_free+0x7e
pool_gc_pages() at pool_gc_pages+0xe4
taskq_thread() at taskq_thread+0x6c
end trace frame: 0x0, count: -3

ddb{2}> show registers
rdi   0x8194c000mbpool
rsi   0x60329ee8bc5a0776
rbp   0x800022171e70
rbx   0xff009e7b3300
rdx   0x9fcd61e822213476
rcx   0xddbc8af92f3ff41a
rax 0x10
r8   0x1
r90xff0108eeda00
r10  0x1
r11   0x811a3e70pool_page_free
r12   0xff022d8b7a50
r130
r14   0x8194c000mbpool
r15   0x800022171e30
rip   0x811a5c3epool_p_free+0x7e
cs   0x8
rflags   0x10206__ALIGN_SIZE+0xf206
rsp   0x800022171e20
ss  0x10
pool_p_free+0x7e:   movq0(%rax),%rsi



bpf device nodes

2016-04-27 Thread Martin Natano
Following diff replaces /dev/bpf[0-9] with only /dev/bpf and /dev/bpf0.
The /dev/bpf node is unused for now, but I plan to convert all programs
in base to use it in a future diff. /dev/bpf0 is for compatibility with
existing binaries and is to be removed after a transition period.

install.sub contains a routine to check for an idle bpf device before
invoking dhclient. Due to bpf being a cloning device now, this can be
removed. I included this in the diff below, so the ramdisk only has to
be tested once, not twice.

I'm not asking for OK's yet, but for tests on all platforms. I've done
successful tests of the MAKEDEV bits and the ramdisk on all platforms I
have access to: amd64, i386 and macppc. This leaves alpha, armish,
armv7, hppa, hppa64, landisk, loongson, luna88k, octeon, sgi, socppc,
sparc, sparc64 and zaurus to be tested. If you own one of those
machines, please give the diff a spin and report the results back to me,
so this diff can move forward. (You will need a post-2016/04/14 kernel
for this to work.) Thanks.

natano


Index: distrib/miniroot/install.sub
===
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.893
diff -u -p -r1.893 install.sub
--- distrib/miniroot/install.sub25 Apr 2016 09:55:23 -  1.893
+++ distrib/miniroot/install.sub26 Apr 2016 19:01:13 -
@@ -741,16 +741,6 @@ askpassword() {
 # Support functions for donetconfig()
 # 
--
 
-# Run dhclient, making sure there is a free bpf first.
-dhclient() {
-   local _i=0
-
-   while makedev bpf$_i && ! /dev/null
-   /sbin/dhclient "$@"
-}
-
 # Issue a DHCP request to configure interface $1 and add the host-name option 
to
 # /etc/dhclient.conf using $2.
 dhcp_request() {
Index: etc/MAKEDEV.common
===
RCS file: /cvs/src/etc/MAKEDEV.common,v
retrieving revision 1.86
diff -u -p -r1.86 MAKEDEV.common
--- etc/MAKEDEV.common  25 Apr 2016 20:39:42 -  1.86
+++ etc/MAKEDEV.common  26 Apr 2016 19:01:13 -
@@ -168,6 +168,7 @@ target(all, pppx)dnl
 target(all, fuse)dnl
 target(all, vmm)dnl
 target(all, pvbus, 0)dnl
+target(all, bpf)dnl
 dnl
 _mkdev(all, {-all-}, {-dnl
 show_target(all)dnl
@@ -215,7 +216,7 @@ show_target(ramd)dnl
 -})dnl
 dnl
 target(ramd, std)dnl
-target(ramd, bpf, 0)dnl
+target(ramd, bpf)dnl
 twrget(ramd, com, tty0, 0, 1)dnl
 target(ramd, sd, 0, 1, 2, 3, 4)dnl
 target(ramd, wd, 0, 1, 2, 3, 4)dnl
@@ -446,8 +447,9 @@ __devitem(oppr, openprom,PROM settings,o
 _cdev(oppr, openprom, 70, 0)dnl
 __devitem(pf, pf*, Packet Filter)dnl
 _mkdev(pf, {-pf*-}, {-M pf c major_pf_c 0 600-})dnl
-__devitem(bpf, bpf*, Berkeley Packet Filter)dnl
-_mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl
+__devitem(bpf, bpf, Berkeley Packet Filter)dnl
+_mkdev(bpf, bpf, {-M bpf c major_bpf_c 0 600
+   M bpf0 c major_bpf_c 0 600-})dnl
 _mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl
 _mkdev(tap, {-tap*-}, {-M tap$U c major_tap_c $U 600-}, 600)dnl
 __devitem(speak, speaker, PC speaker,spkr)dnl
Index: etc/etc.alpha/MAKEDEV
===
RCS file: /cvs/src/etc/etc.alpha/MAKEDEV,v
retrieving revision 1.194
diff -u -p -r1.194 MAKEDEV
--- etc/etc.alpha/MAKEDEV   25 Apr 2016 20:38:34 -  1.194
+++ etc/etc.alpha/MAKEDEV   26 Apr 2016 19:01:13 -
@@ -4,7 +4,7 @@
 # generated from:
 #
 #  OpenBSD: etc.alpha/MAKEDEV.md,v 1.66 2016/04/25 20:38:10 tedu Exp 
-#  OpenBSD: MAKEDEV.common,v 1.85 2016/02/05 06:29:45 uebayasi Exp 
+#  OpenBSD: MAKEDEV.common,v 1.86 2016/04/25 20:39:42 tedu Exp 
 #  OpenBSD: MAKEDEV.mi,v 1.82 2016/03/12 17:58:59 espie Exp 
 #  OpenBSD: MAKEDEV.sub,v 1.14 2005/02/07 06:14:18 david Exp 
 #
@@ -68,7 +68,7 @@
 #  audio*  Audio devices
 #  bio ioctl tunnel pseudo-device
 #  bktr*   Video frame grabbers
-#  bpf*Berkeley Packet Filter
+#  bpf Berkeley Packet Filter
 #  diskmap Disk mapper
 #  fd  fd/* nodes
 #  fuseUserland Filesystem
@@ -213,7 +213,7 @@ U=`unt $i`
 
 case $i in
 ramdisk)
-   R std fd0 wd0 wd1 wd2 sd0 sd1 sd2 bpf0
+   R std fd0 wd0 wd1 wd2 sd0 sd1 sd2 bpf
R st0 cd0 ttyC0 rd0 bio diskmap random
;;
 
@@ -320,8 +320,9 @@ diskmap)
M diskmap c 63 0 640 operator
;;
 
-bpf*)
-   M bpf$U c 11 $U 600
+bpf)
+   M bpf c 11 0 600
+   M bpf0 c 11 0 600
;;
 
 bktr*)
@@ -518,12 +519,11 @@ local)
 
 all)
R vnd0 vnd1 vnd2 vnd3 sd0 sd1 sd2 sd3 sd4 sd5 sd6 sd7 sd8 sd9
-   R cd0 cd1 rd0 tap0 tap1 tap2 tap3 tun0 tun1 tun2 tun3 bpf0
-   R bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 pty0 fd1 fd1B
-   R fd1C fd1D fd1E fd1F fd1G fd1H fd0 fd0B fd0C fd0D fd0E fd0F
-   R fd0G fd0H diskmap vscsi0 ch0 bio audio0 audio1 audio2 fuse
-   R