midiplay: Fix out-of-bounds memory access
Fix possible reads past the end of the buffer. Found by random fuzz testing (zzuf). Without the fix the fuzzer crashes in several seconds; with the patch, the fuzzer runs clean for hours.
Index: midiplay.c
===
RCS file: /cvs/src/usr.bin/midiplay/midiplay.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 midiplay.c
--- midiplay.c 8 Feb 2015 23:40:34 - 1.17
+++ midiplay.c 27 Apr 2016 21:45:13 -
@@ -319,6 +319,10 @@ playdata(u_char *buf, u_int tot, char *n
 if (memcmp(p, MARK_TRACK, MARK_LEN) == 0) {
 tracks[t].start = p + MARK_LEN + SIZE_LEN;
 tracks[t].end = tracks[t].start + len;
+ if (tracks[t].end > end) {
+ warnx("Track length exceeds remaining size");
+ goto ret;
+ }
 tracks[t].curtime = getvar([t]);
 t++;
 }
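Review bot: The added check compares `tracks[t].end > end` only after `tracks[t].start + len` has already been computed, so a large file-supplied `len` forms a pointer far past the buffer, which is undefined behaviour and on a 32-bit address space may wrap below `end` and pass the test. Comparing lengths avoids forming the out-of-range pointer: `if (len > (size_t)(end - tracks[t].start)) {`, placed before the `tracks[t].end` assignment. This assumes `tracks[t].start` is already known to lie inside the buffer and that `len` is not bounded earlier; both would be established in the part of playdata() that lies outside this hunk.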
Re: siginfo_t.si_addr should be void*
On 2016-04-27 18:20, Joerg Sonnenberger wrote: This [...snip...] and this disagree? I... am so sorry. You're right of course; I don't know how that patch happened. Correct patch:
diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h
index 814e8f2..1e8365f 100644
--- a/src/sys/sys/siginfo.h
+++ b/src/sys/sys/siginfo.h
@@ -150,7 +150,7 @@ typedef struct {
 } _pdata;
 } _proc;
 struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */
- caddr_t _addr; /* faulting address */
+ void*_addr; /* faulting address */
 int _trapno;/* illegal trap number */
 } _fault;
 #if 0
Re: siginfo_t.si_addr should be void*
On Wed, Apr 27, 2016 at 06:04:32PM -0400, i80...@foxquill.com wrote: > POSIX specifies that siginfo_t.si_addr must be void*. OpenBSD currently > defines it as caddr_t. This breaks some userspace programs, such as the > following minimal case: This > The following patch builds the base system cleanly on x86_64, and > resolves the problem. > > diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h > index 814e8f2..1e8365f 100644 > --- a/src/sys/sys/siginfo.h > +++ b/src/sys/sys/siginfo.h > @@ -150,7 +150,7 @@ typedef struct { > } _pdata; > } _proc; > struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */ > - caddr_t _addr; /* faulting address */ > + char*_addr; /* faulting address */ > int _trapno;/* illegal trap number */ > } _fault; > #if 0 and this disagree? Joerg
siginfo_t.si_addr should be void*
POSIX specifies that siginfo_t.si_addr must be void*. OpenBSD currently defines it as caddr_t. This breaks some userspace programs, such as the following minimal case: #include #include void handler(int, siginfo_t *info, void*) { std::cout << "Foo" << info->si_addr << "bar\n"; } int main(int, char**) { struct sigaction action; action.sa_sigaction = handler; action.sa_flags = SA_SIGINFO; sigaction(SIGILL, , NULL); raise(SIGILL); return 0; } On OpenBSD, ostream will treat the char* si_addr as a C-string. Luckily it's NULL in this case, but it causes only "Foo" to be printed. No future uses of std::cout will result in output. The following patch builds the base system cleanly on x86_64, and resolves the problem. diff --git a/src/sys/sys/siginfo.h b/src/sys/sys/siginfo.h index 814e8f2..1e8365f 100644 --- a/src/sys/sys/siginfo.h +++ b/src/sys/sys/siginfo.h @@ -150,7 +150,7 @@ typedef struct { } _pdata; } _proc; struct {/* SIGSEGV, SIGBUS, SIGILL and SIGFPE */ - caddr_t _addr; /* faulting address */ + char*_addr; /* faulting address */ int _trapno;/* illegal trap number */ } _fault; #if 0 -- Andrew Aldridge
gzip -l: account for multiple streams
Currently, the info in "gzip -l" only accounts for the last stream in the file. For example: $ gzip.old -l valgrind-3.10.1p9.tgz compressed uncompressed ratio uncompressed_name 2122549 9048576 76.5% valgrind-3.10.1p9.tar $ gzip.new -l /usr/ports/packages/amd64/all/valgrind-3.10.1p9.tgz compressed uncompressed ratio uncompressed_name 27988837 81453568 65.6% valgrind-3.10.1p9.tar $ ls -l valgrind-3.10.1p9.tgz -rw-r--r-- 3 millert staff 27988837 Mar 29 10:09 valgrind-3.10.1p9.tgz $ gunzip -c valgrind-3.10.1p9.tgz | wc -c 81453568 Index: usr.bin/compress/gzopen.c === RCS file: /cvs/src/usr.bin/compress/gzopen.c,v retrieving revision 1.29 diff -u -p -u -r1.29 gzopen.c --- usr.bin/compress/gzopen.c 20 Aug 2015 22:32:41 - 1.29 +++ usr.bin/compress/gzopen.c 27 Apr 2016 20:34:20 - @@ -83,14 +83,15 @@ typedef struct gz_stream { int z_fd; /* .gz file */ - z_stream z_stream; /* libz stream */ int z_eof; /* set if end of input file */ + z_stream z_stream; /* libz stream */ u_char z_buf[Z_BUFSIZE]; /* i/o buffer */ + charz_mode; /* 'w' or 'r' */ u_int32_t z_time; /* timestamp (mtime) */ - u_int32_t z_hlen; /* length of the gz header */ u_int32_t z_crc;/* crc32 of uncompressed data */ - charz_mode; /* 'w' or 'r' */ - + u_int32_t z_hlen; /* length of the gz header */ + u_int64_t z_total_in; /* # bytes in */ + u_int64_t z_total_out; /* # bytes out */ } gz_stream; static const u_char gz_magic[2] = {0x1f, 0x8b}; /* gzip magic header */ @@ -128,6 +129,8 @@ gz_open(int fd, const char *mode, char * s->z_eof = 0; s->z_time = 0; s->z_hlen = 0; + s->z_total_in = 0; + s->z_total_out = 0; s->z_crc = crc32(0L, Z_NULL, 0); s->z_mode = mode[0]; @@ -206,8 +209,8 @@ gz_close(void *cookie, struct z_info *in info->mtime = s->z_time; info->crc = s->z_crc; info->hlen = s->z_hlen; - info->total_in = (off_t)s->z_stream.total_in; - info->total_out = (off_t)s->z_stream.total_out; + info->total_in = s->z_total_in; + info->total_out = s->z_total_out; } setfile(name, s->z_fd, sb); 
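Review bot: In gz_close(), `info->total_in` and `info->total_out` are now taken only from `s->z_total_in` and `s->z_total_out`, and the visible hunks add to those accumulators only inside gz_read(). If nothing else updates them on the write path, a stream opened with mode 'w' would report zero byte counts at close and the compression statistics would regress. Keeping the libz totals for that case avoids it: `info->total_in = s->z_mode == 'r' ? s->z_total_in : (off_t)s->z_stream.total_in;`, and likewise for `total_out`. gz_close() continues outside the hunk.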
@@ -336,7 +339,7 @@ get_header(gz_stream *s, char *name, int (void)get_byte(s); (void)get_byte(s); - s->z_hlen = 10; /* magic, method, flags, time, xflags, OS code */ + s->z_hlen += 10; /* magic, method, flags, time, xflags, OS code */ if ((flags & EXTRA_FIELD) != 0) { /* skip the extra field */ len = (uInt)get_byte(s); len += ((uInt)get_byte(s))<<8; @@ -438,11 +441,11 @@ gz_read(void *cookie, char *buf, int len if (error == Z_DATA_ERROR) { errno = EINVAL; - return -1; + goto bad; } if (error == Z_BUF_ERROR) { errno = EIO; - return -1; + goto bad; } if (error == Z_STREAM_END) { /* Check CRC and original size */ @@ -452,13 +455,18 @@ gz_read(void *cookie, char *buf, int len if (get_int32(s) != s->z_crc) { errno = EINVAL; - return -1; + goto bad; } if (get_int32(s) != (u_int32_t)s->z_stream.total_out) { errno = EIO; return -1; } s->z_hlen += 2 * sizeof(int32_t); + + /* Add byte counts from the finished stream. */ + s->z_total_in += s->z_stream.total_in; + s->z_total_out += s->z_stream.total_out; + /* Check for the existence of an appended file. */ if (get_header(s, NULL, 0) != 0) { s->z_eof = 1; @@ -474,6 +482,11 @@ gz_read(void *cookie, char *buf, int len len -= s->z_stream.avail_out; return (len); +bad: + /* Add byte counts from the finished stream. */ + s->z_total_in += s->z_stream.total_in; + s->z_total_out += s->z_stream.total_out; + return (-1); } int
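Review bot: The size-mismatch branch in gz_read() (`get_int32(s) != (u_int32_t)s->z_stream.total_out`) still ends in `return -1;` while every other error exit in these hunks was switched to `goto bad;`, so on a corrupt length trailer the stream's byte counts are never added to `z_total_in`/`z_total_out`. For consistency that line should also read `goto bad;`. Separately, the comment under `bad:` says "finished stream" although the label is reached for streams that failed part-way; `/* Add byte counts from the failed stream. */` would describe it better. The body of gz_read() starts outside these hunks.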
Re: pool related crashes, but "kernel did no panic"
On Wed, Apr 27, 2016 at 03:45:45PM +, Alexey Suslikov wrote: > Theo de Raadt cvs.openbsd.org> writes: > > > > > Most of these bug reports completely stink. > > > > ALWAYS include *ALL* information in a report. > > In an idealistic world, yes. > > Above are not parts of the "chain", but different statements of the > same bug. To have both blue screen and ddb, I need to keep kvm console > running in a browser for undefined period of time (crash can occur twice > per day, or once per 2 months), which isn't as easy as it seems. http://www.openbsd.org/report.html We are pretty clear in there what you need. and if you don't have all the information, there's really not a lot we can do.. we don't ask you to include it for decorative purposes, we ask so we can actually know what's going on - without it your report is only an exercise in frustration for all of us
Re: pool related crashes, but "kernel did no panic"
> On 27/04/16(Wed) 15:45, Alexey Suslikov wrote: > > Theo de Raadt cvs.openbsd.org> writes: > > > > > > > > Most of these bug reports completely stink. > > > > > > ALWAYS include *ALL* information in a report. > > > > In an idealistic world, yes. > > In an idealistic world their would be no bug. In an idealistic world, Alexey Suslikov wouldn't feel compelled to defend sloppiness.
Re: pool related crashes, but "kernel did no panic"
On 27/04/16(Wed) 15:45, Alexey Suslikov wrote: > Theo de Raadt cvs.openbsd.org> writes: > > > > > Most of these bug reports completely stink. > > > > ALWAYS include *ALL* information in a report. > > In an idealistic world, yes. In an idealistic world there would be no bug. > Above are not parts of the "chain", but different statements of the > same bug. To have both blue screen and ddb, I need to keep kvm console > running in a browser for undefined period of time (crash can occur twice > per day, or once per 2 months), which isn't as easy as it seems. Come on, your bug reports are useless because you don't include a dmesg; how hard is it to do so? If you don't include a dmesg, do not spend your time reporting a bug; it is useless.
gif tunnel and IPv6 ND
gif(4) is the only p2p interface for which the kernel does some kind of link-layer address resolution when it comes to IPv6 & ND. I don't believe this is necessary because we do not install any cloning route on p2p interfaces. However the rt_checkgate() call *is* necessary because your default IPv6 route, or any gateway route, might go through your tunnel. So the diff below removes gif(4) interfaces from the list of interfaces that need a link-layer cache and move the check *after* calling rt_checkgate(). This way all the p2p-specific code in nd6_output() can go away. I'd like to hear from people using such setup to know if this break anything. Index: netinet6/nd6.c === RCS file: /cvs/src/sys/netinet6/nd6.c,v retrieving revision 1.178 diff -u -p -r1.178 nd6.c --- netinet6/nd6.c 27 Apr 2016 14:47:27 - 1.178 +++ netinet6/nd6.c 27 Apr 2016 15:54:17 - @@ -1512,9 +1512,6 @@ nd6_output(struct ifnet *ifp, struct mbu if (IN6_IS_ADDR_MULTICAST(>sin6_addr)) goto sendpkt; - if (nd6_need_cache(ifp) == 0) - goto sendpkt; - /* * next hop determination. */ @@ -1524,21 +1521,11 @@ nd6_output(struct ifnet *ifp, struct mbu m_freem(m); return (error); } - - /* -* We skip link-layer address resolution and NUD -* if the gateway is not a neighbor from ND point -* of view, regardless of the value of nd_ifinfo.flags. -* The second condition is a bit tricky; we skip -* if the gateway is our own address, which is -* sometimes used to install a route to a p2p link. -*/ - if ((ifp->if_flags & IFF_POINTOPOINT) && - ((nd6_is_addr_neighbor(satosin6(rt_key(rt)), ifp) == 0) || - in6ifa_ifpwithaddr(ifp, (rt_key(rt))->sin6_addr))) - goto sendpkt; } + if (nd6_need_cache(ifp) == 0) + goto sendpkt; + /* * Address resolution or Neighbor Unreachability Detection * for the next hop. 
@@ -1565,8 +1552,7 @@ nd6_output(struct ifnet *ifp, struct mbu } } if (ln == NULL || rt == NULL) { - if ((ifp->if_flags & IFF_POINTOPOINT) == 0 && - !(ND_IFINFO(ifp)->flags & ND6_IFF_PERFORMNUD)) { + if ((ND_IFINFO(ifp)->flags & ND6_IFF_PERFORMNUD) == 0) { char addr[INET6_ADDRSTRLEN]; log(LOG_DEBUG, "%s: can't allocate llinfo for %s " @@ -1591,9 +1577,7 @@ nd6_output(struct ifnet *ifp, struct mbu TAILQ_REMOVE(_list, ln, ln_list); TAILQ_INSERT_HEAD(_list, ln, ln_list); - /* We don't have to do link-layer address resolution on a p2p link. */ - if ((ifp->if_flags & IFF_POINTOPOINT) != 0 && - ln->ln_state < ND6_LLINFO_REACHABLE) { + if (ln->ln_state < ND6_LLINFO_REACHABLE) { ln->ln_state = ND6_LLINFO_STALE; nd6_llinfo_settimer(ln, (long)nd6_gctimer * hz); } @@ -1658,11 +1642,8 @@ nd6_need_cache(struct ifnet *ifp) */ switch (ifp->if_type) { case IFT_ETHER: - case IFT_IEEE1394: - case IFT_PROPVIRTUAL: case IFT_IEEE80211: case IFT_CARP: - case IFT_GIF: /* XXX need more cases? */ return (1); default: return (0);
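Review bot: With the `IFF_POINTOPOINT` test removed, `if (ln->ln_state < ND6_LLINFO_REACHABLE)` now applies to every interface that reaches this point, i.e. those for which nd6_need_cache() returned non-zero. If the states ordered below REACHABLE include entries whose link-layer address is still unresolved (the ordering is not visible here), they would be forced to `ND6_LLINFO_STALE` and the resolution step bypassed, so a packet could be sent before the neighbor is resolved. Interfaces that need no cache now leave through the earlier `goto sendpkt`, so removing this whole `if` block rather than relaxing its condition looks like what is intended. nd6_output() starts and ends outside the hunk.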
reduce 11n block ack gap timeout
Reduces ping jitter when the block ack window encounters gaps.
Index: ieee80211_node.h
===
RCS file: /cvs/src/sys/net80211/ieee80211_node.h,v
retrieving revision 1.59
diff -u -p -r1.59 ieee80211_node.h
--- ieee80211_node.h11 Feb 2016 17:15:43 - 1.59
+++ ieee80211_node.h27 Apr 2016 15:39:21 -
@@ -146,7 +146,7 @@ struct ieee80211_rx_ba {
 u_int16_t ba_winsize;
 u_int16_t ba_head;
 struct timeout ba_gap_to;
-#define IEEE80211_BA_GAP_TIMEOUT 500 /* msec */
+#define IEEE80211_BA_GAP_TIMEOUT 100 /* msec */
 /* Counter for consecutive frames which missed the BA window. */
 int ba_winmiss;
 /* Sequence number of previous frame which missed the BA window. */
fix iwn htprot updates
I'm investigating latency issues with 11n block ack on iwn. There's a dedicated command to update RXON flags while associated. Use this command instead of whacking the whole firmware node table and restoring it. The firmware node table contains block ack state and we shouldn't mess with that. Index: if_iwn.c === RCS file: /cvs/src/sys/dev/pci/if_iwn.c,v retrieving revision 1.164 diff -u -p -r1.164 if_iwn.c --- if_iwn.c13 Apr 2016 10:34:32 - 1.164 +++ if_iwn.c27 Apr 2016 15:50:34 - 
@@ -5047,93 +5047,31 @@ void iwn_update_htprot(struct ieee80211com *ic, struct ieee80211_node *ni) { struct iwn_softc *sc = ic->ic_softc; - struct iwn_ops *ops = >ops; enum ieee80211_htprot htprot; - struct iwn_node_info node; - int error, ridx; - - timeout_del(>calib_to); - - /* Fake a "disassociation" so we can change RXON configuration. */ - sc->rxon.filter &= ~htole32(IWN_FILTER_BSS); - error = iwn_cmd(sc, IWN_CMD_RXON, >rxon, sc->rxonsz, 1); - if (error != 0) { - printf("%s: RXON command failed\n", sc->sc_dev.dv_xname); - return; - } + struct iwn_rxon_assoc rxon_assoc; + int error; /* Update HT protection mode setting. */ htprot = (ni->ni_htop1 & IEEE80211_HTOP1_PROT_MASK) >> IEEE80211_HTOP1_PROT_SHIFT; sc->rxon.flags &= ~htole32(IWN_RXON_HT_PROTMODE(3)); sc->rxon.flags |= htole32(IWN_RXON_HT_PROTMODE(htprot)); - sc->rxon.filter |= htole32(IWN_FILTER_BSS); - error = iwn_cmd(sc, IWN_CMD_RXON, >rxon, sc->rxonsz, 1); - if (error != 0) { - printf("%s: RXON command failed\n", sc->sc_dev.dv_xname); - return; - } - - /* -* The firmware loses TX power table, node table, LQ table, -* and sensitivity calibration after an RXON command. -*/ - - if ((error = ops->set_txpower(sc, 1)) != 0) { - printf("%s: could not set TX power\n", sc->sc_dev.dv_xname); - return; - } - - ridx = IEEE80211_IS_CHAN_5GHZ(ni->ni_chan) ? 
- IWN_RIDX_OFDM6 : IWN_RIDX_CCK1; - if ((error = iwn_add_broadcast_node(sc, 1, ridx)) != 0) { - printf("%s: could not add broadcast node\n", - sc->sc_dev.dv_xname); - return; - } - - memset(, 0, sizeof node); - IEEE80211_ADDR_COPY(node.macaddr, ni->ni_macaddr); - node.id = IWN_ID_BSS; - if (ni->ni_flags & IEEE80211_NODE_HT) { - node.htmask = (IWN_AMDPU_SIZE_FACTOR_MASK | - IWN_AMDPU_DENSITY_MASK); - node.htflags = htole32( - IWN_AMDPU_SIZE_FACTOR( - (ic->ic_ampdu_params & IEEE80211_AMPDU_PARAM_LE)) | - IWN_AMDPU_DENSITY( - (ic->ic_ampdu_params & IEEE80211_AMPDU_PARAM_SS) >> 2)); - } - error = ops->add_node(sc, , 1); - if (error != 0) { - printf("%s: could not add BSS node\n", sc->sc_dev.dv_xname); - return; - } - - if ((error = iwn_set_link_quality(sc, ni)) != 0) { - printf("%s: could not setup link quality for node %d\n", - sc->sc_dev.dv_xname, node.id); - return; - } - - if ((error = iwn_init_sensitivity(sc)) != 0) { - printf("%s: could not set sensitivity\n", - sc->sc_dev.dv_xname); - return; - } - - sc->calib.state = IWN_CALIB_STATE_ASSOC; - sc->calib_cnt = 0; - timeout_add_msec(>calib_to, 500); - if ((ni->ni_flags & IEEE80211_NODE_RXPROT) && - ni->ni_pairwise_key.k_cipher == IEEE80211_CIPHER_CCMP) { - if ((error = iwn_set_key(ic, ni, >ni_pairwise_key)) != 0) { - printf("%s: could not set pairwise ccmp key\n", - sc->sc_dev.dv_xname); - return; - } - } + /* Update RXON config. 
*/ + memset(_assoc, 0, sizeof(rxon_assoc)); + rxon_assoc.flags = sc->rxon.flags; + rxon_assoc.filter = sc->rxon.filter; + rxon_assoc.ofdm_mask = sc->rxon.ofdm_mask; + rxon_assoc.ht_single_mask = sc->rxon.ht_single_mask; + rxon_assoc.ht_dual_mask = sc->rxon.ht_dual_mask; + rxon_assoc.ht_triple_mask = sc->rxon.ht_triple_mask; + rxon_assoc.rxchain = sc->rxon.rxchain; + rxon_assoc.acquisition = sc->rxon.acquisition; + + error = iwn_cmd(sc, IWN_CMD_RXON_ASSOC, _assoc, + sizeof(rxon_assoc), 1); + if (error != 0) + printf("%s: RXON_ASSOC command failed\n", sc->sc_dev.dv_xname); } /* Index: if_iwnreg.h === RCS file: /cvs/src/sys/dev/pci/if_iwnreg.h,v retrieving revision 1.52 diff -u -p -r1.52 if_iwnreg.h ---
Re: pool related crashes, but "kernel did no panic"
Theo de Raadt cvs.openbsd.org> writes: > > Most of these bug reports completely stink. > > ALWAYS include *ALL* information in a report. In an idealistic world, yes. Above are not parts of the "chain", but different statements of the same bug. To have both blue screen and ddb, I need to keep kvm console running in a browser for undefined period of time (crash can occur twice per day, or once per 2 months), which isn't as easy as it seems. But sure I'll try to fill more complete report.
Re: pool related crashes, but "kernel did no panic"
Most of these bug reports completely stink. ALWAYS include *ALL* information in a report. If you are told your report is missing information, write a completely fresh report that includes ALL INFORMATION. Don't reply in a series of emails adding more and more information. People who submit reports which are missing information should feel terrible. People in this project are not being paid to reconstruct sloppy email chains of partial information. It is a simple request, and we need to be firm. > On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote: > > Hi tech@. > > > > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2). > > ;-) > > > Crashing server acts as a carp backup (master has same hardware config but > > don't crash, in contrast to backup). Will post additional information if > > necessary. > > In my case, the server is acting as a backup for 2 carp devices and also > as a master for 2 other carp devices. > But indeed, it is always the same node (part of a 2 nodes setup) that is > crashing. This node just crached again a few minutes ago. It seems > upgrading it to 5.9 makes the bug more frequent. So I am keeping the > other node with «OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24 > 20:16:36 MST 2015» for now. 
> > > Here is frech output: > > ddb{2}> trace > Debugger() at Debugger+0x9 > panic() at panic+0xfe > pool_runqueue() at pool_runqueue > pool_get() at pool_get+0xb5 > m_clget() at m_clget+0x51 > m_dup_pkt() at m_dup_pkt+0x88 > carp_input() at carp_input+0x17c > if_input_process() at if_input_process+0xcd > taskq_thread() at taskq_thread+0x6c > end trace frame: 0x0, count: -9 > ddb{2}> show panic > pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item > addr 0xfff > fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4 > ddb{2}> show register > rdi 0x1 > rsi0x292 > rbp 0x800022519b50 > rbx 0x817195a0systqmp+0x1860 > rdx0 > rcx 0x8004f000 > rax 0x1 > r80x800022519a70 > r9 0 > r10 0x800022519a20 > r11 0x8 > r120x100 > r13 0x800022519b60 > r14 0x2 > r15 0x2 > rip 0x81349a09Debugger+0x9 > cs 0x8 > rflags 0x282 > rsp 0x800022519b40 > ss 0x10 > Debugger+0x9: leave > ddb{2}> > > > -- > oc >
Re: pool related crashes, but "kernel did no panic"
Stuart Henderson spacehopper.org> writes: > There should be some lines printed before you get dumped into DDB > (probably a uvm_fault), the information in them is important. I either have a screenshot, or ddb. Not both at the same time. Here is one of screenshots from 5.9 transcribed: uvm_fault(0x81940240, 0x10, 0, 1) -> e fatal page fault in supervisor mode trap type 6 code 0 rip 811a5c3e cs 8 rflags 10206 cr 2 10 cpl a rsp 800022171e20 panic: trap type 6, code=0, pc=811a5c3e Starting stack trace... panic() at panic+0x10b trap() at trap+0x7b8 --- trap (number 6) --- pool_p_free() at pool_p_free+0x7e pool_gc_pages() at pool_gc_pages+0xe4 taskq_thread() at taskq_thread+0x6c end trace frame: 0x0, count: 252 End of stack trace. syncing disks... 5 done
Re: pool related crashes, but "kernel did no panic"
Another one from my collection. Apr 16: ddb{0}> show panic the kernel did not panic ddb{0}> trace pool_do_get() at pool_do_get+0x90 pool_get() at pool_get+0xb5 m_get() at m_get+0x28 sbappendaddr() at sbappendaddr+0x9a uipc_usrreq() at uipc_usrreq+0x3b8 sosend() at sosend+0x3d8 dosendsyslog() at dosendsyslog+0x110 sys_sendsyslog2() at sys_sendsyslog2+0xbd syscall() at syscall+0x368 --- syscall (number 112) --- end of kernel end trace frame: 0x183f8dab6913, count: -9 0x1842755e571a: ddb{0}> show registers rdi 0x7 rsi 0x9ff5c49ed229ae92 rbp 0x8000222f5b00 rbx 0xff022d80d6d0 rdx 0x8000222f5b64 rcx 0x818c76e0cpu_info_primary rax 0x7293fa06e984af44 r8 0 r9 0x1 r10 0x811c7c00uipc_usrreq r11 0x81344be0copy_fault r12 0x8194c000mbpool r13 0xff40b152a900 r14 0x2 r15 0x818b4570sun_noname rip 0x811a5340pool_do_get+0x90 cs 0x8 rflags 0x10282__ALIGN_SIZE+0xf282 rsp 0x8000222f5ab0 ss 0x10 pool_do_get+0x90: movq0(%r13),%rdi
Re: pool related crashes, but "kernel did no panic"
On 2016/04/27 13:54, Alexey Suslikov wrote: > Another one from my collection. > > Apr 16: > > ddb{0}> show panic > the kernel did not panic There should be some lines printed before you get dumped into DDB (probably a uvm_fault), the information in them is important. > ddb{0}> trace > pool_do_get() at pool_do_get+0x90 > pool_get() at pool_get+0xb5 > m_get() at m_get+0x28 > sbappendaddr() at sbappendaddr+0x9a > uipc_usrreq() at uipc_usrreq+0x3b8 > sosend() at sosend+0x3d8 > dosendsyslog() at dosendsyslog+0x110 > sys_sendsyslog2() at sys_sendsyslog2+0xbd > syscall() at syscall+0x368 > --- syscall (number 112) --- > end of kernel > end trace frame: 0x183f8dab6913, count: -9 > 0x1842755e571a: > > ddb{0}> show registers > rdi 0x7 > rsi 0x9ff5c49ed229ae92 > rbp 0x8000222f5b00 > rbx 0xff022d80d6d0 > rdx 0x8000222f5b64 > rcx 0x818c76e0cpu_info_primary > rax 0x7293fa06e984af44 > r8 0 > r9 0x1 > r10 0x811c7c00uipc_usrreq > r11 0x81344be0copy_fault > r12 0x8194c000mbpool > r13 0xff40b152a900 > r14 0x2 > r15 0x818b4570sun_noname > rip 0x811a5340pool_do_get+0x90 > cs 0x8 > rflags 0x10282__ALIGN_SIZE+0xf282 > rsp 0x8000222f5ab0 > ss 0x10 > pool_do_get+0x90: movq0(%r13),%rdi >
Re: sshd_config(5) : mention CIDR addressing for AllowUsers and DenyUsers
On Sun, Mar 13, 2016 at 09:26:55AM +0200, Lars Nood??n wrote: > It looks like sshd(8) has permitted for a while both AllowUsers and > DenyUsers in sshd_config(5) to use addresses in CIDR address/masklen > format. If so, it would be useful to mention in the manual page. > > /Lars > fixed, thanks. jmc > Index: sshd_config.5 > === > RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v > retrieving revision 1.220 > diff -u -p -u -p -r1.220 sshd_config.5 > --- sshd_config.5 17 Feb 2016 08:57:34 - 1.220 > +++ sshd_config.5 13 Mar 2016 07:10:27 - > @@ -173,6 +173,8 @@ By default, login is allowed for all use > If the pattern takes the form USER@HOST then USER and HOST > are separately checked, restricting logins to particular > users from particular hosts. > +HOST criteria may additionally contain addresses to match in CIDR > +address/masklen format. > The allow/deny directives are processed in the following order: > .Cm DenyUsers , > .Cm AllowUsers , > @@ -561,6 +563,8 @@ By default, login is allowed for all use > If the pattern takes the form USER@HOST then USER and HOST > are separately checked, restricting logins to particular > users from particular hosts. > +HOST criteria may additionally contain addresses to match in CIDR > +address/masklen format. > The allow/deny directives are processed in the following order: > .Cm DenyUsers , > .Cm AllowUsers , >
Re: pool related crashes, but "kernel did no panic"
On Wed, Apr 27, 2016 at 02:57:31PM +0200, Olivier Cherrier wrote: > On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote: > > Hi tech@. > > > > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2). > > ;-) > > > Crashing server acts as a carp backup (master has same hardware config but > > don't crash, in contrast to backup). Will post additional information if > > necessary. > > In my case, the server is acting as a backup for 2 carp devices and also > as a master for 2 other carp devices. > But indeed, it is always the same node (part of a 2 nodes setup) that is > crashing. This node just crached again a few minutes ago. It seems > upgrading it to 5.9 makes the bug more frequent. So I am keeping the > other node with ?OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24 > 20:16:36 MST 2015? for now. > > > Here is frech output: > > ddb{2}> trace > Debugger() at Debugger+0x9 > panic() at panic+0xfe show panic please > pool_runqueue() at pool_runqueue > pool_get() at pool_get+0xb5 > m_clget() at m_clget+0x51 > m_dup_pkt() at m_dup_pkt+0x88 > carp_input() at carp_input+0x17c > if_input_process() at if_input_process+0xcd > taskq_thread() at taskq_thread+0x6c > end trace frame: 0x0, count: -9 > ddb{2}> show panic > pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item > addr 0xfff > fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4 > ddb{2}> show register > rdi 0x1 > rsi0x292 > rbp 0x800022519b50 > rbx 0x817195a0systqmp+0x1860 > rdx0 > rcx 0x8004f000 > rax 0x1 > r80x800022519a70 > r9 0 > r10 0x800022519a20 > r11 0x8 > r120x100 > r13 0x800022519b60 > r14 0x2 > r15 0x2 > rip 0x81349a09Debugger+0x9 > cs 0x8 > rflags 0x282 > rsp 0x800022519b40 > ss 0x10 > Debugger+0x9: leave > ddb{2}> > > > -- > oc >
Re: netstat -W counters for 11n
ok benno@ Stefan Sperling(s...@stsp.name) on 2016.04.27 13:36:51 +0200: > I'd like to add some 802.11n-related counters to netstat -W output. > > The first diff below is for the kernel, the second for netstat. > > ok? > > Index: ieee80211_input.c > === > RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v > retrieving revision 1.171 > diff -u -p -r1.171 ieee80211_input.c > --- ieee80211_input.c 15 Apr 2016 03:04:27 - 1.171 > +++ ieee80211_input.c 27 Apr 2016 11:30:08 - > @@ -707,7 +707,7 @@ ieee80211_input_ba(struct ieee80211com * > timeout_add_usec(>ba_to, ba->ba_timeout_val); > > if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ > - ic->ic_stats.is_rx_dup++; > + ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; > m_freem(m); /* discard the MPDU */ > return; > } > @@ -730,6 +730,7 @@ ieee80211_input_ba(struct ieee80211com * > "%d, expecting %d:%d\n", __func__, > sn, ba->ba_winstart, ba->ba_winend); > #endif > + ic->ic_stats.is_ht_rx_frame_above_ba_winend++; > if (count > ba->ba_winsize) { > if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { > if (ba->ba_missedsn == sn - 1) > @@ -743,6 +744,7 @@ ieee80211_input_ba(struct ieee80211com * > } > > /* It appears the window has moved for real. */ > + ic->ic_stats.is_ht_rx_ba_window_jump++; > ba->ba_winmiss = 0; > ba->ba_missedsn = 0; > > @@ -754,7 +756,8 @@ ieee80211_input_ba(struct ieee80211com * > ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, > ni, >ba_buf[ba->ba_head].rxi); > ba->ba_buf[ba->ba_head].m = NULL; > - } > + } else > + ic->ic_stats.is_ht_rx_ba_frame_lost++; > ba->ba_head = (ba->ba_head + 1) % > IEEE80211_BA_MAX_WINSZ; > } > @@ -769,6 +772,7 @@ ieee80211_input_ba(struct ieee80211com * > /* store the received MPDU in the buffer */ > if (ba->ba_buf[idx].m != NULL) { > ifp->if_ierrors++; > + ic->ic_stats.is_ht_rx_ba_no_buf++; > m_freem(m); > return; > } 
> @@ -820,6 +824,8 @@ ieee80211_input_ba_gap_timeout(void *arg > struct ieee80211com *ic = ni->ni_ic; > int s, skipped; > > + ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; > + > s = splnet(); > > skipped = 0; > @@ -828,6 +834,7 @@ ieee80211_input_ba_gap_timeout(void *arg > ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; > ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; > skipped++; > + ic->ic_stats.is_ht_rx_ba_frame_lost++; > } > if (skipped > 0) > ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; > @@ -861,7 +868,8 @@ ieee80211_ba_move_window(struct ieee8021 > ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, > >ba_buf[ba->ba_head].rxi); > ba->ba_buf[ba->ba_head].m = NULL; > - } > + } else > + ic->ic_stats.is_ht_rx_ba_frame_lost++; > ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; > } > /* move window forward */ > @@ -1580,6 +1588,7 @@ ieee80211_recv_probe_resp(struct ieee802 > DPRINTF(("[%s] htprot change: was %d, now %d\n", > ether_sprintf((u_int8_t *)wh->i_addr2), > htprot_last, htprot)); > + ic->ic_stats.is_ht_prot_change++; > ic->ic_bss->ni_htop1 = ni->ni_htop1; > ic->ic_update_htprot(ic, ic->ic_bss); > } > @@ -2491,6 +2500,7 @@ ieee80211_recv_addba_req(struct ieee8021 > goto resp; > } > ba->ba_state = IEEE80211_BA_AGREED; > + ic->ic_stats.is_ht_rx_ba_agreements++; > /* start Block Ack inactivity timer */ > if (ba->ba_timeout_val != 0) > timeout_add_usec(>ba_to, ba->ba_timeout_val); > @@ -2561,6 +2571,7 @@ ieee80211_recv_addba_resp(struct ieee802 > } > /* MLME-ADDBA.confirm(Success) */ > ba->ba_state = IEEE80211_BA_AGREED; > + ic->ic_stats.is_ht_tx_ba_agreements++; > > /* notify drivers of this new Block Ack agreement */ > if (ic->ic_ampdu_tx_start != NULL) > Index: ieee80211_ioctl.h > === > RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v >
Re: pool related crashes, but "kernel did no panic"
On Wed, Apr 27, 2016 at 09:13:40AM +, alexey.susli...@gmail.com wrote: > Hi tech@. > > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2). ;-) > Crashing server acts as a carp backup (master has same hardware config but > don't crash, in contrast to backup). Will post additional information if > necessary. In my case, the server is acting as a backup for 2 carp devices and also as a master for 2 other carp devices. But indeed, it is always the same node (part of a 2 nodes setup) that is crashing. This node just crached again a few minutes ago. It seems upgrading it to 5.9 makes the bug more frequent. So I am keeping the other node with «OpenBSD 5.8-current (GENERIC.MP) #1661: Tue Nov 24 20:16:36 MST 2015» for now. Here is frech output: ddb{2}> trace Debugger() at Debugger+0x9 panic() at panic+0xfe pool_runqueue() at pool_runqueue pool_get() at pool_get+0xb5 m_clget() at m_clget+0x51 m_dup_pkt() at m_dup_pkt+0x88 carp_input() at carp_input+0x17c if_input_process() at if_input_process+0xcd taskq_thread() at taskq_thread+0x6c end trace frame: 0x0, count: -9 ddb{2}> show panic pool_do_get: mcl2k free list modified: page 0xff00f1ec7000; item addr 0xfff fff00f1eca800; offset 0x0=0x0 != 0xaaa0cffd8d1e5cb4 ddb{2}> show register rdi 0x1 rsi0x292 rbp 0x800022519b50 rbx 0x817195a0systqmp+0x1860 rdx0 rcx 0x8004f000 rax 0x1 r80x800022519a70 r9 0 r10 0x800022519a20 r11 0x8 r120x100 r13 0x800022519b60 r14 0x2 r15 0x2 rip 0x81349a09Debugger+0x9 cs 0x8 rflags 0x282 rsp 0x800022519b40 ss 0x10 Debugger+0x9: leave ddb{2}> -- oc
httpd: httpd.conf(5): text/plain for .txt
Hi, For text content the response HTTP header "Content-Type: text/plain" is commonly used. This patch changes it in the httpd.conf(5) documentation: Index: httpd.conf.5 === RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v retrieving revision 1.71 diff -u -p -r1.71 httpd.conf.5 --- httpd.conf.524 Apr 2016 21:06:53 - 1.71 +++ httpd.conf.527 Apr 2016 13:09:37 - @@ -594,7 +594,7 @@ server "default" { types { text/csscss text/html html htm - text/txttxt + text/plain txt image/gif gif image/jpeg jpeg jpg image/png png -- Kind regards, Hiltjo
show HT MCS for 11n APs in ifconfig scan
Copy out some 11n information to net80211 ioctl node records. Use a subset of this info to display the highest AP Rx rate during scan. Since 11n implies support for 11a/b/g rates up to 54Mbit/s, we only show a legacy rate if the AP doesn't support 11n. In theory, 11n rate suport is not symmetric, ie. the max Tx rate can differ from the max Rx rate. I'd like to keep things simple for now and just show Rx. Rx is more straightforward to parse and, in practice, assymmetric rate support is rare. Note that converting an MCS index to Mbit/s is non-trivial since the actual rate depends on several feature toggles (short guard, wide channels, etc.). Some of these toggles can change at run time so it's impossible to make a good guess in advance. If you really want to know the max Mbit/s value for a given MCS index, go to mcsindex.com. But that won't tell you the actual run-time throughput. Kernel and ifconfig diffs follow. ok? Index: ieee80211_ioctl.c === RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.c,v retrieving revision 1.40 diff -u -p -r1.40 ieee80211_ioctl.c --- ieee80211_ioctl.c 4 Jan 2016 12:28:46 - 1.40 +++ ieee80211_ioctl.c 27 Apr 2016 11:52:23 - @@ -106,6 +106,12 @@ ieee80211_node2req(struct ieee80211com * nr->nr_flags |= IEEE80211_NODEREQ_AP; if (ni == ic->ic_bss) nr->nr_flags |= IEEE80211_NODEREQ_AP_BSS; + + /* HT */ + nr->nr_htcaps = ni->ni_htcaps; + memcpy(nr->nr_rxmcs, ni->ni_rxmcs, sizeof(nr->nr_rxmcs)); + nr->nr_max_rxrate = ni->ni_max_rxrate; + nr->nr_tx_mcs_set = ni->ni_tx_mcs_set; } void Index: ieee80211_ioctl.h === RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v retrieving revision 1.24 diff -u -p -r1.24 ieee80211_ioctl.h --- ieee80211_ioctl.h 27 Apr 2016 11:58:10 - 1.24 +++ ieee80211_ioctl.h 27 Apr 2016 12:39:01 - 
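Review bot: The new HT members are filled into a `struct ieee80211_nodereq` that is handed back to userland, and the struct hunk in ieee80211_ioctl.h places a `uint16_t nr_htcaps` directly after the `u_int8_t nr_flags` and ends with a `uint8_t nr_tx_mcs_set`, which is likely to introduce padding bytes. ieee80211_node2req() as shown assigns members one by one, so whether that padding is initialised depends on the caller zeroing the request first; that code is outside the hunk and is worth confirming, since otherwise uninitialised kernel memory could be copied out. A comment at the top of the function such as `/* nr must be zeroed by the caller; padding is copied out to userland */` would record the requirement. The layout change also alters the size of the ioctl structure, so kernel and ifconfig have to be updated together.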
@@ -332,6 +332,12 @@ struct ieee80211_nodereq { /* Node flags */ u_int8_tnr_flags; + + /* HT */ + uint16_tnr_htcaps; + uint8_t nr_rxmcs[howmany(80,NBBY)]; + uint16_tnr_max_rxrate; /* in Mb/s, 0 <= rate <= 1023 */ + uint8_t nr_tx_mcs_set; }; #define IEEE80211_NODEREQ_STATE(_s)(1 << _s) Index: ifconfig.c === RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.320 diff -u -p -r1.320 ifconfig.c --- ifconfig.c 18 Apr 2016 06:20:23 - 1.320 +++ ifconfig.c 27 Apr 2016 12:14:02 - @@ -63,6 +63,7 @@ #include #include #include +#include #include #include @@ -2283,7 +2284,7 @@ ieee80211_listnodes(void) void ieee80211_printnode(struct ieee80211_nodereq *nr) { - int len; + int len, i; if (nr->nr_flags & IEEE80211_NODEREQ_AP || nr->nr_capinfo & IEEE80211_CAPINFO_IBSS) { @@ -2311,8 +2312,15 @@ ieee80211_printnode(struct ieee80211_nod if (nr->nr_pwrsave) printf("powersave "); - if (nr->nr_nrates) { - /* Only print the fastest rate */ + /* Only print the fastest rate */ + if (nr->nr_max_rxrate) { + printf("%uM HT ", nr->nr_max_rxrate); + } else if (nr->nr_rxmcs[0] != 0) { + for (i = IEEE80211_HT_NUM_MCS - 1; i >= 0; i--) + if (isset(nr->nr_rxmcs, i)) + break; + printf("HT-MCS%d ", i); + } else if (nr->nr_nrates) { printf("%uM", (nr->nr_rates[nr->nr_nrates - 1] & IEEE80211_RATE_VAL) / 2); putchar(' ');
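Review bot: In the `ieee80211_printnode()` hunk, the scan `for (i = IEEE80211_HT_NUM_MCS - 1; i >= 0; i--)` is bounded by a constant this diff does not define, while the bitmap it reads is declared as `nr_rxmcs[howmany(80,NBBY)]`, i.e. 80 bits. If that constant ever exceeds 80, `isset()` reads past the array inside ifconfig. The loop also leaves `i` non-negative only because the enclosing test `nr->nr_rxmcs[0] != 0` guarantees a set bit in positions 0-7. A comment above the loop would pin both assumptions, `/* nr_rxmcs holds 80 bits >= IEEE80211_HT_NUM_MCS; rxmcs[0] != 0 guarantees a hit */`. The function continues outside the hunk.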
httpd: fix/style: unbalanced va_start and va_end macros
Hi, The following patch for httpd fixes unbalanced va_start() and va_end() macros. This is in style with the rest of httpd. Also POSIX says: "Each invocation of the va_start() and va_copy() macros shall be matched by a corresponding invocation of the va_end() macro in the same function." http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/stdarg.h.html Index: httpd.c === RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v retrieving revision 1.54 diff -u -p -r1.54 httpd.c --- httpd.c 2 Feb 2016 17:51:11 - 1.54 +++ httpd.c 27 Apr 2016 12:00:43 - @@ -1000,11 +1000,13 @@ kv_set(struct kv *kv, char *fmt, ...) va_list ap; char*value = NULL; struct kv *ckv; + int ret; va_start(ap, fmt); - if (vasprintf(, fmt, ap) == -1) - return (-1); + ret = vasprintf(, fmt, ap); va_end(ap); + if (ret == -1) + return (-1); /* Remove all children */ while ((ckv = TAILQ_FIRST(>kv_children)) != NULL) { @@ -1025,11 +1027,13 @@ kv_setkey(struct kv *kv, char *fmt, ...) { va_list ap; char*key = NULL; + int ret; va_start(ap, fmt); - if (vasprintf(, fmt, ap) == -1) - return (-1); + ret = vasprintf(, fmt, ap); va_end(ap); + if (ret == -1) + return (-1); free(kv->kv_key); kv->kv_key = key; --- Kind regards, Hiltjo
httpd: patch for portability asprintf use
Hi, The following patch for httpd makes sure the value of the asprintf buffer is zeroed on error and not relied upon, so at the 'done' label free(body) and free(hstsheader) is safe. from asprintf(3): "The asprintf() and vasprintf() functions return the number of characters that were output to the newly allocated string (excluding the '\0'). A pointer to the newly allocated string is returned in ret; it should be passed to free(3) to release the allocated storage when it is no longer needed. If sufficient space cannot be allocated, these functions will return -1. >>The value of ret in this situation is implementation-dependent (on OpenBSD, ret will be set to the null pointer, but this behavior should not be relied upon)."<< Index: server_http.c === RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v retrieving revision 1.106 diff -u -p -r1.106 server_http.c --- server_http.c 8 Mar 2016 09:33:15 - 1.106 +++ server_http.c 27 Apr 2016 12:01:00 - @@ -826,8 +826,10 @@ server_abort_http(struct client *clt, un "\n%s\n" "\n" "\n", - code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) + code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) { + body = NULL; goto done; + } if (srv_conf->flags & SRVFLAG_SERVER_HSTS) { if (asprintf(, "Strict-Transport-Security: " @@ -835,8 +837,10 @@ server_abort_http(struct client *clt, un srv_conf->hsts_flags & HSTSFLAG_SUBDOMAINS ? "; includeSubDomains" : "", srv_conf->hsts_flags & HSTSFLAG_PRELOAD ? - "; preload" : "") == -1) + "; preload" : "") == -1) { + hstsheader = NULL; goto done; + } } /* Add basic HTTP headers */ -- Kind regards, Hiltjo
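Review bot: The two added resets, `body = NULL;` and `hstsheader = NULL;`, carry no comment saying why a pointer is cleared right after a failed call, so a later reader may take them for dead stores and remove them. I would put `/* asprintf(3) leaves the pointer unspecified on failure */` above each. The `free()` calls at `done` are also reached by any `goto done` taken before these calls, so they are safe only if both pointers are initialised to NULL at declaration; the declarations are outside both hunks and worth confirming.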
Re: pool related crashes, but "kernel did no panic"
On 27/04/16(Wed) 09:13, Alexey Suslikov wrote: > Hi tech@. > > (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2). Maybe, maybe not. Please keep sending your bug reports to bugs@ with all the required information.
netstat -W counters for 11n
I'd like to add some 802.11n-related counters to netstat -W output. The first diff below is for the kernel, the second for netstat. ok? Index: ieee80211_input.c === RCS file: /cvs/src/sys/net80211/ieee80211_input.c,v retrieving revision 1.171 diff -u -p -r1.171 ieee80211_input.c --- ieee80211_input.c 15 Apr 2016 03:04:27 - 1.171 +++ ieee80211_input.c 27 Apr 2016 11:30:08 - @@ -707,7 +707,7 @@ ieee80211_input_ba(struct ieee80211com * timeout_add_usec(>ba_to, ba->ba_timeout_val); if (SEQ_LT(sn, ba->ba_winstart)) { /* SN < WinStartB */ - ic->ic_stats.is_rx_dup++; + ic->ic_stats.is_ht_rx_frame_below_ba_winstart++; m_freem(m); /* discard the MPDU */ return; } @@ -730,6 +730,7 @@ ieee80211_input_ba(struct ieee80211com * "%d, expecting %d:%d\n", __func__, sn, ba->ba_winstart, ba->ba_winend); #endif + ic->ic_stats.is_ht_rx_frame_above_ba_winend++; if (count > ba->ba_winsize) { if (ba->ba_winmiss < IEEE80211_BA_MAX_WINMISS) { if (ba->ba_missedsn == sn - 1) @@ -743,6 +744,7 @@ ieee80211_input_ba(struct ieee80211com * } /* It appears the window has moved for real. */ + ic->ic_stats.is_ht_rx_ba_window_jump++; ba->ba_winmiss = 0; ba->ba_missedsn = 0; @@ -754,7 +756,8 @@ ieee80211_input_ba(struct ieee80211com * ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, >ba_buf[ba->ba_head].rxi); ba->ba_buf[ba->ba_head].m = NULL; - } + } else + ic->ic_stats.is_ht_rx_ba_frame_lost++; ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; } @@ -769,6 +772,7 @@ ieee80211_input_ba(struct ieee80211com * /* store the received MPDU in the buffer */ if (ba->ba_buf[idx].m != NULL) { ifp->if_ierrors++; + ic->ic_stats.is_ht_rx_ba_no_buf++; m_freem(m); return; } @@ -820,6 +824,8 @@ ieee80211_input_ba_gap_timeout(void *arg struct ieee80211com *ic = ni->ni_ic; int s, skipped; + ic->ic_stats.is_ht_rx_ba_window_gap_timeout++; + s = splnet(); skipped = 0; 
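Review bot: The first hunk replaces `ic->ic_stats.is_rx_dup++` instead of adding to it, so frames whose sequence number is below the Block Ack window start stop counting as duplicates. Anything that watches `is_rx_dup`, for instance as a sign of retransmitted or replayed frames, will see that counter drop on 11n links with no change in traffic. If that is intended, a comment on the new line should say so, `/* below-window frames are no longer counted in is_rx_dup */`; otherwise keep both increments. `ieee80211_input_ba()` starts and ends outside the hunk.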
@@ -828,6 +834,7 @@ ieee80211_input_ba_gap_timeout(void *arg ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; ba->ba_winstart = (ba->ba_winstart + 1) & 0xfff; skipped++; + ic->ic_stats.is_ht_rx_ba_frame_lost++; } if (skipped > 0) ba->ba_winend = (ba->ba_winstart + ba->ba_winsize - 1) & 0xfff; @@ -861,7 +868,8 @@ ieee80211_ba_move_window(struct ieee8021 ieee80211_input(ifp, ba->ba_buf[ba->ba_head].m, ni, >ba_buf[ba->ba_head].rxi); ba->ba_buf[ba->ba_head].m = NULL; - } + } else + ic->ic_stats.is_ht_rx_ba_frame_lost++; ba->ba_head = (ba->ba_head + 1) % IEEE80211_BA_MAX_WINSZ; } /* move window forward */ @@ -1580,6 +1588,7 @@ ieee80211_recv_probe_resp(struct ieee802 DPRINTF(("[%s] htprot change: was %d, now %d\n", ether_sprintf((u_int8_t *)wh->i_addr2), htprot_last, htprot)); + ic->ic_stats.is_ht_prot_change++; ic->ic_bss->ni_htop1 = ni->ni_htop1; ic->ic_update_htprot(ic, ic->ic_bss); } @@ -2491,6 +2500,7 @@ ieee80211_recv_addba_req(struct ieee8021 goto resp; } ba->ba_state = IEEE80211_BA_AGREED; + ic->ic_stats.is_ht_rx_ba_agreements++; /* start Block Ack inactivity timer */ if (ba->ba_timeout_val != 0) timeout_add_usec(>ba_to, ba->ba_timeout_val); @@ -2561,6 +2571,7 @@ ieee80211_recv_addba_resp(struct ieee802 } /* MLME-ADDBA.confirm(Success) */ ba->ba_state = IEEE80211_BA_AGREED; + ic->ic_stats.is_ht_tx_ba_agreements++; /* notify drivers of this new Block Ack agreement */ if (ic->ic_ampdu_tx_start != NULL) Index: ieee80211_ioctl.h === RCS file: /cvs/src/sys/net80211/ieee80211_ioctl.h,v retrieving revision 1.23 diff -u -p -r1.23 ieee80211_ioctl.h --- ieee80211_ioctl.h 12 Jan 2016 09:28:09 - 1.23 +++ ieee80211_ioctl.h 27
Re: AMRR improvements for rt2860
On Sun, Apr 24, 2016 at 08:47:46AM +0200, Stefan Sperling wrote: > On Sun, Apr 24, 2016 at 01:25:31PM +0800, Nathanael Rensen wrote: > > The diff below also introduces dedicated timers for AMRR and for scan > > instead of using the RT2860 GP interrupt, which also improves consistency > > with the way other drivers manage AMRR. > > Can you please split your diff into separate submissions, one per topic? > That would make review and testing a lot easier. This version includes minor tweak: When the AP goes down, we don't need to send disassoc frames to nodes in COLLECT state. Index: ieee80211_node.c === RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v retrieving revision 1.101 diff -u -p -r1.101 ieee80211_node.c --- ieee80211_node.c12 Apr 2016 14:33:27 - 1.101 +++ ieee80211_node.c24 Apr 2016 07:11:38 - @@ -1699,8 +1699,6 @@ ieee80211_node_leave(struct ieee80211com if (ic->ic_node_leave != NULL) (*ic->ic_node_leave)(ic, ni); - IEEE80211_AID_CLR(ni->ni_associd, ic->ic_aid_bitmap); - ni->ni_associd = 0; ieee80211_node_newstate(ni, IEEE80211_STA_COLLECT); #if NBRIDGE > 0 Index: ieee80211_proto.c === RCS file: /cvs/src/sys/net80211/ieee80211_proto.c,v retrieving revision 1.65 diff -u -p -r1.65 ieee80211_proto.c --- ieee80211_proto.c 12 Apr 2016 14:33:27 - 1.65 +++ ieee80211_proto.c 24 Apr 2016 07:13:09 - @@ -840,7 +840,9 @@ ieee80211_newstate(struct ieee80211com * case IEEE80211_M_HOSTAP: s = splnet(); RB_FOREACH(ni, ieee80211_tree, >ic_tree) { - if (ni->ni_associd == 0) + if (ni->ni_associd == 0 || + ni->ni_state == + IEEE80211_STA_COLLECT) continue; IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
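Review bot: The added `ni->ni_state == IEEE80211_STA_COLLECT` test in `ieee80211_newstate()` is needed because the first hunk stops `ieee80211_node_leave()` from clearing `ni_associd` and its bit in `ic->ic_aid_bitmap`, yet nothing in this diff shows where that AID is released afterwards. If nodes parked in COLLECT state keep their bit until the node is freed, stations that associate and leave repeatedly could hold AIDs and starve new associations on a hostap; whether that can happen depends on code outside these hunks. A comment on the new condition would help, `/* nodes in COLLECT state keep ni_associd but have already left */`, together with a pointer to the place where the AID bit is cleared. Both functions extend beyond their hunks.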
pool related crashes, but "kernel did no panic"
Hi tech@. (Maybe related to http://marc.info/?l=openbsd-bugs=146174654219490=2). Crashing server acts as a carp backup (master has same hardware config but don't crash, in contrast to backup). Will post additional information if necessary. There's a collection of crashes (including pre 5.9) but see below for most recent ones. Any advice to track down the issue? Thanks, Alexey OpenBSD 5.9-stable (GENERIC.MP) #0: Sun Mar 27 16:03:33 EEST 2016 ***@***:/usr/src/sys/arch/amd64/compile/GENERIC.MP Apr 15: ddb{2}> show panic the kernel did not panic ddb{2}> trace pool_do_get() at pool_do_get+0x90 pool_get() at pool_get+0xb5 ffs_vget() at ffs_vget+0xa7 ufs_lookup() at ufs_lookup+0x36f VOP_LOOKUP() at VOP_LOOKUP+0x39 vfs_lookup() at vfs_lookup+0x277 namei() at namei+0x24c dofstatat() at dofstatat+0x94 syscall() at syscall+0x368 --- syscall (number 40) --- end of kernel end trace frame: 0x45ea97030a0, count: -9 0x45e29dc70fa: ddb{2}> show registers rdi 0x rsi 0x957581e21a424e5c rbp 0x8000224a2a10 rbx 0xff02290e7810 rdx 0x8000224a2a74 rcx 0x80067000 rax 0x5abd427fd20d77f3 r8 0x30 r9 0 r100 r11 0x8000224a2a10 r12 0x819694c0ffs_ino_pool r13 0xff122c4b0968 r14 0x9 r150x407 rip 0x811a5340pool_do_get+0x90 cs 0x8 rflags 0x10286__ALIGN_SIZE+0xf286 rsp 0x8000224a29c0 ss 0x10 pool_do_get+0x90: movq0(%r13),%rdi Apr 23: ddb{2}> show panic the kernel did not panic ddb{2}> trace pool_p_free() at pool_p_free+0x7e pool_gc_pages() at pool_gc_pages+0xe4 taskq_thread() at taskq_thread+0x6c end trace frame: 0x0, count: -3 ddb{2}> show registers rdi 0x8194c000mbpool rsi 0x60329ee8bc5a0776 rbp 0x800022171e70 rbx 0xff009e7b3300 rdx 0x9fcd61e822213476 rcx 0xddbc8af92f3ff41a rax 0x10 r8 0x1 r90xff0108eeda00 r10 0x1 r11 0x811a3e70pool_page_free r12 0xff022d8b7a50 r130 r14 0x8194c000mbpool r15 0x800022171e30 rip 0x811a5c3epool_p_free+0x7e cs 0x8 rflags 0x10206__ALIGN_SIZE+0xf206 rsp 0x800022171e20 ss 0x10 pool_p_free+0x7e: movq0(%rax),%rsi
bpf device nodes
Following diff replaces /dev/bpf[0-9] with only /dev/bpf and /dev/bpf0. The /dev/bpf node is unused for now, but I plan to convert all programs in base to use it in a future diff. /dev/bpf0 is for compatibility with existing binaries and is to be removed after a transition period. install.sub contains a routine to check for an idle bpf device before invoking dhclient. Due to bpf being a cloning device now, this can be removed. I included this in the diff below, so the ramdisk only has to be tested once, not twice. I'm not asking for OK's yet, but for tests on all platforms. I've done successful tests of the MAKEDEV bits and the ramdisk on all platforms I have access to: amd64, i386 and macppc. This leaves alpha, armish, armv7, hppa, hppa64, landisk, loongson, luna88k, octeon, sgi, socppc, sparc, sparc64 and zaurus to be tested. If you own one of those machines, please give the diff a spin and report the results back to me, so this diff can move forward. (You will need a post-2016/04/14 kernel for this to work.) Thanks. natano Index: distrib/miniroot/install.sub === RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.893 diff -u -p -r1.893 install.sub --- distrib/miniroot/install.sub25 Apr 2016 09:55:23 - 1.893 +++ distrib/miniroot/install.sub26 Apr 2016 19:01:13 - @@ -741,16 +741,6 @@ askpassword() { # Support functions for donetconfig() # -- -# Run dhclient, making sure there is a free bpf first. -dhclient() { - local _i=0 - - while makedev bpf$_i && ! /dev/null - /sbin/dhclient "$@" -} - # Issue a DHCP request to configure interface $1 and add the host-name option to # /etc/dhclient.conf using $2. dhcp_request() { Index: etc/MAKEDEV.common === RCS file: /cvs/src/etc/MAKEDEV.common,v retrieving revision 1.86 diff -u -p -r1.86 MAKEDEV.common --- etc/MAKEDEV.common 25 Apr 2016 20:39:42 - 1.86 +++ etc/MAKEDEV.common 26 Apr 2016 19:01:13 - 
@@ -168,6 +168,7 @@ target(all, pppx)dnl target(all, fuse)dnl target(all, vmm)dnl target(all, pvbus, 0)dnl +target(all, bpf)dnl dnl _mkdev(all, {-all-}, {-dnl show_target(all)dnl @@ -215,7 +216,7 @@ show_target(ramd)dnl -})dnl dnl target(ramd, std)dnl -target(ramd, bpf, 0)dnl +target(ramd, bpf)dnl twrget(ramd, com, tty0, 0, 1)dnl target(ramd, sd, 0, 1, 2, 3, 4)dnl target(ramd, wd, 0, 1, 2, 3, 4)dnl @@ -446,8 +447,9 @@ __devitem(oppr, openprom,PROM settings,o _cdev(oppr, openprom, 70, 0)dnl __devitem(pf, pf*, Packet Filter)dnl _mkdev(pf, {-pf*-}, {-M pf c major_pf_c 0 600-})dnl -__devitem(bpf, bpf*, Berkeley Packet Filter)dnl -_mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl +__devitem(bpf, bpf, Berkeley Packet Filter)dnl +_mkdev(bpf, bpf, {-M bpf c major_bpf_c 0 600 + M bpf0 c major_bpf_c 0 600-})dnl _mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl _mkdev(tap, {-tap*-}, {-M tap$U c major_tap_c $U 600-}, 600)dnl __devitem(speak, speaker, PC speaker,spkr)dnl Index: etc/etc.alpha/MAKEDEV === RCS file: /cvs/src/etc/etc.alpha/MAKEDEV,v retrieving revision 1.194 diff -u -p -r1.194 MAKEDEV --- etc/etc.alpha/MAKEDEV 25 Apr 2016 20:38:34 - 1.194 +++ etc/etc.alpha/MAKEDEV 26 Apr 2016 19:01:13 - @@ -4,7 +4,7 @@ # generated from: # # OpenBSD: etc.alpha/MAKEDEV.md,v 1.66 2016/04/25 20:38:10 tedu Exp -# OpenBSD: MAKEDEV.common,v 1.85 2016/02/05 06:29:45 uebayasi Exp +# OpenBSD: MAKEDEV.common,v 1.86 2016/04/25 20:39:42 tedu Exp # OpenBSD: MAKEDEV.mi,v 1.82 2016/03/12 17:58:59 espie Exp # OpenBSD: MAKEDEV.sub,v 1.14 2005/02/07 06:14:18 david Exp # @@ -68,7 +68,7 @@ # audio* Audio devices # bio ioctl tunnel pseudo-device # bktr* Video frame grabbers -# bpf*Berkeley Packet Filter +# bpf Berkeley Packet Filter # diskmap Disk mapper # fd fd/* nodes # fuseUserland Filesystem @@ -213,7 +213,7 @@ U=`unt $i` case $i in ramdisk) - R std fd0 wd0 wd1 wd2 sd0 sd1 sd2 bpf0 + R std fd0 wd0 wd1 wd2 sd0 sd1 sd2 bpf R st0 cd0 ttyC0 rd0 bio diskmap random ;; 
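Review bot: The new `_mkdev(bpf, bpf, ...)` body creates `bpf0` as a second node on minor 0, and nothing in MAKEDEV.common says it is a temporary compatibility alias; only the covering mail does. I would add `dnl bpf0: compatibility alias for bpf, remove after the transition` above the `_mkdev` line so the alias is not later mistaken for a per-unit node. Because the rule no longer matches `bpf*`, nodes bpf1-bpf9 created by an earlier MAKEDEV are presumably left in /dev on upgraded systems; removing them may belong in the upgrade notes.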
@@ -320,8 +320,9 @@ diskmap) M diskmap c 63 0 640 operator ;; -bpf*) - M bpf$U c 11 $U 600 +bpf) + M bpf c 11 0 600 + M bpf0 c 11 0 600 ;; bktr*) @@ -518,12 +519,11 @@ local) all) R vnd0 vnd1 vnd2 vnd3 sd0 sd1 sd2 sd3 sd4 sd5 sd6 sd7 sd8 sd9 - R cd0 cd1 rd0 tap0 tap1 tap2 tap3 tun0 tun1 tun2 tun3 bpf0 - R bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 pty0 fd1 fd1B - R fd1C fd1D fd1E fd1F fd1G fd1H fd0 fd0B fd0C fd0D fd0E fd0F - R fd0G fd0H diskmap vscsi0 ch0 bio audio0 audio1 audio2 fuse - R