On Fri, Apr 30, 2021 at 02:31:22PM +0200, Mark Kettenis wrote:
> media autoselect mediaopt hostap
> nwid openbsd chan 60 wpakey password
> inet 192.168.32.1
>
> and this is what ifconfig athn0 shows:
>
> athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 6c:71:d9:33:44:55
> index 3 priority 4 llprio 3
> groups: wlan
> media: IEEE802.11 autoselect hostap (autoselect mode 11n hostap)
> status: active
> ieee80211: nwid humppa chan 60 bssid 6c:71:d9:33:44:55 -92dBm wpakey
> wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
> inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255
>
>
Thank you, I believe I have found the problem.
Block ack request (BAR) frames are control frames, and apparently control
frames can trigger bogus michael mic failures with athn hardware decryption.
I suppose these errors occur whenever iwm sees a Tx failure on an aggregation
queue and sends a BAR frame to sync the BA window.
Does this patch fix it?
diff 54d90405e1f80df38ddacf107a6d85d23d1f766f /usr/src
blob - 2b77b0d686dd9025de558a94cbb0a5ce75b93747
file + sys/dev/ic/ar5008.c
--- sys/dev/ic/ar5008.c
+++ sys/dev/ic/ar5008.c
@@ -865,7 +865,7 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l
struct ieee80211_rxinfo rxi;
struct ieee80211_node *ni;
struct mbuf *m, *m1;
- int error, len;
+ int error, len, michael_mic_failure = 0;
bf = SIMPLEQ_FIRST(&rxq->head);
if (__predict_false(bf == NULL)) { /* Should not happen. */
@@ -915,16 +915,12 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l
ic->ic_stats.is_ccmp_dec_errs++;
} else if (ds->ds_status8 & AR_RXS8_MICHAEL_ERR) {
DPRINTFN(2, ("Michael MIC failure\n"));
- /* Report Michael MIC failures to net80211. */
- ic->ic_stats.is_rx_locmicfail++;
- ieee80211_michael_mic_failure(ic, 0);
- /*
- * XXX Check that it is not a control frame
- * (invalid MIC failures on valid ctl frames).
- */
+ michael_mic_failure = 1;
}
- ifp->if_ierrors++;
- goto skip;
+ if (!michael_mic_failure) {
+ ifp->if_ierrors++;
+ goto skip;
+ }
}
len = MS(ds->ds_status1, AR_RXS1_DATA_LEN);
@@ -978,6 +974,25 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l
wh = mtod(m, struct ieee80211_frame *);
ni = ieee80211_find_rxnode(ic, wh);
+ if (michael_mic_failure) {
+ /*
+ * Check that it is not a control frame
+ * (invalid MIC failures on valid ctl frames).
+ */
+ if (!(wh->i_fc[0] & IEEE80211_FC0_TYPE_CTL) &&
+ (ic->ic_flags & IEEE80211_F_RSNON) &&
+ (ni->ni_rsncipher == IEEE80211_CIPHER_TKIP ||
+ ni->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP)) {
+ /* Report Michael MIC failures to net80211. */
+ ic->ic_stats.is_rx_locmicfail++;
+ ieee80211_michael_mic_failure(ic, 0);
+ ifp->if_ierrors++;
+ ieee80211_release_node(ic, ni);
+ m_freem(m);
+ goto skip;
+ }
+ }
+
/* Remove any HW padding after the 802.11 header. */
if (!(wh->i_fc[0] & IEEE80211_FC0_TYPE_CTL)) {
u_int hdrlen = ieee80211_get_hdrlen(wh);
