On Fri, Apr 30, 2021 at 02:31:22PM +0200, Mark Kettenis wrote: > media autoselect mediaopt hostap > nwid openbsd chan 60 wpakey password > inet 192.168.32.1 > > and this is what ifconfig athn0 shows: > > athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > lladdr 6c:71:d9:33:44:55 > index 3 priority 4 llprio 3 > groups: wlan > media: IEEE802.11 autoselect hostap (autoselect mode 11n hostap) > status: active > ieee80211: nwid humppa chan 60 bssid 6c:71:d9:33:44:55 -92dBm wpakey > wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp > inet 192.168.32.1 netmask 0xffffff00 broadcast 192.168.32.255 > >
Thank you, I believe I have found the problem. Block ack request (BAR) frames are control frames, and apparently control frames can trigger bogus michael mic failures with athn hardware decryption. I suppose these errors occur whenever iwm sees a Tx failure on an aggregation queue and sends a BAR frame to sync the BA window. Does this patch fix it? diff 54d90405e1f80df38ddacf107a6d85d23d1f766f /usr/src blob - 2b77b0d686dd9025de558a94cbb0a5ce75b93747 file + sys/dev/ic/ar5008.c --- sys/dev/ic/ar5008.c +++ sys/dev/ic/ar5008.c @@ -865,7 +865,7 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l struct ieee80211_rxinfo rxi; struct ieee80211_node *ni; struct mbuf *m, *m1; - int error, len; + int error, len, michael_mic_failure = 0; bf = SIMPLEQ_FIRST(&rxq->head); if (__predict_false(bf == NULL)) { /* Should not happen. */ @@ -915,16 +915,12 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l ic->ic_stats.is_ccmp_dec_errs++; } else if (ds->ds_status8 & AR_RXS8_MICHAEL_ERR) { DPRINTFN(2, ("Michael MIC failure\n")); - /* Report Michael MIC failures to net80211. */ - ic->ic_stats.is_rx_locmicfail++; - ieee80211_michael_mic_failure(ic, 0); - /* - * XXX Check that it is not a control frame - * (invalid MIC failures on valid ctl frames). - */ + michael_mic_failure = 1; } - ifp->if_ierrors++; - goto skip; + if (!michael_mic_failure) { + ifp->if_ierrors++; + goto skip; + } } len = MS(ds->ds_status1, AR_RXS1_DATA_LEN); @@ -978,6 +974,25 @@ ar5008_rx_process(struct athn_softc *sc, struct mbuf_l wh = mtod(m, struct ieee80211_frame *); ni = ieee80211_find_rxnode(ic, wh); + if (michael_mic_failure) { + /* + * Check that it is not a control frame + * (invalid MIC failures on valid ctl frames). + */ + if (!(wh->i_fc[0] & IEEE80211_FC0_TYPE_CTL) && + (ic->ic_flags & IEEE80211_F_RSNON) && + (ni->ni_rsncipher == IEEE80211_CIPHER_TKIP || + ni->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP)) { + /* Report Michael MIC failures to net80211. */ + ic->ic_stats.is_rx_locmicfail++; + ieee80211_michael_mic_failure(ic, 0); + ifp->if_ierrors++; + ieee80211_release_node(ic, ni); + m_freem(m); + goto skip; + } + } + /* Remove any HW padding after the 802.11 header. */ if (!(wh->i_fc[0] & IEEE80211_FC0_TYPE_CTL)) { u_int hdrlen = ieee80211_get_hdrlen(wh);