Discussion:
ath10k firmware sends probes on DFS channels without radar detection
Jean-Pierre Tosoni
2016-12-06 17:02:52 UTC
Permalink
This follows on the previous discussion
"Client station sends probes on DFS channels"

Problem:
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893
section 4.7; because they can send probes for 600s when no
AP is around.

Analysis:
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.

This is a wrong hypothesis, since a rogue AP sending fraudulent
beacons should not induce a scrupulous STA in sending illegal probes.

Moreover, the norm (table D.1) sets a time limit of 10s to
shutdown when no AP positively allows the STA to transmit on
the DFS channel.

Status:
- there is no known plan at QCA to fix the issue.
- ath10k firmware is not publicly available for fixes.
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]

Jean-Pierre Tosoni
-----Message d'origine-----
Jean-Pierre Tosoni
Envoyé : mercredi 30 novembre 2016 19:04
Objet : Client station sends probes on DFS channels
Hello list,
There is a case where I can see probes on a DFS channel, from a non-
associated station using ath10k. (note that the problem does not arise
when using ath9k).
*The setup*
I am using Openwrt, wpa_supplicant and compat-wireless 2016-10-08,
Card firmware is ath10k_pci: qca988x hw2.0 (0x4100016c, 0x043202ff)
fw 10.2.4.70-2 api 5 htt-ver 2.1 wmi-op 5 htt-op 2
cal otp max-sta 128 features no-p2p
ath10k_pci: debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
I am using channel 116, regdom US or FR, where I see no traffic at all
using wireshark+Airpcap.
I set wpa_supplicant to scan this channel only for a specific SSID
"ssid1".
At initial startup of the client device, no probes are going out, which
is OK.
Then, on another device, I start a hostapd set to channel 116, with a
different SSID "otherssid" so that the supplicant will not associate.
Shortly (1-2s) after the beacons appear in the air, the client begins to
Send probe request in the air, which is unexpected, but acceptable since
the client can infer absence of radars from the presence of beacons.
*The problem*
If I power down the AP, the client continues to send probes for around
10 minutes, which is unacceptable since it cannot handle radar detection,
as it is a slave device in the meaning of ETSI/EN 301-893[1].
- I tried to investigate the "beacon hint" mechanism but it appears
that it is not used on DFS channels.
- I tried to force the IEEE80211_NO_IR flag when IEEE80211_CHAN_DFS
is set.
- When I reload the reg. domain using "iw reg set", the probes cease,
but will reappear if I cycle my AP again On then Off.
- When I let the client associate, then disassociate and stop the AP,
the same problem arises. It disappears if I add a call to
ath10k_regd_update() in mac.c after a disconnection (This is not a
fix, since in my case the client never associates).
- Since at startup, the client does not send probes, I infer that the
problem is *not* caused by a hidden AP that the card could see but
not airpcap.
- I tried with channels 52 and 100, with regdom FR or US: same problem.
Any ideas?
[1] http://www.etsi.org/deliver/etsi_en/301800_301899/301893/
01.08.01_60/en_301893v010801p.pdf
[2] http://lists.shmoo.com/pipermail/hostap/2015-January/031906.html
J.P. Tosoni - ACKSYS
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
Ben Greear
2016-12-06 19:36:01 UTC
Permalink
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893
section 4.7; because they can send probes for 600s when no
AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
This is a wrong hypothesis, since a rogue AP sending fraudulent
beacons should not induce a scrupulous STA in sending illegal probes.
Moreover, the norm (table D.1) sets a time limit of 10s to
shutdown when no AP positively allows the STA to transmit on
the DFS channel.
- there is no known plan at QCA to fix the issue.
- ath10k firmware is not publicly available for fixes.
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
Have you confirmed that there are no probe requests being sent by
ath10k driver?

You could also try disabling the station keep-alive and roaming logic in the firmware by
tweaking the wmi initial setup logic. I disable that in my firmware,
for instance, because mac80211 can do a better job and then I can
save resources in the firmware.

Finally, if that doesn't work, then I could probably fix that in CT firmware
in case that is of interest.

Thanks,
Ben
Post by Jean-Pierre Tosoni
Jean-Pierre Tosoni
-----Message d'origine-----
Jean-Pierre Tosoni
Envoyé : mercredi 30 novembre 2016 19:04
Objet : Client station sends probes on DFS channels
Hello list,
There is a case where I can see probes on a DFS channel, from a non-
associated station using ath10k. (note that the problem does not arise
when using ath9k).
*The setup*
I am using Openwrt, wpa_supplicant and compat-wireless 2016-10-08,
Card firmware is ath10k_pci: qca988x hw2.0 (0x4100016c, 0x043202ff)
fw 10.2.4.70-2 api 5 htt-ver 2.1 wmi-op 5 htt-op 2
cal otp max-sta 128 features no-p2p
ath10k_pci: debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
I am using channel 116, regdom US or FR, where I see no traffic at all
using wireshark+Airpcap.
I set wpa_supplicant to scan this channel only for a specific SSID
"ssid1".
At initial startup of the client device, no probes are going out, which
is OK.
Then, on another device, I start a hostapd set to channel 116, with a
different SSID "otherssid" so that the supplicant will not associate.
Shortly (1-2s) after the beacons appear in the air, the client begins to
Send probe request in the air, which is unexpected, but acceptable since
the client can infer absence of radars from the presence of beacons.
*The problem*
If I power down the AP, the client continues to send probes for around
10 minutes, which is unacceptable since it cannot handle radar detection,
as it is a slave device in the meaning of ETSI/EN 301-893[1].
- I tried to investigate the "beacon hint" mechanism but it appears
that it is not used on DFS channels.
- I tried to force the IEEE80211_NO_IR flag when IEEE80211_CHAN_DFS
is set.
- When I reload the reg. domain using "iw reg set", the probes cease,
but will reappear if I cycle my AP again On then Off.
- When I let the client associate, then disassociate and stop the AP,
the same problem arises. It disappears if I add a call to
ath10k_regd_update() in mac.c after a disconnection (This is not a
fix, since in my case the client never associates).
- Since at startup, the client does not send probes, I infer that the
problem is *not* caused by a hidden AP that the card could see but
not airpcap.
- I tried with channels 52 and 100, with regdom FR or US: same problem.
Any ideas?
[1] http://www.etsi.org/deliver/etsi_en/301800_301899/301893/
01.08.01_60/en_301893v010801p.pdf
[2] http://lists.shmoo.com/pipermail/hostap/2015-January/031906.html
J.P. Tosoni - ACKSYS
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
--
Ben Greear <***@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
Ben Greear
2016-12-14 18:28:44 UTC
Permalink
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893 section
4.7; because they can send probes for 600s when no AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
This is a wrong hypothesis, since a rogue AP sending fraudulent
beacons should not induce a scrupulous STA in sending illegal probes.
Moreover, the norm (table D.1) sets a time limit of 10s to shutdown
when no AP positively allows the STA to transmit on the DFS channel.
- there is no known plan at QCA to fix the issue.
- ath10k firmware is not publicly available for fixes.
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
Have you confirmed that there are no probe requests being sent by ath10k
driver?
I have put a printk in the ath10k_tx function (in the path for management
frames) and it does not show up.
On another hand I cannot find any other function preparing / sending probes.
There is only the wmi command that starts scans.
That wmi command causes probes, so make sure it is not being called.
You could also try disabling the station keep-alive and roaming logic in
the firmware by tweaking the wmi initial setup logic. I disable that in
my firmware, for instance, because mac80211 can do a better job and then I
can save resources in the firmware.
Do you mean the values set in wmi.c:: ath10k_wmi_start_scan_init() ?
Should I replace all the scan offload by a mac80211-controlled scan like
in ath9k? The problem then is to switch channels; channel switching
seems very different from ath9k.
You might try one or more of these settings in the ath10k_wmi_10_1_op_gen_init
method (or 10.2 if that is the FW you are using):

config.roam_offload_max_vdev = 0; /* disable roaming */
config.roam_offload_max_ap_profiles = 0; /* disable roaming */
config.bmiss_offload_max_vdev = 0;

I have only tested this using my CT firmware, and I have some additional
patches in my driver to enable mac80211 keep-alive logic when using my
CT firmware.

Thanks,
Ben
Thanks,
JP
Finally, if that doesn't work, then I could probably fix that in CT
firmware in case that is of interest.
Thanks,
Ben
Post by Jean-Pierre Tosoni
Jean-Pierre Tosoni
-----Message d'origine-----
channels
Hello list,
There is a case where I can see probes on a DFS channel, from a non-
associated station using ath10k. (note that the problem does not
arise when using ath9k).
*The setup*
I am using Openwrt, wpa_supplicant and compat-wireless 2016-10-08,
Card firmware is ath10k_pci: qca988x hw2.0 (0x4100016c, 0x043202ff)
fw 10.2.4.70-2 api 5 htt-ver 2.1 wmi-op 5 htt-op 2
cal otp max-sta 128 features no-p2p
ath10k_pci: debug 0 debugfs 1 tracing 0 dfs 1 testmode 1
I am using channel 116, regdom US or FR, where I see no traffic at
all using wireshark+Airpcap.
I set wpa_supplicant to scan this channel only for a specific SSID
"ssid1".
At initial startup of the client device, no probes are going out,
which is OK.
Then, on another device, I start a hostapd set to channel 116, with a
different SSID "otherssid" so that the supplicant will not associate.
Shortly (1-2s) after the beacons appear in the air, the client begins
to Send probe request in the air, which is unexpected, but acceptable
since the client can infer absence of radars from the presence of
beacons.
Post by Jean-Pierre Tosoni
*The problem*
If I power down the AP, the client continues to send probes for around
10 minutes, which is unacceptable since it cannot handle radar
detection, as it is a slave device in the meaning of ETSI/EN 301-
893[1].
Post by Jean-Pierre Tosoni
- I tried to investigate the "beacon hint" mechanism but it appears
that it is not used on DFS channels.
- I tried to force the IEEE80211_NO_IR flag when IEEE80211_CHAN_DFS
is set.
- When I reload the reg. domain using "iw reg set", the probes cease,
but will reappear if I cycle my AP again On then Off.
- When I let the client associate, then disassociate and stop the AP,
the same problem arises. It disappears if I add a call to
ath10k_regd_update() in mac.c after a disconnection (This is not a
fix, since in my case the client never associates).
- Since at startup, the client does not send probes, I infer that the
problem is *not* caused by a hidden AP that the card could see but
not airpcap.
- I tried with channels 52 and 100, with regdom FR or US: same problem.
Any ideas?
[1] http://www.etsi.org/deliver/etsi_en/301800_301899/301893/
01.08.01_60/en_301893v010801p.pdf
[2] http://lists.shmoo.com/pipermail/hostap/2015-January/031906.html
J.P. Tosoni - ACKSYS
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
--
Candela Technologies Inc http://www.candelatech.com
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
--
Ben Greear <***@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
Jouni Malinen
2016-12-14 19:58:05 UTC
Permalink
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893
section 4.7; because they can send probes for 600s when no
AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
I don't think this is really firmware, but cfg80211 regulatory code and
how it interacts with ath10k..
Post by Jean-Pierre Tosoni
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
There seems to be a difference between ath9k (mac80211-based Probe
Request frame sending) and ath10k (firmware) in this area for active
scanning. mac80211 uses IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR
while ath10k uses IEEE80211_CHAN_NO_IR. I'd assume this difference
results in ath10k using cfg80211 beacon hints (etc.) to update the NO_IR
flag and that might be behind the difference you see.

Could you check whether the following change gets you the behavior you
want to see here? I have not had a chance to test this yet, but based on
code review, it looks like something that brings the same behavior to
ath10k that ath9k has for this through mac80211.


diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index aa545a1..758dbbd 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2973,7 +2973,8 @@ static int ath10k_update_channel_list(struct ath10k *ar)
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);

- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
ch->passive = passive;

ch->freq = channel->center_freq;
--
Jouni Malinen PGP id EFC895FA
Jean-Pierre Tosoni
2016-12-15 15:22:34 UTC
Permalink
Jouni,

Thanks for the suggestion, I already tried something like this in wmi.c,
with the same result:

- Before patching the firmware scans DFS channels actively (with probes).

- After patching, the firmware scans DFS channels passively *until* any
beacon is received on the DFS channel. When *any* beacon is seen, the
firmware decides to scan actively on its own, without any new IR/RADAR
info from the driver.

So, your patch is required but not sufficient.

Somehow I was able to overcome this by reloading the regulation domain
in the radio card before each scan request:

////// awful patch ahead ////////

--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2842,7 +2842,9 @@ static int ath10k_update_channel_list(st
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);

- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
+
ch->passive = passive;

ch->freq = channel->center_freq;
@@ -3548,6 +3550,9 @@ static int ath10k_start_scan(struct ath1

lockdep_assert_held(&ar->conf_mutex);

+ if (ar->state == ATH10K_STATE_ON)
+ ath10k_regd_update(ar);
+
ret = ath10k_wmi_start_scan(ar, arg);
if (ret)
return ret;

////////////////////////////////////////

...But this sets a terrible penalty on performance when applied to
background scan.
Post by Jouni Malinen
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893 section
4.7; because they can send probes for 600s when no AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
I don't think this is really firmware, but cfg80211 regulatory code and
how it interacts with ath10k..
Post by Jean-Pierre Tosoni
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
There seems to be a difference between ath9k (mac80211-based Probe Request
frame sending) and ath10k (firmware) in this area for active scanning.
mac80211 uses IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR while ath10k
uses IEEE80211_CHAN_NO_IR. I'd assume this difference results in ath10k
using cfg80211 beacon hints (etc.) to update the NO_IR flag and that might
be behind the difference you see.
Could you check whether the following change gets you the behavior you
want to see here? I have not had a chance to test this yet, but based on
code review, it looks like something that brings the same behavior to
ath10k that ath9k has for this through mac80211.
diff --git a/drivers/net/wireless/ath/ath10k/mac.c
b/drivers/net/wireless/ath/ath10k/mac.c
index aa545a1..758dbbd 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2973,7 +2973,8 @@ static int ath10k_update_channel_list(struct ath10k *ar)
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);
- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
ch->passive = passive;
ch->freq = channel->center_freq;
--
Jouni Malinen PGP id EFC895FA
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
Ben Greear
2016-12-15 16:32:44 UTC
Permalink
Post by Jean-Pierre Tosoni
Jouni,
Thanks for the suggestion, I already tried something like this in wmi.c,
- Before patching the firmware scans DFS channels actively (with probes).
- After patching, the firmware scans DFS channels passively *until* any
beacon is received on the DFS channel. When *any* beacon is seen, the
firmware decides to scan actively on its own, without any new IR/RADAR
info from the driver.
So, your patch is required but not sufficient.
Somehow I was able to overcome this by reloading the regulation domain
////// awful patch ahead ////////
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2842,7 +2842,9 @@ static int ath10k_update_channel_list(st
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);
- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
So, should we add a new flag in firmware and driver that means 'really-no-IR', or
should the NO_IR flag here just always make the firmware never do IR when probing
regardless of whether it has seen beacons or not?

Thanks,
Ben
Post by Jean-Pierre Tosoni
+
ch->passive = passive;
ch->freq = channel->center_freq;
@@ -3548,6 +3550,9 @@ static int ath10k_start_scan(struct ath1
lockdep_assert_held(&ar->conf_mutex);
+ if (ar->state == ATH10K_STATE_ON)
+ ath10k_regd_update(ar);
+
ret = ath10k_wmi_start_scan(ar, arg);
if (ret)
return ret;
////////////////////////////////////////
...But this sets a terrible penalty on performance when applied to
background scan.
Post by Jouni Malinen
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893 section
4.7; because they can send probes for 600s when no AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
I don't think this is really firmware, but cfg80211 regulatory code and
how it interacts with ath10k..
Post by Jean-Pierre Tosoni
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
There seems to be a difference between ath9k (mac80211-based Probe Request
frame sending) and ath10k (firmware) in this area for active scanning.
mac80211 uses IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR while ath10k
uses IEEE80211_CHAN_NO_IR. I'd assume this difference results in ath10k
using cfg80211 beacon hints (etc.) to update the NO_IR flag and that might
be behind the difference you see.
Could you check whether the following change gets you the behavior you
want to see here? I have not had a chance to test this yet, but based on
code review, it looks like something that brings the same behavior to
ath10k that ath9k has for this through mac80211.
diff --git a/drivers/net/wireless/ath/ath10k/mac.c
b/drivers/net/wireless/ath/ath10k/mac.c
index aa545a1..758dbbd 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2973,7 +2973,8 @@ static int ath10k_update_channel_list(struct ath10k *ar)
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);
- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
ch->passive = passive;
ch->freq = channel->center_freq;
--
Jouni Malinen PGP id EFC895FA
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
--
Ben Greear <***@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
Jean-Pierre Tosoni
2016-12-15 17:53:47 UTC
Permalink
-----Message d'origine-----
Envoyé : jeudi 15 décembre 2016 17:33
À : Jean-Pierre Tosoni; 'Jouni Malinen'
Objet : Re: ath10k firmware sends probes on DFS channels without radar
detection
Post by Jean-Pierre Tosoni
Jouni,
Thanks for the suggestion, I already tried something like this in
- Before patching the firmware scans DFS channels actively (with
probes).
Post by Jean-Pierre Tosoni
- After patching, the firmware scans DFS channels passively *until*
any beacon is received on the DFS channel. When *any* beacon is seen,
the firmware decides to scan actively on its own, without any new
IR/RADAR info from the driver.
So, your patch is required but not sufficient.
Somehow I was able to overcome this by reloading the regulation domain
////// awful patch ahead ////////
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2842,7 +2842,9 @@ static int ath10k_update_channel_list(st
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);
- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
So, should we add a new flag in firmware and driver that means 'really-no-
IR', or should the NO_IR flag here just always make the firmware never do
IR when probing regardless of whether it has seen beacons or not?
The distinction between NO_IR and CHAN_RADAR is not very clear to me.
NO_IR appears only in the world regulatory domain so it's not relevant here.

I'd say
"the CHAN_RADAR flag should always make the firmware never do IR when
probing"
...maybe, except if the channel is the operating channel. (this should
exclude
unassociated stations)

I am out of office for the next week.
Regards,
Jean-Pierre
Thanks,
Ben
Post by Jean-Pierre Tosoni
+
ch->passive = passive;
ch->freq = channel->center_freq;
@@ -3548,6 +3550,9 @@ static int ath10k_start_scan(struct ath1
lockdep_assert_held(&ar->conf_mutex);
+ if (ar->state == ATH10K_STATE_ON)
+ ath10k_regd_update(ar);
+
ret = ath10k_wmi_start_scan(ar, arg);
if (ret)
return ret;
////////////////////////////////////////
...But this sets a terrible penalty on performance when applied to
background scan.
Post by Jouni Malinen
Post by Jean-Pierre Tosoni
This follows on the previous discussion
"Client station sends probes on DFS channels"
The combination of QCA988X firmware v10.2.4.70-2 + ath10k +
wpa_supplicant do not comply with the norm ETSI/EN 301-893 section
4.7; because they can send probes for 600s when no AP is around.
The problem seems to lie in the firmware, which regards the presence
of *any* beacon as a proof that the channel is radar-clean for 600s.
I don't think this is really firmware, but cfg80211 regulatory code
and how it interacts with ath10k..
Post by Jean-Pierre Tosoni
- there is no obvious fix working in ath10k.
- the issue does not show up with other mac80211 devices like ath9k.
- wpa_supplicant considers this is a kernel issue [2]
There seems to be a difference between ath9k (mac80211-based Probe
Request frame sending) and ath10k (firmware) in this area for active
scanning.
Post by Jean-Pierre Tosoni
Post by Jouni Malinen
mac80211 uses IEEE80211_CHAN_NO_IR | IEEE80211_CHAN_RADAR while
ath10k uses IEEE80211_CHAN_NO_IR. I'd assume this difference results
in ath10k using cfg80211 beacon hints (etc.) to update the NO_IR flag
and that might be behind the difference you see.
Could you check whether the following change gets you the behavior
you want to see here? I have not had a chance to test this yet, but
based on code review, it looks like something that brings the same
behavior to ath10k that ath9k has for this through mac80211.
diff --git a/drivers/net/wireless/ath/ath10k/mac.c
b/drivers/net/wireless/ath/ath10k/mac.c
index aa545a1..758dbbd 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -2973,7 +2973,8 @@ static int ath10k_update_channel_list(struct
ath10k
*ar)
ch->chan_radar =
!!(channel->flags & IEEE80211_CHAN_RADAR);
- passive = channel->flags & IEEE80211_CHAN_NO_IR;
+ passive = channel->flags & (IEEE80211_CHAN_NO_IR |
+ IEEE80211_CHAN_RADAR);
ch->passive = passive;
ch->freq = channel->center_freq;
--
Jouni Malinen PGP id
EFC895FA
Post by Jean-Pierre Tosoni
Post by Jouni Malinen
_______________________________________________
ath10k mailing list
http://lists.infradead.org/mailman/listinfo/ath10k
--
Candela Technologies Inc http://www.candelatech.com
Jouni Malinen
2016-12-15 22:58:27 UTC
Permalink
Post by Jean-Pierre Tosoni
Post by Jean-Pierre Tosoni
Post by Jean-Pierre Tosoni
Thanks for the suggestion, I already tried something like this in
- Before patching the firmware scans DFS channels actively (with
probes).
Post by Jean-Pierre Tosoni
- After patching, the firmware scans DFS channels passively *until*
any beacon is received on the DFS channel. When *any* beacon is seen,
the firmware decides to scan actively on its own, without any new
IR/RADAR info from the driver.
So, your patch is required but not sufficient.
Somehow I was able to overcome this by reloading the regulation domain
Interesting.. I'm not completely sure what could have changed the
behavior based on beacon hint. I thought it was cfg80211, but if the
simple change for doing NO_IR | RADAR is not sufficient, it would seem
to imply that something else can do this. Some more debugging to do, I
guess.
Post by Jean-Pierre Tosoni
The distinction between NO_IR and CHAN_RADAR is not very clear to me.
NO_IR appears only in the world regulatory domain so it's not relevant here.
NO_IR is a combination of not allowing AP, IBSS, or active scanning
without having somehow been enabled by another device. RADAR has that
same impact and in addition, requirement for doing radar detection and
DFS by a master device.
Post by Jean-Pierre Tosoni
I'd say
"the CHAN_RADAR flag should always make the firmware never do IR when
probing"
...maybe, except if the channel is the operating channel. (this should
exclude
unassociated stations)
For most cases, I'd agree that active scanning should not be used on DFS
channels. That said, unicast Probe Request frame to the current AP while
associated could be a reasonable exception. In addition, WPS with PBC
depends on Probe Request frames to allow PBC session overlap detection,
so there might be sufficient justification to allow Probe Request frame
to be sent out for a very short duration (couple of seconds) after
seeing a Beacon frame on the channel for such special cases.
--
Jouni Malinen PGP id EFC895FA
Jean-Pierre Tosoni
2016-12-26 11:15:02 UTC
Permalink
-----Message d'origine-----
Envoyé : jeudi 15 décembre 2016 23:58
À : Jean-Pierre Tosoni
Objet : Re: ath10k firmware sends probes on DFS channels without radar
detection
Post by Jean-Pierre Tosoni
Post by Jean-Pierre Tosoni
Post by Jean-Pierre Tosoni
Thanks for the suggestion, I already tried something like this in
- Before patching the firmware scans DFS channels actively (with
probes).
Post by Jean-Pierre Tosoni
- After patching, the firmware scans DFS channels passively
*until* any beacon is received on the DFS channel. When *any*
beacon is seen, the firmware decides to scan actively on its own,
without any new IR/RADAR info from the driver.
So, your patch is required but not sufficient.
Somehow I was able to overcome this by reloading the regulation
Interesting.. I'm not completely sure what could have changed the behavior
based on beacon hint. I thought it was cfg80211, but if the simple change
for doing NO_IR | RADAR is not sufficient, it would seem to imply that
something else can do this. Some more debugging to do, I guess.
After some debugging I think the card firmware does this, probably due to
the lack of precise definition of NO_IR, see below.
Post by Jean-Pierre Tosoni
The distinction between NO_IR and CHAN_RADAR is not very clear to me.
NO_IR appears only in the world regulatory domain so it's not relevant
here.
NO_IR is a combination of not allowing AP, IBSS, or active scanning
without having somehow been enabled by another device. RADAR has that same
impact and in addition, requirement for doing radar detection and DFS by a
master device.
Ah, thanks. But then, NO_IR does not define the way for the "other device"
to enable the local device? So, depending on the interpretation, it can
render the local device unusable. OTOH RADAR defines a way which depends on
the local regulations.
Post by Jean-Pierre Tosoni
I'd say
"the CHAN_RADAR flag should always make the firmware never do IR when
probing"
...maybe, except if the channel is the operating channel. (this should
exclude unassociated stations)
For most cases, I'd agree that active scanning should not be used on DFS
channels. That said, unicast Probe Request frame to the current AP while
associated could be a reasonable exception. In addition, WPS with PBC
depends on Probe Request frames to allow PBC session overlap detection, so
there might be sufficient justification to allow Probe Request frame to be
sent out for a very short duration (couple of seconds) after seeing a
Beacon frame on the channel for such special cases.
I agree that unicast probes to the current AP should go through. It goes
with my condition "operating channel".

For WPS, I do not know it well, but I guess probes are acceptable if
1) they are not sent repeatedly over a long period of time during
unassociated state,
2) the AP uses CAC.
And here, both seem to be true.
--
Jouni Malinen PGP id EFC895FA
Regards, Jean-Pierre

Loading...