Frames injected from user space carry the DLT_IEEE802_11_RADIO
mbuf tag, and are handled as a special case. Do not fall back
to regular encapsulation while we are in monitor mode and the
frame injected by userspace is found to be invalid.

This fixes an issue when iwx(4) runs in monitor mode with addresses
configured on the interface and leaving 11n/11ac mode directly for
monitor mode. In this case, traffic generated by userspace or the
kernel (such as ICMPv6) would trigger Tx attempts, which in turn
would trigger an attempt to set up a block ACK agreement and then
cause a firmware panic.

This points at a related issue where interface configuration state
is not properly cleaned up while switching into monitor mode.
The 11n/11ac interface config should ideally be cleared completely,
preventing block ack from being initiated.

But preventing the stack from trying to send frames down the regular
Tx path in monitor mode is a good idea in general because drivers may
not handle this very well for various reasons, block ack being just one.
 
 M  sys/net80211/ieee80211_output.c  |  3+  0-

1 file changed, 3 insertions(+), 0 deletions(-)

diff 0af06ae5564c25f587b7517e02a7d830d8b58b82 d4481401f1b866cb10e660d22019c8e8184f14a4
commit - 0af06ae5564c25f587b7517e02a7d830d8b58b82
commit + d4481401f1b866cb10e660d22019c8e8184f14a4
blob - a6161bf8e420bc29c2422aa6cd702ea297c9b568
blob + 668c318cb55277c3f9c6f5224596cb2d1af74b52
--- sys/net80211/ieee80211_output.c
+++ sys/net80211/ieee80211_output.c
@@ -569,6 +569,9 @@ ieee80211_encap(struct ifnet *ifp, struct mbuf *m, str
 	}
 
  fallback:
+	if (ic->ic_opmode == IEEE80211_M_MONITOR)
+		goto bad;
+
 	if (m->m_len < sizeof(struct ether_header)) {
 		m = m_pullup(m, sizeof(struct ether_header));
 		if (m == NULL) {