net80211: workaround a beacon setup crash race w/ ieee80211_getcapinfo()
Needs RevisionPublic
Actions

Authored by adrian on Mar 26 2025, 3:50 AM.

Details

Reviewers

Group Reviewers

Summary

There's a race during beacon setup and VAP setup/interface up that
is easily triggered by configuring AP interfaces in rc.conf and letting
the rc system bring things up.

ic->ic_curchan has a channel (which is a legacy hold over anyway),
but ni->ni_chan is set to IEEE80211_CHAN_ANYC. So, the BSS stuff
is (surprise!) not quite setup by the time the newstate path is
run (newstate_cb -> ath_newstate into RUN state -> ath_beacon_alloc()
-> ieee80211_beacon_alloc() -> ieee80211_beacon_construct() ->
ieee80211_getcapinfo()) and things explode.

This is definitely the wrong place to solve this problem though,
and when it's actually solved, a KASSERT belongs here instead.

In the meantime, this will just set up an incomplete capinfo field
until the next beacon update, at which point there'll (hopefully!) be
a valid BSS ni->ni_chan.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 63132
Build 60016: arc lint + arc unit

Event Timeline

adrian created this revision.Mar 26 2025, 3:50 AM

Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptMar 26 2025, 3:50 AM

adrian requested review of this revision.Mar 26 2025, 3:50 AM

Harbormaster completed remote builds in B63132: Diff 152687.Mar 26 2025, 3:50 AM

adrian added a parent revision: D49513: net80211: document the 802.11 specification for ieee80211_getcapinfo().Mar 26 2025, 3:51 AM

adrian added a reviewer: wireless.

adrian added a project: wireless.

adrian added a child revision: D49545: ath: fix athtools common code to correctly init state.Mar 27 2025, 11:42 PM

thj added a subscriber: thj.Mar 28 2025, 3:48 PM

thj added inline comments.

sys/net80211/ieee80211_output.c
2678	Should there also be a check for IEEE80211_CHAN_ANY here? I don't know if it makes sense of empty capinfo to have SHSLOT set

Hmm See also, e.g., wpi_run():

/* XXX kernel panic workaround */
if (c == IEEE80211_CHAN_ANYC) {
        device_printf(sc->sc_dev, "%s: incomplete configuration\n",
            __func__);
        return EINVAL;
}

If you want to add the ANYC checks there they both must come with a comment as-to why that is.

I agree on the race problem -- plenty of them in STA land too.

This revision now requires changes to proceed.Apr 12 2025, 12:49 AM

I believe we have a different underlying problem and this should not go in as it manifests elsewhere as well:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286063

In D49514#1136551, @bz wrote:

I believe we have a different underlying problem and this should not go in as it manifests elsewhere as well:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286063

Hmmmmmmmmmmmmm.

Yeah, I think there's some fun race(s) going on here between VAP setup and the initial newstate change.

Time to go add some tracing.. :-) Let's sit on this commit for a while longer.