Page MenuHomeFreeBSD
Differential D49865

net80211: fix a race between ieee80211_sta_join and scan entries
Needs ReviewPublic
Actions

Authored by bz on Wed, Apr 16, 7:24 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Apr 22, 8:04 AM
Unknown Object (File)
Sat, Apr 19, 9:25 PM
Unknown Object (File)
Sat, Apr 19, 7:54 PM
Unknown Object (File)
Sat, Apr 19, 11:06 AM
Unknown Object (File)
Sat, Apr 19, 9:12 AM
Unknown Object (File)
Fri, Apr 18, 8:19 AM
Unknown Object (File)
Fri, Apr 18, 3:22 AM
Unknown Object (File)
Thu, Apr 17, 8:43 PM
View All 10 Files
Subscribers
adrian
glebius
imp
melifaro
rm
thj

Details

Reviewers
None
Group Reviewers
wireless
Summary

We were seeing panics during ieee80211_sta_join() which seemed that
the ni->ni_chan was not valid anymore, which was true.
We also saw errors indicating data put into ni_ies became inalid.

The problem was that the ieee80211_scan_entry passed into
ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
became invalid during ieee80211_alloc_node().
As a result for the ni_chan case the the rateset and len in rates[1]
became invalid. Similarly for the IEs.

Make a (deep)copy of the scan entry in setmlme_assoc_sta() and return
the copy as once we leave ieee80211_scan_iterate() we can no longer
rely on the scan entry to be valid.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reported by: rm
PR: 286063

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 63550
Build 60434: arc lint + arc unit

Event Timeline

bz created this revision.Wed, Apr 16, 7:24 PM
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptWed, Apr 16, 7:24 PM
bz requested review of this revision.Wed, Apr 16, 7:24 PM
Harbormaster completed remote builds in B63550: Diff 153752.Wed, Apr 16, 7:24 PM
bz added a reviewer: wireless.Wed, Apr 16, 7:26 PM
bz added a subscriber: adrian.

@adrian, does this also fix your problem from D49514 or is that a similar yet different problem?

rm added a comment.Thu, Apr 17, 9:00 PM

Bjoern, as I said in the beginning I wasn't able to reproduce the panic, it only happened once. I tested with your patch, and can say everything works smoothly on my side.
Please let me know if you need any additional info, command outputs etc. Thank you!

rm added inline comments.Thu, Apr 17, 9:03 PM
sys/net80211/ieee80211_ioctl.c
1558

There is a typo in a word "everything"

bz added a subscriber: thj.Fri, Apr 18, 1:53 AM
In D49865#1137332, @rm wrote:

Bjoern, as I said in the beginning I wasn't able to reproduce the panic, it only happened once. I tested with your patch, and can say everything works smoothly on my side.
Please let me know if you need any additional info, command outputs etc. Thank you!

Thanks. I could reliably reproduce it (at some point) before this patch. Given it's a race it happens .. or not and a change to system may just make it happen. I had enabled lots of debugging to console at that point.

@adrian @thj does this make sense here?

@adrian I do not think this fixes your problem from D49514. Need to look into that. I need an AP supporting WEP and GCMP anyway so ... maybe I'll hit it too.

Revision Contents
Changeset List

PathSize
sys/
net80211/
26 lines

Diff 153752

View Options

sys/net80211/ieee80211_ioctl.c

Loading...