net80211: ignore Rx BA agreements while link is down
The net80211 stack should not accept Rx Block Ack before the WPA handshake
has completed. Otherwise an AP which sends this BA request very early can
trigger a firmware error on iwx, and presumably iwm as well.
Found by zxystd from the OpenIntelWireless project:
[ 139.589544]: itlwm: taskq task_add iwx_newstate_task thread: 464
[ 139.589548]: itlwm: taskq worker thread=764 work=iwx_newstate_task
[ 139.589551]: itlwm: iwx_newstate_task
[ 139.589552]: itlwm: iwx_newstate_task sc->sc_flags & IWX_FLAG_SHUTDOWN false
[ 139.589553]: itlwm: iwx_run
[ 139.589553]: itlwm: iwx_phy_ctxt_cmd
[ 139.589554]: itlwm: iwx_phy_ctxt_cmd_v3: 2ghz=0, channel=149, channel_width=2 pos=1 chains static=0x2, dynamic=0x2, rx_ant=0x3, tx_ant=0x3
[ 139.589559]: itlwm: iwx_send_cmd: Sending command (1.8), 32 bytes at [23]:0 ver: 0 tid: 764
[ 139.592141]: itlwm: iwx_cmd_done: command 0x8 done
[ 139.592150]: itlwm: iwx_add_task iwx_ba_task
[ 139.592151]: itlwm: taskq task_add iwx_ba_task thread: 464
[ 139.592165]: itlwm: taskq worker thread=763 work=iwx_ba_task
[ 139.592174]: itlwm: iwx_ba_task ba_rx_start tid=0, ssn=0
[ 139.592177]: itlwm: iwx_sta_rx_agg start=1 tid=0 ssn=0 winsize=64
[ 139.592184]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 764
[ 139.592198]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 763
[ 139.592273]: itlwm: ieee80211_eapol_key_input
[ 139.592274]: itlwm: ieee80211_recv_4way_msg1
[ 139.592288]: itlwm: : received msg 1/4 of the 4-way handshake from 68:db:54:44:68:a1
[ 139.592289]: itlwm: ieee80211_send_4way_msg2
[ 139.592290]: itlwm: : sending msg 2/4 of the 4-way handshake to 68:db:54:44:68:a1, type=RSN
[ 139.592290]: itlwm: ieee80211_send_eapol_key
[ 139.592291]: itlwm: ieee80211_eapol_key_mic
[ 139.622322]: itlwm: : dumping device error log
[ 139.622380]: itlwm: : Start Error Log Dump:
"""
tid 764 is new state thread and 763 is the systq thread,
we can see it is racing on sending IWX_ADD_STA/IWX_MAC_CONTEXT command.
"""
ok?
diff /usr/src
commit - f7f881b4a39de104b5ea5d5653e0d5bae009b248
path + /usr/src
blob - ff43a9a80610bdc2fbda10a4dc90f6d362549b65
file + sys/net80211/ieee80211_input.c
--- sys/net80211/ieee80211_input.c
+++ sys/net80211/ieee80211_input.c
@@ -2838,6 +2838,11 @@ ieee80211_recv_addba_req(struct ieee80211com *ic, stru
u_int8_t token, tid;
int err = 0;
+ /* Ignore if we are not ready to receive data frames. */
+ if (ic->ic_state != IEEE80211_S_RUN ||
+ ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
+ return;
+
if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
DPRINTF(("received ADDBA req from non-HT STA %s\n",
ether_sprintf(ni->ni_macaddr)));
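Review bot: the new early return at the top of ieee80211_recv_addba_req() drops the request silently, while the non-HT branch directly below it logs the rejection with DPRINTF. A DPRINTF in the new branch, naming the peer with ether_sprintf(ni->ni_macaddr), would make ADDBA requests that arrive before the handshake completes visible when debugging. The comment could also say that no ADDBA response is sent on this path, so the peer is left to retry once ic_state is IEEE80211_S_RUN and ni_port_valid is set, if that is the intended behaviour.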