From: "Peter Hessler via tech" <tech@openbsd.org>
Subject: Re: net80211: ignore Rx BA agreements while link is down
To: tech@openbsd.org
Date: Fri, 15 Mar 2024 11:02:15 +0100

OK


On 2024 Mar 15 (Fri) at 10:52:50 +0100 (+0100), Stefan Sperling wrote:
:The net80211 stack should not accept Rx Block Ack before the WPA handshake
:has completed. Otherwise an AP which sends this BA request very early can
:trigger a firmware error on iwx, and presumably iwm as well.
:
:Found by zxystd from the OpenIntelWireless project:
:
:[  139.589544]: itlwm: taskq task_add iwx_newstate_task thread: 464
:[  139.589548]: itlwm: taskq worker thread=764 work=iwx_newstate_task
:[  139.589551]: itlwm: iwx_newstate_task
:[  139.589552]: itlwm: iwx_newstate_task sc->sc_flags & IWX_FLAG_SHUTDOWN false
:[  139.589553]: itlwm: iwx_run
:[  139.589553]: itlwm: iwx_phy_ctxt_cmd
:[  139.589554]: itlwm: iwx_phy_ctxt_cmd_v3: 2ghz=0, channel=149, channel_width=2 pos=1 chains static=0x2, dynamic=0x2, rx_ant=0x3, tx_ant=0x3
:[  139.589559]: itlwm: iwx_send_cmd: Sending command (1.8), 32 bytes at [23]:0 ver: 0 tid: 764
:[  139.592141]: itlwm: iwx_cmd_done: command 0x8 done
:[  139.592150]: itlwm: iwx_add_task iwx_ba_task
:[  139.592151]: itlwm: taskq task_add iwx_ba_task thread: 464
:[  139.592165]: itlwm: taskq worker thread=763 work=iwx_ba_task
:[  139.592174]: itlwm: iwx_ba_task ba_rx_start tid=0, ssn=0
:[  139.592177]: itlwm: iwx_sta_rx_agg start=1 tid=0 ssn=0 winsize=64
:[  139.592184]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 764
:[  139.592198]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 763
:[  139.592273]: itlwm: ieee80211_eapol_key_input
:[  139.592274]: itlwm: ieee80211_recv_4way_msg1
:[  139.592288]: itlwm: : received msg 1/4 of the 4-way handshake from 68:db:54:44:68:a1
:[  139.592289]: itlwm: ieee80211_send_4way_msg2
:[  139.592290]: itlwm: : sending msg 2/4 of the 4-way handshake to 68:db:54:44:68:a1, type=RSN
:[  139.592290]: itlwm: ieee80211_send_eapol_key
:[  139.592291]: itlwm: ieee80211_eapol_key_mic
:[  139.622322]: itlwm: : dumping device error log
:[  139.622380]: itlwm: : Start Error Log Dump:
:
:"""
:tid 764 is new state thread and 763 is the systq thread,
:we can see it is racing on sending IWX_ADD_STA/IWX_MAC_CONTEXT command.
:"""
:
:ok?
:
:diff /usr/src
:commit - f7f881b4a39de104b5ea5d5653e0d5bae009b248
:path + /usr/src
:blob - ff43a9a80610bdc2fbda10a4dc90f6d362549b65
:file + sys/net80211/ieee80211_input.c
:--- sys/net80211/ieee80211_input.c
:+++ sys/net80211/ieee80211_input.c
:@@ -2838,6 +2838,11 @@ ieee80211_recv_addba_req(struct ieee80211com *ic, stru
: 	u_int8_t token, tid;
: 	int err = 0;
: 
:+	/* Ignore if we are not ready to receive data frames. */
:+	if (ic->ic_state != IEEE80211_S_RUN ||
:+	    ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
:+		return;
:+
: 	if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
: 		DPRINTF(("received ADDBA req from non-HT STA %s\n",
: 		    ether_sprintf(ni->ni_macaddr)));
:
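Review bot: the new early return at the top of ieee80211_recv_addba_req() drops the request silently, while the non-HT rejection directly below it logs through DPRINTF. A DPRINTF giving the sender via ether_sprintf(ni->ni_macaddr) and the reason (ic_state is not IEEE80211_S_RUN, or IEEE80211_F_RSNON is set and ni_port_valid is not) would make early ADDBA requests visible when debugging. Since this path returns before any reply is built, the comment could also say that the request is deliberately left unanswered and that the peer is expected to repeat it after the handshake, if that is the intent.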

-- 
"I stayed up all night playing poker with tarot cards.  I got a full
house and four people died."
		-- Steven Wright