From: Stefan Sperling
Subject: net80211: ignore Rx BA agreements while link is down
To: tech@openbsd.org
Date: Fri, 15 Mar 2024 10:52:50 +0100

The net80211 stack should not accept Rx Block Ack before the WPA handshake
has completed. Otherwise an AP which sends this BA request very early can
trigger a firmware error on iwx, and presumably iwm as well.

Found by zxystd from the OpenIntelWireless project:

[ 139.589544]: itlwm: taskq task_add iwx_newstate_task thread: 464
[ 139.589548]: itlwm: taskq worker thread=764 work=iwx_newstate_task
[ 139.589551]: itlwm: iwx_newstate_task
[ 139.589552]: itlwm: iwx_newstate_task sc->sc_flags & IWX_FLAG_SHUTDOWN false
[ 139.589553]: itlwm: iwx_run
[ 139.589553]: itlwm: iwx_phy_ctxt_cmd
[ 139.589554]: itlwm: iwx_phy_ctxt_cmd_v3: 2ghz=0, channel=149, channel_width=2 pos=1 chains static=0x2, dynamic=0x2, rx_ant=0x3, tx_ant=0x3
[ 139.589559]: itlwm: iwx_send_cmd: Sending command (1.8), 32 bytes at [23]:0 ver: 0 tid: 764
[ 139.592141]: itlwm: iwx_cmd_done: command 0x8 done
[ 139.592150]: itlwm: iwx_add_task iwx_ba_task
[ 139.592151]: itlwm: taskq task_add iwx_ba_task thread: 464
[ 139.592165]: itlwm: taskq worker thread=763 work=iwx_ba_task
[ 139.592174]: itlwm: iwx_ba_task ba_rx_start tid=0, ssn=0
[ 139.592177]: itlwm: iwx_sta_rx_agg start=1 tid=0 ssn=0 winsize=64
[ 139.592184]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 764
[ 139.592198]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 763
[ 139.592273]: itlwm: ieee80211_eapol_key_input
[ 139.592274]: itlwm: ieee80211_recv_4way_msg1
[ 139.592288]: itlwm: : received msg 1/4 of the 4-way handshake from 68:db:54:44:68:a1
[ 139.592289]: itlwm: ieee80211_send_4way_msg2
[ 139.592290]: itlwm: : sending msg 2/4 of the 4-way handshake to 68:db:54:44:68:a1, type=RSN
[ 139.592290]: itlwm: ieee80211_send_eapol_key
[ 139.592291]: itlwm: ieee80211_eapol_key_mic
[ 139.622322]: itlwm: : dumping device error log
[ 139.622380]: itlwm: : Start Error Log Dump:

"""
tid 764 is the new state thread and 763 is the systq thread; we can see it
is racing on sending the IWX_ADD_STA/IWX_MAC_CONTEXT command.
"""

ok?

diff /usr/src
commit - f7f881b4a39de104b5ea5d5653e0d5bae009b248
path + /usr/src
blob - ff43a9a80610bdc2fbda10a4dc90f6d362549b65
file + sys/net80211/ieee80211_input.c
--- sys/net80211/ieee80211_input.c
+++ sys/net80211/ieee80211_input.c
@@ -2838,6 +2838,11 @@ ieee80211_recv_addba_req(struct ieee80211com *ic, stru
 	u_int8_t token, tid;
 	int err = 0;
 
+	/* Ignore if we are not ready to receive data frames. */
+	if (ic->ic_state != IEEE80211_S_RUN ||
+	    ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
+		return;
+
 	if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
 		DPRINTF(("received ADDBA req from non-HT STA %s\n",
 		    ether_sprintf(ni->ni_macaddr)));
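Review bot: the new guard at the top of ieee80211_recv_addba_req() returns silently, so a peer that sends ADDBA before the 802.1X port is valid gets no response at all; it would help to state in the commit message whether a silent drop is the intended behaviour (the AP retries its ADDBA request after the 4-way handshake completes) or whether answering with a refused ADDBA response, as the function's later rejection paths do for other bad requests, would be preferable. The one-line comment could also name both conditions being tested, e.g. "/* Ignore if not in RUN state, or if RSN is on and the port is not yet valid. */", so that the ni_port_valid check is self-explanatory to the next reader. Finally, since the log shows the race only on the Rx BA side, it is worth confirming whether the Tx BA (ADDBA response) path needs the same early-out, which this diff does not touch.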