From: "Peter Hessler via tech"
Subject: Re: net80211: ignore Rx BA agreements while link is down
To: tech@openbsd.org
Date: Fri, 15 Mar 2024 11:02:15 +0100

OK

On 2024 Mar 15 (Fri) at 10:52:50 +0100 (+0100), Stefan Sperling wrote:
:The net80211 stack should not accept Rx Block Ack before the WPA handshake
:has completed. Otherwise an AP which sends this BA request very early can
:trigger a firmware error on iwx, and presumably iwm as well.
:
:Found by zxystd from the OpenIntelWireless project:
:
:[ 139.589544]: itlwm: taskq task_add iwx_newstate_task thread: 464
:[ 139.589548]: itlwm: taskq worker thread=764 work=iwx_newstate_task
:[ 139.589551]: itlwm: iwx_newstate_task
:[ 139.589552]: itlwm: iwx_newstate_task sc->sc_flags & IWX_FLAG_SHUTDOWN false
:[ 139.589553]: itlwm: iwx_run
:[ 139.589553]: itlwm: iwx_phy_ctxt_cmd
:[ 139.589554]: itlwm: iwx_phy_ctxt_cmd_v3: 2ghz=0, channel=149, channel_width=2 pos=1 chains static=0x2, dynamic=0x2, rx_ant=0x3, tx_ant=0x3
:[ 139.589559]: itlwm: iwx_send_cmd: Sending command (1.8), 32 bytes at [23]:0 ver: 0 tid: 764
:[ 139.592141]: itlwm: iwx_cmd_done: command 0x8 done
:[ 139.592150]: itlwm: iwx_add_task iwx_ba_task
:[ 139.592151]: itlwm: taskq task_add iwx_ba_task thread: 464
:[ 139.592165]: itlwm: taskq worker thread=763 work=iwx_ba_task
:[ 139.592174]: itlwm: iwx_ba_task ba_rx_start tid=0, ssn=0
:[ 139.592177]: itlwm: iwx_sta_rx_agg start=1 tid=0 ssn=0 winsize=64
:[ 139.592184]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 764
:[ 139.592198]: itlwm: iwx_send_cmd: Sending command (1.18), 48 bytes at [24]:0 ver: 0 tid: 763
:[ 139.592273]: itlwm: ieee80211_eapol_key_input
:[ 139.592274]: itlwm: ieee80211_recv_4way_msg1
:[ 139.592288]: itlwm: : received msg 1/4 of the 4-way handshake from 68:db:54:44:68:a1
:[ 139.592289]: itlwm: ieee80211_send_4way_msg2
:[ 139.592290]: itlwm: : sending msg 2/4 of the 4-way handshake to 68:db:54:44:68:a1, type=RSN
:[ 139.592290]: itlwm: ieee80211_send_eapol_key
:[ 139.592291]: itlwm: ieee80211_eapol_key_mic
:[ 139.622322]: itlwm: : dumping device error log
:[ 139.622380]: itlwm: : Start Error Log Dump:
:
:"""
:tid 764 is new state thread and 763 is the systq thread,
:we can see it is racing on sending IWX_ADD_STA/IWX_MAC_CONTEXT command.
:"""
:
:ok?
:
:diff /usr/src
:commit - f7f881b4a39de104b5ea5d5653e0d5bae009b248
:path + /usr/src
:blob - ff43a9a80610bdc2fbda10a4dc90f6d362549b65
:file + sys/net80211/ieee80211_input.c
:--- sys/net80211/ieee80211_input.c
:+++ sys/net80211/ieee80211_input.c
:@@ -2838,6 +2838,11 @@ ieee80211_recv_addba_req(struct ieee80211com *ic, stru
: 	u_int8_t token, tid;
: 	int err = 0;
: 
:+	/* Ignore if we are not ready to receive data frames. */
:+	if (ic->ic_state != IEEE80211_S_RUN ||
:+	    ((ic->ic_flags & IEEE80211_F_RSNON) && !ni->ni_port_valid))
:+		return;
:+
: 	if (!(ni->ni_flags & IEEE80211_NODE_HT)) {
: 		DPRINTF(("received ADDBA req from non-HT STA %s\n",
: 		    ether_sprintf(ni->ni_macaddr)));
:

-- 
"I stayed up all night playing poker with tarot cards. I got a full house
and four people died." -- Steven Wright
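Review bot: the new early return in ieee80211_recv_addba_req drops the ADDBA request silently, whereas the non-HT case directly below it reports via DPRINTF(("received ADDBA req from non-HT STA %s\n", ether_sprintf(ni->ni_macaddr))); a matching DPRINTF before the `return;` (noting that the request arrived before IEEE80211_S_RUN, or before ni_port_valid was set) would keep the sequence the itlwm trace shows, an AP starting Rx BA setup ahead of the 4-way handshake, visible while debugging instead of disappearing without a trace. The condition itself reads correctly: with IEEE80211_F_RSNON set the request is held off until the 802.1X port is valid, and without RSN only the RUN state is required, which matches the comment "Ignore if we are not ready to receive data frames." Since the guard lives only in the request handler, the Rx BA (ba_rx_start) path from the trace is the one covered, consistent with the subject line.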