Date: Mon, 5 May 2025 14:59:10 GMT
Message-Id: <202505051459.545ExAeW021088@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: aff56b4f0b25 - main - net80211: fix a race between ieee80211_sta_join and scan entries
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: aff56b4f0b25c44c9c2cae9a3f816c4277057a71

The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=aff56b4f0b25c44c9c2cae9a3f816c4277057a71

commit aff56b4f0b25c44c9c2cae9a3f816c4277057a71
Author:     Bjoern A. Zeeb
AuthorDate: 2025-04-16 19:10:58 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2025-05-05 14:58:59 +0000

    net80211: fix a race between ieee80211_sta_join and scan entries

    We were seeing panics during ieee80211_sta_join() which made it seem
    that the ni->ni_chan was not valid anymore, which was true. We also
    saw errors indicating data put into ni_ies became invalid.

    The problem was that the ieee80211_scan_entry passed into
    ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
    became invalid during ieee80211_alloc_node(). As a result, for the
    ni_chan case the rateset and len in rates[1] became invalid.
    Similarly for the IEs.

    Make a (deep) copy of the scan entry in setmlme_assoc_sta() and return
    the copy, as once we leave ieee80211_scan_iterate() we can no longer
    rely on the scan entry to be valid.
Sponsored by: The FreeBSD Foundation MFC after: 3 days Reported by: rm, ziaee, bz Tested by: rm, ziaee, bz PR: 286063 Reviewed by: adrian (,emaste) Differential Revision: https://reviews.freebsd.org/D49865 --- sys/net80211/ieee80211_ioctl.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index caa0c77e2897..6c30325e5e32 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -1530,7 +1530,8 @@ struct scanlookup { const uint8_t *mac; int esslen; const uint8_t *essid; - const struct ieee80211_scan_entry *se; + bool found; + struct ieee80211_scan_entry se; }; /* @@ -1540,6 +1541,10 @@ static void mlmelookup(void *arg, const struct ieee80211_scan_entry *se) { struct scanlookup *look = arg; + int rv; + + if (look->found) + return; if (!IEEE80211_ADDR_EQ(look->mac, se->se_macaddr)) return; @@ -1549,7 +1554,14 @@ mlmelookup(void *arg, const struct ieee80211_scan_entry *se) if (memcmp(look->essid, se->se_ssid+2, look->esslen)) return; } - look->se = se; + /* + * First copy everything and then ensure we get our own copy of se_ies. */ + look->se = *se; + look->se.se_ies.data = 0; + look->se.se_ies.len = 0; + rv = ieee80211_ies_init(&look->se.se_ies, se->se_ies.data, se->se_ies.len); + if (rv != 0) /* No error */ + look->found = true; } static int 
@@ -1558,21 +1570,25 @@ setmlme_assoc_sta(struct ieee80211vap *vap, const uint8_t ssid[IEEE80211_NWID_LEN]) { struct scanlookup lookup; + int rv; KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("expected opmode STA not %s", ieee80211_opmode_name[vap->iv_opmode])); /* NB: this is racey if roaming is !manual */ - lookup.se = NULL; lookup.mac = mac; lookup.esslen = ssid_len; lookup.essid = ssid; + memset(&lookup.se, 0, sizeof(lookup.se)); + lookup.found = false; ieee80211_scan_iterate(vap, mlmelookup, &lookup); - if (lookup.se == NULL) + if (!lookup.found) return ENOENT; mlmedebug(vap, mac, IEEE80211_MLME_ASSOC, 0); - if (!ieee80211_sta_join(vap, lookup.se->se_chan, lookup.se)) + rv = ieee80211_sta_join(vap, lookup.se.se_chan, &lookup.se); + ieee80211_ies_cleanup(&lookup.se.se_ies); + if (rv == 0) return EIO; /* XXX unique but could be better */ return 0; }
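Review bot: the new `if (look->found) return;` guard at the top of mlmelookup() has no comment, yet it is what stops a second matching scan entry from overwriting look->se and leaking the se_ies buffer allocated for the first match; a one-liner such as `/* Keep the first match; a later one would leak our se_ies copy. */` would make the intent obvious to the next reader.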
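Review bot: in the mlmelookup() copy hunk the comment closes on the text line (`* First copy everything and then ensure we get our own copy of se_ies. */`), whereas style(9) puts `*/` on its own line. In the same hunk, `look->se.se_ies.data = 0;` assigns an integer literal to a pointer and should be `NULL`, and `if (rv != 0) /* No error */` deserves a fuller comment: the hunk itself shows that a nonzero return from ieee80211_ies_init() is the success case, the opposite of the errno convention used elsewhere in this function (`return ENOENT;`, `return EIO;`), so a reader skimming `rv != 0` will likely take it for the failure path.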
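Review bot: in setmlme_assoc_sta(), when ieee80211_ies_init() fails inside mlmelookup() the entry is never marked found, so `if (!lookup.found) return ENOENT;` now reports an allocation failure as "no such BSS"; consider carrying the failure in struct scanlookup (for example an `int error` field set by the callback) and returning ENOMEM for that case so userland can tell the two apart. It is also worth a line in the commit message that `struct ieee80211_scan_entry se` is now embedded by value in the stack-allocated `struct scanlookup lookup`, since that adds the full entry size to the kernel stack use of this ioctl path.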
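As an added illustration that is not part of the commit or of net80211, this constructed C model shows the pattern the fix relies on: the lookup callback takes an owned deep copy of the matched entry (including its IE buffer) instead of keeping a pointer, so the copy stays valid after the iteration ends and the cache is recycled, and the owner frees it afterwards. ies_init(), ies_cleanup(), lookup_cb() and run_demo() are stand-ins for ieee80211_ies_init(), ieee80211_ies_cleanup(), mlmelookup() and setmlme_assoc_sta(); the entries, MACs and IE bytes are constructed.

```c
/* Constructed model (not net80211 code) of the fix above: the callback deep-copies
 * the matched entry so the caller can use it after the iteration has ended. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct ies { uint8_t *data; int len; };
struct scan_entry { uint8_t mac[6]; int chan; struct ies ies; };
struct lookup { const uint8_t *mac; bool found; struct scan_entry se; };
/* Same return convention as ieee80211_ies_init(): 1 on success, 0 on failure. */
static int ies_init(struct ies *ies, const uint8_t *data, int len)
{
	if ((ies->data = malloc(len)) == NULL) { ies->len = 0; return 0; }
	memcpy(ies->data, data, len);
	ies->len = len;
	return 1;
}
static void ies_cleanup(struct ies *ies) { free(ies->data); ies->data = NULL; ies->len = 0; }
static void lookup_cb(void *arg, const struct scan_entry *se)
{
	struct lookup *look = arg;
	if (look->found || memcmp(look->mac, se->mac, 6) != 0)
		return;			/* keep the first match; never leak an earlier copy */
	look->se = *se;			/* scalars copied, but ies.data still aliases the cache */
	look->se.ies.data = NULL;	/* drop the alias before taking our own copy */
	look->se.ies.len = 0;
	look->found = ies_init(&look->se.ies, se->ies.data, se->ies.len) != 0;
}
/* Returns the channel of the matched entry, -1 if nothing matched, or -2 if the
 * copy was clobbered when the cache was recycled (with the deep copy it is not). */
static int run_demo(const uint8_t mac[6])
{
	const uint8_t ie[] = { 0x00, 0x04, 'l', 'a', 'b', '1' };	/* constructed SSID IE */
	uint8_t buf[sizeof ie];						/* the cache's own IE buffer */
	memcpy(buf, ie, sizeof ie);
	struct scan_entry cache[2] = {
		{ { 0x02, 0, 0, 0, 0, 0x01 }, 1, { buf, 2 } },
		{ { 0x02, 0, 0, 0, 0, 0x02 }, 36, { buf, sizeof buf } },
	};
	struct lookup look = { .mac = mac };	/* found = false, se zeroed */
	for (int i = 0; i < 2; i++)		/* stands in for ieee80211_scan_iterate() */
		lookup_cb(&look, &cache[i]);
	memset(buf, 0xff, sizeof buf);		/* model the scan cache being recycled */
	memset(cache, 0, sizeof cache);		/* once the iteration has returned */
	if (!look.found) return -1;
	int rv = (look.se.ies.len > 0 && memcmp(look.se.ies.data, ie, look.se.ies.len) == 0)
	    ? look.se.chan : -2;
	ies_cleanup(&look.se.ies);		/* as the fix does after ieee80211_sta_join() */
	return rv;
}
```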