From nobody Thu Sep 11 15:16:17 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cN1Nd2SNNz66nYY; Thu, 11 Sep 2025 15:16:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cN1Nd1xV7z42f7; Thu, 11 Sep 2025 15:16:17 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1757603777; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=YzYZmlBvmXrQcCsoLVQPDxmrpTGfYYEh/Rt55G9DI2A=; b=uq8cwbUq+C8s0dr8Bj8rGd4GI3wFy4irJvxPDRjIH1jMqyiNMhypPz7D3LjdmV+sFvigqK 5HaBmZtJMpW6DZ992eFoshNvUJxgLHqlo9ENii/CjKD3Iu6JmqEbdGJ304Jv2j2raHJofr NkGliHU60s/q2n0Y9XZjnmcLrcitqfq4sEsiabYeFwAGsDbmNDCCvAmrHEjIvlfFuwqjSt 6+HAGyquh9Ws7UgUZSlXT9fWyqD5SgC9lUJtkJ660lxAGxY0f2xsFsAsKI2p2epl1+pMtS qP/JXxA3Qm/rCLRKVaJRrqtJjbjxYph92ESE2t0BZTKu6U+J8O75urEYuKGhqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1757603777; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=YzYZmlBvmXrQcCsoLVQPDxmrpTGfYYEh/Rt55G9DI2A=; b=EWFJqudc53QjhHFZ132Hok9rNLi62RlQLQvn/Lm7pUDmmZO6Xil8nZDsBYSOLIcox7Dj2G nCBJPCHv5yF7VV36i0T0m3kFaxshA9mqc9mUHRWWHb7U3dlu/ylS8goMmYT4N+qs1opJt2 bRPjgofUD5BbMOOknr14RtB9CQxoKPBaWC3dLHI/oBG4XBMpkZsMuOpw9hlVmYs+MLQD6S fyjyhFwwDfb3YYs0q28dAXT0ZMWl2JkEf0pXX/23MpZLxl2hhZRDmmNomuAy/nP5PGYj0S j5C5TBUihiBeEnr35qRGqCGlatKMrheJevLVUEFuuB13199bvv1+htx8Tm2scA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1757603777; a=rsa-sha256; cv=none; b=rqVIVROpQAiNViS1OAwznUGFb8qRxUX2FtFBWgZaHvWyi23sJql72nED7QfJV4pHHcVfZI uOpG10ETRBNMs+1lMDLHnLTDX5djXcWXnEwsnxrrUTrmI1B27BZCRJCcJhDhTqVsKrk8GB cyA/DDxySHWQGt4BjdoKBTmGhDAsjnSywShZAIBlmzpH+BT7J1oeEPeUEUn0BCRH5yteD7 aUklp5aJ+lVz6SaDQhLpHdvgYkN+zCXb35RKJPP/+iztkPWjLHOELhJdKLk8vbpPD5//T3 hj4G8djjDUcHEGbaYCrh+bt3C3BX9ZyXu6B5H7YGY/Vyw+Ft1Xe6V4/CItFfHQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cN1Nd1XPBz1CBS; Thu, 11 Sep 2025 15:16:17 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 58BFGHs2089861; Thu, 11 Sep 2025 15:16:17 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 58BFGHvs089858; Thu, 11 Sep 2025 15:16:17 GMT (envelope-from git) Date: Thu, 11 Sep 2025 15:16:17 GMT Message-Id: <202509111516.58BFGHvs089858@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Bjoern A. Zeeb" Subject: git: 3c38dce87ecd - main - LinuxKPI: 802.11: avoid recursive wiphy lock List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bz X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3c38dce87ecd2c87744e4b7ff1904ee841f88a47 Auto-Submitted: auto-generated The branch main has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=3c38dce87ecd2c87744e4b7ff1904ee841f88a47 commit 3c38dce87ecd2c87744e4b7ff1904ee841f88a47 Author: Bjoern A. Zeeb AuthorDate: 2025-09-11 14:44:10 +0000 Commit: Bjoern A. Zeeb CommitDate: 2025-09-11 15:13:34 +0000 LinuxKPI: 802.11: avoid recursive wiphy lock When freeing the last reference of the net80211 node the net80211 node_free() code may directly call into the crypto code to delete the keys. While we still holding the wiphy lock this would lead to a recursion on the non-recursive wiphy lock. Defer freeing the reference until we are back under the net80211 com lock. Reported by: Mark Phillips (mark freebsdfoundation.org) on 15.0-ALPHA1 MFC after: 3 days --- sys/compat/linuxkpi/common/src/linux_80211.c | 54 ++++++++++++++++++---------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index d00734001a59..bc4b334de28e 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -2568,12 +2568,6 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2582,6 +2576,18 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == 0) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } return (error); } @@ -2906,12 +2912,6 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2921,6 +2921,18 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); } @@ -3522,12 +3534,6 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss = NULL; lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -3537,6 +3543,18 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); }