From nobody Wed May 7 11:50:34 2025
Date: Wed, 7 May 2025 11:50:34 GMT
Message-Id: <202505071150.547BoYYe089308@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: 34cd36918652 - stable/14 - net80211: fix a race between ieee80211_sta_join and scan entries
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 34cd36918652f07ea8a36a62115349781e457fc6

The branch stable/14 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=34cd36918652f07ea8a36a62115349781e457fc6

commit 34cd36918652f07ea8a36a62115349781e457fc6
Author:     Bjoern A. Zeeb
AuthorDate: 2025-04-16 19:10:58 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2025-05-07 08:52:29 +0000

    net80211: fix a race between ieee80211_sta_join and scan entries

    We were seeing panics during ieee80211_sta_join() which suggested that
    the ni->ni_chan was not valid anymore, which was true. We also saw
    errors indicating data put into ni_ies became invalid.

    The problem was that the ieee80211_scan_entry passed into
    ieee80211_sta_join() (in the observed case from setmlme_assoc_sta())
    became invalid during ieee80211_alloc_node(). As a result for the
    ni_chan case the rateset and len in rates[1] became invalid.
    Similarly for the IEs.

    Make a (deep)copy of the scan entry in setmlme_assoc_sta() and return
    the copy as once we leave ieee80211_scan_iterate() we can no longer
    rely on the scan entry to be valid.
    Sponsored by:   The FreeBSD Foundation
    Reported by:    rm, ziaee, bz
    Tested by:      rm, ziaee, bz
    PR:             286063
    Reviewed by:    adrian (,emaste)
    Differential Revision: https://reviews.freebsd.org/D49865

    (cherry picked from commit aff56b4f0b25c44c9c2cae9a3f816c4277057a71)
---
 sys/net80211/ieee80211_ioctl.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c index 3b57e7d8cd8e..7447e3a05ed3 100644 --- a/sys/net80211/ieee80211_ioctl.c +++ b/sys/net80211/ieee80211_ioctl.c @@ -1534,7 +1534,8 @@ struct scanlookup { const uint8_t *mac; int esslen; const uint8_t *essid; - const struct ieee80211_scan_entry *se; + bool found; + struct ieee80211_scan_entry se; }; /* @@ -1544,6 +1545,10 @@ static void mlmelookup(void *arg, const struct ieee80211_scan_entry *se) { struct scanlookup *look = arg; + int rv; + + if (look->found) + return; if (!IEEE80211_ADDR_EQ(look->mac, se->se_macaddr)) return; @@ -1553,7 +1558,14 @@ mlmelookup(void *arg, const struct ieee80211_scan_entry *se) if (memcmp(look->essid, se->se_ssid+2, look->esslen)) return; } - look->se = se; + /* + * First copy everything and then ensure we get our own copy of se_ies. */ + look->se = *se; + look->se.se_ies.data = 0; + look->se.se_ies.len = 0; + rv = ieee80211_ies_init(&look->se.se_ies, se->se_ies.data, se->se_ies.len); + if (rv != 0) /* No error */ + look->found = true; } static int 
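Review bot: in the new copy block of mlmelookup(), `look->se.se_ies.data = 0;` assigns an integer literal to a pointer; `NULL` is the idiomatic spelling and makes the intent (force ieee80211_ies_init() to allocate fresh storage rather than reuse the original entry's buffer) obvious. The `/* No error */` comment on `if (rv != 0)` would be clearer as a statement of the return convention, e.g. `/* ieee80211_ies_init() returns nonzero on success */`, since nonzero-means-success is the reverse of the errno convention (ENOENT, EIO) used elsewhere in this function's caller. Worth a comment too that the `if (look->found) return;` added in the previous hunk is what keeps a second matching entry from overwriting `look->se` and leaking the IE buffer allocated for the first match.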
@@ -1562,21 +1574,25 @@ setmlme_assoc_sta(struct ieee80211vap *vap, const uint8_t ssid[IEEE80211_NWID_LEN]) { struct scanlookup lookup; + int rv; KASSERT(vap->iv_opmode == IEEE80211_M_STA, ("expected opmode STA not %s", ieee80211_opmode_name[vap->iv_opmode])); /* NB: this is racey if roaming is !manual */ - lookup.se = NULL; lookup.mac = mac; lookup.esslen = ssid_len; lookup.essid = ssid; + memset(&lookup.se, 0, sizeof(lookup.se)); + lookup.found = false; ieee80211_scan_iterate(vap, mlmelookup, &lookup); - if (lookup.se == NULL) + if (!lookup.found) return ENOENT; mlmedebug(vap, mac, IEEE80211_MLME_ASSOC, 0); - if (!ieee80211_sta_join(vap, lookup.se->se_chan, lookup.se)) + rv = ieee80211_sta_join(vap, lookup.se.se_chan, &lookup.se); + ieee80211_ies_cleanup(&lookup.se.se_ies); + if (rv == 0) return EIO; /* XXX unique but could be better */ return 0; }
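Review bot: `if (!lookup.found) return ENOENT;` now also covers the case where mlmelookup() matched the requested entry but ieee80211_ies_init() failed to allocate the IE copy (rv == 0 leaves `found` false), so a transient allocation failure is reported to userland as "no such BSS" rather than ENOMEM. Consider recording the allocation failure in struct scanlookup (e.g. an `int error` field set alongside `found`) so setmlme_assoc_sta() can return the two conditions distinctly. The unconditional `ieee80211_ies_cleanup(&lookup.se.se_ies);` after `ieee80211_sta_join()` is correct only if the join does not retain a pointer into `lookup.se.se_ies`; a one-line comment above the cleanup stating that the node keeps its own copy of the IEs would save the next reader from having to verify that.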