From nobody Fri Jan 16 19:41:04 2026 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dt9FY42kLz6NlmT for ; Fri, 16 Jan 2026 19:41:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dt9FY0Wsvz3xb6 for ; Fri, 16 Jan 2026 19:41:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768592465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jhwVe4X4aGjEvehaIiuYfVJ7b8yh/tG8SGslvU7cyrY=; b=apBBKJ10Zx8dUtdcIorwnuKZADsKB0TPQ75FkR/EC0tFyzLh8YZV26cVGuchSE4V0e8xPF dL+iVLNfTsFZtTzsIlRGmnjTId8oYXauMK2viMs/yTnAPvXINqF53rPrCoUZJnImv55Nv7 PkeUze8ahYkby799q2L5yJmp6PWgF68PyDpp4MQLF1g15FGWjB6guyaH1gVkc2kkrlX16t b13xQLF889y6S1XfunaYo83d6l1qnEjFKJ1RinEfsgdTSX7jqXo4cbcbM/ol26wt8vyubq /7iiDOmU4GIsPXbOpVeLxrlpKtCpONoJHrwk7+wkIt+KerX7L13kDiNh3ZAbPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1768592465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jhwVe4X4aGjEvehaIiuYfVJ7b8yh/tG8SGslvU7cyrY=; b=Zdt7Mxv58jpIVovxPlcyaIKwqXzfpu9P1uehPFL4R306M/01EWeQjebd3U2Kq03s+RlgRL I5icWxDSYceruVl58uERuws6OssYEGHLHUQy3w3+CJJDSwsuRMe8B0ZpbWoE4bTCb3wjN7 PUwOgKpQdbT3khhlazjnKkXigiswTU3UmUd59VqBF3YkldHZPzFYySA4k75Af9EoV64Go4 YYCadFnThZiRHvKBX3SDn8ynfHG/x0h8KbYINIpA69afN1AurpRPQqwZ5Hz5owBRUFzsDb eJSJBlVSkbm24kopc7dPikqeJHmU7ydNX/xdbz5JzFHlxhg5tGAvQUKWwH9Qxg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1768592465; a=rsa-sha256; cv=none; b=E8K+hP2lWVZZa05J/r+EugrwTj3SDZ0ch+zljpIGW4c4mp8G17uFtK1i/CFuo/i8KtBSda 4TVFJo9sEqx1gDI+XYb+FSUaZxilOMapvJhZPWN2/4lSVhvvfjVScQMKR3epUo8cNeqjiO eFRWQy22WZ1VdUTpqaFkbSufqW6C5K0xPMhTJKCzOSXKtky7F3KavFNRVuMBqXG5VdCptT h7ycaHSH/2qsIWLVihyqDAcBVrB6+IIJYd4TwkIAdAu7p++W58EZxlSRooEODCCqoKvdn5 IddH1yeME77guPfsAiXEVMVosBhkf86G9OUYsOOl2dzCpRkxbWImL6J4gIjOkQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dt9FX6n9wzCKH for ; Fri, 16 Jan 2026 19:41:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id bb68 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Fri, 16 Jan 2026 19:41:04 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Bjoern A. Zeeb Subject: git: 64075d536466 - stable/14 - LinuxKPI: 802.11: avoid recursive wiphy lock List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bz X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 64075d53646679554c6b62911076b6b26e862acf Auto-Submitted: auto-generated Date: Fri, 16 Jan 2026 19:41:04 +0000 Message-Id: <696a9450.bb68.64f3f9f9@gitrepo.freebsd.org> The branch stable/14 has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=64075d53646679554c6b62911076b6b26e862acf commit 64075d53646679554c6b62911076b6b26e862acf Author: Bjoern A. Zeeb AuthorDate: 2025-09-11 14:44:10 +0000 Commit: Bjoern A. Zeeb CommitDate: 2026-01-16 19:37:50 +0000 LinuxKPI: 802.11: avoid recursive wiphy lock When freeing the last reference of the net80211 node the net80211 node_free() code may directly call into the crypto code to delete the keys. While we still holding the wiphy lock this would lead to a recursion on the non-recursive wiphy lock. Defer freeing the reference until we are back under the net80211 com lock. Reported by: Mark Phillips (mark freebsdfoundation.org) on 15.0-ALPHA1 (cherry picked from commit 3c38dce87ecd2c87744e4b7ff1904ee841f88a47) (cherry picked from commit b0469fa7f10f9fe5510a5445f38d1bf0b832c1e7) --- sys/compat/linuxkpi/common/src/linux_80211.c | 54 ++++++++++++++++++---------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index 4fbf36f8c55c..0aba2d843106 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -2504,12 +2504,6 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2518,6 +2512,18 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == 0) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } return (error); } @@ -2840,12 +2846,6 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2855,6 +2855,18 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); } @@ -3453,12 +3465,6 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss = NULL; lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -3468,6 +3474,18 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); }