From nobody Mon Sep 15 19:11:22 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cQZQ25Znzz67skb; Mon, 15 Sep 2025 19:11:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cQZQ23jWbz4Fxm; Mon, 15 Sep 2025 19:11:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1757963482; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7AFSANaG7Q/6M9HARXrcPO8HeSZlrDL1Hm6ra0bOKr0=; b=JZmQ/cEmnmmr/8f5TRa7GFpuhB7x9JOSsipdVr/rQvLlscteI2eRP2Da3mG1mDyYB1qJN7 AEooc3UNHhBmPsKkpQXFUdUlP0qj6Z7tFVn4V2pWHDOqQQS9Flwk1u2G7P+Zk3qbq6cwxZ 2roqBT0lvh7CvexmTUpAspw8ad6lhUp3/LcgVqGrihyzYyGNk3KtBqe0ghbjKXE5u7R1eQ zob0AyF5m8Ct9sKHR8H34Okcfwvk3MZk+vVV3kI6MYafNxuA6wN9PyyslHh76F3OaYRRdD AdZVdCspfrrI9Cw4ZdX/FHqyuNycp+nYSia7UeYd+ZKTom1Ngi+sTCpqoumNhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1757963482; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7AFSANaG7Q/6M9HARXrcPO8HeSZlrDL1Hm6ra0bOKr0=; b=shzzVlifKeU6h9/YGvoYboWRiTruOGsHBHxI2UyfLrFJBzaU4KfZRn/p6rNO3N6U9ssW9n KrNokFzPYlYlU0XqxQCkBYDmnTub2Pp9asGOQc6aBXJmBnJY6aMRzK4zeVODvgpH3dlOJZ kjpbqQyBIXC1N0SbxWeP3p6WtfFrzDpzHA+pVQnYlW/Ny2g4wXVPaijKxZnx6+6FuCt8ak DtLOoug7HeT5zlZ/R6dRbGUEk2XHIZnDd2oJnmUYKQiWGT9MfMDkuq0vj30zsWcxlMUq6p 5fo6TchncHUokFjZroz76CewyybfAmQMYMQvUwl3ITa1ZC7iMecGbP9m4wU/cw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1757963482; a=rsa-sha256; cv=none; b=rAJBfi2hbT51kEx1eRbuyoA7JyPljmainOwvQFVmWz4ae2sFLgpp8CosU+E57J+fxE+bs7 XK1bos07KnhkSw9rjVYNwkAkiNFPWjFTPprKORVY6OEFGWcMr0of4Fi6g45EupllxaFa4W JrAwG/PEbhtEwrxzUwYu2B9vw+YluygVxRnZ88yzP3hpthOZjiV2hBAdvTL7YKLLYpyhdE P+S46jVTK2nWSoj7tJQn3QItjcz0rabeSrlDF/JOTXhi1JP4+F05L22NV9Do1N37G/R+zx mxXpnp6cwG3cHfzZqmX9r/TwldxU3TwOGryxpM3rHtXZ7PzZ2/fKu8xNu1eS7w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cQZQ23Jvmz16jD; Mon, 15 Sep 2025 19:11:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 58FJBMcV051194; Mon, 15 Sep 2025 19:11:22 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 58FJBMPL051191; Mon, 15 Sep 2025 19:11:22 GMT (envelope-from git) Date: Mon, 15 Sep 2025 19:11:22 GMT Message-Id: <202509151911.58FJBMPL051191@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: "Bjoern A. Zeeb" Subject: git: b0469fa7f10f - stable/15 - LinuxKPI: 802.11: avoid recursive wiphy lock List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: bz X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: b0469fa7f10f9fe5510a5445f38d1bf0b832c1e7 Auto-Submitted: auto-generated The branch stable/15 has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=b0469fa7f10f9fe5510a5445f38d1bf0b832c1e7 commit b0469fa7f10f9fe5510a5445f38d1bf0b832c1e7 Author: Bjoern A. Zeeb AuthorDate: 2025-09-11 14:44:10 +0000 Commit: Bjoern A. Zeeb CommitDate: 2025-09-15 14:53:07 +0000 LinuxKPI: 802.11: avoid recursive wiphy lock When freeing the last reference of the net80211 node the net80211 node_free() code may directly call into the crypto code to delete the keys. While we still holding the wiphy lock this would lead to a recursion on the non-recursive wiphy lock. Defer freeing the reference until we are back under the net80211 com lock. Reported by: Mark Phillips (mark freebsdfoundation.org) on 15.0-ALPHA1 (cherry picked from commit 3c38dce87ecd2c87744e4b7ff1904ee841f88a47) --- sys/compat/linuxkpi/common/src/linux_80211.c | 54 ++++++++++++++++++---------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index d00734001a59..bc4b334de28e 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -2568,12 +2568,6 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2582,6 +2576,18 @@ lkpi_sta_auth_to_scan(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == 0) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } return (error); } @@ -2906,12 +2912,6 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); lkpi_lsta_remove(lsta, lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -2921,6 +2921,18 @@ _lkpi_sta_assoc_to_down(struct ieee80211vap *vap, enum ieee80211_state nstate, i out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); } @@ -3522,12 +3534,6 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int lvif->lvif_bss = NULL; lvif->lvif_bss_synched = false; LKPI_80211_LVIF_UNLOCK(lvif); - /* - * The very last release the reference on the ni for the ni/lsta on - * lvif->lvif_bss. Upon return from this both ni and lsta are invalid - * and potentially freed. - */ - ieee80211_free_node(ni); /* conf_tx */ @@ -3537,6 +3543,18 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int out: wiphy_unlock(hw->wiphy); IEEE80211_LOCK(vap->iv_ic); + if (error == EALREADY) { + /* + * We do this outside the wiphy lock as net80211::node_free() may call + * into crypto code to delete keys and we have a recursed on + * non-recursive sx panic. Also only do this if we get here w/o error. + * + * The very last release the reference on the ni for the ni/lsta on + * lvif->lvif_bss. Upon return from this both ni and lsta are invalid + * and potentially freed. + */ + ieee80211_free_node(ni); + } outni: return (error); }