Re: [PATCHv3 2/2] mac80211: in IBSS use the Auth frame to trigger STA reinsertion

On 16/01/2012 19:12, Antonio Quartulli wrote:
> -static struct sta_info *ieee80211_ibss_finish_sta(struct sta_info *sta)
> +static struct sta_info *ieee80211_ibss_finish_sta(struct sta_info *sta,
> +						  bool auth)
>  	__acquires(RCU)
>  {
>  	struct ieee80211_sub_if_data *sdata = sta->sdata;
> @@ -289,13 +265,15 @@ static struct sta_info *ieee80211_ibss_finish_sta(struct sta_info *sta)
>  		    addr, sdata->name);
>  #endif
>  
> +	if (auth) {
>  #ifdef CONFIG_MAC80211_IBSS_DEBUG
> -	printk(KERN_DEBUG "TX Auth SA=%pM DA=%pM BSSID=%pM"
> -	       "(auth_transaction=1)\n", sdata->vif.addr,
> -	       sdata->u.ibss.bssid, addr);
> +		printk(KERN_DEBUG "TX Auth SA=%pM DA=%pM BSSID=%pM"
> +		       "(auth_transaction=1)\n", sdata->vif.addr,
> +		       sdata->u.ibss.bssid, addr);
>  #endif
> -	ieee80211_send_auth(sdata, 1, WLAN_AUTH_OPEN, NULL, 0,
> -			    addr, sdata->u.ibss.bssid, NULL, 0, 0);
> +		ieee80211_send_auth(sdata, 1, WLAN_AUTH_OPEN, NULL, 0,
> +				    addr, sdata->u.ibss.bssid, NULL, 0, 0);
> +	}
>  
>  	sta_info_move_state(sta, IEEE80211_STA_AUTH);
>  	sta_info_move_state(sta, IEEE80211_STA_ASSOC);
[added context]
	sta_info_move_state(sta, IEEE80211_STA_AUTHORIZED);

	rate_control_rate_init(sta);

	/* If it fails, maybe we raced another insertion? */
	if (sta_info_insert_rcu(sta))
		return sta_info_get(sdata, addr);
	return sta;
}
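Review bot: the new `if (auth)` block transmits the Auth frame before `sta_info_insert_rcu()` has decided whether this sta_info is the one that actually lands in the station table, so when several ieee80211_ibss_add_sta() callers race on the same peer each of them sends an Auth frame even though only one insertion succeeds and the rest fall back to `sta_info_get(sdata, addr)`. Moving the `ieee80211_send_auth(sdata, 1, WLAN_AUTH_OPEN, NULL, 0, ...)` call (and its CONFIG_MAC80211_IBSS_DEBUG printk) below the `if (sta_info_insert_rcu(sta))` check, on the successful-insert path only, ties one Auth frame to one inserted station. Minor: the format string `"TX Auth SA=%pM DA=%pM BSSID=%pM" "(auth_transaction=1)\n"` has no separator between the BSSID and the parenthesis, so the log line prints them run together.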


I tested your patch, but quickly ran into a race condition where I would
get Auth frame multiplication.

The worst case apparently happens when A boots for the first time and the
first message that B receives is an Auth frame. In that case, there are
several ieee80211_ibss_add_sta() calls running concurrently on B (A and
B are SMP systems) but only one succeeds, except that your patch sends
Auth frames before the check, so B sends several Auth frames to A.

Then A proceeds to reset B. After A deletes B's sta_info, but before
it reinserts it, some other code (ieee80211_ibss_rx_no_sta?) may call
ieee80211_ibss_add_sta() concurrently, sending more Auth frames...
increasing the odds of another race condition...

By calling send_auth only when sta_info_insert_rcu() succeeds, I'm no
longer able to reproduce the Auth flood.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html