From: Johannes Berg <johannes@sipsolutions.net>
To: Alexander Wetzel <alexander.wetzel@web.de>
Cc: linux-wireless@vger.kernel.org, greearb@candelatech.com,
s.gottschall@dd-wrt.com
Subject: Re: [PATCH v2] mac80211: Fix wlan freezes under load at rekey
Date: Fri, 15 Jun 2018 13:33:12 +0200 [thread overview]
Message-ID: <1529062392.10037.7.camel@sipsolutions.net> (raw)
In-Reply-To: <20180515102202.2021-1-alexander.wetzel@web.de> (sfid-20180515_204001_215652_02257D78)
On Tue, 2018-05-15 at 12:22 +0200, Alexander Wetzel wrote:
> Rekeying a pairwise key with encryption offload and only keyid 0 has two
> potential races which can freeze the wlan conection till rekeyed again:
>
> 1) For incomming packets:
> If the local STA installs the key prior to the remote STA we still
> have the old key active in the hardware for a short time after
> mac80211 switched to the new key.
> The card can still hand over packets decoded with the old key to
> mac80211, bumping the new PN (IV) value to an incorrect high number and
> tricking the local replay detection to drop all packets really sent
> with the new key.
>
> 2) For outgoing packets:
> If mac80211 is providing the PN (IV) and hands over the cleartext
> packets for encryption to the hardware immediately prior to a key
> change the driver/card may process the queued packets after
> switching to the new key.
> This will immediatelly bump the PN (IV) value on the remote STA to
> an incorrect high number, also freezing the connection.
>
> Both issues can be prevented by first replacing the key in the HW and
> makeing sure no aggregation sessions are running during the rekey.
Getting back to this, am I understanding correctly that in the latter
(outgoing) case this would cause
Also, I think you should probably describe better why the aggregation
session stuff is needed. I'm already thinking there times about it again
...
> + ieee80211_sta_tear_down_BA_sessions(
> + sta, AGG_STOP_LOCAL_REQUEST);
minor indentation issue here
> + ieee80211_flush_queues(key->local, key->sdata, false);
> + ieee80211_key_disable_hw_accel(key);
I'm not sure all drivers implement drv_flush() [correctly], what happens
if they don't? I guess some packets end up being transmitted in clear
text or a dummy key, unless the hardware/firmware knows about this and
drops them?
Perhaps that means we should make this whole thing opt-in, and leave it
up to driver authors to first validate that they handle the flushing
correctly?
Regarding the code: the whole dance you do with ieee80211_key_link() and
ieee80211_key_replace() seems to be a little pointless because you still
add the key to debugfs and then free it, on errors that is?
johannes
next prev parent reply other threads:[~2018-06-15 11:33 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-24 10:29 [PATCH] mac80211: Fix wlan freezes under load at rekey Alexander Wetzel
2018-03-24 15:29 ` Ben Greear
2018-03-25 19:45 ` Alexander Wetzel
2018-03-25 21:59 ` Ben Greear
2018-03-26 7:43 ` Sebastian Gottschall
2018-03-26 12:22 ` Sebastian Gottschall
2018-03-26 20:24 ` Alexander Wetzel
2018-03-27 13:03 ` Johannes Berg
2018-03-27 13:13 ` Johannes Berg
2018-04-08 20:31 ` Alexander Wetzel
2018-04-09 7:25 ` Johannes Berg
2018-05-15 10:22 ` [PATCH v2] " Alexander Wetzel
2018-05-15 15:50 ` Johannes Berg
2018-05-15 22:41 ` Alexander Wetzel
2018-05-16 6:56 ` Johannes Berg
2018-06-15 11:33 ` Johannes Berg [this message]
2018-06-18 21:03 ` Alexander Wetzel
2018-06-18 21:27 ` Johannes Berg
2018-06-19 20:12 ` Alexander Wetzel
2018-06-29 10:12 ` Johannes Berg
2018-06-29 21:14 ` Alexander Wetzel
2018-07-03 9:51 ` Johannes Berg
2018-07-03 19:54 ` Alexander Wetzel
2018-07-04 0:06 ` Johannes Berg
2018-07-08 8:10 ` Alexander Wetzel
2018-07-09 7:13 ` Johannes Berg
2018-07-11 16:59 ` Alexander Wetzel
2018-07-15 9:10 ` [PATCH v2] mac80211: Fix wlan freezes/clear text packet leaks " Alexander Wetzel
2018-07-10 21:05 ` [PATCH v2] mac80211: Fix wlan freezes under load " Denis Kenzior
2018-07-11 17:08 ` Alexander Wetzel
2018-07-11 19:43 ` Denis Kenzior
2018-06-30 21:27 ` [PATCH v3] mac80211: Fix PTK rekey freezes and cleartext leaks Alexander Wetzel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1529062392.10037.7.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=alexander.wetzel@web.de \
--cc=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
--cc=s.gottschall@dd-wrt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.