From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [PATCH 2/3] station: transition to ft-roaming on NETDEV_EVENT_ASSOCIATING
Date: Fri, 15 Aug 2025 08:26:03 -0700 [thread overview]
Message-ID: <20250815152604.175977-2-prestwoj@gmail.com> (raw)
In-Reply-To: <20250815152604.175977-1-prestwoj@gmail.com>
This is the station portion of a 2 part patch (netdev being the
other piece).
After CSA IE parsing was added to the kernel this opened up the
possibility that associations could be rejected locally based on
the contents of this CSA IE in the AP's beacons. Overall, it was
always possible for a local rejection but this case was never
considered by IWD. The CSA-based rejection is something that can
and does happen out in the wild.
When this association rejection happens it desync's IWD and the
kernel's state:
1. IWD begins an FT roam. Authenticates successfully, then proceeds
to calling netdev_ft_reassociate().
2. Immediately IWD transitions to a ft-roaming state and waits for
an association response.
3. CMD_ASSOCIATE is rejected by the kernel in the ACK which IWD
handles by sending a deauthenticate command to the kernel (since
we have a valid authentication to the new BSS).
4. Due to a bug IWD uses the target BSSID to deauthenticate which
the kernel rejects since it has no knowledge of this auth. This
error is not handled or logged.
5. IWD proceeds, assuming its deauthenticated, and transitions to a
disconnected state. The kernel remains "connected" which of course
prevents any future connections.
This patch addresses IWD's recovery behavior when the kernel rejects
a CMD_ASSOCIATION (for any reason, not just CSA-rejection)
- Now IWD will not change state until netdev signals that
CMD_ASSOCIATE was accepted (in subsequent patch). This signal will
come via the NETDEV_EVENT_ASSOCIATING event. If this event arrives,
and IWD is still in a "preparing_roam" state, we can proceed to
ft-roaming.
- If station_reassociate_cb() is called with a failure result but
IWD is still in a "preparing_roam" state the connection to the
current AP is assumed to be maintained and IWD can proceed to
trying more BSS's. Otherwise this indicates a failed roam.
Notes:
- The station_ft_work_ready() callback did need to be reworked to
keep the target roam_bss in the list when FT-Association is
started. This required modifying some of the other paths to pop
and free the roam_bss rather than doing that by default.
---
src/station.c | 61 +++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 49 insertions(+), 12 deletions(-)
diff --git a/src/station.c b/src/station.c
index d4bfe0e6..cc6cbe8b 100644
--- a/src/station.c
+++ b/src/station.c
@@ -2477,6 +2477,8 @@ delayed_retry:
station_roam_retry(station);
}
+static void station_transition_start(struct station *station);
+
static void station_reassociate_cb(struct netdev *netdev,
enum netdev_result result,
void *event_data,
@@ -2487,13 +2489,25 @@ static void station_reassociate_cb(struct netdev *netdev,
l_debug("%u, result: %d", netdev_get_ifindex(station->netdev), result);
if (station->state != STATION_STATE_ROAMING &&
- station->state != STATION_STATE_FT_ROAMING)
+ station->state != STATION_STATE_FT_ROAMING &&
+ !station->preparing_roam)
return;
if (result == NETDEV_RESULT_OK)
station_roamed(station);
- else
- station_roam_failed(station);
+ else {
+ /*
+ * If we are still in a preparing_roam state this means that
+ * the CMD_ASSOCIATE was rejected in the ACK. This rejection is
+ * recoverable since the kernel should not have changed any
+ * internal state. We can pop the current and try another BSS.
+ */
+ if (station->preparing_roam) {
+ l_free(l_queue_pop_head(station->roam_bss_list));
+ station_transition_start(station);
+ } else
+ station_roam_failed(station);
+ }
}
static void station_netdev_event(struct netdev *netdev, enum netdev_event event,
@@ -2606,13 +2620,10 @@ static void station_preauthenticate_cb(struct netdev *netdev,
station->hs = handshake_state_ref(new_hs);
}
-static void station_transition_start(struct station *station);
-
static bool station_ft_work_ready(struct wiphy_radio_work_item *item)
{
struct station *station = l_container_of(item, struct station, ft_work);
- _auto_(l_free) struct roam_bss *rbss = l_queue_pop_head(
- station->roam_bss_list);
+ struct roam_bss *rbss = l_queue_peek_head(station->roam_bss_list);
struct scan_bss *bss;
int ret;
@@ -2637,6 +2648,11 @@ static bool station_ft_work_ready(struct wiphy_radio_work_item *item)
l_debug("Re-inserting BSS "MAC" using reassociation, rank: %u",
MAC_STR(rbss->addr), rbss->rank);
+ /*
+ * Pop off the roam bss, then re-insert as there isn't a
+ * guarantee that it will end up back at the head
+ */
+ l_queue_pop_head(station->roam_bss_list);
l_queue_insert(station->roam_bss_list, rbss,
roam_bss_rank_compare, NULL);
@@ -2645,13 +2661,14 @@ static bool station_ft_work_ready(struct wiphy_radio_work_item *item)
MMPDU_STATUS_CODE_INVALID_PMKID);
station_transition_start(station);
- l_steal_ptr(rbss);
break;
case -ENOENT:
station_debug_event(station, "ft-roam-failed");
iwd_notice(IWD_NOTICE_FT_ROAM_FAILED,
"status: authentication timeout");
try_next:
+ l_queue_pop_head(station->roam_bss_list);
+ l_free(rbss);
station_transition_start(station);
break;
case 0:
@@ -2662,10 +2679,6 @@ try_next:
if (ret < 0)
goto disassociate;
- station->connected_bss = bss;
- station->preparing_roam = false;
- station_enter_state(station, STATION_STATE_FT_ROAMING);
-
break;
case -EINVAL:
/*
@@ -3901,6 +3914,8 @@ static void station_netdev_event(struct netdev *netdev, enum netdev_event event,
void *event_data, void *user_data)
{
struct station *station = user_data;
+ _auto_(l_free) struct roam_bss *rbss = NULL;
+ struct scan_bss *bss;
switch (event) {
case NETDEV_EVENT_AUTHENTICATING:
@@ -3908,6 +3923,28 @@ static void station_netdev_event(struct netdev *netdev, enum netdev_event event,
break;
case NETDEV_EVENT_ASSOCIATING:
station_debug_event(station, "associating");
+
+ if (!station->preparing_roam)
+ break;
+
+ /* Both !rbss and !bss should NEVER happen */
+ rbss = l_queue_pop_head(station->roam_bss_list);
+ if (L_WARN_ON(!rbss)) {
+ station_roam_failed(station);
+ return;
+ }
+
+ bss = network_bss_find_by_addr(station->connected_network,
+ rbss->addr);
+ if (L_WARN_ON(!bss)) {
+ station_roam_failed(station);
+ return;
+ }
+
+ station->connected_bss = bss;
+ station->preparing_roam = false;
+ station_enter_state(station, STATION_STATE_FT_ROAMING);
+
break;
case NETDEV_EVENT_DISCONNECT_BY_AP:
case NETDEV_EVENT_DISCONNECT_BY_SME:
--
2.34.1
next prev parent reply other threads:[~2025-08-15 15:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-15 15:26 [PATCH 1/3] netdev: check connected in channel switch event James Prestwood
2025-08-15 15:26 ` James Prestwood [this message]
2025-08-15 15:26 ` [PATCH 3/3] netdev: handle local CMD_ASSOCIATE failures (for FT) James Prestwood
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250815152604.175977-2-prestwoj@gmail.com \
--to=prestwoj@gmail.com \
--cc=iwd@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox