[PATCH] nl80211: Previous MAC isn't a foreign address

Andrzej Ostruszka amo at semihalf.com
Mon Jun 13 06:36:58 PDT 2022 

On 6/13/22 14:29, Michał Kazior wrote:
> On Mon, 13 Jun 2022 at 14:13, Andrzej Ostruszka <amo at semihalf.com> wrote:
>>
>> When using MAC randomization suppliant can change local MAC address
>> during roaming scenario:
> [...]
> 
> This sounds to me like it's not necessarily an issue related to
> randomized addresses. With the patch it's still possible to suffer
> packet loss of the AP->STA deauth which would fail to clear the flag
> leading to the same kind of issue.

This is not AP->STA deauth that is being ignored, it is our own one.
The scenario is more or less like this call flow:

wpa_supplicant_deauthenticate        <===== (supplicant wants deauth)
   wpa_drv_deauthenticate             <===== (calls driver deauth)
     wpa_driver_nl80211_mlme(NL80211_CMD_DEAUTHENTICATE)
     ignore_next_local_deauth = drv_associated && "no driver error"
   wpa_supplicant_event(EVENT_DEAUTH) <===== (signals event)

Note that we handle/signal this event right away (last line). That is 
the reason why we mark this flag, cause now we expect to see the same 
deauth being "announced" by the driver over netlink socket that we are 
subscribed to.  When it comes then we will clear the flag in the 
relevant callback.

However with randomization we don't even get to the callback, since we 
are being filtered out by the address checks which conclude that MAC1 is 
a "foreign" address (we've changed to MAC2 due to randomization) and 
drops the message.

Just for the background information, concrete scenario where this has 
been observed is the ChromeOS wifi.MARSSIDRoam test.  In there we 
connect to AP1 then force roam to AP2 and then shutdown AP2 and expect 
DUT to roam back to AP1.  With randomization turned on we end up at AP2 
with flag set.  When shutting down AP2 it broadcasts Deauthentication 
and we observe basically two behaviours:
- either this is reported by the driver as a broadcast and supplicant
   says "Was expecting local deauth but got another ..." and proceeds
   with handling of it or
- it is reported as a "locally generated" (either driver misses the
   message and generates it based on lost beacon, or there is some error
   in driver) and in that case supplicant says "Ignore deauth event
   triggered due to own deauth" and nothing happens which causes test to
   fail waiting for the DUT to roam back to AP1.

I hope that clarifies.  If not, please let me know.

With regards
Andrzej

More information about the Hostap mailing list