[PATCH] nl80211: delay event processing during cmd handling
Jouni Malinen
j at w1.fi
Mon Oct 6 14:20:15 PDT 2025
On Thu, Aug 07, 2025 at 01:25:57PM +0200, Benjamin Berg wrote:
> Unrelated nl80211 events may arrive while the driver is waiting for the
> confirmation of another command. These events must not be delivered
> immediately as they may confuse the internal state machine. They also
> must be delivered, but some commands would cause them to be dropped.
>
> Fix this up by queuing all events for later processing. Note that this
> code is not very elegant as libnl does not export the nl_cb_call
> function. Add a hook into the two relevant functions that process
> events. This hook will forward command replies to the correct handler
> and queue the event if they should not be immediately processed.
>
> Note that in a lot of cases this cannot happen because different nl80211
> sockets are used for different purposes. However, the EAPOL frames
> specifically have to be delivered over the same socket that all
> connection related commands are done. So for these notifications the race
> condition can happen and could cause a state confusion in the
> supplicant.
>
> An example of this happening was observed in the autogo_pbc test where
> the supplicant would initiate a deauth and during that time also handle
> an EAPOL frame that itself caused another deauthentication. This
> resulted in a double free of wpa_s->current_ssid.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
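
The deferral described in the quoted commit message, as an added example that is not part of the original e-mail or of the hostap code base: a receive hook forwards command replies and queues events while a command is pending, then delivers them in arrival order once the command has completed. All names (`struct drv`, `rx_hook`, `deliver_event`, `run_command`) and the message model are hypothetical.

```c
#include <stddef.h>

/* Constructed model, not hostap code: a message is either the reply to the
 * pending command or an unrelated event (e.g. an EAPOL frame notification). */
enum msg_type { MSG_CMD_REPLY, MSG_EVENT };
struct msg { enum msg_type type; int id; };
#define QUEUE_MAX 16
struct drv {
    int in_cmd, reply_seen;        /* in_cmd: waiting for a command reply */
    struct msg queued[QUEUE_MAX];  /* events deferred while in_cmd is set */
    int handled[QUEUE_MAX];        /* event ids in delivery order */
    size_t n_queued, n_handled;
    int handled_in_cmd;            /* events delivered mid-command; must stay 0 */
};

static void deliver_event(struct drv *d, const struct msg *m) {
    if (d->in_cmd)
        d->handled_in_cmd++;       /* the re-entrancy that confuses state */
    if (d->n_handled < QUEUE_MAX)
        d->handled[d->n_handled++] = m->id;
}

/* Receive hook: replies go to the command handler; events are queued while a
 * command is pending. Returns -1 when the queue is full instead of dropping. */
static int rx_hook(struct drv *d, const struct msg *m) {
    if (m->type == MSG_CMD_REPLY)
        d->reply_seen = 1;
    else if (!d->in_cmd)
        deliver_event(d, m);
    else if (d->n_queued == QUEUE_MAX)
        return -1;
    else
        d->queued[d->n_queued++] = *m;
    return 0;
}

/* Read socket traffic until the command's reply, then deliver the deferred
 * events in arrival order after the command state has been cleared. */
int run_command(struct drv *d, const struct msg *rx, size_t n) {
    size_t i;
    d->in_cmd = 1;
    d->reply_seen = 0;
    for (i = 0; i < n && !d->reply_seen; i++)
        if (rx_hook(d, &rx[i]) < 0)
            break;
    d->in_cmd = 0;
    for (i = 0; i < d->n_queued; i++)
        deliver_event(d, &d->queued[i]);
    d->n_queued = 0;
    return d->reply_seen ? 0 : -1;
}
```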