[PATCH 00/18] Various bugfixes and small improvements for debugging
Benjamin Berg
benjamin at sipsolutions.net
Thu Oct 30 03:44:21 PDT 2025
Hi,
After the merge, I also started seeing the below use-after-free. It
happens only when I have some other bug that causes the usual hwsim
test flow to fail. For example, I just broke
eht_mld_owe_two_links_one_disabled with a mac80211 patch and triggered
it that way.
So, it seems like there are some MLD association failure flows that do
not have proper test coverage currently. If I find a way to reproduce
the issue, then I'll post the test to help with debugging.
Benjamin
=================================================================
==614==ERROR: AddressSanitizer: heap-use-after-free on address 0x51c00000c940 at pc 0x0000005774a2 bp 0x7f7fffb69310 sp 0x7f7fffb69308
READ of size 8 at 0x51c00000c940 thread T0
#0 0x5774a1 in wpa_auth_sta_deinit ../src/ap/wpa_auth.c:1168
#1 0x5531b5 in ap_free_sta ../src/ap/sta_info.c:395
#2 0x558bc1 in ap_sta_remove_link_sta ../src/ap/sta_info.c:2026
#3 0x559149 in ap_sta_re_add ../src/ap/sta_info.c:2060
#4 0xb4e9b8 in handle_auth ../src/ap/ieee802_11.c:3527
#5 0xb6084d in ieee802_11_mgmt ../src/ap/ieee802_11.c:6911
#6 0x4d754b in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:2061
#7 0x4ea517 in wpa_supplicant_event ../src/ap/drv_callbacks.c:2702
#8 0x824a44 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:1475
#9 0x825afe in mlme_event ../src/drivers/driver_nl80211_event.c:1913
#10 0x832bd7 in process_bss_event ../src/drivers/driver_nl80211_event.c:4878
#11 0x4113b6b8 in nl_recvmsgs_report (/nix/store/635dz3p1afjwym9snp2r9hm0vaznwngy-libnl-3.11.0/lib/libnl-3.so.200+0x146b8)
#12 0x4113bb38 in nl_recvmsgs (/nix/store/635dz3p1afjwym9snp2r9hm0vaznwngy-libnl-3.11.0/lib/libnl-3.so.200+0x14b38)
#13 0x78b80b in wpa_driver_nl80211_event_receive ../src/drivers/driver_nl80211.c:2096
#14 0x60ea5e in eloop_sock_table_dispatch ../src/utils/eloop.c:603
#15 0x611feb in eloop_run ../src/utils/eloop.c:1234
#16 0x437f71 in hostapd_global_run /home/bergbenj/Projects/intel/iwlwifi-vlab/hostap/hostapd/main.c:591
#17 0x43dd26 in main /home/bergbenj/Projects/intel/iwlwifi-vlab/hostap/hostapd/main.c:1069
#18 0x4216247d in __libc_start_call_main (/nix/store/svgs03522r9qndw6j9kljafjq3w34rwa-glibc-multi-2.40-66/lib/libc.so.6+0x2a47d) (BuildId: 295697e46737532f05317823a9a421b7e462a933)
#19 0x42162538 in __libc_start_main_alias_1 (/nix/store/svgs03522r9qndw6j9kljafjq3w34rwa-glibc-multi-2.40-66/lib/libc.so.6+0x2a538) (BuildId: 295697e46737532f05317823a9a421b7e462a933)
#20 0x434be4 in _start (/tmp/.host/tmp/vlab_mnt/iwlwifi-vlab/hostap/hostapd/hostapd+0x434be4)
0x51c00000c940 is located 192 bytes inside of 1728-byte region [0x51c00000c880,0x51c00000cf40)
freed by thread T0 here:
#0 0x401373f8 in free.part.0 (/nix/store/4h2hwl6gf5b8dwk379b55270cbdakrrn-gcc-14.2.1.20250322-lib/lib64/libasan.so.8+0xfb3f8)
#1 0x623394 in os_free ../src/utils/os_unix.c:784
#2 0x619fda in bin_clear_free ../src/utils/common.c:1061
#3 0x5626f0 in wpa_free_sta_sm ../src/ap/wpa_auth.c:1157
#4 0x5777ec in wpa_auth_sta_deinit ../src/ap/wpa_auth.c:1201
#5 0xb4e344 in handle_auth ../src/ap/ieee802_11.c:3460
#6 0xb6084d in ieee802_11_mgmt ../src/ap/ieee802_11.c:6911
#7 0x4d754b in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:2061
#8 0x4ea517 in wpa_supplicant_event ../src/ap/drv_callbacks.c:2702
#9 0x824a44 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:1475
#10 0x825afe in mlme_event ../src/drivers/driver_nl80211_event.c:1913
#11 0x832bd7 in process_bss_event ../src/drivers/driver_nl80211_event.c:4878
#12 0x4113b6b8 in nl_recvmsgs_report (/nix/store/635dz3p1afjwym9snp2r9hm0vaznwngy-libnl-3.11.0/lib/libnl-3.so.200+0x146b8)
previously allocated by thread T0 here:
#0 0x40138757 in malloc (/nix/store/4h2hwl6gf5b8dwk379b55270cbdakrrn-gcc-14.2.1.20250322-lib/lib64/libasan.so.8+0xfc757)
#1 0x622edb in os_malloc ../src/utils/os_unix.c:726
#2 0x6238eb in os_zalloc ../src/utils/os_unix.c:790
#3 0x576cf2 in wpa_auth_sta_init ../src/ap/wpa_auth.c:1032
#4 0xb2de65 in __check_assoc_ies ../src/ap/ieee802_11.c:4503
#5 0xb323f0 in check_assoc_ies ../src/ap/ieee802_11.c:4861
#6 0xb5b15d in handle_assoc ../src/ap/ieee802_11.c:6098
#7 0xb60887 in ieee802_11_mgmt ../src/ap/ieee802_11.c:6916
#8 0x4d754b in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:2061
#9 0x4ea517 in wpa_supplicant_event ../src/ap/drv_callbacks.c:2702
#10 0x824a44 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:1475
#11 0x825afe in mlme_event ../src/drivers/driver_nl80211_event.c:1913
#12 0x832bd7 in process_bss_event ../src/drivers/driver_nl80211_event.c:4878
#13 0x4113b6b8 in nl_recvmsgs_report (/nix/store/635dz3p1afjwym9snp2r9hm0vaznwngy-libnl-3.11.0/lib/libnl-3.so.200+0x146b8)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/ap/wpa_auth.c:1168 in wpa_auth_sta_deinit
Shadow bytes around the buggy address:
0x51c00000c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51c00000c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51c00000c780: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51c00000c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51c00000c880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x51c00000c900: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x51c00000c980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51c00000ca00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51c00000ca80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51c00000cb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51c00000cb80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==614==ABORTING
On Thu, 2025-10-30 at 09:24 +0100, Benjamin Berg wrote:
> From: Benjamin Berg <benjamin.berg at intel.com>
>
> Hi,
>
> We are finally updating our internal hostap tree to the latest upstream
> version. These patches address the issues that I ran into which seem to
> be applicable to upstream. Note that with some of the patches in the
> series I have taken the approach of just fixing the immediate issue. In
> those cases, I have added comments into the patch as we may want to
> solve the underlying issues differently.
>
> Benjamin
>
> Benjamin Berg (18):
> AP: fix use after free in link reconfiguration
> nl80211: put nl_cb in error paths
> eloop: remove references before destroying socket table
> WNM: Clear the target BSS on reset
> int_array: Only iterate existing elements in equality check
> wpa_supplicant: define last_scan_freqs as int array
> tests: Fetch BSS from P2P device interface
> utils: Provide hexdump stubs as inline functions
> wpa_debug: use separate buffer for path and improve error checking
> tests: check for WPA_TRACE messages in hostapd log
> utils: Keep the last NOTE message as context for backtraces
> wpa_supplicant: Accept NOTE command on global socket
> tests: Issue TEST-START NOTE to hostapd instance
> tests: Issue TEST-START NOTE to extra wpa_supplicant instances
> P2P2: Handle identity ID consistently within files
> tests: add network to P2P device
> common: Fix definition of EHT_ML_EML_CAPA_RESERVED
> common: Use signed return value for ieee802_11_defrag_mle_subelem
>
> hostapd/ctrl_iface.c | 2 ++
> src/ap/ieee802_11_eht.c | 2 +-
> src/common/ieee802_11_common.c | 6 ++---
> src/common/ieee802_11_common.h | 6 ++---
> src/common/ieee802_11_defs.h | 2 +-
> src/drivers/driver_nl80211.c | 2 ++
> src/utils/common.c | 2 +-
> src/utils/eloop.c | 1 +
> src/utils/trace.c | 34 +++++++++++++++++++++++++-
> src/utils/trace.h | 25 +++++++++++++++----
> src/utils/wpa_debug.c | 23 ++++++++++--------
> src/utils/wpa_debug.h | 36 +++++++++++++++++++++++-----
> tests/hwsim/run-tests.py | 16 +++++++++++++
> tests/hwsim/test_eht.py | 10 ++++++--
> tests/hwsim/test_p2p2.py | 10 ++++----
> tests/hwsim/test_p2p_wifi_display.py | 3 ++-
> tests/hwsim/wpasupplicant.py | 6 ++---
> wpa_supplicant/config_file.c | 28 ++++++++++++++++++----
> wpa_supplicant/ctrl_iface.c | 5 ++++
> wpa_supplicant/dpp_supplicant.c | 9 +++----
> wpa_supplicant/events.c | 7 +++---
> wpa_supplicant/wnm_sta.c | 2 ++
> wpa_supplicant/wpa_supplicant_i.h | 1 -
> 23 files changed, 181 insertions(+), 57 deletions(-)
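The ordering in the ASan report (the sm freed from handle_auth, then read again from ap_sta_remove_link_sta via ap_free_sta) is the classic shared-owner teardown hazard. Below is an added example, not hostapd code and with hypothetical names, of the defensive shape that prevents it: every holder's slot is cleared on release, the last reference frees, and teardown can be repeated safely; the replay function runs the trace's order and checks that it stays clean.

```c
#include <stdlib.h>

/* Added example, not hostapd code: a simplified model of the objects in the
 * trace above, one authenticator state machine (sm) shared by a STA entry and
 * its per-link entries. All names here are hypothetical placeholders. */
struct auth_sm { int refs; };
struct sta_entry { struct auth_sm *sm; struct sta_entry *link[2]; };
static int sm_frees;   /* counts free() calls, so the replay can be checked */

/* Drop one holder's reference and always clear that holder's slot, so a later
 * teardown of the same entry (the ap_sta_re_add path in the trace) finds NULL
 * rather than a dangling pointer. Only the last holder frees the sm. */
static void sm_release(struct auth_sm **slot)
{
	struct auth_sm *sm = *slot;
	if (!sm)
		return;        /* already released: teardown is idempotent */
	*slot = NULL;
	if (--sm->refs == 0) {
		free(sm);
		sm_frees++;
	}
}

/* Tears down a STA entry together with its link entries; safe to repeat. */
static void sta_deinit(struct sta_entry *sta)
{
	for (int i = 0; i < 2; i++)
		if (sta->link[i])
			sm_release(&sta->link[i]->sm);
	sm_release(&sta->sm);
}

/* Replays the trace's order (deinit during auth, link removal later) and
 * returns 1 if every slot ended up NULL and the sm was freed exactly once. */
int replay_double_teardown(void)
{
	struct sta_entry sta = {0}, l0 = {0}, l1 = {0};
	sta.sm = calloc(1, sizeof(*sta.sm));
	if (!sta.sm) return 0;
	sta.sm->refs = 1;
	for (int i = 0; i < 2; i++) {      /* both links share the sm */
		sta.link[i] = i ? &l1 : &l0;
		sta.link[i]->sm = sta.sm;
		sta.sm->refs++;
	}
	sta_deinit(&sta);      /* first teardown, as in handle_auth */
	sm_release(&l0.sm);    /* later link removal: must be a no-op */
	sta_deinit(&sta);      /* repeated teardown: must also be a no-op */
	return sta.sm == NULL && l0.sm == NULL && l1.sm == NULL && sm_frees == 1;
}
```

Building the real code with -fsanitize=address, as the report above was, is what turns a silent dangling read into the trace shown, so keeping that build in the hwsim runs is the cheapest detection for this class of bug.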