nl80211: Use active_links to notify start/stop state of links

During nl80211_stop_ap(), the link map for all valid links is being
cleared. Following this, in the remove interface sequence, since
valid links are not set, driver_nl80211_link_remove() is called,
which removes the BSS for all links, leading to a dangling pointer
access and causing hostapd to crash.

To address this, introduce a separate active_links link map for
struct i802_bss and update this link map only during nl80211_stop_ap()
and when bringing the link back up. The valid_links link map of
struct i802_bss should be used only during the initialization and
deinitialization of the links.

Fixes: e1bf37022e01 ("nl80211: MLO: Process stop AP event on link basis")
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>

diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index d54c3e07844d034a5fb5646e0d26903a93ba7c94..f26fdb449b7e33f4b77f5d1b9e3f97f940dc78d5 100644 (file)
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -2403,6 +2403,7 @@ skip_wifi_status:
         * Use link ID 0 for the single "link" of a non-MLD.
         */
        bss->valid_links = 0;
+       bss->active_links = 0;
        bss->flink = &bss->links[0];
        os_memcpy(bss->flink->addr, bss->addr, ETH_ALEN);
 
@@ -9622,7 +9623,8 @@ fail:
 }
 
 
-int nl80211_remove_link(struct i802_bss *bss, int link_id)
+int nl80211_remove_link(struct i802_bss *bss, int link_id,
+                       bool skip_link_removal)
 {
        struct wpa_driver_nl80211_data *drv = bss->drv;
        struct i802_link *link;
@@ -9630,6 +9632,7 @@ int nl80211_remove_link(struct i802_bss *bss, int link_id)
        size_t i;
        int ret;
        u8 link_addr[ETH_ALEN];
+       u16 links;
 
        wpa_printf(MSG_DEBUG, "nl80211: Remove link (ifindex=%d link_id=%u)",
                   bss->ifindex, link_id);
@@ -9645,20 +9648,33 @@ int nl80211_remove_link(struct i802_bss *bss, int link_id)
        wpa_driver_nl80211_del_beacon(bss, link_id);
 
        os_memcpy(link_addr, link->addr, ETH_ALEN);
-       /* First remove the link locally */
-       bss->valid_links &= ~BIT(link_id);
+       /* First remove the link locally if !skip_link_removal */
+       if (!skip_link_removal) {
+               bss->valid_links &= ~BIT(link_id);
+               bss->active_links &= ~BIT(link_id);
+               links = bss->valid_links;
+       } else {
+               /* active_links are cleared when the link goes to down state */
+               bss->active_links &= ~BIT(link_id);
+               links = bss->active_links;
+       }
+
        os_memset(link->addr, 0, ETH_ALEN);
 
        /* Choose new deflink if we are removing that link */
        if (bss->flink == link) {
-               for_each_link_default(bss->valid_links, i, 0) {
+               for_each_link_default(links, i, 0) {
+                       /* The link should be present else check for another
+                        * link */
+                       if (!(bss->valid_links & BIT(i)))
+                               continue;
                        bss->flink = &bss->links[i];
                        break;
                }
        }
 
        /* If this was the last link, reset default link */
-       if (!bss->valid_links) {
+       if (!skip_link_removal && !links) {
                /* TODO: Does keeping freq/bandwidth make sense? */
                if (bss->flink != link)
                        os_memcpy(bss->flink, link, sizeof(*link));
@@ -9666,6 +9682,12 @@ int nl80211_remove_link(struct i802_bss *bss, int link_id)
                os_memcpy(bss->flink->addr, bss->addr, ETH_ALEN);
        }
 
+       /* Link should not be removed if nl80211_stop_ap() was received from the
+        * driver since this doesn't physically remove the link and maintain the
+        * interfaces in down state. */
+       if (skip_link_removal)
+               return 0;
+
        /* Remove the link from the kernel */
        msg = nl80211_bss_msg(bss, 0, NL80211_CMD_REMOVE_LINK);
        if (!msg ||
@@ -9695,7 +9717,7 @@ static void nl80211_remove_links(struct i802_bss *bss)
        u8 link_id;
 
        for_each_link(bss->valid_links, link_id) {
-               ret = nl80211_remove_link(bss, link_id);
+               ret = nl80211_remove_link(bss, link_id, false);
                if (ret)
                        break;
        }
@@ -10987,7 +11009,7 @@ static int driver_nl80211_link_remove(void *priv, enum wpa_driver_if_type type,
                   "nl80211: Teardown AP(%s) link %d (type=%d ifname=%s links=0x%x)",
                   bss->ifname, link_id, type, ifname, bss->valid_links);
 
-       nl80211_remove_link(bss, link_id);
+       nl80211_remove_link(bss, link_id, false);
 
        bss->ctx = bss->flink->ctx;
 
@@ -14479,7 +14501,8 @@ static int nl80211_link_add(void *priv, u8 link_id, const u8 *addr,
                return -EINVAL;
        }
 
-       if (bss->valid_links & BIT(link_id)) {
+       if ((bss->valid_links & BIT(link_id)) &&
+           (bss->active_links & BIT(link_id))) {
                wpa_printf(MSG_DEBUG,
                           "nl80211: MLD: Link %u already set", link_id);
                return -EINVAL;
@@ -14511,14 +14534,16 @@ static int nl80211_link_add(void *priv, u8 link_id, const u8 *addr,
        os_memcpy(bss->links[link_id].addr, addr, ETH_ALEN);
 
        /* The new link is the first one, make it the default */
-       if (!bss->valid_links)
+       if (!bss->valid_links || !bss->active_links)
                bss->flink = &bss->links[link_id];
 
        bss->valid_links |= BIT(link_id);
+       bss->active_links |= BIT(link_id);
        bss->links[link_id].ctx = bss_ctx;
 
-       wpa_printf(MSG_DEBUG, "nl80211: MLD: valid_links=0x%04x on %s",
-                  bss->valid_links, bss->ifname);
+       wpa_printf(MSG_DEBUG,
+                  "nl80211: MLD: valid_links=0x%04x active_links=0x%04x on %s",
+                  bss->valid_links, bss->active_links, bss->ifname);
 
        if (drv->rtnl_sk)
                rtnl_neigh_add_fdb_entry(bss, addr, true);

diff --git a/src/drivers/driver_nl80211.h b/src/drivers/driver_nl80211.h
index 9c4aedd7acf094667caa65a4b3624a01c0fe80e7..bbf693c3bb2e718de77a698f99e362c3a5d1f7cd 100644 (file)
--- a/src/drivers/driver_nl80211.h
+++ b/src/drivers/driver_nl80211.h
@@ -65,7 +65,11 @@ struct i802_bss {
        struct wpa_driver_nl80211_data *drv;
        struct i802_bss *next;
 
+       /* The links which are physically present */
        u16 valid_links;
+       /* The links which are in down state updated via nl80211_stop_ap() from
+        * the driver. */
+       u16 active_links;
        struct i802_link links[MAX_NUM_MLD_LINKS];
        struct i802_link *flink, *scan_link;
 
@@ -364,7 +368,8 @@ const char * nl80211_iftype_str(enum nl80211_iftype mode);
 void nl80211_restore_ap_mode(struct i802_bss *bss);
 struct i802_link * nl80211_get_link(struct i802_bss *bss, s8 link_id);
 u8 nl80211_get_link_id_from_link(struct i802_bss *bss, struct i802_link *link);
-int nl80211_remove_link(struct i802_bss *bss, int link_id);
+int nl80211_remove_link(struct i802_bss *bss, int link_id,
+                       bool skip_link_removal);
 
 static inline bool nl80211_link_valid(u16 links, s8 link_id)
 {

diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c
index cb37a500449f2292c172bb5693e85ab2292deea0..b5ba39a4f0e2b7e06e2769f645c626c0324b8eaf 100644 (file)
--- a/src/drivers/driver_nl80211_event.c
+++ b/src/drivers/driver_nl80211_event.c
@@ -2467,10 +2467,10 @@ static void nl80211_stop_ap(struct i802_bss *bss, struct nlattr **tb)
                           "nl80211: STOP_AP event on link %d", link_id);
                ctx = mld_link->ctx;
 
-               /* The driver would have already deleted the link and this call
-                * will return an error. Ignore that since nl80211_remove_link()
-                * is called here only to update the bss->links[] state. */
-               nl80211_remove_link(bss, link_id);
+               /* nl80211_remove_link() is called here only to update the
+                * bss->links[] state by skipping link removal. With
+                * skip_link_removal true it returns 0 always. */
+               nl80211_remove_link(bss, link_id, true);
        }
 
        wpa_supplicant_event(ctx, EVENT_INTERFACE_UNAVAILABLE, NULL);