Bug 1752780

| Field | Value |
|---|---|
| Summary | [abrt] [faf] wpa_supplicant: offchannel_pending_action_tx(): /usr/sbin/wpa_supplicant killed by 11 |
| Product | Red Hat Enterprise Linux 8 |
| Component | wpa_supplicant |
| Version | 8.1 |
| Target Release | 8.0 |
| Target Milestone | rc |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Vladimir Benes <vbenes> |
| Assignee | Davide Caratti <dcaratti> |
| QA Contact | Ken Benoit <kbenoit> |
| CC | bberg, bgalvani, rvr, sukulkar |
| Flags | pm-rhel: mirror+ |
| Hardware | Unspecified |
| OS | Unspecified |
| URL | https://faf.lab.eng.brq.redhat.com/faf/reports/bthash/d9e5d4e88435a3c91754941f32821c6398e314f4/ |
| Fixed In Version | wpa_supplicant-2.9-2.el8 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2020-04-28 16:44:21 UTC |
Description
Vladimir Benes
2019-09-17 08:32:23 UTC
Simple reproducer:
# modprobe mac80211_hwsim
Then, check that wifi devices are managed by NM and p2p-wifi devices
are present:
# nmcli device
DEVICE TYPE STATE CONNECTION
wlan0 wifi disconnected --
wlan1 wifi disconnected --
p2p-dev-wlan0 wifi-p2p disconnected --
p2p-dev-wlan1 wifi-p2p disconnected --
Now the device that appeared first (usually wlan1) also sets
wpa_global->p2p_init_wpa_s to point to itself. If the device is
removed, the member in the global struct is cleared (despite there
still being another p2p device).
# nmcli device set wlan1 managed no
(this removes the interface from wpa_supplicant).
Call a P2P Find() on the remaining interface:
# busctl call fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 fi.w1.wpa_supplicant1.Interface.P2PDevice Find a{sv} 0
Message recipient disconnected from message bus without replying
# journalctl -u wpa_supplicant -e
wpa_supplicant[11526]: dbus: fi.w1.wpa_supplicant1.Interface.P2PDevice.Find (/fi/w1/wpa_supplicant1/Interfaces/1) [a{sv}]
wpa_supplicant[11526]: wpa_dbus_dict_open_read: start reading a dict entry
systemd[1]: wpa_supplicant.service: Main process exited, code=dumped, status=11/SEGV
systemd[1]: wpa_supplicant.service: Failed with result 'core-dump'.
Now wpa_supplicant crashes because the Find() D-Bus handler accesses
global->p2p_init_wpa_s (which is NULL) and passes it to
wpas_p2p_find(), which dereferences it.
Created attachment 1616287
gdb log
It seems that the value of p2p_init_wpa_s is set to NULL after a device removal, but it's not updated to the other p2p interface.
Created attachment 1616305
gdb log 1
the root cause is probably in the design of p2p: there is a single
interface used for p2p scans, and that interface is "probed" when interfaces
are added. When the interface is removed, wpa_supplicant de-inits p2p, and
prints out this message:
"P2P: Disable P2P since removing the management interface is being removed"
From now on, p2p stays disabled even though it could (theoretically) rely on another
management interface. Users of nmcli can overcome this situation by removing
that other interface and adding it again. The same behavior can be reproduced
using wpa_cli instead of d-bus:
Interactive mode
> interface_add wlan0
OK
> interface_add wlan1
OK
> p2p_find 10
OK
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
<3>P2P-FIND-STOPPED
>
> interface_remove wlan0
OK
> p2p_find 10
UNKNOWN COMMAND
>
but here the SIGSEGV does not happen because the ctrl_iface does a
NULL check before running any P2P-related command:
(ctrl_iface.c, in wpas_global_ctrl_iface_redir_p2p())
    if (global->p2p_init_wpa_s == NULL)
        return NULL;

So, I think we should do a similar fix in the d-bus handler.
And, we should consider enhancing the supplicant in a way that
it re-discovers p2p once the management interface is removed
(but this latter one is more an RFE than a bug).
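Added here as an illustration, not code from wpa_supplicant or from anyone on this bug: a small C model of the global management-interface pointer the comments above discuss, with the NULL check the D-Bus Find handler was missing and, going one step further than the fix, the RFE fallback to another P2P-capable interface when the management interface is removed. The struct layout, the p2p_reselect() helper and the numeric return codes are assumptions.

```c
/* Added example, not wpa_supplicant's code: toy model of the global P2P
 * management-interface pointer from this report; layout and codes assumed. */
#include <string.h>
#define MAX_IFACES 4
struct wpa_supplicant { const char *ifname; int p2p_capable; int in_use; };
struct wpa_global {
    struct wpa_supplicant ifaces[MAX_IFACES];
    int n;                                   /* slots handed out so far */
    struct wpa_supplicant *p2p_init_wpa_s;   /* NULL means P2P is disabled */
};

/* RFE from the comment above: fall back to another P2P-capable interface. */
static void p2p_reselect(struct wpa_global *g)
{
    g->p2p_init_wpa_s = NULL;
    for (int i = 0; i < g->n && g->p2p_init_wpa_s == NULL; i++)
        if (g->ifaces[i].in_use && g->ifaces[i].p2p_capable)
            g->p2p_init_wpa_s = &g->ifaces[i];
}

int interface_add(struct wpa_global *g, const char *name, int p2p_capable)
{
    if (g->n == MAX_IFACES) return -1;
    g->ifaces[g->n] = (struct wpa_supplicant){ name, p2p_capable, 1 };
    if (g->p2p_init_wpa_s == NULL && p2p_capable)   /* first P2P iface wins */
        g->p2p_init_wpa_s = &g->ifaces[g->n];
    g->n++;
    return 0;
}

int interface_remove(struct wpa_global *g, const char *name)
{
    for (int i = 0; i < g->n; i++) {
        if (!g->ifaces[i].in_use || strcmp(g->ifaces[i].ifname, name) != 0)
            continue;
        g->ifaces[i].in_use = 0;
        if (g->p2p_init_wpa_s == &g->ifaces[i])   /* mgmt interface went away */
            p2p_reselect(g);                      /* unpatched: it just stays NULL */
        return 0;
    }
    return -1;
}

/* D-Bus Find with the NULL check ctrl_iface already does; -2 models the
 * "Could not find P2P mgmt interface" reply instead of a SIGSEGV. */
int dbus_p2p_find(struct wpa_global *g)
{
    if (g->p2p_init_wpa_s == NULL) return -2;
    return g->p2p_init_wpa_s->p2p_capable ? 0 : -1;   /* stands in for wpas_p2p_find() */
}
```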
Tested against RHEL-8.1.0 on a system with two p2p-capable interfaces. Was able to reproduce the SEGV event from the instructions provided in comment 1. Retested on the same system using RHEL-8.2.0-20200220.n.0 and performing the same steps did not cause the SEGV event. As stated in comment 4, this also causes a situation of the busctl command coming back with "Could not find P2P mgmt interface" since it de-inits p2p as soon as one of the interfaces moves to unmanaged. P2PDevice Find does succeed if the interface is switched back to managed after though. Marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:1788