RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1752780 - [abrt] [faf] wpa_supplicant: offchannel_pending_action_tx(): /usr/sbin/wpa_supplicant killed by 11
Summary: [abrt] [faf] wpa_supplicant: offchannel_pending_action_tx(): /usr/sbin/wpa_su...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: wpa_supplicant
Version: 8.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.0
Assignee: Davide Caratti
QA Contact: Ken Benoit
URL: https://faf.lab.eng.brq.redhat.com/fa...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-17 08:32 UTC by Vladimir Benes
Modified: 2023-06-09 09:59 UTC (History)
4 users (show)

Fixed In Version: wpa_supplicant-2.9-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:44:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)
gdb log (14.24 KB, text/plain)
2019-09-18 15:51 UTC, Davide Caratti 		no flags Details
gdb log 1 (8.81 KB, text/plain)
2019-09-18 16:38 UTC, Davide Caratti 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker NMT-606 0 None None None 2023-06-09 09:59:05 UTC
Red Hat Issue Tracker RHELPLAN-28803 0 None None None 2023-06-09 09:49:08 UTC
Red Hat Product Errata RHBA-2020:1788 0 None None None 2020-04-28 16:44:40 UTC

Description Vladimir Benes 2019-09-17 08:32:23 UTC 
This bug has been created based on an anonymous crash report requested by the package maintainer.

Report URL: https://faf.lab.eng.brq.redhat.com/faf/reports/bthash/d9e5d4e88435a3c91754941f32821c6398e314f4/
Comment 1 Beniamino Galvani 2019-09-17 14:46:04 UTC 
Simple reproducer:

    # modprobe mac80211_hwsim

Then, check that wifi devices are managed by NM and p2p-wifi devices
are present:

    # nmcli device
    DEVICE         TYPE      STATE         CONNECTION
    wlan0          wifi      disconnected  --
    wlan1          wifi      disconnected  --
    p2p-dev-wlan0  wifi-p2p  disconnected  --
    p2p-dev-wlan1  wifi-p2p  disconnected  --

Now the the device that appeared first (usually wlan1) also sets
wpa_global->p2p_init_wpa_s to point to itself. If the device is
removed, the member in the global struct is cleared (despite there is
still another p2p device).

    # nmcli device set wlan1 managed no

(this remove the interface from wpa_supplicant).
Call a P2P Find() on the remaining interface:

    # busctl call fi.w1.wpa_supplicant1 /fi/w1/wpa_supplicant1/Interfaces/1 fi.w1.wpa_supplicant1.Interface.P2PDevice Find a{sv} 0
    Message recipient disconnected from message bus without replying

    # journalctl -u wpa_supplicant -e
    wpa_supplicant[11526]: dbus: fi.w1.wpa_supplicant1.Interface.P2PDevice.Find (/fi/w1/wpa_supplicant1/Interfaces/1) [a{sv}]
    wpa_supplicant[11526]: wpa_dbus_dict_open_read: start reading a dict entry
    systemd[1]: wpa_supplicant.service: Main process exited, code=dumped, status=11/SEGV
    systemd[1]: wpa_supplicant.service: Failed with result 'core-dump'.

Now wpa_supplicant crashes because the Find() D-Bus handler accesses
global->p2p_init_wpa_s (which is NULL) and passes it to
wpas_p2p_find(), which dereferences it.
Comment 2 Davide Caratti 2019-09-18 15:51:28 UTC 
Created attachment 1616287 [details]
gdb log

it seems that the value of p2p_init_wpa_s is set to NULL after a device removal, but it's not updated to the other p2p interface.
Comment 3 Davide Caratti 2019-09-18 16:38:23 UTC 
Created attachment 1616305 [details]
gdb log 1
Comment 4 Davide Caratti 2019-09-20 15:56:33 UTC 
the root cause is probably in the design of p2p: there is a single
interface used for p2p scans, and that interface is "probed" when interfaces
are added. When the interface is removed, wpa_supplicant de-inits p2p, and
prints out this message:

P2P: Disable P2P since removing the management interface is being removed"

From now on, p2p stays disabled even it could (theoretivcally) rely on another
management interface. Users of nmcli can overcome this situation by removing
that other interface and adding it again. The same behavior can be reproduced
using wpa_cli instead of d-bus:

Interactive mode                                                                               
                                                                                               
> interface_add wlan0
OK
> interface_add wlan1
OK
> p2p_find 10
OK
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
IFNAME=p2p-dev-wlan0 <3>CTRL-EVENT-SCAN-STARTED
<3>P2P-FIND-STOPPED
>
> interface_remove wlan0
OK
> p2p_find 10
UNKNOWN COMMAND
> 

but here the SIGSEGV does not happen because the ctrl_iface does a 
NULL check before running any P2P - related command:

(ctrl_iface.c, in wpas_global_ctrl_iface_redir_p2p() )

11111         if (global->p2p_init_wpa_s == NULL)
11112                 return NULL;
11113 

so, I think we should do a similar fix in the d-bus handler.
And, we should consider enhancing the supplicant in a way that
it re-discovers p2p once the management interface is removed
(but this latter one is more an RFE than a bug).
Comment 5 Davide Caratti 2019-10-02 20:53:23 UTC 
http://lists.infradead.org/pipermail/hostap/2019-October/040630.html
Comment 7 Ken Benoit 2020-02-24 15:43:53 UTC 
Tested against RHEL-8.1.0 on a system with two p2p-capable interfaces. Was able to reproduce the SEGV event from the instructions provided in comment 1. Retested on the same system using RHEL-8.2.0-20200220.n.0 and performing the same steps did not cause the SEGV event. As stated in comment 4, this also causes a situation of the busctl command coming back with "Could not find P2P mgmt interface" since it de-inits p2p as soon as one of the interfaces moves to unmanaged. P2PDevice Find does succeed if the interface is switched back to managed after though. Marking as verified.
Comment 9 errata-xmlrpc 2020-04-28 16:44:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1788
Note You need to log in before you can comment on or make changes to this bug.