From patchwork Tue Sep 6 06:47:35 2016
X-Patchwork-Submitter: Andrei Otcheretianski
X-Patchwork-Id: 666336
From: andrei.otcheretianski@intel.com
To: hostap@lists.infradead.org
Cc: Andrei Otcheretianski
Subject: [PATCH 03/18] wpa_supplicant: Don't stop conn. radio work on DEAUTH
Date: Tue, 6 Sep 2016 09:47:35 +0300
Message-Id: <1473144455-5267-1-git-send-email-andrei.otcheretianski@intel.com>

From: Andrei Otcheretianski

If a DEAUTH event is received while authenticating,
wpas_connection_failed() is invoked, cancelling the radio work. However,
the flow might continue calling sme_disassoc_while_authenticating(),
which leaves the wpa_supplicant in the AUTHENTICATING state, thus
allowing the continuation of the connection flow (without radio work
protection) in case an AUTH frame is received.

This issue was seen during EAPOL connection, when the client starts the
fast association in wpas_wps_eapol_cb, where the following race occurs:

1. DEAUTH after initial EAPOL HS
2. Start fast associate and send AUTH
3. DEAUTH event rebound from kernel -> wpas_connection_failed() is
   called, stopping the connect radio work
4. SCAN is started
5. AUTH is received, and the connection flow is continued without radio
   work protection
6. SCAN_RESULTS received in the middle of association.
7. Failure in wpa_driver_nl80211_check_bss_status due to state mismatch
   -> DEAUTH with reason code 2.

Fix this by not calling wpas_connection_failed() in step 4, if the
wpa_supplicant is in authenticating state and using SME (same conditions
that result in calling sme_disassoc_while_authenticating()).

Signed-off-by: Andrei Otcheretianski

--- wpa_supplicant/events.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c index ba30780..1058115 100644 --- a/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c
@@ -2572,8 +2572,19 @@ static void wpa_supplicant_event_disassoc_finish(struct wpa_supplicant *wpa_s, bssid = wpa_s->bssid; if (is_zero_ether_addr(bssid)) bssid = wpa_s->pending_bssid; - if (wpa_s->wpa_state >= WPA_AUTHENTICATING) - wpas_connection_failed(wpa_s, bssid); + + if (wpa_s->wpa_state >= WPA_AUTHENTICATING) { + /* + * The connection shouldn't be failed if we will call + * sme_disassoc_while_authenticating, otherwise we may + * continue the connection, without radio work + * protection. + */ + if (!authenticating || + !(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME)) + wpas_connection_failed(wpa_s, bssid); + } + wpa_sm_notify_disassoc(wpa_s->wpa); if (locally_generated) wpa_s->disconnect_reason = -reason_code;
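
Review bot: In the new inner check of wpa_supplicant_event_disassoc_finish(), the test `!authenticating || !(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME)` re-states by hand the condition that the comment says leads to sme_disassoc_while_authenticating(), but that call and the assignment of `authenticating` are both outside the visible lines, so the two conditions can drift apart unnoticed. Compute one local flag for "SME and authenticating" once and use it both here and at the sme_disassoc_while_authenticating() call site. When the branch is skipped, nothing in the visible lines ends the connect radio work if no AUTH frame ever follows, and everything else wpas_connection_failed() does for this BSSID is skipped as well; the comment should name the path that releases the radio work in that case. As a style point, the nested `if` can be folded into the outer `wpa_s->wpa_state >= WPA_AUTHENTICATING` condition.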