[PATCH] hostapd: keep HE capability after channel switch in AP+STA/Mesh
The auto-ht option already kept HT and VHT support, but wasn't updated to support HE (11ax). Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- This is a drive-by contribution that I just noticed while looking at the patch. I haven't even build tested. --- .../network/services/hostapd/patches/370-ap_sta_support.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package/network/services/hostapd/patches/370-ap_sta_support.patch b/package/network/services/hostapd/patches/370-ap_sta_support.patch index c5cad3bb8d..535164d802 100644 --- a/package/network/services/hostapd/patches/370-ap_sta_support.patch +++ b/package/network/services/hostapd/patches/370-ap_sta_support.patch @@ -235,13 +235,14 @@ --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c -@@ -2883,6 +2883,11 @@ static int hostapd_ctrl_iface_chan_switc +@@ -2883,6 +2883,12 @@ static int hostapd_ctrl_iface_chan_switc return 0; } + if (os_strstr(pos, " auto-ht")) { + settings.freq_params.ht_enabled = iface->conf->ieee80211n; + settings.freq_params.vht_enabled = iface->conf->ieee80211ac; ++ settings.freq_params.he_enabled = iface->conf->ieee80211ax; + } + for (i = 0; i < iface->num_bss; i++) { -- 2.31.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v3 1/2] ubusd: convert tx_queue to linked list
ubusd maintains a per-client tx_queue containing references to message buffers that have not been sent yet (due to the socket blocking). This is a fixed-size, 64-element queue. When more than 64 elements are queued, subsequent elements are simply dropped. Thus, a client that is waiting for those messages will block indefinitely. In particular, this happens when more than +- 250 objects are registered on the bus and either "ubus list" or "ubus wait_for" is called. The responses to these requests consist of a message buffer per object. Since in practice, ubusd will not yield between the sends of these message buffers, the client has no time to process them and eventually the output socket blocks. After 64 more objects, the rest is dropped, including the final message that indicates termination. Thus, the client waits indefinitely for the termination message. To solve this, turn the tx_queue into a variable-sized linked list instead of a fixed-size queue. To maintain the linked list, an additional structure ubus_msg_buf_list is created. It is not possible to add the linked list to ubus_msg_buf, because that is shared between clients. Note that this infinite tx_queue opens the door to a DoS attack. You can open a client and a server connection, then send messages from the client to the server without ever reading anything on the server side. This will eventually lead to an out-of-memory. However, such a DoS already existed anyway, it just requires opening multiple server connections and filling up the fixed-size queue on each one. To protect against such DoS attacks, we'd need to: - keep a global maximum queue size that applies to all rx and tx queues together; - stop reading from any connection when the maximum is reached; - close any connection when it hasn't become writeable after some timeout. Fixes: https://bugs.openwrt.org/index.php?do=details_id=1525 Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- v3: - remove the txq_ofs change - reduce the diff a bit by adding "ub = ubl->msg;" v2: workarounds for clang static analysis false positives: - use list_for_each_safe instead of a while loop; - hide the free() by moving it to ubusd.c. --- ubusd.c | 20 ubusd.h | 11 --- ubusd_main.c | 33 + ubusd_proto.c | 1 + 4 files changed, 34 insertions(+), 31 deletions(-) diff --git a/ubusd.c b/ubusd.c index 5993653..c324c70 100644 --- a/ubusd.c +++ b/ubusd.c @@ -133,13 +133,25 @@ ssize_t ubus_msg_writev(int fd, struct ubus_msg_buf *ub, size_t offset) return ret; } +void ubus_msg_list_free(struct ubus_msg_buf_list *ubl) +{ + list_del_init(>list); + ubus_msg_free(ubl->msg); + free(ubl); +} + static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub) { - if (cl->tx_queue[cl->txq_tail]) + struct ubus_msg_buf_list *ubl; + + ubl = calloc(1, sizeof(struct ubus_msg_buf_list)); + if (!ubl) return; - cl->tx_queue[cl->txq_tail] = ubus_msg_ref(ub); - cl->txq_tail = (cl->txq_tail + 1) % ARRAY_SIZE(cl->tx_queue); + INIT_LIST_HEAD(>list); + ubl->msg = ubus_msg_ref(ub); + + list_add_tail(>tx_queue, >list); } /* takes the msgbuf reference */ @@ -150,7 +162,7 @@ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) if (ub->hdr.type != UBUS_MSG_MONITOR) ubusd_monitor_message(cl, ub, true); - if (!cl->tx_queue[cl->txq_cur]) { + if (list_empty(>tx_queue)) { written = ubus_msg_writev(cl->sock.fd, ub, 0); if (written < 0) diff --git a/ubusd.h b/ubusd.h index 923e43d..f34cba1 100644 --- a/ubusd.h +++ b/ubusd.h @@ -23,7 +23,6 @@ #include "ubusmsg.h" #include "ubusd_acl.h" -#define UBUSD_CLIENT_BACKLOG 32 #define UBUS_OBJ_HASH_BITS 4 extern struct blob_buf b; @@ -36,6 +35,11 @@ struct ubus_msg_buf { int len; }; +struct ubus_msg_buf_list { + struct list_head list; + struct ubus_msg_buf *msg; +}; + struct ubus_client { struct ubus_id id; struct uloop_fd sock; @@ -48,8 +52,8 @@ struct ubus_client { struct list_head objects; - struct ubus_msg_buf *tx_queue[UBUSD_CLIENT_BACKLOG]; - unsigned int txq_cur, txq_tail, txq_ofs; + struct list_head tx_queue; + unsigned int txq_ofs; struct ubus_msg_buf *pending_msg; struct ubus_msg_buf *retmsg; @@ -72,6 +76,7 @@ struct ubus_msg_buf *ubus_msg_new(void *data, int len, bool shared); void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub); ssize_t ubus_msg_writev(int fd, struct ubus_msg_buf *ub, size_t offset); void ubus_msg_free(struct ubus_msg_buf *ub); +void ubus_msg_list_free(struct ubus_msg_buf_list *ubl); struct blob_attr **ubus_parse_msg(struct blob_attr *msg, size
[PATCH v3 2/2] ubusd: add per-client tx queue limit
No new message can be enqueued if this brings the total queue length of that client over UBUS_CLIENT_MAX_TXQ_LEN. Set UBUS_CLIENT_MAX_TXQ_LEN to UBUS_MAX_MSGLEN, i.e. 1MB. This limit should be plenty for any practical use case. Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- v3: new patch I've tested this patch by creating about 40K objects on the bus, which should be more than enough to reach the 1MB limit. And indeed, if I do "ubus list | wc", I get 40K lines, but if I do "ubus list | less", it stops at around 1000 lines (1K per object, is that realistic? Feels a bit high to me...). --- ubusd.c | 5 + ubusd.h | 2 ++ ubusd_main.c | 1 + 3 files changed, 8 insertions(+) diff --git a/ubusd.c b/ubusd.c index c324c70..0e1b0c9 100644 --- a/ubusd.c +++ b/ubusd.c @@ -144,6 +144,9 @@ static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub) { struct ubus_msg_buf_list *ubl; + if (cl->txq_len + ub->len > UBUS_CLIENT_MAX_TXQ_LEN) + return; + ubl = calloc(1, sizeof(struct ubus_msg_buf_list)); if (!ubl) return; @@ -152,6 +155,7 @@ static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub) ubl->msg = ubus_msg_ref(ub); list_add_tail(>tx_queue, >list); + cl->txq_len += ub->len; } /* takes the msgbuf reference */ @@ -172,6 +176,7 @@ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) return; cl->txq_ofs = written; + cl->txq_len = -written; /* get an event once we can write to the socket again */ uloop_fd_add(>sock, ULOOP_READ | ULOOP_WRITE | ULOOP_EDGE_TRIGGER); diff --git a/ubusd.h b/ubusd.h index f34cba1..c5d6d2a 100644 --- a/ubusd.h +++ b/ubusd.h @@ -24,6 +24,7 @@ #include "ubusd_acl.h" #define UBUS_OBJ_HASH_BITS 4 +#define UBUS_CLIENT_MAX_TXQ_LENUBUS_MAX_MSGLEN extern struct blob_buf b; @@ -54,6 +55,7 @@ struct ubus_client { struct list_head tx_queue; unsigned int txq_ofs; + unsigned int txq_len; struct ubus_msg_buf *pending_msg; struct ubus_msg_buf *retmsg; diff --git a/ubusd_main.c b/ubusd_main.c index 3728a42..d298b51 100644 --- a/ubusd_main.c +++ b/ubusd_main.c @@ -74,6 +74,7 @@ static void client_cb(struct uloop_fd *sock, unsigned int events) } cl->txq_ofs += written; + cl->txq_len -= written; if (cl->txq_ofs < ub->len + sizeof(ub->hdr)) break; -- 2.30.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2] ubusd: convert tx_queue to linked list
ubusd maintains a per-client tx_queue containing references to message buffers that have not been sent yet (due to the socket blocking). This is a fixed-size, 64-element queue. When more than 64 elements are queued, subsequent elements are simply dropped. Thus, a client that is waiting for those messages will block indefinitely. In particular, this happens when more than +- 250 objects are registered on the bus and either "ubus list" or "ubus wait_for" is called. The responses to these requests consist of a message buffer per object. Since in practice, ubusd will not yield between the sends of these message buffers, the client has no time to process them and eventually the output socket blocks. After 64 more objects, the rest is dropped, including the final message that indicates termination. Thus, the client waits indefinitely for the termination message. To solve this, turn the tx_queue into a variable-sized linked list instead of a fixed-size queue. To maintain the linked list, an additional structure ubus_msg_buf_list is created. We could also have added the linked list to the ubus_msg_buf struct itself, but it is not relevant in the many other uses of the ubus_msg_buf struct so it would just complicate things. The txq_off variable was used to keep track of which part of the current message was already written, in case only a partial write was possible. We take this opportunity to also move that variable under the ubus_msg_buf_list structure (and rename it to "offset", and change its type to size_t). This makes it clearer that it is related to that particular queued message and not to the queue as a whole. Note that this infinite tx_queue opens the door to a DoS attack. You can open a client and a server connection, then send messages from the client to the server without ever reading anything on the server side. This will eventually lead to an out-of-memory. However, such a DoS already existed anyway, it just requires opening multiple server connections and filling up the fixed-size queue on each one. To protect against such DoS attacks, we'd need to: - keep a global maximum queue size that applies to all rx and tx queues together; - stop reading from any connection when the maximum is reached; - close any connection when it hasn't become writeable after some timeout. Fixes: https://bugs.openwrt.org/index.php?do=details_id=1525 Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- v2: workarounds for clang static analysis false positives: - use list_for_each_safe instead of a while loop; - hide the free() by moving it to ubusd.c. --- ubusd.c | 30 +- ubusd.h | 11 --- ubusd_main.c | 38 +++--- ubusd_proto.c | 1 + 4 files changed, 41 insertions(+), 39 deletions(-) diff --git a/ubusd.c b/ubusd.c index 5993653..f8e33f8 100644 --- a/ubusd.c +++ b/ubusd.c @@ -133,24 +133,38 @@ ssize_t ubus_msg_writev(int fd, struct ubus_msg_buf *ub, size_t offset) return ret; } -static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub) +void ubus_msg_list_free(struct ubus_msg_buf_list *ubl) { - if (cl->tx_queue[cl->txq_tail]) + list_del_init(>list); + ubus_msg_free(ubl->msg); + free(ubl); +} + +static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub, +size_t offset) +{ + struct ubus_msg_buf_list *ubl; + + ubl = calloc(1, sizeof(struct ubus_msg_buf_list)); + if (!ubl) return; - cl->tx_queue[cl->txq_tail] = ubus_msg_ref(ub); - cl->txq_tail = (cl->txq_tail + 1) % ARRAY_SIZE(cl->tx_queue); + INIT_LIST_HEAD(>list); + ubl->msg = ubus_msg_ref(ub); + ubl->offset = offset; + + list_add_tail(>tx_queue, >list); } /* takes the msgbuf reference */ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) { - ssize_t written; + ssize_t written = 0; if (ub->hdr.type != UBUS_MSG_MONITOR) ubusd_monitor_message(cl, ub, true); - if (!cl->tx_queue[cl->txq_cur]) { + if (list_empty(>tx_queue)) { written = ubus_msg_writev(cl->sock.fd, ub, 0); if (written < 0) @@ -159,10 +173,8 @@ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) if (written >= (ssize_t) (ub->len + sizeof(ub->hdr))) return; - cl->txq_ofs = written; - /* get an event once we can write to the socket again */ uloop_fd_add(>sock, ULOOP_READ | ULOOP_WRITE | ULOOP_EDGE_TRIGGER); } - ubus_msg_enqueue(cl, ub); + ubus_msg_enqueue(cl, ub, written); } diff --git a/ubusd.h b/ubusd.h index 923e43d..e20e55a 100644 --- a/ubusd.h +++ b/ubusd.h @@ -23,7 +23,6 @@ #include "ubusmsg.h&qu
[PATCH] ubusd: convert tx_queue to linked list
ubusd maintains a per-client tx_queue containing references to message buffers that have not been sent yet (due to the socket blocking). This is a fixed-size, 64-element queue. When more than 64 elements are queued, subsequent elements are simply dropped. Thus, a client that is waiting for those messages will block indefinitely. In particular, this happens when more than +- 250 objects are registered on the bus and either "ubus list" or "ubus wait_for" is called. The responses to these requests consist of a message buffer per object. Since in practice, ubusd will not yield between the sends of these message buffers, the client has no time to process them and eventually the output socket blocks. After 64 more objects, the rest is dropped, including the final message that indicates termination. Thus, the client waits indefinitely for the termination message. To solve this, turn the tx_queue into a variable-sized linked list instead of a fixed-size queue. To maintain the linked list, an additional structure ubus_msg_buf_list is created. We could also have added the linked list to the ubus_msg_buf struct itself, but it is not relevant in the many other uses of the ubus_msg_buf struct so it would just complicate things. The txq_off variable was used to keep track of which part of the current message was already written, in case only a partial write was possible. We take this opportunity to also move that variable under the ubus_msg_buf_list structure (and rename it to "offset", and change its type to size_t). This makes it clearer that it is related to that particular queued message and not to the queue as a whole. Note that this infinite tx_queue opens the door to a DoS attack. You can open a client and a server connection, then send messages from the client to the server without ever reading anything on the server side. This will eventually lead to an out-of-memory. However, such a DoS already existed anyway, it just requires opening multiple server connections and filling up the fixed-size queue on each one. To protect against such DoS attacks, we'd need to: - keep a global maximum queue size that applies to all rx and tx queues together; - stop reading from any connection when the maximum is reached; - close any connection when it hasn't become writeable after some timeout. Fixes: https://bugs.openwrt.org/index.php?do=details_id=1525 Signed-off-by: Arnout Vandecappelle (Essensium/Mind) --- ubusd.c | 23 ++- ubusd.h | 10 +++--- ubusd_main.c | 45 + ubusd_proto.c | 1 + 4 files changed, 43 insertions(+), 36 deletions(-) diff --git a/ubusd.c b/ubusd.c index 5993653..b7cafaf 100644 --- a/ubusd.c +++ b/ubusd.c @@ -133,24 +133,31 @@ ssize_t ubus_msg_writev(int fd, struct ubus_msg_buf *ub, size_t offset) return ret; } -static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub) +static void ubus_msg_enqueue(struct ubus_client *cl, struct ubus_msg_buf *ub, +size_t offset) { - if (cl->tx_queue[cl->txq_tail]) + struct ubus_msg_buf_list *ubl; + + ubl = calloc(1, sizeof(struct ubus_msg_buf_list)); + if (!ubl) return; - cl->tx_queue[cl->txq_tail] = ubus_msg_ref(ub); - cl->txq_tail = (cl->txq_tail + 1) % ARRAY_SIZE(cl->tx_queue); + INIT_LIST_HEAD(>list); + ubl->msg = ubus_msg_ref(ub); + ubl->offset = offset; + + list_add_tail(>tx_queue, >list); } /* takes the msgbuf reference */ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) { - ssize_t written; + ssize_t written = 0; if (ub->hdr.type != UBUS_MSG_MONITOR) ubusd_monitor_message(cl, ub, true); - if (!cl->tx_queue[cl->txq_cur]) { + if (list_empty(>tx_queue)) { written = ubus_msg_writev(cl->sock.fd, ub, 0); if (written < 0) @@ -159,10 +166,8 @@ void ubus_msg_send(struct ubus_client *cl, struct ubus_msg_buf *ub) if (written >= (ssize_t) (ub->len + sizeof(ub->hdr))) return; - cl->txq_ofs = written; - /* get an event once we can write to the socket again */ uloop_fd_add(>sock, ULOOP_READ | ULOOP_WRITE | ULOOP_EDGE_TRIGGER); } - ubus_msg_enqueue(cl, ub); + ubus_msg_enqueue(cl, ub, written); } diff --git a/ubusd.h b/ubusd.h index 923e43d..4131274 100644 --- a/ubusd.h +++ b/ubusd.h @@ -23,7 +23,6 @@ #include "ubusmsg.h" #include "ubusd_acl.h" -#define UBUSD_CLIENT_BACKLOG 32 #define UBUS_OBJ_HASH_BITS 4 extern struct blob_buf b; @@ -36,6 +35,12 @@ struct ubus_msg_buf { int len; }; +struct ubus_msg_buf_list { + struct list_head list; + struct ubus_msg_buf *msg; + size_