2021-03-25 03:28:47

by James Prestwood

Subject: BUG: brcmfmac fails to connect after offload connection

I discovered this bug where, after an offloaded connection (SAE/WPA3 in
my case), the kernel/driver/firmware can no longer connect via non-
offload means. This is due to the firmware no longer forwarding EAPOL
frames, so the supplicant cannot complete the 4-way handshake. I am
testing on a Raspberry Pi 3 B+ (BCM43438). To reproduce:

1. Connect initially to a WPA3 network using SAE_OFFLOAD. This is done
with CMD_CONNECT using the SAE_PASSWORD attribute. This works as

2. Disconnect from WPA3 network

3. Connect to another network without using offload. In my case I am
connecting to a WPA2 network using CMD_CONNECT but not including
ATTR_PMK. This will rely on the supplicant doing the 4-way in

Expected behavior: Connecting to the 2nd WPA2 network using non-offload
should work.

Actual behavior: Connection/4-way times out due to the firmware not
forwarding any EAPOL frames to userspace.

The only way to 'fix' this situation is to fully reboot the device and
reload the firmware. Once the firmware is 'fresh' it can do non-offload
connections without issues. It is only after you do a single offload
connection that the firmware gets stuck in this state where it no longer
forwards EAPOL frames to userspace.

I asked a question some time ago about some suspicious wording in the
nl80211 docs regarding offload and that some hardware may not support
the 4-way in userspace. I'm curious if maybe offload/non-offload is not
intended to be used together. It would sure be nice to get an answer to
that question. Maybe this issue is not really a bug, but a consequence
of using non-offload/offload together? Anyways, hopefully this reaches
the right people.