Daemon.err hostapd: nl80211: kernel reports: key addition failed - is this a problem?

Here is the TODO excerpt:

 * The ASSOC test makes sure the driver is ready to
 * receive the key. When wpa_supplicant has roamed
 * using FT, it attempts to set the key before
 * association has completed, this rejects that attempt
 * so it will set the key again after association.
 * TODO: accept the key if we have a station entry and
 *       add it to the device after the station.

I've included patch 100-allow_key_without_assoc.patch under

patch content
Used to remove FT key addition failed error on Archer C7 v2

Index: backports-5.15.58-1/net/mac80211/cfg.c
--- backports-5.15.58-1.orig/net/mac80211/cfg.c
+++ backports-5.15.58-1/net/mac80211/cfg.c
@@ -466,11 +466,15 @@ static int ieee80211_add_key(struct wiph
                 * TODO: accept the key if we have a station entry and
                 *       add it to the device after the station.
-               if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
+               if (!sta) {
+                       sdata_info(sdata, "mwv1 - no sta\n");
                        err = -ENOENT;
                        goto out_unlock;
+               if (!test_sta_flag(sta, WLAN_STA_ASSOC)) {
+                       sdata_info(sdata, "mwv2 - no sta assoc\n");
+               }

        switch (sdata->vif.type) {

This will automatically sourced in when (re)-building source.

Also, now have my ath10k driver ftrace enabled to increase my understanding on how to follow the TODO properly.


How can we get this pulled into the main release?
How can we build this for each of our own?

I'd be happy to supply a patch file, it's code-wise trivial .

Not sure if this will be accepted as a patch for main release, as it may have the side effect of non-hardware decryption.

For what it's worth, I am tracing the hostapd-mac80211 interplay. It's clear that there is provision for fail-retry settings (depending on ASSOC state), which I need to have a closer look at... Will update here once I understand this better.

---- update ----
the patch above removes the need for the retry cycle in my 802.1x + VLAN setup.


@fodiator understand that it might take longer to get this to a patch that will be accepted.

Meantime, how might we replicate what you have done to get it onto our own setups? Some pointers on where to get going would be helpful. Is it sufficient to follow the Developer Guide on the Wiki?

Any thoughts as to why this hasn't been corrected some time ago already?

@andybjackson building the patch should be fairly straightforward.

Assuming your build environment is set up as per Wiki, you can build the release equivalent as described here:

If you copy the patch content from above

and place it in [buildroot]/openwrt/package/kernel/mac80211/patches/subsys

and run make world you should get the sysupgrade.bin under [buildroot]/bin/targets/[path to your device]

You can confirm the patch is part of your build strings [buildroot]/[yourtarget]/[yourlinux]/backports-5.15.58-1/net/mac80211/mac80211.ko | grep mwv .

In the meantime I am still looking to improve the solution by adding the STA to the driver as per the note above. I have been able to get insight into the hostapd code. Hoping to have an implementation within a few weeks.

The reason this code was 'corrected' seems to be - according to a comment - about hardware decryption not being active when the key is added without being associated on some systems.


@fodiator did you actually submit the patch?
If so, could you please update this thread with that information?

Haven’t made a pull request yet. Instead I’ve been tracing the mac80211 code to understand how to follow the TODO suggestion.

I think I understand now what to do (accept key on first offer, then on assoc replace key and load to hw if not already done).

Unfortunately I have not yet had time to implement and test this. Hopefully in the next week or so. If succesfull, I’ll make that a PR.

If you want the patch right now, you can just copy the contents above :+1:.


Does this happen with WPA2/3-PSK as well? Because I certainly have the issue with WPA2/3-EAP. Have currently turned 802.11r off in my production environment.

Yes. Happens also there.

@fodiator Am now up to speed on building OpenWRT myself. How are you getting on with the patch. Can I help in any way, for example with testing?

PS Some advice for anyone also else getting up to speed with OpenWRT build following the openwrt.org Build System guidance in anticipation of @fodiator's patch:

  • Use the fastest computer you can - else the process is slow
  • git tag is a step that I don't yet fully understand. It displays a list of available build choices, but isn't clear how one might choose on. "q" gets you past the step and I use git checkout master rather than the release version so this seems redundant to me.

Still having to make the final test.

In the meantime I’d be interested to learn if the code above improves your roaming, and - if so - if you see any throughput degradation (I don’t)…

Will take this up and notify you once I got the new patch working.

Sorry for not replying already. Have been fighting the LUA bug in recent days. Thus not making progress with testing the patch.