Benjamin Berg [Tue, 22 Jul 2025 07:30:45 +0000 (09:30 +0200)]
test: dbus: Unregister timeout source at end of test
Using timeout_add registers the GSource with the default GMainContext.
This GMainContext will remain the same between tests, and the registered
sources will therefore not be destroyed at the end of the test and will
only be removed after they have triggered and returned False.
Change the test timeout code to use a helper and ensure the GSource is
unregistered again when the test exits. While this is not an actual
problem, it does mean that python can garbage collect the TestDbus
instance earlier as it is otherwise kept alive until the GSource is
free'ed and the reference to the timeout method has been dropped.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:29 +0000 (14:35 +0200)]
BSS: MLD: Add verification for the pairwise cipher
Check that there is a valid pairwise cipher for an EHT AP. Also verify
that each potential link has a pairwise cipher in common with the
association link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:28 +0000 (14:35 +0200)]
BSS: Verify the ML common info for links
Add a check that the AP MLD MAC address, the link ID, the MLD
Capabilities and Operations, the Extended MLD Capabilities as well as
the EML Capabilities match between links. If this is not the case,
refuse to use the offending link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Ilan Peer [Wed, 18 Jun 2025 12:35:27 +0000 (14:35 +0200)]
defs: Add MLE definitions for Extended MLD operations and capabilities
They will be needed later.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:26 +0000 (14:35 +0200)]
BSS: Parse ML information when updating the BSS
There is no point in re-parsing the MLE all the time if the relevant
information is being cached in the BSS anyway. As such, move the parsing
part to be done when adding/updating the BSS and add a separate function
to retrieve the links that are usable or missing in the BSS cache.
Overall, this is not going to save work, but it means that the
multi-link information in the BSS is always up-to-date and also
detangles the RNR/MLE parsing from the later runtime checks whether the
links are valid for the selected SSID.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:25 +0000 (14:35 +0200)]
BSS: Set valid_links for all links and return usable links
This commit is a preparation to better define valid_links in struct
wpa_bss and move parsing to wpa_bss_update(). Before this, the value of
valid_links would depend on whether a neighbor is known and if a struct
wpa_ssid was passed to the parser.
With this change, valid_links is purely defined on whether there is an
entry in the RNR for the corresponding link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:24 +0000 (14:35 +0200)]
BSS: Drop AP MLD MAC address from return parameters for MLE parsing
The AP MLD MAC address is already parsed out when updating the BSS and
stored within the structure. As such, there is no point in parsing it
out again and adding a separate argument just for that.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:23 +0000 (14:35 +0200)]
BSS: Use correct AP MLD ID
We need to be more careful about the ID used when resolving the RNR and
doing an ML probe request. The thing to keep in mind is that the AP MLD
ID is local to the reported beacon and can change depending on who is
reporting the information. On the other hand, the Multiple BSSID-Index
is static.
As such, the AP MLD ID that is local to the information should be used
for parsing the RNR. This AP MLD ID can simply be retrieved from the
Multi-Link element. However, if an AP MLD ID is not included, then it
must be assumed to be identical to the Multiple-BSSID Index element.
Note that an AP MLD ID will only ever be included if the underlying code
that does the inheritance chooses to include it in the Multi-Link
element that it inserts. This code may also rewrite the RNR entries to
ensure they match the expected value and leave out the AP MLD ID in the
Multi-Link element.
In contrast, for the purpose of sending a Multi-Link Probe Request we
need to know whether or not the AP is transmitting. For this information
we must purely rely on the Multiple-BSSID Index element.
Fixes: de5e01010cb2 ("wpa_supplicant: Support ML probe request") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
David Spinadel [Thu, 24 Jul 2025 12:00:45 +0000 (14:00 +0200)]
RRM: Don't request LCI and civic if not supported
Check that FTM responder capability bit in Extended Capabilities element
and LCI and Location Civic bits in RM Enabled capabilities element are
set before sending LCI and location civic request in neighbor report
request. If they are not set, don't include the corresponding
sub-elements in the neighbor report request. This change is according to
IEEE Std 802.11-2024, 11.10.10.2 (Requesting a neighbor report).
Signed-off-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Peer, Ilan <ilan.peer@intel.com>
Add a get() function for the global freq_list configuration value. This
allow `wpa_cli dump` and `wpa_cli get freq_list` return the current
value. If the value isn't set, the `wpa_cli dump` will output
"freq_list=null" and `wpa_cli get freq_list` will fail, similar to STR()
values.
Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
Add a get() function for the global bgscan configuration value. This
allow `wpa_cli dump` and `wpa_cli get bgscan` return the current value.
If the value isn't set, the `wpa_cli dump` will output "bgscan=null" and
`wpa_cli get bgscan` will fail, similar to STR() values.
Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
Benjamin Berg [Fri, 1 Aug 2025 07:47:16 +0000 (09:47 +0200)]
tests: Fix mbo_assoc_disallow on old tshark
Older tshark seems to be a bit inconsistent. It returns the timestamp
with a timezone qualifier, but then doesn't accept it when passed in the
same format. Use the frame number instead of the timestamp to work
around that.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
wpa_supplicant: Bump DEFAULT_BSS_MAX_COUNT to 1000
Many congested areas have more than 200 APs in range of a typical
device. When the number of APs exceeds BSS_MAX_COUNT, even nearby APs
can be absent from the scanning device's AP list. Bump the default to
1000 to be more in line with a realistic modern maximum number of APs in
a given area.
RRM: Do not set DELAYED_BA and IMM_BA bits in neighbor report
The bits `Delayed Block Ack` and `Immediate Block Ack` in the
Capabilities subfield of the Neighbor Report element became reserved
bits between IEEE Std 802.11-2016 and IEEE Std 802.11-2020. Do not set
those reserved bits.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
Add support for null encryption (ENC_NULL) in IKEv2, as described in RFC
2410.
Implement the null cipher by reusing the OpenSSL EVP_enc_null()
function, adding support for ENC_NULL in both encrypt and decrypt
operations.
As specified in RFC 2410:
- The cipher does not use an IV, so an explicit check prevents
a potential floating point exception.
- Padding is not required; so a pad length field with value 0
is appended to the ciphertext.
Null encryption can be useful for (1) debugging purposes and (2)
supporting emerging scenarios, such as 5G networks, where the TNGF
(Trusted Non-3GPP Gateway Function) leverages IKEv2 with null
encryption.
Tested with Free5GC (v4.0.1) using wpa_supplicant.
NAN USD: Fix state machine stall seen with listen failure
If the driver returns -EBUSY for remain_on_channel operation, NAN USD
state-machine gets stuck and no further listen is configured from
wpa_supplicant. Clear the states and re-triggers the nan_de_timer to
restart the listen operation in such case.
In virtual AP mode, driver nl80211 did not handle RTM link events for
non-first BSSs. This leads to the situation when the non-first BSS does
not move into DOWN/UP/LOWER_UP state when netlink reports it and the
interface is left in NO-CARRIER state (e.g., after CAC finished). Also
fix ifindex updating for non-first BSS when it changes, for example,
after rmmod/insmod a wireless driver.
Signed-off-by: Alexander Savchenko <oleksandr.savchenko.dn@bp.renesas.com>
Muna Sinada [Mon, 9 Jun 2025 18:06:16 +0000 (11:06 -0700)]
VLAN: Use VLAN group keys for EAPOL frames and FT reassoc for MLO
When MLO Dynamic VLAN is enabled and non-AP MLDs in a VLAN group are
exchanging EAPOL messages, the AP MLD was providing the primary
authenticator's GTKs instead of the VLAN's GTKs. This results in STAs
being unable to decrypt the VLAN's multicast frames due to incorrect
keys.
In wpa_auth_ml_get_key_info(), if vlan_id is provided, traverse through
the wpa_group list and select the one that matches the vlan_id. From the
matched wpa_group, the correct GTKs are taken.
Similarly in the case of FT + MLO + Dynamic VLAN, handle selecting
VLAN's wpa_group for the FT protocol Reassociation Response frame.
Muna Sinada [Mon, 9 Jun 2025 18:06:15 +0000 (11:06 -0700)]
VLAN: Enable Dynamic VLAN for MLO
Enable Dynamic VLAN for Multi-Link Operation (MLO) in hostapd.
When Dynamic VLAN is enabled for AP MLD (Multi-Link Device), VLAN
list will be maintained in the first BSS (Basic Service Set).
Key changes include:
- Access the VLAN list from the first BSS for the AP MLD.
- When setting Group Temporal Key (GTK) per link, reference the
first BSS for the VLAN list.
- Pass the first BSS when calling functions that iterate through the
VLAN list such as vlan_add_dynamic() and vlan_remove_dynamic().
Benjamin Berg [Mon, 23 Jun 2025 11:28:11 +0000 (13:28 +0200)]
AP MLD: Never keep a per-link wpa_sm
The __checK_assoc_ies() function needs to create a per-link wpa_sm
temporarily. However, later on sta->wpa_sm should just be a reference to
the main wpa_sm.
Change the code so that the temporary state is self-contained to
__check_assoc_ies(). This fixes a memory leak should __check_assoc_ies()
return an error.
Also change the function to pass the wpa_sm for the assoc_link instead
of just a link boolean. The internal lookup appears to not have worked
and this also simplifies the code.
Fixes: 5f5db9366cde ("AP: MLO: Process Multi-Link element from (Re)Association Request frame") Fixes: 84d2a36da02a ("AP MLD: Require same AKM and pairwise cipher for all links") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 26 Jun 2025 08:51:24 +0000 (10:51 +0200)]
tests: Disable IPv6 in protected keep-alive test
When the new protected_keep_alive test was added, the @disable_ipv6
decorator was not moved. Disable IPv6 for both keep alive tests by
moving it to the run_ function.
Also remove the @remote_compatible decorator as it does not work with
IPv6 disablement. It was not removed in the patch to disable IPv6 in the
original test.
Fixes: fdf23679f823 ("tests: More coverage for WNM BSS max idle period management") Fixes: 1bd5e35b8733 ("tests: Disable IPv6 in WNM keep-alive test") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
If you have two peers using wpa_supplicant, right now the client can get
both the GO interface and device addresses, but you can't know your own
device address. Knowing your own device address is useful to coordinate
to the GO and map the interface address to a Peer object once the P2P
connection has been established.
This is already exposed, in a round-about way, via the "PeerGO" property
of the P2PDevice interface.
However, that is rather broken, in the sense that it logically doesn't
belong there, (see the docs which already point it out), and also in the
sense that wpa_supplicant doesn't notify when the property changes,
which confuses clients which cache DBus properties (all of them?).
Instead, expose the GO dev address directly. This is useful to be able
to map back from the group to the GO's peer object (or self).
I didn't manage to get the hwsim tests running on my machine, though
testing this should be trivial-ish. I did test this manually, too...
P2P: Update wpa_s->go_dev_addr on GO during group started notification
Some of the sequences for starting a GO did no update
wpa_s->go_dev_addr. Set that here to keep things more consistent when
this variable gets exposed externally.
AP: Check a STA is HE before copying EHT/6 GHz capabilities
A EHT STA and/or a 6 GHz capable STA is a HE STA. If a STA has an
invalid HE capabilities, the HE capability of the STA is deactivated but
the EHT/6 GHz capability is still activated and their elements copied.
Deactivate the EHT/6 GHz capability of a STA if it is not a HE STA.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
AP: Check a STA is VHT before copying VHT operation element
If a VHT STA has an invalid VHT Capabilities element, the VHT capability
of the STA is deactivated but the VHT operation element might still be
copied without the VHT Capabilities element being present.
Only copy the VHT operation element if a STA is VHT.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
AP: Check a STA is HT before copying VHT capabilities
A VHT STA is a HT STA. If a VHT STA has an invalid HT Capabilities
element, the HT capability of the STA is deactivated but the VHT
capability is still activated and the element copied.
Deactivate the VHT capability of a STA if it is not a HT STA.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
Johannes Berg [Thu, 28 Aug 2025 12:15:00 +0000 (14:15 +0200)]
wpa_debug: Prefer tracefs over debugfs
With Linux 6.17, having /sys/kernel/debug/tracing/ is now optional
(CONFIG_TRACEFS_AUTOMOUNT_DEPRECATED), since tracefs has been around for
a long time. Prefer tracefs when finding the trace_marker file.
Note the "!buf[0]" condition which serves to keep the logic identical to
before when tracefs isn't present, using the first debugfs rather than
the last. That is not likely to matter, but still.
Also mount tracefs in the scripts for running in VMs.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
AP: Fix Supported EHT-MCS And NSS Set field advertisement
The current implementation incorrectly derives the 'Supported EHT-MCS and
NSS Set' field based on the operating HE bandwidth. This is inaccurate, as
the field is part of the EHT Capabilities element and should represent the
full hardware capabilities, not the current operating configuration.
Runtime parameters already have dedicated fields within the EHT Operation
element for their representation.
Hence, resolve the issue by referencing the bandwidth from the HE PHY
Capabilities and using it to correctly derive the Supported EHT-MCS and NSS
Set values.
The current implementation incorrectly derives the 'Supported Channel
Width Set' in the HE PHY Capabilities Information field based on the
operating bandwidth. This, in turn, affects the advertisement of the
'Supported HE-MCS and NSS Set' field. Such behavior is flawed, as
capability advertisement should reflect the full hardware capabilities,
not the current operating configuration. Runtime parameters already have
designated fields in the HE Operation element for their representation.
Hence, fix this now by using the HE PHY Capabilities and Supported
HE-MCS and NSS Set values as advertised by the driver.
AP: Do not set reserved bits in HE Capabilities elements
Currently, bits are set in the Supported Channel Width Set subfields in
the HE Capabilities elements regardless of the current band. However,
IEEE Std 802.11ax-2021, Table 9-322b indicates that some bits are
reserved depending on the current band. Convention states that reserved
bits shall be set to zero unless otherwise stated.
Set bits according to current band and supported widths.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
QCA vendor attribute to allow P2P SCC with STA connected DFS channel
Define config attributes to support STA connected DFS channel for P2P.
Add a new feature flag
@QCA_WLAN_VENDOR_FEATURE_SUPPORT_STA_DFS_CH_SCC_P2P for the driver to
indicate STA connected DFS channel SCC support.
Karthik M [Thu, 25 Sep 2025 07:31:15 +0000 (13:01 +0530)]
AP MLD: Fix SA query timeout during MLD reassociation
If an AP MLD receives a (Re)Association Request frame from an associated
non-AP MLD and if SA query has already timed out for the existing
station entry, the link address should be updated since the non-AP MLD
might have changed its link address in the new association.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
Karthik M [Thu, 25 Sep 2025 07:31:14 +0000 (13:01 +0530)]
AP MLD: Add Timeout Interval element for MLD reassociation rejection
The AP MLD with an associated non-AP MLD receiving an (Re)Association
Request frame that uses the same MLD MAC address as that of the
associated non-AP MLD may reject association temporarily and include the
Timeout Interval element to indicate the association comeback time.
However, the Timeout Interval element is not included currently as
mld_addrs_not_translated flag is true in this case which causes NULL sta
object to be passed to send_assoc_resp().
Fix this by not setting mld_addrs_not_translated if the station is found
in the same link where an (Re)Association Request frame is received, so
that the Timeout Interval element is added into the (Re)Association
Response frame when requesting association comeback.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
AP: Ignore radar event when frequency range is mismatched
In split-MAC enabled cases, radar events which don't have the interface
ID set (like NOP_FINISHED) will be sent to matching 5 GHz frequency BSSs
if the AP MLD has a 5 GHz link. Though, the frequency info is not
matching that of the event received, the event gets currently parsed for
these cases as well. Because of this, other applications might
misinterpret the event wrongly for other interface as well.
Address this by checking that the frequency info received lies within
the interface start and end frequency, and ignore the event if it
doesn't match the interface frequency range.
PASN: Reorder elements in PASN Authentication frames per IEEE 802.11
Reorder the elements in the PASN Authentication frame body to comply
with the order defined in IEEE Std 802.11-2024, Table 9-70
(Authentication frame body). Previously, the PASN Parameters element was
placed before the Wrapped Data element and RSNXE, which violated the
required ordering.
AP MLD: Deinitialize BSS link on interface setup failure
Fix a segmentation fault in hostapd when interface setup fails in
hostapd_add_iface() due to invalid channel information. In this case,
the driver is deinitialized but the BSS link is not, leading to a crash
when the interface is brought down and up during stability testing.
Deinitialize the BSS link if interface setup fails to ensure proper
cleanup and prevent the crash.
Khanjan Desai [Mon, 9 Jun 2025 09:58:38 +0000 (15:28 +0530)]
Configuration of the I2R LMR Feedback policy
Allow I2R LMR policy to be configured in hostapd.conf and advertised the
configured policy in the Extended Capabilities field in Beacon and Probe
Response frames.
Khanjan Desai [Mon, 9 Jun 2025 09:55:56 +0000 (15:25 +0530)]
Add support for configuring URNM_MFPR and URNM_MFPR_X20 (AP)
Add support for configuring Management Frame Protection flags URNM_MFPR
and URNM_MFPR_X20 through hostapd.conf, targeting AP deployments aligned
with IEEE 802.11az.
For drivers that default to URNM_MFPR=1 and URNM_MFPR_X20=0 in the RSNXE
this change enables initializing the AP with URNM_MFPR=0 and
URNM_MFPR_X20=1.
This configuration allows unassociated negotiation and measurement
operations on 20 MHz bandwidth channels without requiring PTKSA.
However, for bandwidths greater than 20 MHz, PTKSA is still required
when URNM_MFPR=0 and URNM_MFPR_X20=1.
When URNM_MFPR=1, PTKSA is mandatory across all supported bandwidths,
regardless of URNM_MFPR_X20.
This enhancement improves flexibility and standards compliance for IEEE
802.11az-based ranging and measurement procedures in AP scenarios.
Khanjan Desai [Mon, 9 Jun 2025 09:54:13 +0000 (15:24 +0530)]
Add support to configure URNM_MFPR and URNM_MFPR_X20 (STA)
Add support for configuring Management Frame Protection flags via
control interface commands, specifically targeting use cases defined in
IEEE 802.11az.
For drivers that set URNM_MFPR (Unassociated Range Negotiation and
Measurement Management Frame Protection Required) to true and
URNM_MFPR_X20 (20 MHz exemption for URNM_MFPR) to false in the RSNXE
this change enables initializing the MFP configuration with relaxed
constraints.
The new behavior allows setting URNM_MFPR_X20 to true while keeping
URNM_MFPR as false, facilitating unassociated ranging and measurement
operations over 20 MHz channels without enforcing strict MFP
requirements.
This provides flexibility for devices operating in bandwidth-constrained
environments or requiring adaptive protection policies during initial
negotiation.
Add QCA vendor attributes for new TX and RX telemetry statistics
Extend telemetry support by adding attributes for new TX and RX
statistics. Introduce per-ring statistics for applicable attributes,
with corresponding TCL and REO ring-specific definitions.
New RX statistics:
1. RX WBM software drop statistics,
2. REO software drop statistics (Per REO ring),
3. RX per packet statistics (Per REO ring).
4. New attributes for RXDMA drop reasons.
Add special testing value skip_inactivity_poll=-1 to be able to test the
exact STA inactivity timeout behavior without having to disconnect the
STA for that. Use this to verify inactivity timer with SAE and PMF.
Karthik M [Thu, 11 Sep 2025 22:02:07 +0000 (03:32 +0530)]
AP MLD: Enable SA Query handling for all the MLD links
Introduce an ap_sta_set_sa_query_timeout() helper function to propagate
the SA Query timeout state across all affiliated STAs of a non-AP MLD.
Extend functionality beyond just introducing the helper by enabling SA
Query handling for all the MLD links.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
Karthik M [Thu, 11 Sep 2025 22:02:07 +0000 (03:32 +0530)]
Use a helper function to set SA Query timeout
Introduce an ap_sta_set_sa_query_timeout() helper function to set the SA
Query timeout state. This is in preparation for extending this
functionality to cover MLD cases.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
nl80211: Fix NULL pointer dereference for elems in NAN USD offload cases
Add a NULL pointer check for the elems buffer before attempting to
dereference it with wpabuf_len(elems) and wpabuf_head(elems). This
prevents a potential NULL pointer dereference in the
nl80211_nan_publish() and nl80211_nan_subscribe() functions if NAN USD
offload is used without the element container.
Yuvarani V [Fri, 19 Sep 2025 07:21:54 +0000 (12:51 +0530)]
AP MLD: Fix context for ML PMKSA cache in link disabling cases
When the primary_auth link is disabled, its context remains assigned to
the MLD-level PMKSA cache via pmksa_cache_auth_init(). This results in
an invalid pointer being retained, which causes hostapd to crash when
the disabled link is enabled.
Fix this issue by updating the PMKSA cache context to point to the next
valid primary authenticator using pmksa_cache_auth_set_ctx() when the
primary_auth link is disabled.
Fixes: 799cc8eca9ef ("AP MLD: Define a new MLD-level PMKSA cache shared by all links") Signed-off-by: Yuvarani V <yuvarani.v@oss.qualcomm.com>
nl80211: Use i802_bss for correct ifindex in command/event handling
Replace usage of wpa_driver_nl80211_data with i802_bss for nl80211
operations following commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), which
introduced a shared drv across interfaces.
Use the i802_bss context to construct nl80211 messages with the
correct ifindex.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Shivani Baranwal [Thu, 21 Aug 2025 09:10:20 +0000 (14:40 +0530)]
Add QCA vendor attribute to allow SCC with STA connected indoor channel
Define config attributes to support STA connected indoor channel for
peer network like SAP, P2P GO, and NAN. Add a new feature flag
@QCA_WLAN_VENDOR_FEATURE_SUPPORT_STA_INDOOR_CH_SCC for the driver to
indicate STA connected indoor channel SCC support.
When a BSS is deinitialized, the bss->in_deinit flag may not be set if
it is not the final BSS being processed. This oversight can lead to
nl_preq handle remaining active and undestroyed for a logically
deinitialized BSS. Consequently, if subsequent events related to this
BSS arrive and are handled by wpa_driver_nl80211_event_receive(), they
are handled for a BSS that is no longer operational, leading to
unexpected behavior or potential crashes.
Ensure bss->in_deinit is consistently set to 1 within
wpa_driver_nl80211_if_remove() to correctly mark the BSS as under
deinitialization, allowing for proper cleanup and preventing event
handling for stale BSS contexts.
Shivani Baranwal [Wed, 20 Aug 2025 15:59:15 +0000 (21:29 +0530)]
Add QCA vendor attribute to configure SAR V5 support
Define attributes to support SAR version 5 (Time Averaged SAR). Add a
new attribute QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_USER_SCENARIO to map
user scenarios to device state indexes. Add enum qca_wlan_power_scenario
to enumerate various device usage positions and radio combinations. Add
a feature flag for the driver to indicate support for user scenario to
DSI index mapping.
AP MLD: Remove unused argument from send_assoc_resp()
Remove the unused argument allow_mld_addr_trans from the function
send_assoc_resp(). The only user for this was removed in commit fd1a35e14a1b ("AP MLD: Handle authentication and association on link
address").
Signed-off-by: Adil Saeed Musthafa <adilm@qti.qualcomm.com>
sunilravi [Fri, 29 Aug 2025 19:35:14 +0000 (19:35 +0000)]
NAN USD: Update NMI when MAC address changes
The NAN Management Interface (NMI) address in the NAN Discovery Engine
(nan_de) was only set during initialization. This address would become
stale if the interface's MAC address changed later, for example, due to
MAC address randomization.
When `wpa_supplicant_update_mac_addr()` updated `wpa_s->own_addr`, the
corresponding `wpa_s->nan_de->nmi` field was not updated. This could
lead to failures in Wi-Fi Aware USD operations as they would be using
an incorrect source MAC address.
This commit fixes this by:
1. Introducing a new function, `nan_de_update_nmi()`, to allow the NMI
to be updated after initialization.
2. Calling this new function from `wpa_supplicant_update_mac_addr()` to
ensure the NMI is always synchronized with the interface's current
MAC address.
This ensures the NAN Discovery Engine operates with the correct MAC
address, improving the reliability of Wi-Fi Aware USD functionality.
AP MLD: Fix memory leak in control interface initialization path
If initialization of the MLD-level control interface fails, the current
code exits and frees the mld object without releasing mld->ctrl_interface,
resulting in a memory leak.
Aloka Dixit [Wed, 3 Sep 2025 20:27:23 +0000 (13:27 -0700)]
AP MLD: Reset beacon state after stop_ap
Each MLD link reload results in ieee802_11_set_beacon() sending
NL80211_CMD_START_AP to the kernel for partner links as well. The kernel
may reject it based on which parameters changed. For example, SSID
changes between stop_ap() and reload_config result in an error because
the kernel compares the new link SSID with the old configured SSID for
partner links even though the links are stopped.
Set 'beacon_set_done' to 0 for each link when stop_ap() succeeds
to avoid setting beacon for stopped links.
Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
P2P2: Fix potential buffer overflow in PBMA parsing
Received cookie length wasn't checked resulting in a heap overflow with
an arbitrary data received in the frame if the contents was larger than
a fixed size buffer. Fix this by explicitly checking there buffer to be
sufficient large.
Fixes: 59299a8a7d59 ("P2P2: Add bootstrapping support with PD frames") Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Shivani Baranwal [Tue, 19 Aug 2025 08:20:11 +0000 (13:50 +0530)]
P2P2: Check PASN PMKSA being available to prevent crash during invitation
Add a NULL check for device PASN PMKSA in p2p_invitation_resp_cb(). This
is to ensure stability and prevent a crash in wpa_supplicant triggered
by a P2P invitation request that reinvokes an unknown group.
Fixes: ff02a87c1931 ("P2P2: Fetch PMK and PMKID for invitation using pairing verification") Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
nl80211: Fix handling of highest supported authentication algorithm
NL80211_AUTHTYPE_MAX represents the highest valid authentication
algorithm enum value, not an invalid or out-of-range value. The previous
logic for auth type boundary check incorrectly treats this value as
invalid, resulting in failures when the highest supported authentication
type is used during authentication frame exchange.
To fix this, update the validation logic to correctly recognize all
defined authentication algorithm enum values, including the last one,
and only reject values outside the defined range.
Fixes: 3c67e977dec5 ("nl80211: Add support to send updated connection parameters") Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Thu, 28 Aug 2025 08:50:21 +0000 (11:50 +0300)]
GAS: Remove pending radio work, if any, when freeing a GAS query
The pending radio works maintain a pointer to pending GAS queries. While
the earlier design was to try to make sure the matching radio work gets
deleted in all cases, this was getting complex to make robust.
Forcefully remove any potentially remaining radio work when a GAS query
gets freed without the matching radio work being scheduled at that point
in time.
Jouni Malinen [Thu, 28 Aug 2025 08:29:24 +0000 (11:29 +0300)]
GAS: Do not select pending query that has not yet been sent
An unexpected GAS response for a query that was scheduled to be sent,
but not yet actually transmitted, could result in unexpected behavior.
This could end up selecting the pending query for which the radio work
had not yet been started when processing the received frame and that
could result in freeing the pending query but not being able to
terminate the radio work that still has a reference to the pending
query.
Do not allow a pending GAS query to match a received frame if that query
has not yet been transmitted to avoid this corner case.
Hu Wang [Wed, 13 Aug 2025 02:54:49 +0000 (19:54 -0700)]
Ignore BSS temporary on PSK mismatch
In a controlled test environment, using two APs with the same SSID but
different passwords, connection to the correct AP (AP#2) failed. This
was particularly evident when AP#2 utilized a WPA/WPA2 TKIP+AES
configuration (CCMP pairwise, TKIP group cipher), highlighting challenges
in correctly discerning PSK mismatches across varied security types.
To resolve this, the ignore the BSS resulting in a PSK mismatch
temporarily. This forces wpa_supplicant to consider and attempt
connection to other available BSSs for the same ESS, allowing it to
eventually reach the correct access point accepting the locally
configured parameters.
This enhances connection reliability in dense or complex Wi-Fi
environments where multiple APs share an SSID but have varying security
credentials.
Jouni Malinen [Wed, 27 Aug 2025 09:58:24 +0000 (12:58 +0300)]
GAS: Prefer unique dialog token value across all pending queries
Previously, the dialog token for a new GAS query was selected in a
manner that would be random and unique for the specific peer. However,
with the introduction of support for AP MLDs, multiple different
addresses could have ended up using the same dialog token value for the
same peer.
Make duplicate dialog token uses for AP MLDs less likely by first trying
to find a random dialog token value that is not used in any pending GAS
query for any peer. Only if that does not succeed, fall back to unique
value for the specific peer address to maintain previous behavior.
Jouni Malinen [Wed, 27 Aug 2025 09:51:42 +0000 (12:51 +0300)]
GAS: Use more careful matching of pending queries
The earlier change to accept a response from an AP MLD MAC address ended
up opening an unlikely case where a single dialog token value might end
up mapping to more than a one pending query entry if one of those
entries was for a link address and another one for the MLD MAC address.
This could result in processing of a response freeing a pending query
that did not match the current radio work and with that, leaving behind
a radio work that points to freed memory. That could then result in
dereferencing that freed memory.
Avoid this corner case by picking the pending query that matches the
current radio work in a case where more than a single pending query
would match the received GAS response.
Fixes: bef417152190 ("GAS: Accept GAS response using AP MLD MAC address") Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Jouni Malinen [Wed, 27 Aug 2025 08:40:42 +0000 (11:40 +0300)]
SAE: Allow use of wpa_passphrase to be disabled for SAE
hostapd used to allow the configured wpa_passphrase value to be used for
either WPA2-Personal or WPA3-Personal (SAE). This was allowed in all
cases for SAE other than when there was a matching sae_password entry
for the STA.
Add a new configuration option, sae_password_psk=1, to allow use of
wpa_passphrase for SAE to be disabled. This leaves wpa_passphrase to be
used only for WPA2-Personal cases while WPA3-Personal will use only the
SAE-specific password configuration options.
nl80211: Fix crash by setting the drv->ctx properly
During nl80211_stop_ap(), the active_links bitmap is updated, and the
flink is reassigned to the next available active link in an MLD.
active_links becomes zero when nl80211_stop_ap() is called for the last
remaining link.
For example:
Consider a 3-link MLD (2.4 GHz, 5 GHz, and 6 GHz), with flink initially
pointing to 2.4 GHz:
nl80211_stop_ap() is called for 2.4 GHz -> flink is updated to 5 GHz.
Then for 5 GHz -> flink is updated to 6 GHz.
Finally for 6 GHz -> all links are stopped, and active_links becomes
zero.
Following this, when driver_nl80211_link_remove() is called and links
are removed in a specific order (say 2.4 GHz first, then 6 GHz), the
flink (which was pointing to 6 GHz) gets removed. However, the driver
context (drv->ctx) still points to bss->ctx, which was associated with
the now-deleted flink.
If an event arrives from the driver after this removal, it tries to
access drv->ctx, which now points to freed memory. This results in a
crash due to invalid memory access.
Fix by ensuring that flink is updated only during nl80211_remove_link()
and not during nl80211_stop_ap(). Also ensure that drv->ctx is properly
updated with flink->ctx during link removal and ensure that eloop timers
are properly cancelled before changing the drv->ctx.
Fixes: 2fe31050c248 ("nl80211: Use active_links to notify start/stop state of links") Signed-off-by: Dhanavandhana Kannan <dhanavandhana.kannan@oss.qualcomm.com>
nl80211: Fix crash by cancelling scan timeout before a BSS is removed
In wpa_driver_nl80211_deinit(), eloop_cancel_timeout() is called to
cancel any pending scan timeouts. However, the scan is typically
initiated using the first BSS context, while the timeout cancellation is
attempted using the last BSS being removed. This mismatch causes the
scan timeout to remain active.
The crash occurs after deinit, when the pending scan_timeout callback is
triggered and attempts to access the BSS context that has already been
freed.
Fix by ensuring that eloop_cancel_timeout() is called before any BSS
links are removed, so the correct context is still valid during
cancellation. Also, reset scan_link to NULL if the link being removed
matches the one used for scanning, preventing access to freed memory.
Jouni Malinen [Tue, 26 Aug 2025 08:59:20 +0000 (11:59 +0300)]
SAE: Assign VLAN when using PMKSA caching
SAE passwords in hostapd can be configured with a specific VLAN ID.
Store that VLAN ID into PMKSA cache entries generated from SAE
authentication and assign it to the STA whenever using PMKSA caching
instead of new SAE authentication for an association. This is needed to
be able to use SAE to assign VLANs without having to disable PMKSA
cahcing.
AP MLD: Rename hostapd_is_mld_ap() to hostapd_is_multiple_link_mld()
hostapd_is_mld_ap() returns true only when there is more than one link
affiliated with the AP MLD despite the fact that one link AP MLD is also
an MLD. So rename the function to hostapd_is_multiple_link_mld() to make
the code using this helper function easier to understand.
hostapd_is_mld_ap() added in commit 5f5db9366cde ("AP: MLO: Process
Multi-Link element from (Re)Association Request frame") is used to check
whether there is need to process partner links' Association/Connection/
Authorization.
An issue was found in the previous hostapd_is_mld_ap() logic when the
interface count is larger than one and even when another interface is
not affiliated to the same MLD or is not even affiliated with any MLD,
hostapd_is_mld_ap() still returns true which makes hostapd try to
process an unexisting partner link.
Fix this by enhancing the logic of this helper function by returning
false when no other partner link affiliated with the AP MLD exist.
Jouni Malinen [Fri, 22 Aug 2025 09:47:48 +0000 (12:47 +0300)]
tests: Make dbus_connect_oom more robust
Retry RemoveNetwork() and SelectNetwork() if they fail due to
InvalidArgs error. That error is returned if a memory allocation fails
and that is indeed what this test case is trying to trigger.
In addition, dump any potential hostapd event messages between each test
interation to keep the logs clearer and the socket buffer smaller.
Hu Wang [Tue, 19 Aug 2025 06:43:40 +0000 (23:43 -0700)]
wpa_supplicant: Add option to disable 80+80 MHz opclass advertisement
Introduce a new global configuration parameter,
disable_op_classes_80_80_mhz, to wpa_supplicant. When set to 1, this
option prevents the advertisement of 80+80 MHz channel capabilities in
the Supported Operating Classes element sent in (Re)Association Request
frames.
This addresses a specific compatibility issue reported with certain
legacy or less compliant Soft AP implementations (e.g., on Windows PCs)
which may misinterpret or fail to process the specific octet sequence
used for 80+80 MHz channel advertisements within this element.
Not all implementations set mld_id as a user configuration to identify
partner BSS in an AP MLD, hence use hostapd_is_ml_partner() instead that
checks for interface name to identify partner BSSs.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
AP MLD: Remove redundant outer loop in hostapd_notif_disassoc_mld()
The outer loop in hostapd_notif_disassoc_mld() is not required to
iterate through affiliated AP links in an AP MLD. The inner loop alone
is sufficient for this. So cleanup the outer loop.
No functional changes involved.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Hu Wang [Wed, 6 Aug 2025 06:28:17 +0000 (23:28 -0700)]
hostapd: Prevent blocking sends on control interface monitor socket
hostapd could experience prolonged blocking when sending events
to its control interface monitor clients via sendmsg. This was
particularly problematic when a client disconnected abruptly,
leaving a stale socket file, causing sendmsg to block for extended
periods (e.g., over a minute) before returning an error.
An initial attempt to mitigate this involved setting the SO_SNDTIMEO
socket option. However, testing on Android/Linux platforms revealed
that SO_SNDTIMEO did not reliably prevent the blocking behavior for
this specific Unix domain socket use case.
Use the MSG_DONTWAIT flag in the sendmsg() calls to ensure that sendmsg
operates in a non-blocking mode. This guarantees that hostapd's event
processing loop will not become unresponsive due to stuck send
operations. This matches what wpa_supplicant was already doing in
wpa_supplicant_ctrl_iface_send() as well.
Yu Wang [Tue, 12 Aug 2025 12:30:02 +0000 (05:30 -0700)]
Add QCA vendor attributes for MSDU TX statistics
Add vendor attributes for MSDU TX statistics, including:
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_RETRY_MSDU_CNT: Unsigned 32 bit value.
It represents the number of MSDUs sent by the driver that were
retransmitted and eventually transmitted successfully.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_SUCC_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
successfully transmitted by the driver, including those that were
retransmitted and eventually succeeded.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_FW_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
handed off by the driver for transmission but were ultimately dropped by
the firmware.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_DRIVER_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
intended for transmission but were dropped by the driver before being
handed off to the firmware.
projects / thirdparty / hostap.git / log
