Shivani Baranwal [Thu, 21 Aug 2025 09:10:20 +0000 (14:40 +0530)]
Add QCA vendor attribute to allow SCC with STA connected indoor channel
Define config attributes to support STA connected indoor channel for
peer network like SAP, P2P GO, and NAN. Add a new feature flag
@QCA_WLAN_VENDOR_FEATURE_SUPPORT_STA_INDOOR_CH_SCC for the driver to
indicate STA connected indoor channel SCC support.
When a BSS is deinitialized, the bss->in_deinit flag may not be set if
it is not the final BSS being processed. This oversight can lead to
nl_preq handle remaining active and undestroyed for a logically
deinitialized BSS. Consequently, if subsequent events related to this
BSS arrive and are handled by wpa_driver_nl80211_event_receive(), they
are handled for a BSS that is no longer operational, leading to
unexpected behavior or potential crashes.
Ensure bss->in_deinit is consistently set to 1 within
wpa_driver_nl80211_if_remove() to correctly mark the BSS as under
deinitialization, allowing for proper cleanup and preventing event
handling for stale BSS contexts.
Shivani Baranwal [Wed, 20 Aug 2025 15:59:15 +0000 (21:29 +0530)]
Add QCA vendor attribute to configure SAR V5 support
Define attributes to support SAR version 5 (Time Averaged SAR). Add a
new attribute QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_USER_SCENARIO to map
user scenarios to device state indexes. Add enum qca_wlan_power_scenario
to enumerate various device usage positions and radio combinations. Add
a feature flag for the driver to indicate support for user scenario to
DSI index mapping.
AP MLD: Remove unused argument from send_assoc_resp()
Remove the unused argument allow_mld_addr_trans from the function
send_assoc_resp(). The only user for this was removed in commit
fd1a35e14a1b ("AP MLD: Handle authentication and association on link
address").
Signed-off-by: Adil Saeed Musthafa <adilm@qti.qualcomm.com>
sunilravi [Fri, 29 Aug 2025 19:35:14 +0000 (19:35 +0000)]
NAN USD: Update NMI when MAC address changes
The NAN Management Interface (NMI) address in the NAN Discovery Engine
(nan_de) was only set during initialization. This address would become
stale if the interface's MAC address changed later, for example, due to
MAC address randomization.
When `wpa_supplicant_update_mac_addr()` updated `wpa_s->own_addr`, the
corresponding `wpa_s->nan_de->nmi` field was not updated. This could
lead to failures in Wi-Fi Aware USD operations as they would be using
an incorrect source MAC address.
This commit fixes this by:
1. Introducing a new function, `nan_de_update_nmi()`, to allow the NMI
to be updated after initialization.
2. Calling this new function from `wpa_supplicant_update_mac_addr()` to
ensure the NMI is always synchronized with the interface's current
MAC address.
This ensures the NAN Discovery Engine operates with the correct MAC
address, improving the reliability of Wi-Fi Aware USD functionality.
AP MLD: Fix memory leak in control interface initialization path
If initialization of the MLD-level control interface fails, the current
code exits and frees the mld object without releasing mld->ctrl_interface,
resulting in a memory leak.
Aloka Dixit [Wed, 3 Sep 2025 20:27:23 +0000 (13:27 -0700)]
AP MLD: Reset beacon state after stop_ap
Each MLD link reload results in ieee802_11_set_beacon() sending
NL80211_CMD_START_AP to the kernel for partner links as well. The kernel
may reject it based on which parameters changed. For example, SSID
changes between stop_ap() and reload_config result in an error because
the kernel compares the new link SSID with the old configured SSID for
partner links even though the links are stopped.
Set 'beacon_set_done' to 0 for each link when stop_ap() succeeds
to avoid setting beacon for stopped links.
Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
P2P2: Fix potential buffer overflow in PBMA parsing
Received cookie length wasn't checked, resulting in a heap overflow with
arbitrary data received in the frame if the contents were larger than
a fixed size buffer. Fix this by explicitly checking the buffer to be
sufficiently large.
Fixes: 59299a8a7d59 ("P2P2: Add bootstrapping support with PD frames")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
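The defensive pattern the commit describes, as an added example that is not hostapd's own code: a parser that validates an advertised cookie length against both the remaining frame length and the fixed-size destination buffer before copying. The attribute layout (one length byte followed by the cookie), the 32-byte buffer size and the function name are assumptions made for this example, not the P2P2 PBMA attribute format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PBMA_COOKIE_MAX 32	/* constructed fixed-size destination buffer */

/* Parsed result; a stand-in for the example, not a wpa_supplicant struct. */
struct pbma_cookie {
	uint8_t cookie[PBMA_COOKIE_MAX];
	size_t cookie_len;
};

/*
 * Parse a constructed attribute: buf[0] is the cookie length, followed by
 * the cookie bytes. Returns 0 on success and -1 if the frame is truncated
 * or the advertised length would overflow the fixed-size buffer.
 */
int pbma_parse_cookie(const uint8_t *buf, size_t len, struct pbma_cookie *out)
{
	size_t cookie_len;

	if (len < 1)
		return -1;			/* no length octet present */
	cookie_len = buf[0];
	if (cookie_len > len - 1)
		return -1;			/* length runs past end of frame */
	if (cookie_len > sizeof(out->cookie))
		return -1;			/* the check the fix adds: too large for buffer */

	memcpy(out->cookie, buf + 1, cookie_len);
	out->cookie_len = cookie_len;
	return 0;
}

int main(void)
{
	/* Constructed sample frames */
	const uint8_t good[] = { 8, 1, 2, 3, 4, 5, 6, 7, 8 };
	uint8_t oversize[41];
	struct pbma_cookie c;

	memset(oversize, 0xAA, sizeof(oversize));
	oversize[0] = 40;	/* advertised length exceeds 32-byte buffer */

	printf("good: %d\n", pbma_parse_cookie(good, sizeof(good), &c));
	printf("oversize: %d\n", pbma_parse_cookie(oversize, sizeof(oversize), &c));
	return 0;
}
```

The order of the checks matters: the frame-length check keeps the parser from reading past the received data, and the buffer-size check keeps the copy from writing past the destination; the original bug was the absence of the second one.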
Shivani Baranwal [Tue, 19 Aug 2025 08:20:11 +0000 (13:50 +0530)]
P2P2: Check PASN PMKSA being available to prevent crash during invitation
Add a NULL check for device PASN PMKSA in p2p_invitation_resp_cb(). This
is to ensure stability and prevent a crash in wpa_supplicant triggered
by a P2P invitation request that reinvokes an unknown group.
Fixes: ff02a87c1931 ("P2P2: Fetch PMK and PMKID for invitation using pairing verification")
Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
nl80211: Fix handling of highest supported authentication algorithm
NL80211_AUTHTYPE_MAX represents the highest valid authentication
algorithm enum value, not an invalid or out-of-range value. The previous
logic for auth type boundary check incorrectly treats this value as
invalid, resulting in failures when the highest supported authentication
type is used during authentication frame exchange.
To fix this, update the validation logic to correctly recognize all
defined authentication algorithm enum values, including the last one,
and only reject values outside the defined range.
Fixes: 3c67e977dec5 ("nl80211: Add support to send updated connection parameters")
Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Thu, 28 Aug 2025 08:50:21 +0000 (11:50 +0300)]
GAS: Remove pending radio work, if any, when freeing a GAS query
The pending radio works maintain a pointer to pending GAS queries. While
the earlier design was to try to make sure the matching radio work gets
deleted in all cases, this was getting complex to make robust.
Forcefully remove any potentially remaining radio work when a GAS query
gets freed without the matching radio work being scheduled at that point
in time.
Jouni Malinen [Thu, 28 Aug 2025 08:29:24 +0000 (11:29 +0300)]
GAS: Do not select pending query that has not yet been sent
An unexpected GAS response for a query that was scheduled to be sent,
but not yet actually transmitted, could result in unexpected behavior.
This could end up selecting the pending query for which the radio work
had not yet been started when processing the received frame and that
could result in freeing the pending query but not being able to
terminate the radio work that still has a reference to the pending
query.
Do not allow a pending GAS query to match a received frame if that query
has not yet been transmitted to avoid this corner case.
Hu Wang [Wed, 13 Aug 2025 02:54:49 +0000 (19:54 -0700)]
Ignore BSS temporary on PSK mismatch
In a controlled test environment, using two APs with the same SSID but
different passwords, connection to the correct AP (AP#2) failed. This
was particularly evident when AP#2 utilized a WPA/WPA2 TKIP+AES
configuration (CCMP pairwise, TKIP group cipher), highlighting challenges
in correctly discerning PSK mismatches across varied security types.
To resolve this, ignore the BSS resulting in a PSK mismatch
temporarily. This forces wpa_supplicant to consider and attempt
connection to other available BSSs for the same ESS, allowing it to
eventually reach the correct access point accepting the locally
configured parameters.
This enhances connection reliability in dense or complex Wi-Fi
environments where multiple APs share an SSID but have varying security
credentials.
Jouni Malinen [Wed, 27 Aug 2025 09:58:24 +0000 (12:58 +0300)]
GAS: Prefer unique dialog token value across all pending queries
Previously, the dialog token for a new GAS query was selected in a
manner that would be random and unique for the specific peer. However,
with the introduction of support for AP MLDs, multiple different
addresses could have ended up using the same dialog token value for the
same peer.
Make duplicate dialog token uses for AP MLDs less likely by first trying
to find a random dialog token value that is not used in any pending GAS
query for any peer. Only if that does not succeed, fall back to unique
value for the specific peer address to maintain previous behavior.
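The two-stage token selection this commit describes, written out as an added example that is not wpa_supplicant's code: first a bounded search for a random dialog token unused by any pending query for any peer, then the previous per-peer uniqueness rule as a fallback. The pending-query structure, the fixed-size table, the injected random source (a counter here so the selection is deterministic) and the 256-try bound are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 256
#define ETH_ALEN 6

/* Constructed stand-in for a pending GAS query (not wpa_supplicant's own
 * struct): only the peer address and dialog token are kept. */
struct pending_query {
	uint8_t addr[ETH_ALEN];	/* peer link or MLD address */
	uint8_t dialog_token;
};

struct gas_state {
	struct pending_query pending[MAX_PENDING];
	size_t num_pending;
};

int gas_add_pending(struct gas_state *gas, const uint8_t *addr, uint8_t token)
{
	if (gas->num_pending >= MAX_PENDING)
		return -1;
	memcpy(gas->pending[gas->num_pending].addr, addr, ETH_ALEN);
	gas->pending[gas->num_pending].dialog_token = token;
	gas->num_pending++;
	return 0;
}

/* addr == NULL matches a pending query to any peer. */
static bool token_in_use(const struct gas_state *gas, const uint8_t *addr,
			 uint8_t token)
{
	for (size_t i = 0; i < gas->num_pending; i++) {
		if (gas->pending[i].dialog_token != token)
			continue;
		if (!addr || memcmp(gas->pending[i].addr, addr, ETH_ALEN) == 0)
			return true;
	}
	return false;
}

/* Deterministic "random" source for the demo and tests: a wrapping counter.
 * A real implementation would use a CSPRNG-backed helper here. */
uint8_t seq_rnd(void *ctx)
{
	uint8_t *c = ctx;
	return (*c)++;
}

/* Returns the selected dialog token (0..255) or -1 if none is free. */
int gas_select_dialog_token(const struct gas_state *gas, const uint8_t *addr,
			    uint8_t (*rnd)(void *), void *rnd_ctx)
{
	int tries;
	uint8_t t;

	/* Preferred: a token no pending query for any peer is using */
	for (tries = 0; tries < 256; tries++) {
		t = rnd(rnd_ctx);
		if (!token_in_use(gas, NULL, t))
			return t;
	}
	/* Fallback: the earlier rule, unique only for this specific peer */
	for (tries = 0; tries < 256; tries++) {
		t = rnd(rnd_ctx);
		if (!token_in_use(gas, addr, t))
			return t;
	}
	return -1;
}

int main(void)
{
	struct gas_state gas;
	const uint8_t a[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 1 };
	const uint8_t b[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 2 };
	uint8_t ctr = 5;

	memset(&gas, 0, sizeof(gas));
	gas_add_pending(&gas, a, 5);
	/* Token 5 is free for peer b, yet the global rule skips it */
	printf("selected token: %d\n",
	       gas_select_dialog_token(&gas, b, seq_rnd, &ctr));
	return 0;
}
```

The global pass is what makes a link-address query and an MLD-address query to the same AP MLD unlikely to share a token; the fallback preserves the old behaviour when the token space is crowded.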
Jouni Malinen [Wed, 27 Aug 2025 09:51:42 +0000 (12:51 +0300)]
GAS: Use more careful matching of pending queries
The earlier change to accept a response from an AP MLD MAC address ended
up opening an unlikely case where a single dialog token value might end
up mapping to more than one pending query entry if one of those
entries was for a link address and another one for the MLD MAC address.
This could result in processing of a response freeing a pending query
that did not match the current radio work and with that, leaving behind
a radio work that points to freed memory. That could then result in
dereferencing that freed memory.
Avoid this corner case by picking the pending query that matches the
current radio work in a case where more than a single pending query
would match the received GAS response.
Fixes: bef417152190 ("GAS: Accept GAS response using AP MLD MAC address")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Jouni Malinen [Wed, 27 Aug 2025 08:40:42 +0000 (11:40 +0300)]
SAE: Allow use of wpa_passphrase to be disabled for SAE
hostapd used to allow the configured wpa_passphrase value to be used for
either WPA2-Personal or WPA3-Personal (SAE). This was allowed in all
cases for SAE other than when there was a matching sae_password entry
for the STA.
Add a new configuration option, sae_password_psk=1, to allow use of
wpa_passphrase for SAE to be disabled. This leaves wpa_passphrase to be
used only for WPA2-Personal cases while WPA3-Personal will use only the
SAE-specific password configuration options.
nl80211: Fix crash by setting the drv->ctx properly
During nl80211_stop_ap(), the active_links bitmap is updated, and the
flink is reassigned to the next available active link in an MLD.
active_links becomes zero when nl80211_stop_ap() is called for the last
remaining link.
For example:
Consider a 3-link MLD (2.4 GHz, 5 GHz, and 6 GHz), with flink initially
pointing to 2.4 GHz:
nl80211_stop_ap() is called for 2.4 GHz -> flink is updated to 5 GHz.
Then for 5 GHz -> flink is updated to 6 GHz.
Finally for 6 GHz -> all links are stopped, and active_links becomes
zero.
Following this, when driver_nl80211_link_remove() is called and links
are removed in a specific order (say 2.4 GHz first, then 6 GHz), the
flink (which was pointing to 6 GHz) gets removed. However, the driver
context (drv->ctx) still points to bss->ctx, which was associated with
the now-deleted flink.
If an event arrives from the driver after this removal, it tries to
access drv->ctx, which now points to freed memory. This results in a
crash due to invalid memory access.
Fix by ensuring that flink is updated only during nl80211_remove_link()
and not during nl80211_stop_ap(). Also ensure that drv->ctx is properly
updated with flink->ctx during link removal and ensure that eloop timers
are properly cancelled before changing the drv->ctx.
Fixes: 2fe31050c248 ("nl80211: Use active_links to notify start/stop state of links")
Signed-off-by: Dhanavandhana Kannan <dhanavandhana.kannan@oss.qualcomm.com>
nl80211: Fix crash by cancelling scan timeout before a BSS is removed
In wpa_driver_nl80211_deinit(), eloop_cancel_timeout() is called to
cancel any pending scan timeouts. However, the scan is typically
initiated using the first BSS context, while the timeout cancellation is
attempted using the last BSS being removed. This mismatch causes the
scan timeout to remain active.
The crash occurs after deinit, when the pending scan_timeout callback is
triggered and attempts to access the BSS context that has already been
freed.
Fix by ensuring that eloop_cancel_timeout() is called before any BSS
links are removed, so the correct context is still valid during
cancellation. Also, reset scan_link to NULL if the link being removed
matches the one used for scanning, preventing access to freed memory.
Jouni Malinen [Tue, 26 Aug 2025 08:59:20 +0000 (11:59 +0300)]
SAE: Assign VLAN when using PMKSA caching
SAE passwords in hostapd can be configured with a specific VLAN ID.
Store that VLAN ID into PMKSA cache entries generated from SAE
authentication and assign it to the STA whenever using PMKSA caching
instead of new SAE authentication for an association. This is needed to
be able to use SAE to assign VLANs without having to disable PMKSA
caching.
AP MLD: Rename hostapd_is_mld_ap() to hostapd_is_multiple_link_mld()
hostapd_is_mld_ap() returns true only when there is more than one link
affiliated with the AP MLD despite the fact that one link AP MLD is also
an MLD. So rename the function to hostapd_is_multiple_link_mld() to make
the code using this helper function easier to understand.
hostapd_is_mld_ap() added in commit 5f5db9366cde ("AP: MLO: Process
Multi-Link element from (Re)Association Request frame") is used to check
whether there is need to process partner links' Association/Connection/
Authorization.
An issue was found in the previous hostapd_is_mld_ap() logic when the
interface count is larger than one and even when another interface is
not affiliated to the same MLD or is not even affiliated with any MLD,
hostapd_is_mld_ap() still returns true which makes hostapd try to
process a nonexistent partner link.
Fix this by enhancing the logic of this helper function by returning
false when no other partner link affiliated with the AP MLD exists.
Jouni Malinen [Fri, 22 Aug 2025 09:47:48 +0000 (12:47 +0300)]
tests: Make dbus_connect_oom more robust
Retry RemoveNetwork() and SelectNetwork() if they fail due to
InvalidArgs error. That error is returned if a memory allocation fails
and that is indeed what this test case is trying to trigger.
In addition, dump any potential hostapd event messages between each test
iteration to keep the logs clearer and the socket buffer smaller.
Hu Wang [Tue, 19 Aug 2025 06:43:40 +0000 (23:43 -0700)]
wpa_supplicant: Add option to disable 80+80 MHz opclass advertisement
Introduce a new global configuration parameter,
disable_op_classes_80_80_mhz, to wpa_supplicant. When set to 1, this
option prevents the advertisement of 80+80 MHz channel capabilities in
the Supported Operating Classes element sent in (Re)Association Request
frames.
This addresses a specific compatibility issue reported with certain
legacy or less compliant Soft AP implementations (e.g., on Windows PCs)
which may misinterpret or fail to process the specific octet sequence
used for 80+80 MHz channel advertisements within this element.
Not all implementations set mld_id as a user configuration to identify
partner BSS in an AP MLD, hence use hostapd_is_ml_partner() instead that
checks for interface name to identify partner BSSs.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
AP MLD: Remove redundant outer loop in hostapd_notif_disassoc_mld()
The outer loop in hostapd_notif_disassoc_mld() is not required to
iterate through affiliated AP links in an AP MLD. The inner loop alone
is sufficient for this. So clean up the outer loop.
No functional changes involved.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Hu Wang [Wed, 6 Aug 2025 06:28:17 +0000 (23:28 -0700)]
hostapd: Prevent blocking sends on control interface monitor socket
hostapd could experience prolonged blocking when sending events
to its control interface monitor clients via sendmsg. This was
particularly problematic when a client disconnected abruptly,
leaving a stale socket file, causing sendmsg to block for extended
periods (e.g., over a minute) before returning an error.
An initial attempt to mitigate this involved setting the SO_SNDTIMEO
socket option. However, testing on Android/Linux platforms revealed
that SO_SNDTIMEO did not reliably prevent the blocking behavior for
this specific Unix domain socket use case.
Use the MSG_DONTWAIT flag in the sendmsg() calls to ensure that sendmsg
operates in a non-blocking mode. This guarantees that hostapd's event
processing loop will not become unresponsive due to stuck send
operations. This matches what wpa_supplicant was already doing in
wpa_supplicant_ctrl_iface_send() as well.
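The non-blocking send the commit adopts, as an added example that is not hostapd's code: a small wrapper that passes MSG_DONTWAIT to sendmsg() on a Unix datagram socket and maps a full peer queue (EAGAIN) to a distinct return value so the caller can drop or skip the event instead of stalling the event loop. The demo function fills one side of a socketpair until the kernel reports EAGAIN, which shows the send returning immediately rather than blocking. The helper name, return convention and the 512-byte message are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Send one control-interface event without ever blocking.
 * Returns 0 on success, 1 if the peer's receive queue is full (EAGAIN,
 * the stale-monitor case the commit describes), -1 on any other error.
 */
int ctrl_monitor_send_nonblock(int sock, const char *msg, size_t len)
{
	struct iovec io = { .iov_base = (void *) msg, .iov_len = len };
	struct msghdr hdr;
	ssize_t res;

	memset(&hdr, 0, sizeof(hdr));
	hdr.msg_iov = &io;
	hdr.msg_iovlen = 1;

	/* MSG_DONTWAIT applies per call, independent of O_NONBLOCK and of
	 * SO_SNDTIMEO, so the caller's loop cannot get stuck here. */
	res = sendmsg(sock, &hdr, MSG_DONTWAIT);
	if (res < 0) {
		if (errno == EAGAIN || errno == EWOULDBLOCK)
			return 1;
		return -1;
	}
	return 0;
}

/*
 * Demo: send constructed 512-byte events into a datagram socketpair whose
 * peer never reads, until the queue fills. Returns the number of events
 * accepted before the first EAGAIN (> 0 on a working system), or -1 if
 * setup fails or the sends never report a full queue.
 */
int demo_fill_until_eagain(void)
{
	int sv[2];
	char msg[512];
	int accepted = 0;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
		return -1;
	memset(msg, 'E', sizeof(msg));	/* constructed event payload */

	for (;;) {
		int r = ctrl_monitor_send_nonblock(sv[0], msg, sizeof(msg));
		if (r == 1)
			break;		/* queue full; we returned instead of blocking */
		if (r < 0 || accepted > 1000000) {
			accepted = -1;	/* unexpected error or no back-pressure */
			break;
		}
		accepted++;
	}
	close(sv[0]);
	close(sv[1]);
	return accepted;
}

int main(void)
{
	printf("events accepted before EAGAIN: %d\n", demo_fill_until_eagain());
	return 0;
}
```

On the EAGAIN path a real daemon would count the drop and, after repeated failures, detach the monitor; the point here is only that the decision is made by the caller rather than by a blocked syscall.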
Yu Wang [Tue, 12 Aug 2025 12:30:02 +0000 (05:30 -0700)]
Add QCA vendor attributes for MSDU TX statistics
Add vendor attributes for MSDU TX statistics, including:
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_RETRY_MSDU_CNT: Unsigned 32 bit value.
It represents the number of MSDUs sent by the driver that were
retransmitted and eventually transmitted successfully.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_SUCC_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
successfully transmitted by the driver, including those that were
retransmitted and eventually succeeded.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_FW_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
handed off by the driver for transmission but were ultimately dropped by
the firmware.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_DRIVER_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
intended for transmission but were dropped by the driver before being
handed off to the firmware.
hostapd_cli: Open a new hostapd connection on ping failure when using -a
When hostapd_cli is started with the -a option, the process enters an
eloop. Every ping interval (five seconds) hostapd_cli sends a PING to
hostapd and waits to receive a response. In a particular issue scenario,
the hostapd_cli control interface socket file in /tmp/wpa_ctrl_xx gets
deleted due to which hostapd is no longer able to respond to the PING.
hostapd_cli times out waiting for the socket to become ready for read
and terminates from eloop causing the hostapd_cli process to exit.
hostapd_cli in interactive mode handles a PING response failure by
closing the current connection and opening a new connection using
hostapd_cli_reconnect(). Adopt the same approach for the action file
case instead of terminating the process.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
DPP: Avoid generating DPP shared secret(z) for non-association links
In an AP, DPP shared secret (z) for Network Introduction Protocol with
PFS is generated using the public key of a station (M) received in the
Public Key field of Diffie-Hellman Parameter element in the
(Re)Association Request frame and the AP's private key (n). In a STA,
DPP shared secret (z) is generated using the public key of the AP (N)
received in the Public Key field of Diffie-Hellman Parameter element in
the (Re)Association Response frame and the station's private key (m).
When a (Re)Association Request frame is received for ML association, the
AP MLD parses the elements in __check_assoc_ies() for the association
link and then for each of the other setup links. When the Diffie-Hellman
Parameter element is parsed on the association link, the AP MLD
generates a private key, a public key, and a shared secret (n,N,
z(n,M)). When the Diffie-Hellman Parameter element is parsed on other
links, another set of a different private key, public key, and shared
secret is derived (n1,N1, z1(n1,M)). This is not correct behavior.
In wpa_state_machine (sta->wpa_sm), store the DPP shared secret (z)
generated for the association link and skip generating it for other
partner BSS links. This will ensure that the public key shared with the
station in the (Re)Association Response is derived from the same private
key that is used to derive the DHss component used in PTK calculation.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Khanjan Desai [Wed, 4 Dec 2024 13:05:39 +0000 (18:35 +0530)]
PASN: Clear driver/firmware ranging context if PASN Auth 1 fails
When PASN auth 1 frame does not get an ack or gets failure, the call to
ap_free_sta() clears the hostapd context but the driver/firmware is not
aware of this and as such, still holds the context making it impossible
to initiate next PASN request.
Clear PASN context in underlying drivers by setting NULL context with
hostapd_drv_set_secure_ranging_ctx().
Use SCS reconfiguration logic under CONFIG_NO_ROBUST_AV
Fix build failure caused by missing SCS renegotiation logic under
CONFIG_NO_ROBUST_AV. Commit 1adffc200 (SCS: Renegotiate configured SCS
policies with new AP after roaming) introduced logic for SCS
renegotiation for roaming but did not include corresponding changes
for CONFIG_NO_ROBUST_AV.
Add the necessary handling to ensure consistent behavior and successful
builds when this flag is enabled.
Fixes: 1adffc200 ("SCS: Renegotiate configured SCS policies with new AP after roaming")
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Increase buffer size to handle long freq_list entries in config
When all common frequency bands (2.4 GHz, 5 GHz, and 6 GHz) are included
in the freq_list configuration, parsing might fail due to the buffer
being too small to accommodate the full list. This results in partial
and incorrect frequency values being read, which might be subsequently
rejected by the kernel as it cannot find a valid channel for the
malformed frequency.
Fix this by increasing the buffer size to a sufficient length in
wpa_config_read().
AP MLD: Fix STA's flag wrongly updated in SME-in-driver cases
In ieee802_1x_ml_set_sta_authorized() when trying to update partner link
STA's flag, AID checking is not sufficient as AID is always 0 for
SME-in-driver cases.
Check for STA MLD address to avoid wrongly updating other STAs' flags.
AP MLD: Properly deinit sm of non-ML STA connected to ML AP
Currently, when a non-ML client connects to an ML AP and the connection
is not fully established, ap_sta_disconnect_common() is triggered.
However, the state machine (sm) is not deinitialized because the AP is
an MLD and the assoc link ID does not match the connected link ID. This
results in sm being set to NULL, and later during ap_free_sta(), the
deinit function exits early due to sm being NULL, causing a memory leak.
Fix this issue by checking whether the connected client is an ML client
instead of checking if the AP is an ML AP just like how it is done in
ap_free_sta() as well.
QCA vendor attribute to configure BTM MLD Recommendation For Multiple APs support
Define a QCA vendor attribute to configure BTM MLD Recommendation For
Multiple APs support within the Extended MLD capability of Multi-link
element in the Association Request frame for testing purposes.
Add QCA vendor attribute to configure EHT RTWT support
Define a QCA vendor attribute to configure RTWT support subfield within
the EHT capabilities element of the Association Request frame for
testing purposes.
Add test case ap_acs_exclude_6g_non_psc to verify ACS behavior when
acs_exclude_6ghz_non_psc configuration option is enabled.
The test validates whether, in the 6 GHz band, AP comes up in a
preferred scanning channel (PSC), when acs_exclude_6ghz_non_psc
configuration option is enabled.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
ACS: Extend support to exclude 6 GHz non-PSC in non-offloaded ACS
Currently, support to exclude non-PSC 6 GHz channels is implemented
only for offloaded ACS. Extend the support to non-offloaded ACS using
the acs_exclude_6ghz_non_psc configuration option.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
ACS: Validate all channels in a segment before selection
Currently, ACS validates only the first channel in a segment against
the current configuration. If this validation passes, the channel
with the lowest interference factor within that segment is selected
as the potential primary channel. However, this can result in selecting
a primary channel that does not comply with the current configuration.
For example, in 6 GHz band with 320 MHz bandwidth, if the chanlist is
set to 33-93, ACS may select a primary channel outside the given
chanlist, in the range 97-125.
Additionally, if the first channel fails validation, the other channels
in the segment are ignored, even if they have a lower interference
factor and meet the requirements of the current configuration.
For example, in 5 GHz band with 80 MHz bandwidth, if the chanlist is
set to 153-161, the AP fails to come up because the first channel of
the segment (149) is not present in the chanlist.
Fix this issue by validating all channels in a segment. If DFS,
max_tx_power or indoor channel validation fails for any channel in
a segment, skip the segment. If chanlist/freqlist validation fails for
any channel in a segment, choose another channel in the same segment.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
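The selection rule the commit spells out, as an added example that is not hostapd's ACS code: walk every channel of a segment, drop the whole segment when a hard constraint (DFS here; max_tx_power and indoor would be treated the same way) fails for any channel, and when only the chanlist check fails for a channel, keep looking for another primary candidate inside the same segment. The earlier first-channel-only rule is included beside it so the two behaviours can be compared on the commit's own 5 GHz, 80 MHz, chanlist 153-161 scenario. The channel struct, the non-overlapping segment layout and the interference values are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

struct acs_chan {
	int freq;		/* MHz */
	double interference;	/* ACS interference factor; lower is better */
	bool dfs;		/* channel requires DFS */
	bool in_chanlist;	/* allowed by chanlist/freqlist */
};

struct acs_cfg {
	int seg_size;		/* 20 MHz channels per segment: 4 for 80 MHz */
	bool allow_dfs;
};

/* Earlier behaviour: only the segment's first channel is validated. */
int acs_select_primary_first_only(const struct acs_chan *ch, int n,
				  const struct acs_cfg *cfg)
{
	int best = -1;

	for (int s = 0; s + cfg->seg_size <= n; s += cfg->seg_size) {
		if ((ch[s].dfs && !cfg->allow_dfs) || !ch[s].in_chanlist)
			continue;	/* whole segment dropped on first channel */
		int cand = s;
		for (int i = s + 1; i < s + cfg->seg_size; i++)
			if (ch[i].interference < ch[cand].interference)
				cand = i;	/* may land outside chanlist */
		if (best < 0 || ch[cand].interference < ch[best].interference)
			best = cand;
	}
	return best;
}

/* Fixed behaviour: validate every channel in the segment. */
int acs_select_primary(const struct acs_chan *ch, int n,
		       const struct acs_cfg *cfg)
{
	int best = -1;

	for (int s = 0; s + cfg->seg_size <= n; s += cfg->seg_size) {
		int cand = -1;
		bool skip = false;

		for (int i = s; i < s + cfg->seg_size; i++) {
			if (ch[i].dfs && !cfg->allow_dfs) {
				skip = true;	/* hard failure: skip segment */
				break;
			}
			if (!ch[i].in_chanlist)
				continue;	/* soft failure: try other channels */
			if (cand < 0 || ch[i].interference < ch[cand].interference)
				cand = i;
		}
		if (skip || cand < 0)
			continue;
		if (best < 0 || ch[cand].interference < ch[best].interference)
			best = cand;
	}
	return best;
}

/* Constructed channel table: a DFS 80 MHz segment (52-64) and the
 * commit's 149-161 segment with chanlist 153-161. Returns chosen freq. */
int acs_demo_primary_freq(bool allow_dfs, bool fixed_logic)
{
	const struct acs_chan chans[] = {
		{ 5260, 0.01, true, true },	/* 52 */
		{ 5280, 0.01, true, true },	/* 56 */
		{ 5300, 0.01, true, true },	/* 60 */
		{ 5320, 0.01, true, true },	/* 64 */
		{ 5745, 0.10, false, false },	/* 149: outside chanlist */
		{ 5765, 0.30, false, true },	/* 153 */
		{ 5785, 0.20, false, true },	/* 157 */
		{ 5805, 0.40, false, true },	/* 161 */
	};
	struct acs_cfg cfg = { 4, allow_dfs };
	int idx = fixed_logic ? acs_select_primary(chans, 8, &cfg)
			      : acs_select_primary_first_only(chans, 8, &cfg);

	return idx < 0 ? -1 : chans[idx].freq;
}

int main(void)
{
	printf("old logic, no DFS: %d\n", acs_demo_primary_freq(false, false));
	printf("new logic, no DFS: %d\n", acs_demo_primary_freq(false, true));
	return 0;
}
```

With DFS disallowed, the old rule returns -1 (the AP fails to come up because 149 is not in the chanlist) while the new rule picks 157, the lowest-interference channel of the segment that the chanlist permits.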
ACS: Fix incorrect index calculation for primary channel
Currently, in the calculation of the index of the primary channel,
the best frequency, which is the primary channel frequency, is
always greater than the frequency of the first channel in
the bandwidth. As a result, the computed value of the index of
the primary channel would be negative, which is incorrect.
Fix bug in the calculation of the index of the primary channel.
Fixes: 627b67f29b1e ("ACS: Fix primary channel puncturing in ACS")
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
nl80211: Use i802_bss in qca_set_allowed_ap_freqs() to use correct ifindex
With commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), allowed
frequencies are configured only on the first interface.
Use i802_bss context for preparing nlmsg with correct ifindex.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces")
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Girish Kumar M P [Thu, 12 Jun 2025 11:25:23 +0000 (16:55 +0530)]
Add QCA vendor attribute to disable A-MSDU address check validation
Add a new u8 vendor attribute in the subcommand,
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION,
QCA_WLAN_VENDOR_ATTR_CONFIG_AMSDU_ADDR_CHECK_VALIDATION, which enables
or disables additional validation for Destination Address (DA) and
Receiver Address (RA) for A-MSDUs. Such validation may have
interoperability issues with deployed devices that intentionally send
3-address frames with different SA and DA, which are being dropped due
to this additional validation.
To work around this, the additional checks can be disabled using the MAC
address of the peer. The separate LLC/SNAP validation for A-MSDUs
mitigates the PP A-MSDU not protected vulnerability. As an extra layer of
protection, we check the SA/DA against the TA/RA respectively. Enabling
that by default ensures enhanced security while allowing flexibility for
specific already deployed device behavior to function correctly by
disabling the additional validation as needed.
Signed-off-by: Girish Kumar M P <gmp@qti.qualcomm.com>
P2P: Fix preferred frequency list size handling in p2p_check_pref_chan()
Currently, the P2P GO (Group Owner) prefers the PCL (Preferred Channel
List) from the driver to select the operating channel for group
formation. However, wpa_supplicant is limiting the maximum allowed
channels to "num_pref_freq", even though the driver may return a longer
list.
To fix this, update the logic in p2p_check_pref_chan() to use
ARRAY_SIZE(p2p->pref_freq_list) when passing the size to
get_pref_freq_list(), and update p2p->num_pref_freq based on the value
returned by the driver function. This ensures the preferred frequency
list is sized correctly according to the driver response.
Cancel pending connect radio work when network is removed
When a network is removed it is not desired to proceed with the connect
process. So cancel the corresponding pending connect work when the related
network is removed.
Jay Shukla [Mon, 9 Jun 2025 18:25:04 +0000 (23:55 +0530)]
Add QCA vendor interface for configuring feature control configurations
Add QCA_NL80211_VENDOR_SUBCMD_FEATURE_CONFIG to control the features
enablement based on the OUI data and capabilities advertised by the AP
in its Beacon and Probe Response frames.
Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
AP MLD: Deinit BSS link if starting beaconing fails
In the current implementation, when hostapd_start_beacon() fails during
AP MLD setup, it flushes old station entries, deauthenticates all
stations, and frees hapd data. However, it does not unlink the
associated BSS from the AP MLD structure.
While performing wifi stability testing during interface down/up, this
retains a stale reference to the freed BSS. Subsequent attempts to
access MLD links post-failure lead to a segmentation fault due to this
use-after-free condition.
Fix this by unlinking the BSS from the AP MLD on failure paths to
prevent potential use-after-free scenarios.
Kashish Awasthi [Wed, 25 Jun 2025 09:02:51 +0000 (14:32 +0530)]
Add QCA vendor attributes for DAR configurations
Add Dynamic Analytics Report (DAR) configuration subcommand based on
Wi-Fi Alliance QoS Management specification to initiate DAR request or
terminate existing DAR session.
Implementation and scheduling of DAR statistics is present in the
driver/firmware. DAR reports and control plane events attribute are
filled in the driver. This interface is used to configure the required
parameters to the driver/firmware for DAR request and DAR session
terminate frames.
Add QCA_NL80211_VENDOR_SUBCMD_LINK_STATE_CHANGE event to notify the
current active and inactive links among the affiliated MLO links. This
event is sent to userspace when there is a change in the status of the
links along with the reason for the link status change.
Add QCA vendor subcommand/event and attributes for telemetry statistics
Add two new vendor subcommand/events for telemetry statistics request.
1. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WIPHY
2. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WDEV
Currently in the vendor subcmd processing one subcommand can support
either wireless_dev(WDEV) or WIPHY based on the flags set in
wiphy_vendor_command. Hence to support both WDEV and WIPHY two vendor NL
subcommands were added.
This vendor subcommand/event enables the collection of WLAN statistics
across multiple hierarchical levels listed below within the driver.
This is a non-blocking request where the driver responds asynchronously
with a vendor event containing the requested statistics.
In this initial phase, only the attributes for basic RX statistics such
as RXDMA errors and REO errors are included. Keeping this as a base,
additional statistics and attributes will be added incrementally in the
future.
ACS: Fix incorrect call to hostapd_config_check_bss_6g()
In ap_drv_ops.c, the call to hostapd_config_check_bss_6g() is executed
unconditionally. However, it should only be used when the BSS is
actually configured on a 6 GHz operating class. This leads to false
configuration errors in setups where the 6 GHz BSS has proper settings
but other bands (2.4/5 GHz) share the same config structure.
Add the missing is_6ghz_op_class() condition, mirroring how it's already
used elsewhere in the codebase (e.g., in ap_config.c).
Fix verified on OpenWRT 24.10-SNAPSHOT using Mediatek Wi-Fi 7 hardware.
Fixes: 02a8d40c9ffb ("ACS: Validate 6 GHz AP criteria before ACS")
Signed-off-by: Christopher Söllinger <christopher.soellinger@gmail.com>
SCS: Renegotiate configured SCS policies with new AP after roaming
After STA roams to a new AP, previously configured SCS policies were not
automatically reapplied, as neither IEEE 802.11 nor WFA mandates policy
persistence across roaming events. However, it can be better for real
use cases to maintain the same configuration whenever possible.
Furthermore, the previously negotiated SCS session might still appear to
be active in wpa_supplicant status after roaming even when it was not
really in use anymore.
Ensures that active SCS rules are retriggered post-roaming to maintain
the agreed QoS levels, preserving consistent performance.
tests: Add PASN tests with user-specified authentication parameters
Introduce test cases for PASN authentication using user-preferred
network parameters such as AKMP, cipher, password, and comeback
cookie data.
These tests validate the ability to initiate PASN from the driver
with full parameter control, ensuring compatibility with recent
control interface enhancements.
PASN: Testing support for PASN with user-specified parameters
Extend control interface support to allow PASN authentication with
user-defined network parameters such as AKMP, cipher, password, and
comeback cookie to be tested with the PASN_AUTH driver event.
Update the pasn_sae_driver test case to align with these control
interface changes.
This enhancement modifies the existing PASN_DRIVER command to accept
additional parameters beyond just the peer BSSID, which was a limitation
in the earlier implementation. This command is included only in
CONFIG_TESTING_OPTIONS builds.
Allow PASN Authentication with a comeback request after the AP's
requested comeback time, as indicated in the status report of the PASN
handshake. Also enable the comeback mechanism by including comeback time
and cookie in the status report to extend PASN Authentication with
comeback.
PASN: Authentication with user-specified network parameters
Allow PASN Authentication with user requested network parameters such
as AKMP, cipher, and password in driver initiated cases.
These changes will allow the user to choose which AKMP and cipher to use
with PASN Authentication and also to specify the password in case of
PASN-SAE. When the password is supplied a temporary network block is
created and used to perform PASN. Any temporary network block that is
created will be destroyed after PASN regardless of whether PASN succeeds
or fails.
nl80211: Propagate newly introduced parameters for PASN events
Allow the driver to initiate PASN Authentication using user-preferred
AKMP, cipher for secure ranging, and password for SAE-tunneled PASN
authentication in the cases that use driver event to trigger PASN.
These helper functions for converting between cipher/AKM suites and
internal bitmaps should not be limited to cases where a pointer to a
buffer containing the suite selector is used. Split them into separate
functions that enable more convenient reuse in other places.
Shivani Baranwal [Wed, 11 Jun 2025 05:35:30 +0000 (11:05 +0530)]
tests: Remove setting of P2P pairing setup and pairing cache config
The P2P_SET control interface command for manual configuration of P2P2
pairing setup and caching has been removed. Remove setting of these
parameters from test cases.
Shivani Baranwal [Wed, 11 Jun 2025 05:09:46 +0000 (10:39 +0530)]
P2P2: Remove P2P_SET setting of pairing_setup and pairing_cache
Pairing setup and cache are now derived from driver capabilities. Remove
the control iface P2P_SET commands to set P2P pairing_setup and
pairing_cache.
Shivani Baranwal [Wed, 28 May 2025 09:58:11 +0000 (15:28 +0530)]
P2P2: Remove configuration params p2p_pairing_setup and p2p_pairing_cache
These configuration parameters were added initially to configure them
through wpa_supplicant configuration files. These are not being used as
now the p2p_pairing_setup and p2p_pairing_cache are being configured
based on driver capabilities.
Nirav Shah [Fri, 30 May 2025 16:30:06 +0000 (22:00 +0530)]
Add QCA vendor attributes for latency based power save mode
Add QCA vendor attributes
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LATENCY_TOLERANCE and
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LEVEL to configure
latency based power save mode.
Shubham Joshi [Tue, 17 Jun 2025 05:46:48 +0000 (11:16 +0530)]
Preserve user roaming configuration across connection state changes
Prevent unintended roaming re-enablement after connection state
changes, even when user configuration disables it.
If the user disables roaming, after each state change post-connection
wpa_supplicant re-enables roaming when bssid_set is false. This might
cause the driver to send a roam enable configuration to the firmware,
overriding the user's intent.
Fix this by ensuring wpa_supplicant logic to check both bssid_set and
the user’s roaming configuration (`SET roaming`) after each connection
state change. Ensure roaming is only re-enabled if explicitly
configured, allowing the driver to maintain the intended roaming state
throughout the connection.
Mohan Kumar G [Tue, 17 Jun 2025 15:01:01 +0000 (20:31 +0530)]
Avoid set beacon operations when color change is in progress
Avoid setting beacon during BSS Color Change Announcement (CCA), similar
to Channel Switch Announcement (CSA), as beacon updates to the
corresponding BSSes are not allowed during this period.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com>
Kavita Kavita [Thu, 19 Jun 2025 08:20:47 +0000 (13:50 +0530)]
PASN: Check auth alg to avoid unnecessary Authentication frames parsing
PASN authentication frames are processed before SAE authentication
frames for the driver-to-userspace offloaded case without verifying the
authentication algorithm in the received frame. This results in
unnecessary frame parsing for non-PASN frames and potentially confusing
debug log entries.
Check the authentication algorithm before the PASN frame parsing to
ensure only PASN Authentication frames are processed, avoiding
unnecessary parsing.
Benjamin Berg [Wed, 18 Jun 2025 12:22:04 +0000 (14:22 +0200)]
tests: Use logger.exception to dump full traceback
The log sometimes does not contain relevant information. Switch to use
logger.exception which dumps the full exception information. Note that
the logging happens with level ERROR, so it will be dumped to the
stdout/stderr by default.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:21 +0000 (10:10 +0200)]
tests: Permit multiple GO negotiation failures
In this test the station will do a P2P find and then send a GO
negotiation request. However, the other station may not be on the listen
channel at the time when the action frame is transmitted. In this case,
the find/GO neg request sequence is restarted.
The test currently times out if this sequence fails twice in a row. Be
more tolerant to this type of failure and increase the timeout.
It may also be possible to improve the retransmit strategy.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:20 +0000 (10:10 +0200)]
RRM: Send a refuse reply if the measurement scan failed
If the scan is aborted or missing the expected TSF BSSID, then still
send a REFUSED reply to the AP to let it know. It can request another
measurement if it wants to.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:19 +0000 (10:10 +0200)]
WPS: Fix leak of dh_ctx in error cases
Usually the dh_ctx is passed into the WPS state and is freed in that
case. However, under some circumstances this may not happen and then a
leak can occur.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:29 +0000 (10:47 +0200)]
tests: Permit encryption of Deauthentication frame
The test does not intentionally send an unencrypted frame. This seems to
simply be done because the parameter value is not obvious. Change it to
permit encryption so that the frame can be sent directly rather than
going through the monitor interface.
This really doesn't make a difference overall, but it is closer to what
was intended here.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:28 +0000 (10:47 +0200)]
tests: Ensure the RoC is setup when the NAN frame arrives
At least in UML it could sometimes happen that the RoC is ready only
slightly after the NAN frame is TXed (a few microseconds). Insert
a short sleep to prevent this race from happening.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:27 +0000 (10:47 +0200)]
tests: Generate proper dependencies for all tests
The object files were not getting any dependency information as they
were using BUILDOBJ directly. Move the rules into a separate include
file and also generate the proper dependency include so that the tests
are rebuilt correctly.
This changes building of some tests slightly as their rules were using
$< instead of $^. However, it should not cause any harm.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:26 +0000 (10:47 +0200)]
tests: Improve tshark boolean output support
Newer tshark versions are exporting some values as boolean with a
False/True string value. Add a helper that accepts an integer of any
base and also a "True"/"False" string.
Update various places to use the new helper.
Fixes: bf67d09e587a ("tests: Handle newer tshark version returning boolean values")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
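As an added illustration of the kind of helper this commit describes (this is example code written here, not the hostap test suite's own implementation): a parser that accepts the values tshark prints for a field either as an integer in any base or as a "True"/"False" string, plus a small wrapper that applies it to one constructed `tshark -T fields` output line. The field names and the sample line are constructed for the example.

```python
def tshark_int(value):
    """Convert a tshark field value to an int.

    Accepts:
      - "True"/"False" (case-insensitive), as newer tshark versions emit
        for boolean fields, mapped to 1/0;
      - an integer in any base understood by Python's literal syntax
        ("0x1a", "0o17", "0b101", "26");
      - a plain decimal with leading zeros ("010"), which int(s, 0)
        rejects, so fall back to base 10.
    """
    s = value.strip()
    lowered = s.lower()
    if lowered == "true":
        return 1
    if lowered == "false":
        return 0
    try:
        return int(s, 0)
    except ValueError:
        return int(s, 10)


def parse_fields_line(line, names):
    """Map one tab-separated `tshark -T fields` line onto integer values.

    `names` is the ordered list of field names passed to tshark with -e.
    Empty values (a field absent from the frame) are returned as None.
    """
    values = line.rstrip("\n").split("\t")
    parsed = {}
    for name, raw in zip(names, values):
        parsed[name] = tshark_int(raw) if raw != "" else None
    return parsed


# Constructed sample: field names and one output line as a newer tshark
# might print them, mixing a boolean, a hex value and a decimal value.
SAMPLE_FIELDS = ["wlan.fc.protected", "wlan.fc.type_subtype", "wlan.seq"]
SAMPLE_LINE = "True\t0x0020\t17\n"

if __name__ == "__main__":
    print(parse_fields_line(SAMPLE_LINE, SAMPLE_FIELDS))
```

With the sample line above the wrapper returns the protected flag as 1, the type/subtype as 32 and the sequence number as 17, so code written against the older integer-only output keeps working when tshark starts emitting booleans.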
Benjamin Berg [Wed, 11 Jun 2025 08:47:25 +0000 (10:47 +0200)]
tests: Add sleep to ensure wlantest processed packets
At least with EEVDF it appears to occasionally happen that wlantest has
not processed all packets but does respond to the command to query the
BSS counter. Fix this by inserting a sleep.
An alternative approach could be to force command handling into a
timeout or introducing a priority concept to eloop.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:24 +0000 (10:47 +0200)]
tests: Ensure D-Bus property change notifications happen in VM
When running in a VM (UML time-travel to be exact), it may happen that
not enough time passes and the 5 ms timeout for property notification
causes compression of events. However, some tests will check that all
property notifications were done and this compression can cause test
failures.
Work around this by simply inserting a 5 ms sleep for any signal handler
call.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:23 +0000 (10:47 +0200)]
tests: Use clear_regdom() helper in ap_vht tests
In some places, the code did not wait for the regulatory domain change.
Replace the cleanup code with calls to clear_regdom as that does the
right thing, which should avoid errors in UML with time-travel mode.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:22:51 +0000 (16:52 +0530)]
AP MLD: Include BPCC only in (Re)Association Response frames
Currently in ML Probe response, the per-STA Profile STA control has BSS
Parameters Change Count (BPCC) present by default for all frames.
As per IEEE P802.11be/D7.0, 9.4.2.322.2.4, AP sets this field to 1 in
(Re)Association Response frame and sets to 0 in other frames.
Hence, update this by including the BPCC present bitmask and BPCC value
in STA Info field for ML (Re)Association Response frames only. However,
since this seems to break interoperability with the current mac80211
implementation for processing Link Reconfiguration Response frames,
leave BPCC present in the Basic MLE in those frames as a workaround for
now.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com>
Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
For calculating the ML STA profile length, there are currently two macros,
EHT_ML_STA_INFO_LEN and EHT_ML_STA_INFO_LENGTH. Both point to the same
length, hence remove the latter and use the EHT_ML_STA_INFO_LEN macro length
definition only.
PASN: Reuse existing PTKSA cache keys instead of redoing PASN
When a successful PASN exchange has already occurred with a peer,
the derived keys are stored in the PTKSA cache. If another PASN
request is received for the same peer, these cached keys should
be reused. However, the cache was previously bypassed due to the
incorrect pairwise cipher argument.
Ensure the correct parameters are set in advance, from the RSNE data
allowing the cache to be used when appropriate.
tests: Fix pasn_sae_driver to clear PTKSA cache after first PASN exchange
The test pasn_sae_driver triggers PASN for the same peers twice. In the
current implementation, when PASN succeeds, the keys generated are
stored in the PTKSA cache.
The function wpas_pasn_configure_next_peer() shows an issue where it
does not reuse keys from a previous PASN exchange, even when those keys
are available in the cache. Instead, it initiates a new PASN exchange
unnecessarily.
Fix the test case by deleting the keys from the cache after the first
PASN attempt. This ensures a full PASN exchange can occur again. A
subsequent commit will address the API behavior to reuse keys from the
cache when available.
Benjamin Berg [Tue, 10 Jun 2025 15:08:57 +0000 (17:08 +0200)]
tests: Try next tshark filter for UnknownFieldsException
The intention in commit cc35ed3e257a ("tests: Permit passing multiple
valid tshark filters") was to permit passing multiple filters in order
to permit compatibility with older tshark versions. However, this did
not work as expected for the UnknownFieldsException.
Fix that by storing it in last_exception as for other errors. This fixes
running some EHT tests with older tshark versions.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>