Move beacon transmit rate configuration from radio level to BSS level
This enables control of the beacon transmission rate on a per-BSS basis.
Refactor beacon rate handling by moving the beacon_rate and rate_type
fields from struct hostapd_config to the per-BSS struct
hostapd_bss_config structure. This change ensures that beacon rate
settings are applied at BSS level, allowing multiple BSS instances to
have independent configurations. This updates the configuration parsing
logic to set these values in BSS context and adjusts beacon parameter
building to reference the BSS-level fields.
Move supported/basic rate set configuration to be per-BSS
hostapd currently handles supported and basic rate sets at the
radio/interface level, causing all BSSs on the same interface to share
the same configuration. This prevents per‑BSS customization of rate
advertising and enforcement.
Move supported_rates and basic_rates from the per-interface struct
hostapd_config into per-BSS struct hostapd_bss_config and prepare
filtered, per‑BSS rate tables in struct hostapd_data. The per‑BSS rates
are then used when configuring basic rate set to the driver, when
constructing Beacon and Probe Response frames, when initializing station
defaults, and when reporting via ctrl_iface status. AP/mesh paths in
wpa_supplicant are updated to set BSS‑level rate arrays, and memory
management is adjusted accordingly to avoid iface‑level storage.
If a BSS does not explicitly configure basic_rates, defaults are chosen
based on the current hardware mode in the same manner as was done
previously at per-interface level.
Yu Tian [Tue, 16 Dec 2025 03:17:20 +0000 (19:17 -0800)]
Add QCA vendor attributes for MSDU/MPDU RX statistics
Add vendor attributes for MPDU/MSDU RX statistics:
QCA_WLAN_VENDOR_ATTR_LL_STATS_RX_DRIVER_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that
were received from hardware fast receiving rings.
QCA_WLAN_VENDOR_ATTR_LL_STATS_RX_DRIVER_MPDU_CNT:
Unsigned 32 bit value. It represents the number of MPDUs that
were received from hardware fast receiving rings.
Add vendor specific config actions to allow/disallow NSS > 2
Introduce two actions in enum qca_wlan_vendor_feature_config_action to
control spatial stream (NSS) usage for STA connections:
- QCA_WLAN_VENDOR_FEATURE_CONFIG_ACTION_ALLOW_NSS_GT_2:
Permit RX/TX NSS greater than 2 only if the AP matches an entry in the
configuration data list.
- QCA_WLAN_VENDOR_FEATURE_CONFIG_ACTION_DISALLOW_NSS_GT_2:
Restrict RX/TX NSS to 2 or below if the AP matches an entry in the
configuration data list.
- Configuring allow clears any existing disallow configuration.
- Configuring disallow clears any existing allow configuration.
- Default NSS negotiation applies when neither action is configured.
Signed-off-by: Venkata Sai Teja Bathini <vbathini@qti.qualcomm.com>
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Support specifying variable length KCK
The current PASN definition uses a fixed length KCK, but that does not
feel ideal for some use cases, e.g., with the PASN-based EPPKE. Add
support for specifying the KCK length when calculating the MIC for PASN
Authentication frames. The actual calculation of the MIC is still
requiring the hardcoded 32 octet length to be used, i.e., this does not
change the actual behavior yet, but is a step towards making it easier
to support variable length KCK in the future, if needed.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com> Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Extend hash algorithm selection to cover SAE-EXT-KEY AKMs
Updates PASN key derivation to support SAE-EXT-KEY AKMs and hash
algorithm selection in line with IEEE Std 802.11-2024, 12.13.8, 12.13.9
and 12.4.2. Select the appropriate hash algorithm
(SHA-256/SHA-384/SHA-512) for PTK derivation based on the PMK length
when using SAE-EXT-KEY so that the longer key length cases with groups
20 and 21 are covered.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com> Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Thu, 18 Dec 2025 09:26:55 +0000 (11:26 +0200)]
PASN: Specify hash algorithm in calls to helper functions
Instead of determine which hash algorithm to use separately for
calculating the MIC and Auth1 hash values, specify the hash algorithm in
the function calls using the algorithm selected during PTK derivation.
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Move MIC element check to be after PTK derivation
This makes it more convenient to determine which hash algorithm to use
during PTK derivation instead of having to figure that out multiple
times based on different information.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com> Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Wed, 17 Dec 2025 20:06:14 +0000 (22:06 +0200)]
PASN: Calculate Auth1 hash after PTK derivation
It is more convenient to wait with the Auth1 hash calculation to avoid
having to figure out which hash algorithm to use before the PTK is
derived. Auth1 hash is defined to use the same hash algorithm as the one
that was used during PTK derivation. This requires a bit more memory,
but that is justifiable with the simplified implementation.
Correct the logic in p2p_pref_channel_filter() to ensure that operating
classes are added contiguously to the result pref_chanlist. Previously,
if an operating class had no matching channels after filtering, its slot
in the result was effectively skipped, leading to incorrect indexing and
potential loss of valid subsequent operating classes.
Fixes: 4383528e0195 ("P2P: Use weighted preferred channel list for channel selection") Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 07:07:31 +0000 (15:07 +0800)]
defconfig: Uncomment CONFIG_IEEE80211BE=y
wpa_supplicant has supported IEEE 802.11be (Wi-Fi 7) for over three
years. With growing market demand for Wi-Fi 7, it is now an appropriate
time to enable IEEE 802.11be support. This is needed mainly to enable AP
mode functionality in wpa_supplicant.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 07:07:30 +0000 (15:07 +0800)]
defconfig: Document IEEE 802.11be as a published amendment
The comment about the IEEE 802.11be functionality being experimental
and based on a not yet finalized standard is not accurate anymore
since IEEE Std 802.11be-2024 has already been published. Remove this
outdated comment.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 06:11:05 +0000 (14:11 +0800)]
defconfig: Update Opportunistic Wireless Encryption (OWE) state
OWE enhances privacy in public and enterprise environments where open
networks are prevalent. Enabling OWE aligns with modern security best
practices and supports the testing and development of OWE-capable
devices.
OWE is now standardized in IEEE Std 802.11-2024 while it was originally
specified in IETF RFC 8110 (updated by RFC 9672). It is not experimental
anymore, i.e., there has been significant interoperability testing and
there are deployed cases.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Jouni Malinen [Thu, 11 Dec 2025 18:39:37 +0000 (20:39 +0200)]
proc_coord: Testing and example use of process coordination
Add hwsim testing for proc_coord to enable automated testing of this
functionality. In addition, this shows a simple example on how the
defined proc_coord API can be used.
Jouni Malinen [Wed, 10 Dec 2025 10:38:23 +0000 (12:38 +0200)]
proc_coord: Process coordination for hostapd and wpa_supplicant instances
Add a framework for coordinating operations between multiple hostapd and
wpa_supplicant processes running on the same CPU. This provides
functionality for performing request/response operations and sending
event messages between the processes. This could be used, e.g., to
coordinate channel selection between multiple hostapd instances
operating BSSs on the same radio or between hostapd and wpa_supplicant
processes to coordinate channel switching of the AP interface based on
backhaul connection switching its operating channel.
UNIX domain sockets are used for sending the messages between processes.
The new command line argument -z<directory> can be used to enable this
functionality in hostapd and wpa_supplicant. The directory needs to be
created before starting hostapd/wpa_supplicant and the permissions for
that directory should be set in a manner that prevents access from
untrusted processes. There is no additional access control for this
within hostapd/wpa_supplicant.
The messages exchanged between the processes are assuming the same
source code snapshot and build parameters are used in all participating
processes. The encoding of the messages and the performed functions can
be modified from one snapshot to another and from one build
configuration to another and any kind of mixing of different versions or
build configurations is not supported and can result in unexpected
behavior.
Benjamin Berg [Thu, 30 Oct 2025 08:24:49 +0000 (09:24 +0100)]
common: Use signed return value for ieee802_11_defrag_mle_subelem
The function returns -1 on error which is not a valid value for size_t.
Fix this by returning ssize_t.
Fixes: 88f7d4cedfea ("Helper function for defragmenting of Multi-Link element subelements") CC: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:48 +0000 (09:24 +0100)]
common: Fix definition of EHT_ML_EML_CAPA_RESERVED
The 0x0080 bit was accidentally added in commit d0bd79a2d684 ("BSS:
Verify the ML common info for links") even though it is not reserved
and maps to EHT_ML_EML_CAPA_EMLMR_SUPP already.
Fixes: d0bd79a2d684 "BSS: Verify the ML common info for links") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:47 +0000 (09:24 +0100)]
tests: Add network to P2P device
If this test is run with a P2P Device Interface, the network must be
specified in the commands. Change the test to use the appropriate
functions so that it works in all cases.
Fixes: 24a33f7ca4cf ("tests: Verify P2P2 PCC Auto GO and PCC client join") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:46 +0000 (09:24 +0100)]
P2P2: Handle identity ID consistently within files
Using an ID to reference a specific identity= block within the same file
for the DIK has the problem that it requires the IDs to be stable.
However, we also use a static int for the ID enumeration in case
multiple files are read.
Overall, it seems like it could be better to use the DIK as an
identifier. However, we do not, so the numbering needs to be restored
consistently within the file. The straight forward way to achieve this
is to store the base of the counter as a static variable and adding it
to both the go_dik_id and the id of the identity= blocks.
For all of this to work, we also need to make sure that we write out the
values with file-local indices. As such, we need to use the position in
the internal list rather than the assigned ID when writing the values.
Fixes: 417c67468b8d ("P2P2: Add device identity block to wpa_supplicant configuration") Fixes: ec4569174750 ("P2P2: Store ID of Device Identity block in network block") CC: Shivani Baranwal <quic_shivbara@quicinc.com> CC: Vinay Gannevaram <quic_vganneva@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:43 +0000 (09:24 +0100)]
wpa_supplicant: Accept NOTE command on global socket
This is needed because we want to send a NOTE with the current test to
all wpa_supplicant instances, and not all of them may have an interface
configured at the time.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:42 +0000 (09:24 +0100)]
utils: Keep the last NOTE message as context for backtraces
When storing a backtrace, keep the string that was last used in a NOTE
message as context information. Keep all past strings in a list so that
they will remain available.
With this, we are able to show in leak reports which test did the
allocation. This is useful to more quickly solve issues as it can be
hard to find the triggering test otherwise.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:41 +0000 (09:24 +0100)]
tests: Check for WPA_TRACE messages in hostapd log
Otherwise the tests will simply pass even though, e.g., a memory leak or
other error is reported. So read the log file and raise an exception
when it contains the 'WPA_TRACE:' string.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:40 +0000 (09:24 +0100)]
wpa_debug: Use separate buffer for path and improve error checking
Using the same buffer for output and input could already result in
an overlapping source and destination in snprintf. This was working
fine, however, with the patch to also find tracefs, we continue to parse
the buffer. In that case, the continued parsing can corrupt the found
path causing an error.
Fix this problem and reshuffle the code a bit to make it a bit more
clear and improve the condition to skip lines that could not be parsed
properly.
Fixes: 0a76c7ed64de ("wpa_debug: Prefer tracefs over debugfs") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:39 +0000 (09:24 +0100)]
utils: Provide hexdump stubs as inline functions
Otherwise the compiler may emit a warning if there are no other users of
a variable passed to one of them.
Fixes: 7a1893fd3aa8 ("MLD: Handle link reconfiguration updates from the driver") CC: Kavita Kavita <quic_kkavita@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:38 +0000 (09:24 +0100)]
tests: Fetch BSS from P2P device interface
The wifi_display test needs to fetch the BSS from the P2P device
interface when a separate interface is in use. Adjust the test so that
it works in all configurations.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:37 +0000 (09:24 +0100)]
wpa_supplicant: Define last_scan_freqs as int_array
Since commit 4435bc1b8abc ("Fix sibling scan results update criteria for
different channels") it is assumed that last_scan_freqs is an int array.
However, it was not so that the comparison would read memory past the
end of the array.
Fixes: 4435bc1b8abc ("Fix sibling scan results update criteria for different channels") CC: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:36 +0000 (09:24 +0100)]
int_array: Only iterate existing elements in equality check
Fix the upper bound of the for loop to terminate before the final
element is reached. Without this fix, the loop would try to find the
trailing zero in the second array, resulting in the comparison to be
always false.
Fixes: 56f7d76d745a ("int_array: Add a function to check for equality") CC: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:35 +0000 (09:24 +0100)]
WNM: Clear the target BSS on reset
Otherwise it might never be cleared in some cases and the BSS has to be
kept alive even though it is not needed anymore. This can result in a
memory leak at shutdown.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:34 +0000 (09:24 +0100)]
eloop: Remove references before destroying socket table
If the table is not yet empty, there are still references stored inside
the table and inserted into the global reference list. Clean these up
before freeing the table to avoid an use-after-free if a socket was not
removed and tracing is enabled.
Fixes: a6ff0e0810b4 ("trace: Add active reference tracking") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:32 +0000 (09:24 +0100)]
AP: Fix use after free in link reconfiguration
Print the station MAC address before freeing the data.
Fixes: e166a37632d4 ("AP MLD: Control interface events for ML Setup Link Reconfiguration) CC: Mohan Kumar G <quic_mkumarg@quicinc.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Older mount with newer hostfs doesn't correctly interpret the
parameters. Specify the mounted dir exlicitly with hostfs=.
This way it works both with old an newer kernels.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Sat, 13 Dec 2025 19:22:49 +0000 (21:22 +0200)]
tests: Fix nan_usd_provisioning
This test case had swapped the subscribe and publish IDs for some of the
operations and expected values and that resulted in this failing
whenever dev[0] and dev[1] did not have the exact same current ID value
in their NAN state. For example, this failed in this test case sequence:
nan_usd_publish nan_usd_provisioning
Fix this by using the correct handle IDs for the service on each device.
Ilan Peer [Fri, 17 Oct 2025 14:00:36 +0000 (16:00 +0200)]
nl80211: Support scanning as AP when not beaconing
If the kernel indicated support for scanning on AP interface, set
NL80211_SCAN_FLAG_AP in the scan request when the interface is not yet
beaconing. In that case, it is possible to do a scan without interfering
with normal AP operation so it is safe to set the flag.
This is important because otherwise it may not be possible to do the
appropriate scans required to bring up an interface that is part of an
MLD.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Fri, 17 Oct 2025 14:00:35 +0000 (16:00 +0200)]
nl80211: Only do station mode fallback for -EOPNOTSUPP
If the AP interface does not support scanning (or if
NL80211_SCAN_FLAG_AP is not set), then mac80211 will report -EOPNOTSUPP.
Only in this case it makes sense to try switching the interface type. So
change the restriction and drop the now unreachable code. Note that in
the case of MLD we will still never try to do an interface switch as
there is a check for valid_links later on.
This replaces the earlier changes from commit 666d695bbd04 ("nl80211:
Fix simultaneous scanning failure in case of MLO") with a simpler design
for avoiding the undesired change to STA mode in the AP MLD case.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 15 Oct 2025 15:44:01 +0000 (17:44 +0200)]
tests: Verify that changing p2p_disabled removes/adds P2P device
Add a test to verify that if p2p_disabled is changed on the (possible)
parent device for a dedicated P2P device, then the dedicated P2P device
is added or removed as appropriate.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Benjamin Berg [Wed, 15 Oct 2025 15:44:00 +0000 (17:44 +0200)]
P2P: Add/remove dedicated P2P Device when p2p_disabled is toggled
Having a dedicated P2P Device interface can interfere with the operation
of other interface types (in particular NAN). As such, it is useful to
be able to toggle at runtime whether the dedicated P2P Device interface
exists.
Add the logic to add or remove the dependent dedicated P2P Device
interface when the p2p_disabled option is toggled on its parent
interface.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 15 Oct 2025 15:43:59 +0000 (17:43 +0200)]
tests: Permit autogo_scan to work with dedicated P2P device removal
The next commit will end up removing the dedicated P2P device when
p2p_disabled is set. The test will trigger this when
support_p2p_device=1 is used and that would lead to a test failure as
the device is not configured correctly and may have changed its address.
Fix this by repeating the setup after the dedicated P2P device has been
recreated.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Sat, 13 Dec 2025 16:54:21 +0000 (18:54 +0200)]
Fix a compiler warning on unused function wpa_scan_get_bssid()
This new function was used only if CONFIG_IEEE80211BE=y is used in build
configuration. Fix the function to be within consistent conditional
compilation.
Fixes: f7f21ab7f0cf ("wpa_supplicant: Update enhanced throughput for AP MLDs") Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Benjamin Berg [Wed, 30 Jul 2025 12:44:42 +0000 (14:44 +0200)]
tests: vm: Hide /var and /run entirely
The systemd/udev code checks whether udev is running by looking for
/run/udev/control. If that is visible from the host, then it thinks that
udev works. With a proposed addition of waiting for udev to be ready in
a future commit, wpa_supplicant would wait indefinitely for the udev add
event after creating a new interface.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 30 Jul 2025 12:44:41 +0000 (14:44 +0200)]
eloop: Dump a trace when exiting due to SIGALRM
We configure a SIGALRM when receiving a signal to exit. If this SIGALRM
is fired, then the process did not properly exit. When this happens,
dump a trace to help with debugging.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Nevet, Eran [Tue, 9 Dec 2025 06:05:04 +0000 (08:05 +0200)]
RSNO: Fix RSNXE override length check
The RSNXE override element verification checked that the element
length is at least 6 octets. However, since the minimal length
of the RSNXE is only 1 octet, change the verification to verify
at least 5 octets.
Commit a826ff2d95b9 ("Ignore group-addressed SA Query frames") started
discarding group-addressed SA Query frames. Extend that approach for
additional Robust Action frames that do not have a clearly defined use
case for group-addressed frames. Some of these cases are explicitly
defined to be using individually addressed frames, but even for cases
where no such explicit definition is in the standard, it seems safer to
discard these to avoid risk of undesired behavior.
Jouni Malinen [Tue, 9 Dec 2025 13:52:11 +0000 (15:52 +0200)]
Updated IEEE P802.11be references to point to the published amendment
These references were pointing to various draft versions of IEEE
P802.11be mostly based on when the functionality was added during the
development of this standards amendment. Update these to reference the
published amendment to make things easier to find.
Henry Yen [Thu, 16 Oct 2025 16:11:03 +0000 (16:11 +0000)]
Determine NSS and bandwidth for connection on association event
Parse HT/VHT/HE/EHT capabilities and operation elements from the
(Re)Association Request and Response frames. This is used to get the
max_nss_rx, max_nss_tx, and channel_bandwidth capabilities of the
current association.
Signed-off-by: sunilravi <sunilravi@google.com> Signed-off-by: Henry Yen <henryyen@google.com>
Henry Yen [Thu, 16 Oct 2025 16:11:03 +0000 (16:11 +0000)]
Include the mandatory part of MCS of HE Capabilities in struct
struct ieee80211_he_capabilities included the first four octets of the
Supported HE-MCS And NSS Set field in the optional[] array. However,
those four octets are actually required to be present. Add them as
mandatory fields into the struct to match the minimum set of fields and
to make them somewhat more convenient for parsing purposes.
Signed-off-by: sunilravi <sunilravi@google.com> Signed-off-by: Henry Yen <henryyen@google.com>
Jouni Malinen [Mon, 8 Dec 2025 10:15:29 +0000 (12:15 +0200)]
Move connection information parsing into a helper function
wpa_supplicant_event_associnfo() is already overly large, so split area
on determining connection information into a helper function that can be
extended more easily.
Jouni Malinen [Tue, 9 Dec 2025 10:06:12 +0000 (12:06 +0200)]
Fix the check for valid supported VHT-MCS values
These 16-bit fields consist of eight 2-bit fields and the comparison
here was supposed to check whether each such 2-bit field is set to 3
(i.e., not supported). Masking was shifted, but the comparison against 3
did not have matching shift. Fix this by shifting the field to the two
LSBs for the comparison.
In addition, the special vendor_vht=1 case on 2.4 GHz was not taken into
account in check_valid_vht_mcs(). It needs to use the 5 GHz mode
hardware capability similarly to the way hostapd_eid_vht_capabilities()
works. Fix this by using a shared helper function for both cases.
Fixes: d988ff76bfa9 ("hostapd: Disable VHT caps for STAs when no valid VHT MCS found") Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Add QCA vendor attribute to configure MLE reserved fields
Add vendor attribute to set the reserved fields within the MLE
starting from Multi-Link Control to STA control within Per-STA
profile. It does not set the subsequent STA Info or HT/HE/EHT
Capabilities elements. This configuration is for Probe Request
variant in Multi-link Probe Request frames and Basic variant in
Association Request frames for testbed STA.
Extend QCA vendor command for early TWT SP termination for AP mode
Add vendor attribute QCA_WLAN_VENDOR_ATTR_TWT_EARLY_TERM_PEER_MAC_ADDR
to specify the peer MAC address for operation
QCA_WLAN_TWT_EARLY_TERMINATION_IND for AP mode.
Jouni Malinen [Tue, 2 Dec 2025 14:00:45 +0000 (16:00 +0200)]
SAE: More specific initial auth trans seq check
Practically ignoring the check of the authentication transaction
sequence number for SAE here is overly permissive. While the unknown
values will result in same behavior at a later point in the process,
this initial check could as well handle those cases without needing any
additional processing.
Jouni Malinen [Tue, 2 Dec 2025 13:49:35 +0000 (15:49 +0200)]
PASN: Use defines for authentication transaction sequence number
Use defined values instead of hardcoded 1, 2, and 3 for the
authentication transaction sequence number of the PASN frames. This
makes the implementation easier to read and has a bit more context on
uses of this field for PASN-specific vs. general (i.e., applied to all
authentication algorithms) cases.
Jouni Malinen [Tue, 2 Dec 2025 13:37:54 +0000 (15:37 +0200)]
SAE: Use defines for authentication transaction sequence number
Use defined values instead of hardcoded 1 and 2 for the authentication
transaction sequence number of the SAE commit and confirm messages. This
makes the implementation easier to read and has a bit more context on
uses of this field for SAE-specific vs. general (i.e., applied to all
authentication algorithms) cases.
Jouni Malinen [Tue, 2 Dec 2025 13:25:43 +0000 (15:25 +0200)]
Simplify sta_auth driver interface call
This seemed to be originally added with some kind of expectation of
future extension, but the resp_ies[] buffer has not really been used and
there is no need to maintain such complexity, so get rid of it.
dbus: Add SaePasswordMismatch signal on AP indication of failed SAE auth
Per the IEEE 802.11 standard, status code 15
(WLAN_STATUS_CHALLENGE_FAIL), when returned in an Authentication frame
of an SAE exchange, is indicative of a password mismatch.
Add a new dbus signal "SaePasswordMismatch" and emit it when a password
mismatch is detected as defined by that scenario.
Burvin Shi [Fri, 21 Nov 2025 07:07:04 +0000 (07:07 +0000)]
DPP: Fix error path processing in decryption of E-id
If any of the operations on a successfully allocated e_id fails
dpp_decrypt_e_id() freed e_id, but forgot to clear the pointer that gets
returned to the caller. This could result in at least a theoretical use
of freed memory. Fix this by clearing the pointer to return an
appropriate indication of the failed operation.
Burvin Shi [Fri, 21 Nov 2025 07:07:04 +0000 (07:07 +0000)]
WPS: Avoid double closing of a socket in an HTTP server error path
http_request_init() would have returned NULL if httpread_create() fails
and that case would result in http_request_deinit() closing the accepted
socket in addition to http_server_cb(). Avoid this by moving
responsibility for closing of the socket into http_request_init().
Jouni Malinen [Mon, 1 Dec 2025 21:30:34 +0000 (23:30 +0200)]
eapol_test: Fix functionality with SCS list
Commit 1adffc2003ff ("SCS: Renegotiate configured SCS policies with new
AP after roaming") started using wpa_s->active_scs_ids from a location
that gets executed in eapol_test and that resulted in the process
getting terminated due to that list being uninitialized. Fix this by
initializing the list in eapol_test similarly to how this gets done in
wpa_supplicant_alloc().
AP MLD: Fix use of a wrong list during link reconf response ack failure
When an ADD_LINK reconfiguration response is not ACKed by the STA, added
links must be reverted. The revert path in
hostapd_link_reconf_resp_tx_status() incorrectly iterates the del_req
list instead of add_req, preventing proper cleanup of station.
Fix this by iterating over req_list->add_req to remove added link STAs
on ack failure instead of del_req.
Fixes: ea7af69a2369 ("AP MLD: Process TX status for Link Reconfiguration Response frame") Signed-off-by: Govindaraj Saminathan <gsaminat@qti.qualcomm.com> Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
Jouni Malinen [Mon, 1 Dec 2025 17:17:18 +0000 (19:17 +0200)]
Abandon PMKSA caching attempt based on incompatible selected AKM
There might be a PMKSA cache entry for the target AP, but the current
connection is trying to use PSK (which does not use PMKSA caching) or an
AKM that does not match the one that was used to generate the selected
PMKSA entry. The previously selected PMKSA cache entry needs to be
cleared in such cases to avoid indicating an incorrect PMKID and
exchange that would likely end up failing with the AP attempting to use
a different PMK. This is not really supposed to happen in normal use
cases, but it is possible that some corner cases of the AP changing its
configuration might trigger a failure due to mismatching PMK.
Huang Chenming [Thu, 7 Aug 2025 12:10:27 +0000 (17:40 +0530)]
nl80211: Consolidate puncturing bitmap in frequency parameter setting
Consolidate puncturing bitmap into nl80211_put_freq_params() to
eliminate code duplication across multiple functions.
This also fixes an issue where BSS setup fails when disabled channels
exist within the configured bandwidth. The problem occurs because while
hostapd correctly marks disabled channels as punctured, it fails to set
the puncturing bitmap to the kernel during frequency configuration.
Add QCA vendor attributes for flow classification insights
Introduce a new nested attribute to support flow classification
insights.
Key additions:
QCA_WLAN_VENDOR_ATTR_FLOW_CLASSIFY_RESULT_INSIGHTS: New attribute in
flow_classify_result enum to encapsulate flow classify results insights.
qca_wlan_vendor_attr_classify_insights:
- PROBABLE_TRAFFIC_TYPE: Probable traffic type for each insight entry.
- PROBABILITY: Probability percentage for each corresponding traffic type.
The INSIGHTS attribute contains an array of nested elements, where each
element includes both traffic type and probability information.
wpa_supplicant: Update enhanced throughput for AP MLDs
Implement MLO-aware throughput estimation in scan results.
- Non-AP EMLSR + AP EMLSR: Pick partner link with highest throughput.
- Non-AP EMLSR + AP non-EMLSR: Keep original throughput unchanged.
- Otherwise (MLMR): Sum throughput across all partner links.
Parse RNR to discover partner links using MBSSID index and link ID;
add a helper to find partner BSS entries in the scan cache.
Add mlo_tput_accumulated to struct wpa_scan_res to mark aggregated
entries and avoid double counting; reuse an already accumulated
partner value when encountered.
No change for non-MLD devices.
Co-developed-by: Rohan Dutta <drohan@qti.qualcomm.com> Signed-off-by: Rohan Dutta <drohan@qti.qualcomm.com> Reviewed-by: Pooventhiran G <pooventh@qti.qualcomm.com> Signed-off-by: Pooventhiran G <pooventh@qti.qualcomm.com> Signed-off-by: Abishek Ganapathy <abishekg@qti.qualcomm.com>
Fetch the driver EML/MLD capabilities for wpa_supplicant use
Add a new helper function wpa_drv_get_mld_capa() to fetch MLD
capabilities based on interface type and store eml_capa and mld_capa in
wpa_supplicant and use eml_capa to decide STA EMLSR support.
MBSSID: Check the SSIDs of all the non-transmitting BSSs
Currently, when configured with MBSSID, a Probe Request frame is dropped
when its A3 is set to the transmitting BSS and the SSID is set to any
non-TX BSS's SSID. This is because only the SSID of the transmitting BSS
is checked against the requested SSID, ignoring the other MBSSID
members.
According to IEEE Std 802.11-2020, 11.1.4.3.4 (Criteria for sending a
response), a Probe Response frame can be sent if the SSID in the Probe
Request frame matches any SSID in the MBSSID set.
Fix this by ensuring the SSID of a non-TX BSS is also checked when
either A1 or A3 is set to an individual address in an MBSSID scenario.
Beacon frames transmitted by the AP are per BSS and not per VLAN. So
skip BIGTK generation and configuration to the driver for groups that
have a non-zero VLAN ID. For stations associating on non-zero VLAN IDs,
in EAPOL-Key msg 3/4 and group handshake message 1, populate the BIGTK
from the default VLAN group.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Shubham Joshi [Fri, 7 Nov 2025 11:19:01 +0000 (16:49 +0530)]
MSCS: Reject MSCS ADD request when the MSCS session already is active
Add a check to block sending an MSCS ADD request if an MSCS session is
already active as this may lead to termination of the existing MSCS
session. This prevents termination of an existing MSCS session and
ensures robust handling of MSCS requests.
Also log a clear message indicating the reason for rejection.
PR: Move DIK set and clear commands out of testing scope
The commands PR_SET_DIK_CONTEXT and PR_CLEAR_DIK_CONTEXT should not
be under CONFIG_TESTING_OPTIONS since their usage is not limited to
testing only.
Fixes: 7c262f94ff80 ("PR: Control interface support to set and clear PR device identity context") Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
Karthik M [Fri, 21 Nov 2025 07:20:04 +0000 (12:50 +0530)]
Update beacon information in RNR/MSSID on interface unavailability
When an interface (legacy or MLD link) is deleted via userspace
tools (e.g., iw or ifconfig), the kernel indicates this through an
NL80211_CMD_STOP_AP event. hostapd marks the interface as stopped
and, for MLD, removes the corresponding link from the BSS list.
In MBSSID setups, if the deleted interface is the TX BSS,
the associated non‑TX BSSs are also removed.
However, hostapd does not update beacons of the remaining partner links
after this event. As a result, information about deleted/stopped BSSs
can persist in other beacons (e.g., as Reduced Neighbor Report entries),
which is incorrect.
Use the beacon_set_done flag to manage RNR/MBSSID beacon updates during
interface stop (NL_STOP_AP) and fix the issue by marking the stopped BSS
with beacon_set_done as zero, refreshing beacons for all active
interfaces, and ensuring stopped BSSs are excluded from RNR.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
The new "auth_alg" entry in hostapd "STA <addr>" control interface
output can be used to determine the authentication algorithm used by the
non-AP STA to authenticate with the AP.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Add CFR stop reason enum and peer attribute for a QCA vendor command
Introduce enum qca_wlan_vendor_cfr_stop_reason to standardize reason
codes for CFR collection stops. Add
QCA_WLAN_VENDOR_ATTR_PEER_CFR_STOP_REASON to the peer CFR capture
attributes. Use this attribute to indicate that CFR collection for a
peer has stopped and to carry the corresponding reason code from the new
enum. Apply this attribute for peer CFR events with CFR data format
version 3.
FILS: Remove unused arguments from writing Association Response elements
The elements from the (Re)Association Request frame were never needed
for the FILS case and were likely originally included just because a
similar function for FT included them.
Signed-off-by: Adil Saeed Musthafa <adilm@qti.qualcomm.com>
projects / thirdparty / hostap.git / log
