Merge android-msm-pixel-4.19-rvc-qpr3 into android-msm-pixel-4.19android-s-preview-3_r0.5android-s-beta-1_r0.5android-msm-redbull-4.19-s-preview-3android-msm-redbull-4.19-s-beta-1

SBMerger: 351186807
Change-Id: I77717eec29b380244e28cf68397b7fefbe6493fe
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>

19 files changed, 290 insertions, 68 deletions

diff --git a/components/blacklist_mgr/core/inc/wlan_blm_core.h b/components/blacklist_mgr/core/inc/wlan_blm_core.h
index a89c8e5457..6dba887634 100644
--- a/components/blacklist_mgr/core/inc/wlan_blm_core.h
+++ b/components/blacklist_mgr/core/inc/wlan_blm_core.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -265,6 +265,14 @@ blm_get_bssid_reject_list(struct wlan_objmgr_pdev *pdev,
 			  enum blm_reject_ap_type reject_ap_type);
 
 /**
+ * blm_dump_blacklist_bssid - Dump blacklisted bssids
+ * @pdev: pdev object
+ *
+ * Return: None
+ */
+void blm_dump_blacklist_bssid(struct wlan_objmgr_pdev *pdev);
+
+/**
  * blm_get_rssi_blacklist_threshold() - Get rssi blacklist threshold value
  * @pdev: pdev object
  *
diff --git a/components/blacklist_mgr/core/inc/wlan_blm_main.h b/components/blacklist_mgr/core/inc/wlan_blm_main.h
index 7a290c06ec..d046eeecff 100644
--- a/components/blacklist_mgr/core/inc/wlan_blm_main.h
+++ b/components/blacklist_mgr/core/inc/wlan_blm_main.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2019-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -37,6 +37,8 @@
 		QDF_TRACE_INFO(QDF_MODULE_ID_BLACKLIST_MGR, params)
 #define blm_debug(params...)\
 		QDF_TRACE_DEBUG(QDF_MODULE_ID_BLACKLIST_MGR, params)
+#define blm_nofl_debug(params...)\
+		QDF_TRACE_DEBUG_NO_FL(QDF_MODULE_ID_BLACKLIST_MGR, params)
 
 /**
  * struct blm_pdev_priv_obj - Pdev priv struct to store list of blacklist mgr.
diff --git a/components/blacklist_mgr/core/src/wlan_blm_core.c b/components/blacklist_mgr/core/src/wlan_blm_core.c
index 06a0011c6f..6070179a6b 100644
--- a/components/blacklist_mgr/core/src/wlan_blm_core.c
+++ b/components/blacklist_mgr/core/src/wlan_blm_core.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -617,6 +617,121 @@ blm_remove_lowest_delta_entry(qdf_list_t *reject_ap_list,
 	return QDF_STATUS_E_FAILURE;
 }
 
+/**
+ * blm_find_reject_type_string() - Function to convert int to string
+ * @reject_ap_type:   blm_reject_ap_type
+ *
+ * This function is used to convert int value of enum blm_reject_ap_type
+ * to string format.
+ *
+ * Return: String
+ *
+ */
+static const char *
+blm_find_reject_type_string(enum blm_reject_ap_type reject_ap_type)
+{
+	switch (reject_ap_type) {
+	CASE_RETURN_STRING(USERSPACE_AVOID_TYPE);
+	CASE_RETURN_STRING(USERSPACE_BLACKLIST_TYPE);
+	CASE_RETURN_STRING(DRIVER_AVOID_TYPE);
+	CASE_RETURN_STRING(DRIVER_BLACKLIST_TYPE);
+	CASE_RETURN_STRING(DRIVER_RSSI_REJECT_TYPE);
+	CASE_RETURN_STRING(DRIVER_MONITOR_TYPE);
+	default:
+		return "REJECT_REASON_UNKNOWN";
+	}
+}
+
+/**
+ * blm_get_reject_ap_type() - Function to find reject ap type
+ * @blm_entry:   blm_reject_ap
+ *
+ * This function is used to get reject ap type.
+ *
+ * Return: blm_reject_ap_type
+ *
+ */
+static enum blm_reject_ap_type
+blm_get_reject_ap_type(struct blm_reject_ap *blm_entry)
+{
+	if (BLM_IS_AP_AVOIDED_BY_USERSPACE(blm_entry))
+		return USERSPACE_AVOID_TYPE;
+	if (BLM_IS_AP_BLACKLISTED_BY_USERSPACE(blm_entry))
+		return USERSPACE_BLACKLIST_TYPE;
+	if (BLM_IS_AP_AVOIDED_BY_DRIVER(blm_entry))
+		return DRIVER_AVOID_TYPE;
+	if (BLM_IS_AP_BLACKLISTED_BY_DRIVER(blm_entry))
+		return DRIVER_BLACKLIST_TYPE;
+	if (BLM_IS_AP_IN_RSSI_REJECT_LIST(blm_entry))
+		return DRIVER_RSSI_REJECT_TYPE;
+	if (BLM_IS_AP_IN_MONITOR_LIST(blm_entry))
+		return DRIVER_MONITOR_TYPE;
+
+	return REJECT_REASON_UNKNOWN;
+}
+
+/**
+ * blm_dump_blacklist_bssid() - Function to dump blacklisted bssid
+ * @pdev:  pdev object
+ *
+ * This function is used to dump blacklisted bssid along with reject
+ * ap type, source, delay and required rssi
+ *
+ * Return: None
+ *
+ */
+void blm_dump_blacklist_bssid(struct wlan_objmgr_pdev *pdev)
+{
+	struct blm_reject_ap *blm_entry = NULL;
+	qdf_list_node_t *cur_node = NULL, *next_node = NULL;
+	struct blm_pdev_priv_obj *blm_ctx;
+	struct blm_psoc_priv_obj *blm_psoc_obj;
+	uint32_t reject_duration;
+	enum blm_reject_ap_type reject_ap_type;
+	qdf_list_t *reject_db_list;
+	QDF_STATUS status;
+
+	blm_ctx = blm_get_pdev_obj(pdev);
+	blm_psoc_obj = blm_get_psoc_obj(wlan_pdev_get_psoc(pdev));
+
+	if (!blm_ctx || !blm_psoc_obj) {
+		blm_err("blm_ctx or blm_psoc_obj is NULL");
+		return;
+	}
+
+	status = qdf_mutex_acquire(&blm_ctx->reject_ap_list_lock);
+	if (QDF_IS_STATUS_ERROR(status)) {
+		blm_err("failed to acquire reject_ap_list_lock");
+		return;
+	}
+
+	reject_db_list = &blm_ctx->reject_ap_list;
+	qdf_list_peek_front(reject_db_list, &cur_node);
+	while (cur_node) {
+		qdf_list_peek_next(reject_db_list, cur_node, &next_node);
+
+		blm_entry = qdf_container_of(cur_node, struct blm_reject_ap,
+					     node);
+
+		reject_ap_type = blm_get_reject_ap_type(blm_entry);
+
+		reject_duration = blm_get_delta_of_bssid(
+						reject_ap_type, blm_entry,
+						&blm_psoc_obj->blm_cfg);
+
+			blm_nofl_debug("BLACKLIST BSSID %pM type %s retry delay %dms expected RSSI %d",
+				blm_entry->bssid.bytes,
+				blm_find_reject_type_string(reject_ap_type),
+				reject_duration,
+				blm_entry->rssi_reject_params.expected_rssi);
+
+		cur_node = next_node;
+		next_node = NULL;
+	}
+
+	qdf_mutex_release(&blm_ctx->reject_ap_list_lock);
+}
+
 static void blm_fill_reject_list(qdf_list_t *reject_db_list,
 				 struct reject_ap_config_params *reject_list,
 				 uint8_t *num_of_reject_bssid,
diff --git a/components/blacklist_mgr/dispatcher/inc/wlan_blm_api.h b/components/blacklist_mgr/dispatcher/inc/wlan_blm_api.h
index 75ba78d04e..16149a5c15 100644
--- a/components/blacklist_mgr/dispatcher/inc/wlan_blm_api.h
+++ b/components/blacklist_mgr/dispatcher/inc/wlan_blm_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2019-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -104,6 +104,18 @@ wlan_blm_get_bssid_reject_list(struct wlan_objmgr_pdev *pdev,
 }
 
 /**
+ * wlan_blm_dump_blcklist_bssid() - dump the blacklisted BSSIDs from BLM
+ * @pdev: pdev object
+ *
+ * Return: None
+ */
+static inline void
+wlan_blm_dump_blcklist_bssid(struct wlan_objmgr_pdev *pdev)
+{
+	return blm_dump_blacklist_bssid(pdev);
+}
+
+/**
  * wlan_blm_get_rssi_blacklist_threshold() - Get the RSSI blacklist threshold
  * @pdev: pdev object
  *
diff --git a/components/blacklist_mgr/dispatcher/inc/wlan_blm_public_struct.h b/components/blacklist_mgr/dispatcher/inc/wlan_blm_public_struct.h
index 6bc2b052ae..f6b8b044e3 100644
--- a/components/blacklist_mgr/dispatcher/inc/wlan_blm_public_struct.h
+++ b/components/blacklist_mgr/dispatcher/inc/wlan_blm_public_struct.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -46,6 +46,7 @@ struct blm_rssi_disallow_params {
  * @DRIVER_BLACKLIST_TYPE: driver wants the AP to be blacklisted.
  * @DRIVER_RSSI_REJECT_TYPE: driver wants the AP to be in driver rssi reject.
  * @DRIVER_MONITOR_TYPE: driver wants the AP to be in monitor list.
+ * @REJECT_REASON_UNKNOWN: Rejection reason unknown
  */
 enum blm_reject_ap_type {
 	USERSPACE_AVOID_TYPE =     0,
@@ -53,7 +54,8 @@ enum blm_reject_ap_type {
 	DRIVER_AVOID_TYPE    =     2,
 	DRIVER_BLACKLIST_TYPE    = 3,
 	DRIVER_RSSI_REJECT_TYPE =  4,
-	DRIVER_MONITOR_TYPE =      5
+	DRIVER_MONITOR_TYPE =      5,
+	REJECT_REASON_UNKNOWN = 6,
 };
 
 /**
diff --git a/components/blacklist_mgr/dispatcher/inc/wlan_blm_ucfg_api.h b/components/blacklist_mgr/dispatcher/inc/wlan_blm_ucfg_api.h
index a6cd763531..b4c9d6118f 100644
--- a/components/blacklist_mgr/dispatcher/inc/wlan_blm_ucfg_api.h
+++ b/components/blacklist_mgr/dispatcher/inc/wlan_blm_ucfg_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -84,6 +84,16 @@ ucfg_blm_add_userspace_black_list(struct wlan_objmgr_pdev *pdev,
 				  uint8_t num_of_bssid);
 
 /**
+ * ucfg_blm_dump_black_list_ap() - get blacklisted bssid.
+ * @pdev: pdev object
+ *
+ * This API dumps blacklist ap
+ *
+ * Return: None
+ */
+void ucfg_blm_dump_black_list_ap(struct wlan_objmgr_pdev *pdev);
+
+/**
  * ucfg_blm_update_bssid_connect_params() - Inform the BLM about connect or
  * disconnect with the current AP.
  * @pdev: pdev object
@@ -154,6 +164,10 @@ QDF_STATUS ucfg_blm_psoc_close(struct wlan_objmgr_psoc *psoc)
 }
 
 static inline
+void ucfg_blm_dump_black_list_ap(struct wlan_objmgr_pdev *pdev)
+{}
+
+static inline
 QDF_STATUS
 ucfg_blm_add_bssid_to_reject_list(struct wlan_objmgr_pdev *pdev,
 				  struct reject_ap_info *ap_info)
diff --git a/components/blacklist_mgr/dispatcher/src/wlan_blm_ucfg_api.c b/components/blacklist_mgr/dispatcher/src/wlan_blm_ucfg_api.c
index b53d5f3ddb..22cded7a44 100644
--- a/components/blacklist_mgr/dispatcher/src/wlan_blm_ucfg_api.c
+++ b/components/blacklist_mgr/dispatcher/src/wlan_blm_ucfg_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2019-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -133,6 +133,12 @@ ucfg_blm_add_userspace_black_list(struct wlan_objmgr_pdev *pdev,
 }
 
 void
+ucfg_blm_dump_black_list_ap(struct wlan_objmgr_pdev *pdev)
+{
+	return wlan_blm_dump_blcklist_bssid(pdev);
+}
+
+void
 ucfg_blm_update_bssid_connect_params(struct wlan_objmgr_pdev *pdev,
 				     struct qdf_mac_addr bssid,
 				     enum blm_connection_state con_state)
diff --git a/components/cmn_services/policy_mgr/src/wlan_policy_mgr_action.c b/components/cmn_services/policy_mgr/src/wlan_policy_mgr_action.c
index c064747331..a21c4dfe5a 100644
--- a/components/cmn_services/policy_mgr/src/wlan_policy_mgr_action.c
+++ b/components/cmn_services/policy_mgr/src/wlan_policy_mgr_action.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -323,8 +323,9 @@ QDF_STATUS policy_mgr_update_connection_info(struct wlan_objmgr_psoc *psoc,
 		}
 		conn_index++;
 	}
-	qdf_mutex_release(&pm_ctx->qdf_conc_list_lock);
+
 	if (!found) {
+		qdf_mutex_release(&pm_ctx->qdf_conc_list_lock);
 		/* err msg */
 		policy_mgr_err("can't find vdev_id %d in pm_conc_connection_list",
 			vdev_id);
@@ -334,11 +335,13 @@ QDF_STATUS policy_mgr_update_connection_info(struct wlan_objmgr_psoc *psoc,
 		status = pm_ctx->wma_cbacks.wma_get_connection_info(
 				vdev_id, &conn_table_entry);
 		if (QDF_STATUS_SUCCESS != status) {
+			qdf_mutex_release(&pm_ctx->qdf_conc_list_lock);
 			policy_mgr_err("can't find vdev_id %d in connection table",
 			vdev_id);
 			return status;
 		}
 	} else {
+		qdf_mutex_release(&pm_ctx->qdf_conc_list_lock);
 		policy_mgr_err("wma_get_connection_info is NULL");
 		return QDF_STATUS_E_FAILURE;
 	}
@@ -369,6 +372,7 @@ QDF_STATUS policy_mgr_update_connection_info(struct wlan_objmgr_psoc *psoc,
 			chain_mask,
 			nss, vdev_id, true, true);
 
+	qdf_mutex_release(&pm_ctx->qdf_conc_list_lock);
 	/* do we need to change the HW mode */
 	policy_mgr_check_n_start_opportunistic_timer(psoc);
 
diff --git a/components/mlme/dispatcher/inc/cfg_mlme_btm.h b/components/mlme/dispatcher/inc/cfg_mlme_btm.h
index 56353fe1b8..94d1f7c864 100644
--- a/components/mlme/dispatcher/inc/cfg_mlme_btm.h
+++ b/components/mlme/dispatcher/inc/cfg_mlme_btm.h
@@ -100,7 +100,14 @@
  *
  * BIT 8: BTM query preference over 11k neighbor report request
  *
- * BIT 9-31: Reserved
+ * BIT 9: BTM query with candidate list
+ *
+ * BIT 10: When this bit is set, Firmware will forward BTM Request Frame to
+ * driver when the frame contains MBO assoc retry attribute. Driver will send
+ * this frame to supplicant and supplicant will use the frame info for
+ * blacklisting the AP so for the next connection framework will avoid this AP.
+ *
+ * BIT 11-31: Reserved
  *
  * Supported Feature: STA
  *
diff --git a/components/mlme/dispatcher/src/wlan_mlme_ucfg_api.c b/components/mlme/dispatcher/src/wlan_mlme_ucfg_api.c
index a3372078a5..91dfd10c36 100644
--- a/components/mlme/dispatcher/src/wlan_mlme_ucfg_api.c
+++ b/components/mlme/dispatcher/src/wlan_mlme_ucfg_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2018-2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index 4e61f4ccfb..4ac687a95f 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -146,8 +146,8 @@ static const
 u8 ccp_rsn_oui_13[HDD_RSN_OUI_SIZE] = {0x50, 0x6F, 0x9A, 0x01};
 
 /* Offset where the EID-Len-IE, start. */
-#define FT_ASSOC_RSP_IES_OFFSET 6  /* Capability(2) + AID(2) + Status Code(2) */
-#define FT_ASSOC_REQ_IES_OFFSET 4  /* Capability(2) + LI(2) */
+#define ASSOC_RSP_IES_OFFSET 6  /* Capability(2) + AID(2) + Status Code(2) */
+#define ASSOC_REQ_IES_OFFSET 4  /* Capability(2) + LI(2) */
 
 #define HDD_PEER_AUTHORIZE_WAIT 10
 
@@ -1077,7 +1077,7 @@ hdd_send_ft_assoc_response(struct net_device *dev,
 	unsigned int len = 0;
 	u8 *assoc_rsp = NULL;
 
-	if (roam_info->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+	if (roam_info->nAssocRspLength < ASSOC_RSP_IES_OFFSET) {
 		hdd_debug("Invalid assoc rsp length %d",
 			  roam_info->nAssocRspLength);
 		return;
@@ -1091,10 +1091,10 @@ hdd_send_ft_assoc_response(struct net_device *dev,
 		return;
 	}
 	/* assoc_rsp needs to point to the IEs */
-	assoc_rsp += FT_ASSOC_RSP_IES_OFFSET;
+	assoc_rsp += ASSOC_RSP_IES_OFFSET;
 
 	/* Send the Assoc Resp, the supplicant needs this for initial Auth. */
-	len = roam_info->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+	len = roam_info->nAssocRspLength - ASSOC_RSP_IES_OFFSET;
 	if (len > IW_GENERIC_IE_MAX) {
 		hdd_err("Invalid Assoc resp length %d", len);
 		return;
@@ -2304,7 +2304,7 @@ static void hdd_send_re_assoc_event(struct net_device *dev,
 		goto done;
 	}
 
-	if (roam_info->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+	if (roam_info->nAssocRspLength < ASSOC_RSP_IES_OFFSET) {
 		hdd_err("Invalid assoc rsp length %d",
 			roam_info->nAssocRspLength);
 		goto done;
@@ -2317,7 +2317,7 @@ static void hdd_send_re_assoc_event(struct net_device *dev,
 		goto done;
 
 	/* assoc_rsp needs to point to the IEs */
-	assoc_rsp += FT_ASSOC_RSP_IES_OFFSET;
+	assoc_rsp += ASSOC_RSP_IES_OFFSET;
 
 	/*
 	 * Active session count is decremented upon disconnection, but during
@@ -2335,7 +2335,7 @@ static void hdd_send_re_assoc_event(struct net_device *dev,
 	}
 
 	/* Send the Assoc Resp, the supplicant needs this for initial Auth */
-	len = roam_info->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+	len = roam_info->nAssocRspLength - ASSOC_RSP_IES_OFFSET;
 	if (len > IW_GENERIC_IE_MAX) {
 		hdd_err("Invalid Assoc resp length %d", len);
 		goto done;
@@ -3006,10 +3006,10 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
 				/*
 				 * assoc_rsp needs to point to the IEs
 				 */
-				assoc_rsp += FT_ASSOC_RSP_IES_OFFSET;
+				assoc_rsp += ASSOC_RSP_IES_OFFSET;
 				assoc_rsp_len =
 					roam_info->nAssocRspLength -
-					FT_ASSOC_RSP_IES_OFFSET;
+					ASSOC_RSP_IES_OFFSET;
 
 				hdd_debug("assoc_rsp_len %d", assoc_rsp_len);
 			} else {
@@ -3026,11 +3026,10 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
 					 * assoc_req needs to point to
 					 * the IEs
 					 */
-					assoc_req +=
-						FT_ASSOC_REQ_IES_OFFSET;
+					assoc_req += ASSOC_REQ_IES_OFFSET;
 					assoc_req_len =
 					    roam_info->nAssocReqLength -
-						FT_ASSOC_REQ_IES_OFFSET;
+						ASSOC_REQ_IES_OFFSET;
 				} else {
 					/*
 					 * This should contain only the
@@ -3381,21 +3380,47 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
 		    && !hddDisconInProgress) {
 			u8 *assoc_rsp = NULL;
 			u8 *assoc_req = NULL;
+			unsigned int assoc_rsp_len = 0;
+			unsigned int assoc_req_len = 0;
 
 			if (roam_info) {
 				if (roam_info->pbFrames) {
-				/* Association Request */
+					/* Association Request */
 					assoc_req =
 						(u8 *)(roam_info->pbFrames +
-						      roam_info->nBeaconLength);
+						       roam_info->nBeaconLength);
+					if (assoc_req) {
+						/*
+						 * assoc_req needs to point to
+						 * the IEs
+						 */
+						assoc_req +=
+							ASSOC_REQ_IES_OFFSET;
+						assoc_req_len =
+						    roam_info->nAssocReqLength -
+							ASSOC_REQ_IES_OFFSET;
+					} else {
+						assoc_req_len = 0;
+					}
+
 					/* Association Response */
 					assoc_rsp =
 						(u8 *)(roam_info->pbFrames +
 						      roam_info->nBeaconLength +
 						    roam_info->nAssocReqLength);
-					hdd_debug("assoc_req_len %d assoc resp len %d",
-						  roam_info->nAssocReqLength,
-						  roam_info->nAssocRspLength);
+					if (assoc_rsp) {
+						/*
+						 * assoc_rsp needs to point to the IEs
+						 */
+						assoc_rsp += ASSOC_RSP_IES_OFFSET;
+						assoc_rsp_len =
+							roam_info->nAssocRspLength -
+							ASSOC_RSP_IES_OFFSET;
+					} else {
+						assoc_rsp_len = 0;
+					}
+					hdd_debug("Assoc req len:%d rsp len:%d",
+						  assoc_req_len, assoc_rsp_len);
 				}
 				hdd_err("send connect failure to nl80211: for bssid "
 					QDF_MAC_ADDR_STR
@@ -3422,12 +3447,10 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
 					hdd_connect_result(dev,
 						roam_info->bssid.bytes,
 						roam_info, assoc_req,
-						roam_info->nAssocReqLength,
-						assoc_rsp,
-						roam_info->nAssocRspLength,
+						assoc_req_len,
+						assoc_rsp, assoc_rsp_len,
 						WLAN_STATUS_ASSOC_DENIED_UNSPEC,
-						GFP_KERNEL,
-						connect_timeout,
+						GFP_KERNEL, connect_timeout,
 						roam_info->status_code);
 				else
 					hdd_connect_result(dev,
@@ -3442,9 +3465,8 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
 					hdd_connect_result(dev,
 						roam_info->bssid.bytes,
 						roam_info, assoc_req,
-						roam_info->nAssocReqLength,
-						assoc_rsp,
-						roam_info->nAssocRspLength,
+						assoc_req_len,
+						assoc_rsp, assoc_rsp_len,
 						roam_info->reasonCode ?
 						roam_info->reasonCode :
 						WLAN_STATUS_UNSPECIFIED_FAILURE,
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 26e609747e..c35867e2be 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -19949,6 +19949,8 @@ static int __wlan_hdd_cfg80211_connect(struct wiphy *wiphy,
 	else if (bssid_hint)
 		bssid = bssid_hint;
 
+	ucfg_blm_dump_black_list_ap(hdd_ctx->pdev);
+
 	if (bssid && hdd_get_adapter_by_macaddr(hdd_ctx, (uint8_t *)bssid)) {
 		hdd_err("adapter exist with same mac address " QDF_MAC_ADDR_STR,
 			QDF_MAC_ADDR_ARRAY(bssid));
diff --git a/core/mac/src/pe/lim/lim_assoc_utils.c b/core/mac/src/pe/lim/lim_assoc_utils.c
index 37c88e38ab..02ffbe1fee 100644
--- a/core/mac/src/pe/lim/lim_assoc_utils.c
+++ b/core/mac/src/pe/lim/lim_assoc_utils.c
@@ -618,9 +618,8 @@ lim_cleanup_rx_path(struct mac_context *mac, tpDphHashNode sta,
 			 * Release our assigned AID back to the free pool
 			 */
 			if (LIM_IS_AP_ROLE(pe_session)) {
-				lim_del_sta(mac, sta, false, pe_session);
-				lim_release_peer_idx(mac, sta->assocId,
-						     pe_session);
+				lim_del_sta(mac, sta, true, pe_session);
+				return retCode;
 			}
 			lim_delete_dph_hash_entry(mac, sta->staAddr,
 						  sta->assocId, pe_session);
diff --git a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
index dda6811c03..dc37384c9a 100644
--- a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
+++ b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
@@ -2864,19 +2864,9 @@ bool lim_fill_lim_assoc_ind_params(
 	return true;
 }
 
-/**
- * lim_send_mlm_assoc_ind() - Sends assoc indication to SME
- * @mac_ctx: Global Mac context
- * @sta_ds: Station DPH hash entry
- * @session_entry: PE session entry
- *
- * This function sends either LIM_MLM_ASSOC_IND
- * or LIM_MLM_REASSOC_IND to SME.
- *
- * Return: None
- */
-void lim_send_mlm_assoc_ind(struct mac_context *mac_ctx,
-	tpDphHashNode sta_ds, struct pe_session *session_entry)
+QDF_STATUS lim_send_mlm_assoc_ind(struct mac_context *mac_ctx,
+				  tpDphHashNode sta_ds,
+				  struct pe_session *session_entry)
 {
 	tpLimMlmAssocInd assoc_ind;
 	tpSirAssocReq assoc_req;
@@ -2886,7 +2876,7 @@ void lim_send_mlm_assoc_ind(struct mac_context *mac_ctx,
 
 	if (!session_entry->parsedAssocReq) {
 		pe_err(" Parsed Assoc req is NULL");
-		return;
+		return QDF_STATUS_E_INVAL;
 	}
 
 	/* Get a copy of the already parsed Assoc Request */
@@ -2895,7 +2885,7 @@ void lim_send_mlm_assoc_ind(struct mac_context *mac_ctx,
 
 	if (!assoc_req) {
 		pe_err("assoc req for assoc_id:%d is NULL", sta_ds->assocId);
-		return;
+		return QDF_STATUS_E_INVAL;
 	}
 
 	/* Get the phy_mode */
@@ -2919,17 +2909,17 @@ void lim_send_mlm_assoc_ind(struct mac_context *mac_ctx,
 		if (!assoc_ind) {
 			lim_release_peer_idx(mac_ctx, sta_ds->assocId,
 					     session_entry);
-			return;
+			return QDF_STATUS_E_INVAL;
 		}
 		if (!lim_fill_lim_assoc_ind_params(assoc_ind, mac_ctx,
 						   sta_ds, session_entry)) {
 			qdf_mem_free(assoc_ind);
-			return;
+			return QDF_STATUS_E_INVAL;
 		}
 		lim_post_sme_message(mac_ctx, LIM_MLM_ASSOC_IND,
 				     (uint32_t *)assoc_ind);
 		qdf_mem_free(assoc_ind);
 	}
 
-	return;
+	return QDF_STATUS_SUCCESS;
 }
diff --git a/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c b/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
index 34864d4f52..3445e9efe0 100644
--- a/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
+++ b/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
@@ -2007,7 +2007,14 @@ void lim_process_ap_mlm_add_sta_rsp(struct mac_context *mac,
 	 * 2) PE receives eWNI_SME_ASSOC_CNF from SME
 	 * 3) BTAMP-AP sends Re/Association Response to BTAMP-STA
 	 */
-	lim_send_mlm_assoc_ind(mac, sta, pe_session);
+	if (lim_send_mlm_assoc_ind(mac, sta, pe_session) != QDF_STATUS_SUCCESS)
+		lim_reject_association(mac, sta->staAddr,
+				       sta->mlmStaContext.subType,
+				       true, sta->mlmStaContext.authType,
+				       sta->assocId, true,
+				       eSIR_MAC_UNSPEC_FAILURE_STATUS,
+				       pe_session);
+
 	/* fall though to reclaim the original Add STA Response message */
 end:
 	if (0 != limMsgQ->bodyptr) {
diff --git a/core/mac/src/pe/lim/lim_types.h b/core/mac/src/pe/lim/lim_types.h
index 3a0910a88b..53a8dfbe43 100644
--- a/core/mac/src/pe/lim/lim_types.h
+++ b/core/mac/src/pe/lim/lim_types.h
@@ -434,8 +434,21 @@ lim_fill_sme_assoc_ind_params(
 	struct mac_context *mac_ctx,
 	tpLimMlmAssocInd assoc_ind, struct assoc_ind *sme_assoc_ind,
 	struct pe_session *session_entry);
-void lim_send_mlm_assoc_ind(struct mac_context *mac, tpDphHashNode sta,
-			    struct pe_session *pe_session);
+
+/**
+ * lim_send_mlm_assoc_ind() - Sends assoc indication to SME
+ * @mac_ctx: Global Mac context
+ * @sta_ds: Station DPH hash entry
+ * @session_entry: PE session entry
+ *
+ * This function sends either LIM_MLM_ASSOC_IND
+ * or LIM_MLM_REASSOC_IND to SME.
+ *
+ * Return: QDF_STATUS
+ */
+QDF_STATUS lim_send_mlm_assoc_ind(struct mac_context *mac,
+				  tpDphHashNode sta,
+				  struct pe_session *pe_session);
 
 void lim_process_assoc_rsp_frame(struct mac_context *, uint8_t *, uint8_t, struct pe_session *);
 void lim_process_disassoc_frame(struct mac_context *, uint8_t *, struct pe_session *);
diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c
index af72d7e8e2..9b60209d63 100644
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@@ -19081,7 +19081,9 @@ static void csr_update_btm_offload_config(struct mac_context *mac_ctx,
 					  struct csr_roam_session *session)
 {
 	struct wlan_objmgr_peer *peer;
-	bool is_pmf_enabled;
+	struct wlan_objmgr_vdev *vdev;
+	bool is_pmf_enabled, is_open_connection = false;
+	int32_t cipher;
 
 	req_buf->btm_offload_config =
 			mac_ctx->mlme_cfg->btm.btm_offload_config;
@@ -19113,15 +19115,31 @@ static void csr_update_btm_offload_config(struct mac_context *mac_ctx,
 
 	is_pmf_enabled = mlme_get_peer_pmf_status(peer);
 	wlan_objmgr_peer_release_ref(peer, WLAN_LEGACY_SME_ID);
-	sme_debug("get is_pmf_enabled %d for %pM", is_pmf_enabled,
-		  session->pConnectBssDesc->bssId);
+
+	vdev = wlan_objmgr_get_vdev_by_id_from_psoc(mac_ctx->psoc,
+						    session->vdev_id,
+						    WLAN_LEGACY_SME_ID);
+	if (!vdev) {
+		sme_err("vdev:%d is NULL", session->vdev_id);
+		return;
+	}
+
+	cipher = wlan_crypto_get_param(vdev, WLAN_CRYPTO_PARAM_UCAST_CIPHER);
+	if (!cipher || (cipher & (1 << WLAN_CRYPTO_CIPHER_NONE)))
+		is_open_connection = true;
+
+	wlan_objmgr_vdev_release_ref(vdev, WLAN_LEGACY_SME_ID);
 
 	/* If peer does not support PMF in case of OCE/MBO
 	 * Connection, Disable BTM offload to firmware.
 	 */
 	if (session->pConnectBssDesc->mbo_oce_enabled_ap &&
-	    !is_pmf_enabled)
+	    (!is_pmf_enabled && !is_open_connection))
 		req_buf->btm_offload_config = 0;
+
+	sme_debug("is_open:%d is_pmf_enabled:%d btm_offload_cfg:%d for %pM",
+		  is_open_connection, is_pmf_enabled,
+		  req_buf->btm_offload_config, session->pConnectBssDesc->bssId);
 }
 
 /**
diff --git a/core/sme/src/csr/csr_util.c b/core/sme/src/csr/csr_util.c
index 5843946cc6..8cc13a916b 100644
--- a/core/sme/src/csr/csr_util.c
+++ b/core/sme/src/csr/csr_util.c
@@ -4047,6 +4047,7 @@ uint8_t csr_construct_rsn_ie(struct mac_context *mac, uint32_t sessionId,
 						   pProfile->pRSNReqIE + 2,
 				  pProfile->nRSNReqIELength -2, &rsn_ie, false);
 			if (!DOT11F_FAILED(ret)) {
+				session->rsn_caps = *(struct rsn_caps *)rsn_ie.RSN_Cap;
 				pIesLocal->RSN.RSN_Cap[0] =
 						pIesLocal->RSN.RSN_Cap[0] &
 						rsn_ie.RSN_Cap[0];
@@ -4141,7 +4142,6 @@ uint8_t csr_construct_rsn_ie(struct mac_context *mac, uint32_t sessionId,
 		} else {
 			pPMK->cPMKIDs = 0;
 		}
-		session->rsn_caps = RSNCapabilities;
 
 		qdf_mem_zero(&pmkid_cache, sizeof(pmkid_cache));
 
diff --git a/core/wma/src/wma_dev_if.c b/core/wma/src/wma_dev_if.c
index f13ac6b2ed..c8d71cbf06 100644
--- a/core/wma/src/wma_dev_if.c
+++ b/core/wma/src/wma_dev_if.c
@@ -1162,6 +1162,7 @@ static void wma_vdev_start_rsp(tp_wma_handle wma,
 		 BSS_OPERATIONAL_MODE_IBSS ? "IBSS" : "non-IBSS");
 #endif /* QCA_IBSS_SUPPORT */
 
+	add_bss->bss_idx = resp_event->vdev_id;
 	if (resp_event->status) {
 		add_bss->status = QDF_STATUS_E_FAILURE;
 		goto send_fail_resp;
@@ -1199,7 +1200,6 @@ static void wma_vdev_start_rsp(tp_wma_handle wma,
 			 __func__, bcn, bcn->buf);
 	}
 	add_bss->status = QDF_STATUS_SUCCESS;
-	add_bss->bss_idx = resp_event->vdev_id;
 	add_bss->chainMask = resp_event->chain_mask;
 	if ((2 != resp_event->cfgd_rx_streams) ||
 		(2 != resp_event->cfgd_tx_streams)) {
@@ -4058,6 +4058,7 @@ wma_handle_add_bss_req_timeout(tp_wma_handle wma, struct wma_target_req *req)
 		wma_trigger_recovery_assert_on_fw_timeout(WMA_ADD_BSS_REQ);
 
 	iface = &wma->interfaces[req->vdev_id];
+	params->bss_idx = req->vdev_id;
 	wlan_vdev_mlme_sm_deliver_evt(iface->vdev,
 				      WLAN_VDEV_SM_EV_DOWN,
 				      sizeof(*params), params);