ath10k: drop beacon and probe response which leak from other channel

When scan request on channel 1, it also receive beacon from other
channels, and the beacon also indicate to mac80211 and wpa_supplicant,
and then the bss info appears in radio measurement report of radio
measurement sent from wpa_supplicant, thus lead RRM case fail.

This is to drop the beacon and probe response which is not the same
channel of scanning.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20211208061752.16564-1-quic_wgong@quicinc.com

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 7c1c265..4733fd7 100644 (file)
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -2611,9 +2611,30 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
                ath10k_mac_handle_beacon(ar, skb);
 
        if (ieee80211_is_beacon(hdr->frame_control) ||
-           ieee80211_is_probe_resp(hdr->frame_control))
+           ieee80211_is_probe_resp(hdr->frame_control)) {
+               struct ieee80211_mgmt *mgmt = (void *)skb->data;
+               u8 *ies;
+               int ies_ch;
+
                status->boottime_ns = ktime_get_boottime_ns();
 
+               if (!ar->scan_channel)
+                       goto drop;
+
+               ies = mgmt->u.beacon.variable;
+
+               ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
+                                                        skb_tail_pointer(skb) - ies,
+                                                        sband->band);
+
+               if (ies_ch > 0 && ies_ch != channel) {
+                       ath10k_dbg(ar, ATH10K_DBG_MGMT,
+                                  "channel mismatched ds channel %d scan channel %d\n",
+                                  ies_ch, channel);
+                       goto drop;
+               }
+       }
+
        ath10k_dbg(ar, ATH10K_DBG_MGMT,
                   "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
                   skb, skb->len,
@@ -2627,6 +2648,10 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
        ieee80211_rx_ni(ar->hw, skb);
 
        return 0;
+
+drop:
+       dev_kfree_skb(skb);
+       return 0;
 }
 
 static int freq_to_idx(struct ath10k *ar, int freq)