--- /dev/null
+From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 14 Oct 2018 19:57:22 +0300
+Subject: Reduce undesired logging of ACL rejection events from AP mode
+
+When Probe Request frame handling was extended to use MAC ACL through
+ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
+<addr> not allowed to authenticate") from that function ended up getting
+printed even for Probe Request frames. That was not by design and it can
+result in excessive logging and MSG_INFO level if MAC ACL is used.
+
+Fix this by printing this log entry only for authentication and
+association frames. In addition, drop the priority of that log entry to
+MSG_DEBUG since this is not really an unexpected behavior in most MAC
+ACL use cases.
+
+Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/ieee802_11.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
+ is_probe_req);
+
+ if (res == HOSTAPD_ACL_REJECT) {
+- wpa_printf(MSG_INFO,
+- "Station " MACSTR " not allowed to authenticate",
+- MAC2STR(addr));
++ if (!is_probe_req)
++ wpa_printf(MSG_DEBUG,
++ "Station " MACSTR
++ " not allowed to authenticate",
++ MAC2STR(addr));
+ return HOSTAPD_ACL_REJECT;
+ }
+
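Review bot: After this change a MAC ACL rejection of an authentication or association frame is logged only at MSG_DEBUG, so at default verbosity nothing records that a non-allowed station tried to join. Deployments that watch the log for such attempts lose that signal unless debug logging is enabled, which is worth stating in the ACL documentation or release notes. The new `if (!is_probe_req)` guards a multi-line wpa_printf() without braces directly above the unconditional `return HOSTAPD_ACL_REJECT;`, so I would wrap the call in `{ }` and add a comment such as `/* Probe Requests are frequent; log ACL rejections only for auth/assoc frames */`. The message text still says "not allowed to authenticate" although the commit message says the same path handles association frames. The body of ieee802_11_allowed_address() starts outside the hunk.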
--- /dev/null
+From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 14 Oct 2018 20:03:55 +0300
+Subject: Drop logging priority for handle_auth_cb no-STA-match messages
+
+This message was printed and MSG_INFO level which would be more
+reasonable for error cases where hostapd has accepted authentication.
+However, this is not really an error case for the cases where
+authentication was rejected (e.g., due to MAC ACL). Drop this to use
+MSG_DEBUG level.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/ieee802_11.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
+
+ sta = ap_get_sta(hapd, mgmt->da);
+ if (!sta) {
+- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
++ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
++ " not found",
+ MAC2STR(mgmt->da));
+ return;
+ }
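Review bot: The `if (!sta)` branch now logs every no-STA-match at MSG_DEBUG, although the commit message itself says MSG_INFO would be reasonable when hostapd had accepted the authentication. The hunk shows no check that separates the accepted case from the rejected one, so an accepted station whose entry vanished before the TX status callback is hidden at default verbosity too. Keeping the higher level for that case would need the status code of the transmitted frame, which is presumably read later in handle_auth_cb() after length validation, outside the hunk. At minimum the branch deserves a comment such as `/* Expected when authentication was rejected (e.g., MAC ACL) and no STA entry exists */`.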
__func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
-@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap
+@@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
static void handle_auth(struct hostapd_data *hapd,
u16 fc;
const u8 *challenge = NULL;
u32 session_timeout, acct_interim_interval;
-@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d
+@@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL;
char *radius_cui = NULL;
u16 seq_ctrl;
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
-@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d
+@@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail;
}
if (res == HOSTAPD_ACL_PENDING)
return;
-@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
+@@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
struct sta_info *sta;
u8 *tmp = NULL;
struct hostapd_sta_wpa_psk_short *psk = NULL;
-@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_
+@@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
#ifdef CONFIG_FILS
int delay_assoc = 0;
#endif /* CONFIG_FILS */
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
-@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_
+@@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
}
#endif /* CONFIG_MBO */
/*
* sta->capability is used in check_assoc_ies() for RRM enabled
* capability element.
-@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta
+@@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
MAC2STR(mgmt->sa),
le_to_host16(mgmt->u.disassoc.reason_code));
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
-@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd
+@@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
" reason_code=%d",
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
-@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
return 1;
}
-@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");