Cherry-pick a bunch of patches from the upstream.debian/2.6-3

 - WPS: Force BSSID for WPS provisioning step connection
 - Check for NULL qsort() base pointers
 - Always propagate scan results to all interfaces
 - wpa_supplicant: Restore permanent MAC address on reassociation
 - nl80211: Update channel information after channel switch notification
 - Extend ieee80211_freq_to_channel_ext() to cover channels 52-64
 - Use estimated throughput to avoid signal based roaming decision
 - Use random MAC address for scanning only in non-connected state

10 files changed, 537 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 2b80092..9afa0b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+wpa (2.6-3) unstable; urgency=medium
+
+  * Cherry-pick the following patches from the upstream:
+    - WPS: Force BSSID for WPS provisioning step connection
+    - Check for NULL qsort() base pointers
+    - Always propagate scan results to all interfaces
+    - wpa_supplicant: Restore permanent MAC address on reassociation
+    - nl80211: Update channel information after channel switch notification
+    - Extend ieee80211_freq_to_channel_ext() to cover channels 52-64
+    - Use estimated throughput to avoid signal based roaming decision
+    - Use random MAC address for scanning only in non-connected state
+
+ -- Andrew Shadura <andrewsh@debian.org>  Thu, 26 Jan 2017 17:53:41 +0100
+
 wpa (2.6-2) unstable; urgency=medium
 
   * Upload to unstable.
diff --git a/debian/patches/0001-WPS-Force-BSSID-for-WPS-provisioning-step-connection.patch b/debian/patches/0001-WPS-Force-BSSID-for-WPS-provisioning-step-connection.patch
new file mode 100644
index 0000000..db3f2c4
--- /dev/null
+++ b/debian/patches/0001-WPS-Force-BSSID-for-WPS-provisioning-step-connection.patch
@@ -0,0 +1,51 @@
+From 4b5b8a53a145edd9e6486322689c93f5f426f3e9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@qca.qualcomm.com>
+Date: Tue, 11 Oct 2016 00:25:20 +0300
+Subject: [PATCH] WPS: Force BSSID for WPS provisioning step connection
+
+This was already done for most driver cases, but it is possible that the
+BSSID/frequency is not forced if the driver reports BSS selection
+capability (e.g., NL80211_ATTR_ROAM_SUPPORT). That could potentially
+result in the driver ignoring the BSSID/frequency hint and associating
+with another (incorrect) AP for the WPS provisioning step if that
+another AP in the same ESS is more preferred (e.g., better signal
+strength) by the driver and only one of the APs (the not preferred one)
+is in active WPS registrar state.
+
+While most drivers follow the BSSID hint for the initial connection to
+an ESS, not doing it here for the WPS provisioning would break the
+protocol. Fix this by enforcing a single BSSID/frequency to disallow the
+driver from selecting an incorrect AP for the WPS provisioning
+association.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ wpa_supplicant/wpa_supplicant.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index c939321..2479432 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -2461,12 +2461,14 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
+ 	if (bss) {
+ 		params.ssid = bss->ssid;
+ 		params.ssid_len = bss->ssid_len;
+-		if (!wpas_driver_bss_selection(wpa_s) || ssid->bssid_set) {
++		if (!wpas_driver_bss_selection(wpa_s) || ssid->bssid_set ||
++		    wpa_s->key_mgmt == WPA_KEY_MGMT_WPS) {
+ 			wpa_printf(MSG_DEBUG, "Limit connection to BSSID "
+ 				   MACSTR " freq=%u MHz based on scan results "
+-				   "(bssid_set=%d)",
++				   "(bssid_set=%d wps=%d)",
+ 				   MAC2STR(bss->bssid), bss->freq,
+-				   ssid->bssid_set);
++				   ssid->bssid_set,
++				   wpa_s->key_mgmt == WPA_KEY_MGMT_WPS);
+ 			params.bssid = bss->bssid;
+ 			params.freq.freq = bss->freq;
+ 		}
+-- 
+2.9.3
+
diff --git a/debian/patches/0002-Check-for-NULL-qsort-base-pointers.patch b/debian/patches/0002-Check-for-NULL-qsort-base-pointers.patch
new file mode 100644
index 0000000..bb0edea
--- /dev/null
+++ b/debian/patches/0002-Check-for-NULL-qsort-base-pointers.patch
@@ -0,0 +1,52 @@
+From 33111c910bf8c138f3be1cef99b318e26fb28a04 Mon Sep 17 00:00:00 2001
+From: Joel Cunningham <joel.cunningham@me.com>
+Date: Sat, 8 Oct 2016 12:04:15 -0500
+Subject: [PATCH] Check for NULL qsort() base pointers
+
+There are a couple of places in wpa_supplicant/hostapd where qsort() can
+be called with a NULL base pointer. This results in undefined behavior
+according to the C standard and with some standard C libraries (ARM RVCT
+2.2) results in a data abort/memory exception. Fix this by skipping such
+calls since there is nothing needing to be sorted.
+
+Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ hostapd/config_file.c | 3 ++-
+ wpa_supplicant/scan.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hostapd/config_file.c b/hostapd/config_file.c
+index 9c744de..8e7bcc7 100644
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -208,7 +208,8 @@ static int hostapd_config_read_maclist(const char *fname,
+ 
+ 	fclose(f);
+ 
+-	qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);
++	if (*acl)
++		qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);
+ 
+ 	return 0;
+ }
+diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
+index fb8ebdf..bfde0af 100644
+--- a/wpa_supplicant/scan.c
++++ b/wpa_supplicant/scan.c
+@@ -2177,8 +2177,10 @@ wpa_supplicant_get_scan_results(struct wpa_supplicant *wpa_s,
+ 	}
+ #endif /* CONFIG_WPS */
+ 
+-	qsort(scan_res->res, scan_res->num, sizeof(struct wpa_scan_res *),
+-	      compar);
++	if (scan_res->res) {
++		qsort(scan_res->res, scan_res->num,
++		      sizeof(struct wpa_scan_res *), compar);
++	}
+ 	dump_scan_res(scan_res);
+ 
+ 	wpa_bss_update_start(wpa_s);
+-- 
+2.9.3
+
diff --git a/debian/patches/0003-Always-propagate-scan-results-to-all-interfaces.patch b/debian/patches/0003-Always-propagate-scan-results-to-all-interfaces.patch
new file mode 100644
index 0000000..8ca88cb
--- /dev/null
+++ b/debian/patches/0003-Always-propagate-scan-results-to-all-interfaces.patch
@@ -0,0 +1,111 @@
+From e3e2fe3a42a510d20ebbef8abc5dcd8da5e93959 Mon Sep 17 00:00:00 2001
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Mon, 10 Oct 2016 18:22:09 +0300
+Subject: [PATCH] Always propagate scan results to all interfaces
+
+Scan results were not propagated to all interfaces if scan results
+started a new operation, in order to prevent concurrent operations. But
+this can cause other interfaces to trigger a new scan when scan results
+are already available. Instead, always notify other interfaces of the
+scan results, but note that new operations are not allowed.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ wpa_supplicant/events.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index abe3b47..e15109c 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -1474,11 +1474,18 @@ static int wpa_supplicant_need_to_roam(struct wpa_supplicant *wpa_s,
+ }
+ 
+ 
+-/* Return != 0 if no scan results could be fetched or if scan results should not
+- * be shared with other virtual interfaces. */
++/*
++ * Return a negative value if no scan results could be fetched or if scan
++ * results should not be shared with other virtual interfaces.
++ * Return 0 if scan results were fetched and may be shared with other
++ * interfaces.
++ * Return 1 if scan results may be shared with other virtual interfaces but may
++ * not trigger any operations.
++ * Return 2 if the interface was removed and cannot be used.
++ */
+ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 					      union wpa_event_data *data,
+-					      int own_request)
++					      int own_request, int update_only)
+ {
+ 	struct wpa_scan_results *scan_res = NULL;
+ 	int ret = 0;
+@@ -1528,6 +1535,11 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 	}
+ #endif /* CONFIG_NO_RANDOM_POOL */
+ 
++	if (update_only) {
++		ret = 1;
++		goto scan_work_done;
++	}
++
+ 	if (own_request && wpa_s->scan_res_handler &&
+ 	    !(data && data->scan_info.external_scan)) {
+ 		void (*scan_res_handler)(struct wpa_supplicant *wpa_s,
+@@ -1536,7 +1548,7 @@ static int _wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 		scan_res_handler = wpa_s->scan_res_handler;
+ 		wpa_s->scan_res_handler = NULL;
+ 		scan_res_handler(wpa_s, scan_res);
+-		ret = -2;
++		ret = 1;
+ 		goto scan_work_done;
+ 	}
+ 
+@@ -1672,8 +1684,9 @@ static int wpas_select_network_from_last_scan(struct wpa_supplicant *wpa_s,
+ 		if (new_scan)
+ 			wpa_supplicant_rsn_preauth_scan_results(wpa_s);
+ 		/*
+-		 * Do not notify other virtual radios of scan results since we do not
+-		 * want them to start other associations at the same time.
++		 * Do not allow other virtual radios to trigger operations based
++		 * on these scan results since we do not want them to start
++		 * other associations at the same time.
+ 		 */
+ 		return 1;
+ 	} else {
+@@ -1757,7 +1770,7 @@ static int wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 	struct wpa_supplicant *ifs;
+ 	int res;
+ 
+-	res = _wpa_supplicant_event_scan_results(wpa_s, data, 1);
++	res = _wpa_supplicant_event_scan_results(wpa_s, data, 1, 0);
+ 	if (res == 2) {
+ 		/*
+ 		 * Interface may have been removed, so must not dereference
+@@ -1765,7 +1778,8 @@ static int wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 		 */
+ 		return 1;
+ 	}
+-	if (res != 0) {
++
++	if (res < 0) {
+ 		/*
+ 		 * If no scan results could be fetched, then no need to
+ 		 * notify those interfaces that did not actually request
+@@ -1785,7 +1799,10 @@ static int wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
+ 		if (ifs != wpa_s) {
+ 			wpa_printf(MSG_DEBUG, "%s: Updating scan results from "
+ 				   "sibling", ifs->ifname);
+-			_wpa_supplicant_event_scan_results(ifs, data, 0);
++			res = _wpa_supplicant_event_scan_results(ifs, data, 0,
++								 res > 0);
++			if (res < 0)
++				return 0;
+ 		}
+ 	}
+ 
+-- 
+2.9.3
+
diff --git a/debian/patches/0004-wpa_supplicant-Restore-permanent-MAC-address-on-reas.patch b/debian/patches/0004-wpa_supplicant-Restore-permanent-MAC-address-on-reas.patch
new file mode 100644
index 0000000..c270545
--- /dev/null
+++ b/debian/patches/0004-wpa_supplicant-Restore-permanent-MAC-address-on-reas.patch
@@ -0,0 +1,39 @@
+From 5d30f927ea5a67bb6605af6c65eb52f900c0da4b Mon Sep 17 00:00:00 2001
+From: Benjamin Richter <br@waldteufel.eu>
+Date: Tue, 11 Oct 2016 05:57:38 +0200
+Subject: [PATCH] wpa_supplicant: Restore permanent MAC address on
+ reassociation
+
+With mac_addr=0 and preassoc_mac_addr=1, the permanent MAC address
+should be restored for association. Previously this did not happen when
+reassociating to the same ESS.
+
+Signed-off-by: Benjamin Richter <br@waldteufel.eu>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ wpa_supplicant/wpa_supplicant.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+index 2479432..d9e2851 100644
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1691,11 +1691,13 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s,
+ 			wmm_ac_save_tspecs(wpa_s);
+ 			wpa_s->reassoc_same_bss = 1;
+ 		}
+-	} else if (rand_style > 0) {
++	}
++
++	if (rand_style > 0 && !wpa_s->reassoc_same_ess) {
+ 		if (wpas_update_random_addr(wpa_s, rand_style) < 0)
+ 			return;
+ 		wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid);
+-	} else if (wpa_s->mac_addr_changed) {
++	} else if (rand_style == 0 && wpa_s->mac_addr_changed) {
+ 		if (wpa_drv_set_mac_addr(wpa_s, NULL) < 0) {
+ 			wpa_msg(wpa_s, MSG_INFO,
+ 				"Could not restore permanent MAC address");
+-- 
+2.9.3
+
diff --git a/debian/patches/0005-nl80211-Update-channel-information-after-channel-swi.patch b/debian/patches/0005-nl80211-Update-channel-information-after-channel-swi.patch
new file mode 100644
index 0000000..0403776
--- /dev/null
+++ b/debian/patches/0005-nl80211-Update-channel-information-after-channel-swi.patch
@@ -0,0 +1,35 @@
+From c2ad5b9218f33d6f4b97d779c4928d71d82ad02c Mon Sep 17 00:00:00 2001
+From: Peng Xu <pxu@qca.qualcomm.com>
+Date: Mon, 24 Oct 2016 16:54:36 -0700
+Subject: [PATCH] nl80211: Update channel information after channel switch
+ notification
+
+When channel switch happens, driver wrapper's internal channel
+information needs to be updated so that the new frequency will be used
+in operations using drv->assoc_freq. Previously, only bss->freq was
+updated and the new frequency was also indicated in the EVENT_CH_SWITCH
+event. This could potentially leave out couple of cases that use
+drv->assoc_freq at least as a fallback mechanism for getting the current
+operating frequency.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ src/drivers/driver_nl80211_event.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c
+index dc7d5f1..c77e21e 100644
+--- a/src/drivers/driver_nl80211_event.c
++++ b/src/drivers/driver_nl80211_event.c
+@@ -518,6 +518,7 @@ static void mlme_event_ch_switch(struct wpa_driver_nl80211_data *drv,
+ 		data.ch_switch.cf2 = nla_get_u32(cf2);
+ 
+ 	bss->freq = data.ch_switch.freq;
++	drv->assoc_freq = data.ch_switch.freq;
+ 
+ 	wpa_supplicant_event(bss->ctx, EVENT_CH_SWITCH, &data);
+ }
+-- 
+2.9.3
+
diff --git a/debian/patches/0006-Extend-ieee80211_freq_to_channel_ext-to-cover-channe.patch b/debian/patches/0006-Extend-ieee80211_freq_to_channel_ext-to-cover-channe.patch
new file mode 100644
index 0000000..018fc7f
--- /dev/null
+++ b/debian/patches/0006-Extend-ieee80211_freq_to_channel_ext-to-cover-channe.patch
@@ -0,0 +1,47 @@
+From e4b48b7b0f0a9370032945a5a0423f0da2ef6616 Mon Sep 17 00:00:00 2001
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Thu, 27 Oct 2016 15:18:29 +0300
+Subject: [PATCH] Extend ieee80211_freq_to_channel_ext() to cover channels
+ 52-64
+
+Add frequency to channel conversion for the 5 GHz channels 52-64.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ src/common/ieee802_11_common.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
+index 603b961..26e08b7 100644
+--- a/src/common/ieee802_11_common.c
++++ b/src/common/ieee802_11_common.c
+@@ -794,6 +794,25 @@ enum hostapd_hw_mode ieee80211_freq_to_channel_ext(unsigned int freq,
+ 		return HOSTAPD_MODE_IEEE80211A;
+ 	}
+ 
++	/* 5 GHz, channels 52..64 */
++	if (freq >= 5260 && freq <= 5320) {
++		if ((freq - 5000) % 5)
++			return NUM_HOSTAPD_MODES;
++
++		if (vht_opclass)
++			*op_class = vht_opclass;
++		else if (sec_channel == 1)
++			*op_class = 119;
++		else if (sec_channel == -1)
++			*op_class = 120;
++		else
++			*op_class = 118;
++
++		*channel = (freq - 5000) / 5;
++
++		return HOSTAPD_MODE_IEEE80211A;
++	}
++
+ 	/* 5 GHz, channels 149..169 */
+ 	if (freq >= 5745 && freq <= 5845) {
+ 		if ((freq - 5000) % 5)
+-- 
+2.9.3
+
diff --git a/debian/patches/0007-Use-estimated-throughput-to-avoid-signal-based-roami.patch b/debian/patches/0007-Use-estimated-throughput-to-avoid-signal-based-roami.patch
new file mode 100644
index 0000000..bd0cc58
--- /dev/null
+++ b/debian/patches/0007-Use-estimated-throughput-to-avoid-signal-based-roami.patch
@@ -0,0 +1,124 @@
+From 8d1e693186336f85bf5d86bd094b5c9bd6f8fd02 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 13 Nov 2016 17:46:00 +0200
+Subject: [PATCH] Use estimated throughput to avoid signal based roaming
+ decision
+
+Previously, the estimated throughput was used to enable roaming to a
+better AP. However, this information was not used when considering a
+roam to an AP that has better signal strength, but smaller estimated
+throughput. This could result in allowing roaming from 5 GHz band to 2.4
+GHz band in cases where 2.4 GHz band has significantly higher signal
+strength, but still a lower throughput estimate.
+
+Make this less likely to happen by increasing/reducing the minimum
+required signal strength difference based on the estimated throughputs
+of the current and selected AP. In addition, add more details about the
+selection process to the debug log to make it easier to determine whaty
+happened and why.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ wpa_supplicant/events.c | 52 +++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 17f057a..210b45c 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -1396,8 +1396,9 @@ static int wpa_supplicant_need_to_roam(struct wpa_supplicant *wpa_s,
+ {
+ 	struct wpa_bss *current_bss = NULL;
+ #ifndef CONFIG_NO_ROAMING
+-	int min_diff;
++	int min_diff, diff;
+ 	int to_5ghz;
++	int cur_est, sel_est;
+ #endif /* CONFIG_NO_ROAMING */
+ 
+ 	if (wpa_s->reassociate)
+@@ -1431,12 +1432,13 @@ static int wpa_supplicant_need_to_roam(struct wpa_supplicant *wpa_s,
+ #ifndef CONFIG_NO_ROAMING
+ 	wpa_dbg(wpa_s, MSG_DEBUG, "Considering within-ESS reassociation");
+ 	wpa_dbg(wpa_s, MSG_DEBUG, "Current BSS: " MACSTR
+-		" level=%d snr=%d est_throughput=%u",
+-		MAC2STR(current_bss->bssid), current_bss->level,
++		" freq=%d level=%d snr=%d est_throughput=%u",
++		MAC2STR(current_bss->bssid),
++		current_bss->freq, current_bss->level,
+ 		current_bss->snr, current_bss->est_throughput);
+ 	wpa_dbg(wpa_s, MSG_DEBUG, "Selected BSS: " MACSTR
+-		" level=%d snr=%d est_throughput=%u",
+-		MAC2STR(selected->bssid), selected->level,
++		" freq=%d level=%d snr=%d est_throughput=%u",
++		MAC2STR(selected->bssid), selected->freq, selected->level,
+ 		selected->snr, selected->est_throughput);
+ 
+ 	if (wpa_s->current_ssid->bssid_set &&
+@@ -1462,6 +1464,14 @@ static int wpa_supplicant_need_to_roam(struct wpa_supplicant *wpa_s,
+ 		return 0;
+ 	}
+ 
++	if (current_bss->est_throughput > selected->est_throughput + 5000) {
++		wpa_dbg(wpa_s, MSG_DEBUG,
++			"Skip roam - Current BSS has better estimated throughput");
++		return 1;
++	}
++
++	cur_est = current_bss->est_throughput;
++	sel_est = selected->est_throughput;
+ 	min_diff = 2;
+ 	if (current_bss->level < 0) {
+ 		if (current_bss->level < -85)
+@@ -1474,20 +1484,42 @@ static int wpa_supplicant_need_to_roam(struct wpa_supplicant *wpa_s,
+ 			min_diff = 4;
+ 		else
+ 			min_diff = 5;
++		if (cur_est > sel_est * 1.5)
++			min_diff += 10;
++		else if (cur_est > sel_est * 1.2)
++			min_diff += 5;
++		else if (cur_est > sel_est * 1.1)
++			min_diff += 2;
++		else if (cur_est > sel_est)
++			min_diff++;
+ 	}
+ 	if (to_5ghz) {
++		int reduce = 2;
++
+ 		/* Make it easier to move to 5 GHz band */
+-		if (min_diff > 2)
+-			min_diff -= 2;
++		if (sel_est > cur_est * 1.5)
++			reduce = 5;
++		else if (sel_est > cur_est * 1.2)
++			reduce = 4;
++		else if (sel_est > cur_est * 1.1)
++			reduce = 3;
++
++		if (min_diff > reduce)
++			min_diff -= reduce;
+ 		else
+ 			min_diff = 0;
+ 	}
+-	if (abs(current_bss->level - selected->level) < min_diff) {
+-		wpa_dbg(wpa_s, MSG_DEBUG, "Skip roam - too small difference "
+-			"in signal level");
++	diff = abs(current_bss->level - selected->level);
++	if (diff < min_diff) {
++		wpa_dbg(wpa_s, MSG_DEBUG,
++			"Skip roam - too small difference in signal level (%d < %d)",
++			diff, min_diff);
+ 		return 0;
+ 	}
+ 
++	wpa_dbg(wpa_s, MSG_DEBUG,
++		"Allow reassociation due to difference in signal level (%d >= %d)",
++		diff, min_diff);
+ 	return 1;
+ #else /* CONFIG_NO_ROAMING */
+ 	return 0;
+-- 
+2.9.3
+
diff --git a/debian/patches/0008-Use-random-MAC-address-for-scanning-only-in-non-conn.patch b/debian/patches/0008-Use-random-MAC-address-for-scanning-only-in-non-conn.patch
new file mode 100644
index 0000000..f3cf296
--- /dev/null
+++ b/debian/patches/0008-Use-random-MAC-address-for-scanning-only-in-non-conn.patch
@@ -0,0 +1,56 @@
+From 346b333d9a57155e5a32a31d951ada38b3c899fc Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Date: Mon, 21 Nov 2016 17:40:36 +0530
+Subject: [PATCH] Use random MAC address for scanning only in non-connected
+ state
+
+cfg80211 rejects the scans issued with random MAC address if the STA is
+in connected state. This resulted in failures when using MAC_RAND_SCAN
+while connected (CTRL-EVENT-SCAN-FAILED ret=-95). Enable random MAC
+address functionality only if the STA is not in connected state to avoid
+this. The real MAC address of the STA is already revealed in the
+association, so this is an acceptable fallback mechanism for now.
+
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Andrew Shadura <andrew.shadura@collabora.co.uk>
+---
+ wpa_supplicant/scan.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
+index 172772d..5698443 100644
+--- a/wpa_supplicant/scan.c
++++ b/wpa_supplicant/scan.c
+@@ -1047,7 +1047,8 @@ ssid_list_set:
+ 	}
+ #endif /* CONFIG_P2P */
+ 
+-	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) {
++	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCAN) &&
++	    wpa_s->wpa_state <= WPA_SCANNING) {
+ 		params.mac_addr_rand = 1;
+ 		if (wpa_s->mac_addr_scan) {
+ 			params.mac_addr = wpa_s->mac_addr_scan;
+@@ -1469,7 +1470,8 @@ scan:
+ 
+ 	wpa_setband_scan_freqs(wpa_s, scan_params);
+ 
+-	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCHED_SCAN) {
++	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_SCHED_SCAN) &&
++	    wpa_s->wpa_state <= WPA_SCANNING) {
+ 		params.mac_addr_rand = 1;
+ 		if (wpa_s->mac_addr_sched_scan) {
+ 			params.mac_addr = wpa_s->mac_addr_sched_scan;
+@@ -2524,7 +2526,8 @@ int wpas_start_pno(struct wpa_supplicant *wpa_s)
+ 		params.freqs = wpa_s->manual_sched_scan_freqs;
+ 	}
+ 
+-	if (wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_PNO) {
++	if ((wpa_s->mac_addr_rand_enable & MAC_ADDR_RAND_PNO) &&
++	    wpa_s->wpa_state <= WPA_SCANNING) {
+ 		params.mac_addr_rand = 1;
+ 		if (wpa_s->mac_addr_pno) {
+ 			params.mac_addr = wpa_s->mac_addr_pno;
+-- 
+2.9.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 06c8941..de139dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,11 @@
 12_wpa_gui_knotify_support.patch
 networkd-driver-fallback.patch
 wpa_supplicant_fix-dependency-odering-when-invoked-with-dbus.patch
+0001-WPS-Force-BSSID-for-WPS-provisioning-step-connection.patch
+0002-Check-for-NULL-qsort-base-pointers.patch
+0003-Always-propagate-scan-results-to-all-interfaces.patch
+0004-wpa_supplicant-Restore-permanent-MAC-address-on-reas.patch
+0005-nl80211-Update-channel-information-after-channel-swi.patch
+0006-Extend-ieee80211_freq_to_channel_ext-to-cover-channe.patch
+0007-Use-estimated-throughput-to-avoid-signal-based-roami.patch
+0008-Use-random-MAC-address-for-scanning-only-in-non-conn.patch