AP MLD: Fix ACS and HT scan related issues

1. hostapd crash due to NULL pointer access:

When the AP is configured with auto channel selection in the 2.4 GHz
band and a static channel in the 5 GHz band with a bandwidth greater
than 20 MHz, hostapd crashes due to a NULL pointer access in the
hostapd_event_get_survey() function. The ACS is activated for the 2.4
GHz band, initiating a scan with a 20-second timeout. The 2.4 GHz band
updates the scan context accordingly. When the 5 GHz band is
initialized, a 5 GHz HT40 scan is attempted due to the bandwidth
exceeding 20 MHz. However, the driver returns a "Resource busy" message
because of the ongoing ACS scan. A 5 GHz HT40 scan starts an eloop timer
for a retry. The 5 GHz HT40 scan retry timer is triggered, and in the
meantime, ACS scan results for the 2.4 GHz band are received. The 5 GHz
HT40 scan is then prioritized, and the driver initiates a scan,
overriding the scan context of the 5 GHz band.

When the ACS event survey is processed, it uses the updated scan
context. During the survey event processing, the scan callback for the
partner link (2.4 GHz ACS) is handled, which leads to a crash.

Crash backtrace:
   0x00000055851dce94 in dl_list_add
	(list=0x0, item=0x7f87e82378)
   0x00000055851dcef4 in dl_list_add_tail
	(list=0x7f8802baa8, item=0x7f87e82378)
   0x00000055851e2ac8 in hostapd_event_get_survey
	(iface=0x7f8805c020, survey_results=0x7ff1940ef8)
   0x00000055851e4de4 in hostapd_wpa_event
	(ctx=0x7f88060b50, event=EVENT_SURVEY, data=0x7ff1940ef8)
   0x00000055852bd918 in wpa_driver_nl80211_get_survey
	(priv=0x7f880c7390, freq=0, acs_exclude_6ghz_non_psc=false)
   0x0000005585378e84 in hostapd_set_oper_centr_freq_seg0_idx
	(conf=0x7f886e7070, oper_centr_freq_seg0_idx=0 '\000')
   0x000000558537bf8c in acs_study
	(iface=0x7f886f0030)
   0x00000055851e48a0 in hostapd_wpa_event
	(ctx=0x7f88060b50, event=EVENT_SCAN_RESULTS, data=0x7ff19411e8)
   0x00000055852d3364 in send_scan_event
	(bss=0x7f880c7390, aborted=0, tb=0x7ff1941878, external_scan=0)
   0x00000055852d8570 in do_process_drv_event
	(bss=0x7f880c7390, cmd=34, tb=0x7ff1941878)
   0x00000055852d8fec in process_global_event
	(msg=0x7f87fbddb0, arg=0x7f88119540)

2. Intermittent 5 GHz link bringup failure:

In a 16 AP MLD and one monitor VAP configuration, there is an
intermittent 5 GHz low or 5 GHz high link bringup failure observed on a
5 GHz low - 5 GHz high supported RDP due to CAC start failure.

When a scan trigger is done by hostapd for link 0 (low radio),
bss->scan_link is of link 0. Since the scan of link 0 is completed in
kernel/MAC80211, -EBUSY is not returned by hostapd_driver_scan()
function. A scan trigger is done by hostapd for link 2 (high radio).
Now, bss->scan_link is of link 2. Meanwhile, scan results are received
in the hostapd from the kernel for low radio frequencies. Since
bss->scan_link is of link 2, mld_link ctx is stored for link 2 instead
of link 0. This leads to interface bringup of the high radio
frequencies, and CAC start is done, leading to a scan in progress error
from the kernel.

Fix both the issues by starting the driver scan within
hostapd_driver_scan() function only if the scan is completed in the
partner links. If the scan is still in progress, return -EBUSY. The
callers of hostapd_driver_scan, which are ieee80211n_check_40mhz()
function and ap_ht40_scan_retry() function in this case, will call
ap_ht40_scan_retry() function after a timeout.

Signed-off-by: Karthik M <quic_karm@quicinc.com>

diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c
index d342132dbcc91fed18dd571a24bfdbf7d41b879b..2133426368db78c85c8dba7a2d2f558198dba37b 100644 (file)
--- a/src/ap/ap_drv_ops.c
+++ b/src/ap/ap_drv_ops.c
@@ -21,6 +21,7 @@
 #include "p2p_hostapd.h"
 #include "hs20.h"
 #include "wpa_auth.h"
+#include "hw_features.h"
 #include "ap_drv_ops.h"
 
 
@@ -788,6 +789,31 @@ int hostapd_driver_scan(struct hostapd_data *hapd,
 #ifdef CONFIG_IEEE80211BE
        if (hapd->conf->mld_ap)
                params->link_id = hapd->mld_link_id;
+
+       if (!hapd->iface->scan_cb && hapd->conf->mld_ap &&
+           hapd->iface->interfaces) {
+               /* Other links may be waiting for scan results */
+               unsigned int i;
+
+               for (i = 0; i < hapd->iface->interfaces->count; i++) {
+                       struct hostapd_iface *h_iface =
+                               hapd->iface->interfaces->iface[i];
+                       struct hostapd_data *h_hapd;
+
+                       if (!h_iface || h_iface == hapd->iface ||
+                           h_iface->num_bss == 0)
+                               continue;
+
+                       h_hapd = h_iface->bss[0];
+
+                       if (hostapd_is_ml_partner(hapd, h_hapd) &&
+                           h_hapd->iface->state == HAPD_IFACE_ACS) {
+                               wpa_printf(MSG_INFO,
+                                          "ACS in progress in a partner link - try to scan later");
+                               return -EBUSY;
+                       }
+               }
+       }
 #endif /* CONFIG_IEEE80211BE */
 
        if (hapd->driver && hapd->driver->scan2)