From: Karthik M
Date: Tue, 18 Mar 2025 11:20:33 +0000 (+0530)
Subject: AP MLD: Fix ACS and HT scan related issues
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76f8cfd6a20661196c64096dcca23756231c3075;p=thirdparty%2Fhostap.git

AP MLD: Fix ACS and HT scan related issues

1. hostapd crash due to NULL pointer access:

When the AP is configured with auto channel selection in the 2.4 GHz band and a static channel in the 5 GHz band with a bandwidth greater than 20 MHz, hostapd crashes due to a NULL pointer access in the hostapd_event_get_survey() function.

The ACS is activated for the 2.4 GHz band, initiating a scan with a 20-second timeout. The 2.4 GHz band updates the scan context accordingly. When the 5 GHz band is initialized, a 5 GHz HT40 scan is attempted due to the bandwidth exceeding 20 MHz. However, the driver returns a "Resource busy" message because of the ongoing ACS scan. A 5 GHz HT40 scan starts an eloop timer for a retry.

The 5 GHz HT40 scan retry timer is triggered, and in the meantime, ACS scan results for the 2.4 GHz band are received. The 5 GHz HT40 scan is then prioritized, and the driver initiates a scan, overriding the scan context of the 5 GHz band. When the ACS event survey is processed, it uses the updated scan context. During the survey event processing, the scan callback for the partner link (2.4 GHz ACS) is handled, which leads to a crash.
Crash backtrace:

0x00000055851dce94 in dl_list_add (list=0x0, item=0x7f87e82378)
0x00000055851dcef4 in dl_list_add_tail (list=0x7f8802baa8, item=0x7f87e82378)
0x00000055851e2ac8 in hostapd_event_get_survey (iface=0x7f8805c020, survey_results=0x7ff1940ef8)
0x00000055851e4de4 in hostapd_wpa_event (ctx=0x7f88060b50, event=EVENT_SURVEY, data=0x7ff1940ef8)
0x00000055852bd918 in wpa_driver_nl80211_get_survey (priv=0x7f880c7390, freq=0, acs_exclude_6ghz_non_psc=false)
0x0000005585378e84 in hostapd_set_oper_centr_freq_seg0_idx (conf=0x7f886e7070, oper_centr_freq_seg0_idx=0 '\000')
0x000000558537bf8c in acs_study (iface=0x7f886f0030)
0x00000055851e48a0 in hostapd_wpa_event (ctx=0x7f88060b50, event=EVENT_SCAN_RESULTS, data=0x7ff19411e8)
0x00000055852d3364 in send_scan_event (bss=0x7f880c7390, aborted=0, tb=0x7ff1941878, external_scan=0)
0x00000055852d8570 in do_process_drv_event (bss=0x7f880c7390, cmd=34, tb=0x7ff1941878)
0x00000055852d8fec in process_global_event (msg=0x7f87fbddb0, arg=0x7f88119540)

2. Intermittent 5 GHz link bringup failure:

In a 16 AP MLD and one monitor VAP configuration, there is an intermittent 5 GHz low or 5 GHz high link bringup failure observed on a 5 GHz low - 5 GHz high supported RDP due to CAC start failure.

When a scan trigger is done by hostapd for link 0 (low radio), bss->scan_link is of link 0. Since the scan of link 0 is completed in kernel/MAC80211, -EBUSY is not returned by the hostapd_driver_scan() function. A scan trigger is done by hostapd for link 2 (high radio). Now, bss->scan_link is of link 2. Meanwhile, scan results are received in hostapd from the kernel for low radio frequencies. Since bss->scan_link is of link 2, the mld_link ctx is stored for link 2 instead of link 0. This leads to interface bringup of the high radio frequencies, and CAC start is done, leading to a scan in progress error from the kernel.
Fix both issues by starting the driver scan within the hostapd_driver_scan() function only if the scan is completed in the partner links. If the scan is still in progress, return -EBUSY. The callers of hostapd_driver_scan(), which in this case are the ieee80211n_check_40mhz() and ap_ht40_scan_retry() functions, will call ap_ht40_scan_retry() after a timeout.

Signed-off-by: Karthik M

---

diff --git a/src/ap/ap_drv_ops.c b/src/ap/ap_drv_ops.c index d342132db..213342636 100644 --- a/src/ap/ap_drv_ops.c +++ b/src/ap/ap_drv_ops.c @@ -21,6 +21,7 @@ #include "p2p_hostapd.h" #include "hs20.h" #include "wpa_auth.h" +#include "hw_features.h" #include "ap_drv_ops.h" @@ -788,6 +789,31 @@ int hostapd_driver_scan(struct hostapd_data *hapd, #ifdef CONFIG_IEEE80211BE if (hapd->conf->mld_ap) params->link_id = hapd->mld_link_id; + + if (!hapd->iface->scan_cb && hapd->conf->mld_ap && + hapd->iface->interfaces) { + /* Other links may be waiting for scan results */ + unsigned int i; + + for (i = 0; i < hapd->iface->interfaces->count; i++) { + struct hostapd_iface *h_iface = + hapd->iface->interfaces->iface[i]; + struct hostapd_data *h_hapd; + + if (!h_iface || h_iface == hapd->iface || + h_iface->num_bss == 0) + continue; + + h_hapd = h_iface->bss[0]; + + if (hostapd_is_ml_partner(hapd, h_hapd) && + h_hapd->iface->state == HAPD_IFACE_ACS) { + wpa_printf(MSG_INFO, + "ACS in progress in a partner link - try to scan later"); + return -EBUSY; + } + } + } #endif /* CONFIG_IEEE80211BE */ if (hapd->driver && hapd->driver->scan2)
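Review bot: the new '+#include "hw_features.h"' in the first hunk (@@ -21,6 +21,7 @@) is not used by anything this patch adds: the new code in hostapd_driver_scan() only calls hostapd_is_ml_partner(), compares h_hapd->iface->state against HAPD_IFACE_ACS and calls wpa_printf(), none of which come from hw_features.h. Drop the include unless some other change in ap_drv_ops.c that is not in this diff needs it; an unused header just widens the dependency surface of a file that goes into every hostapd build.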
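Review bot: in the second hunk (@@ -788,6 +789,31 @@) the partner test only matches 'h_hapd->iface->state == HAPD_IFACE_ACS', but the commit message says issue 2 is an HT40 scan on link 0 that is still outstanding when link 2 scans, and that hostapd_driver_scan() should return -EBUSY whenever a partner's scan is still in progress. The HT40 pre-scan path in ieee80211n_check_40mhz() keeps the interface in HAPD_IFACE_HT_SCAN, not HAPD_IFACE_ACS, for the duration of that scan, so a partner in that state passes this gate and the second scenario does not appear to be covered by these lines. Either extend the condition to '(h_hapd->iface->state == HAPD_IFACE_ACS || h_hapd->iface->state == HAPD_IFACE_HT_SCAN)' or test whether the partner iface still has scan_cb registered, and reword the MSG_INFO string, since "ACS in progress in a partner link" would be misleading for the HT40 case. Two smaller points: the '!hapd->iface->scan_cb' precondition is not explained by the comment above it, so say why a caller that already has a scan callback registered is allowed to skip the partner check; and the loop inspects only bss[0] of each interface, which is enough for the partner test but deserves a one-line comment.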
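The partner-link gate the patch adds, as an added example that is not hostapd code: a self-contained C model of the new check in hostapd_driver_scan(), run against the two scenarios the commit message describes plus a control case. struct mld_link, the STATE_* values, is_ml_partner() and the scenario_* functions are assumptions standing in for hostapd's struct hostapd_iface, the HAPD_IFACE_* states and hostapd_is_ml_partner(); they are not the project's API. scan_gate_acs_only() mirrors the condition in the hunk (a partner in ACS is busy); scan_gate_any_scan() also treats a partner that is still in its HT40 scan as busy, which is what the commit message's description of the fix asks for in issue 2.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for hostapd's per-radio interface state and the
 * AP MLD link relationship (assumptions for this example only). */
enum link_state { STATE_DISABLED, STATE_ACS, STATE_HT_SCAN, STATE_ENABLED };

struct mld_link {
	const char *name;
	int mld_id;            /* links of one AP MLD share an id; -1 = not MLD */
	enum link_state state; /* plays the role of hostapd_iface::state */
};

typedef int (*scan_gate_fn)(const struct mld_link *self,
			    const struct mld_link *links, size_t n);

/* Stand-in for hostapd_is_ml_partner(): same MLD, different link. */
static int is_ml_partner(const struct mld_link *a, const struct mld_link *b)
{
	return a != b && a->mld_id >= 0 && a->mld_id == b->mld_id;
}

/* Gate with the patch's condition: -EBUSY only while a partner is in ACS. */
int scan_gate_acs_only(const struct mld_link *self,
		       const struct mld_link *links, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (is_ml_partner(self, &links[i]) && links[i].state == STATE_ACS)
			return -EBUSY;
	}
	return 0;
}

/* Gate with the behaviour the commit message describes: any partner whose
 * scan has not finished yet (ACS or HT40 scan) makes this link busy. */
int scan_gate_any_scan(const struct mld_link *self,
		       const struct mld_link *links, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (!is_ml_partner(self, &links[i]))
			continue;
		if (links[i].state == STATE_ACS || links[i].state == STATE_HT_SCAN)
			return -EBUSY;
	}
	return 0;
}

/* Scenario 1 (constructed): the 2.4 GHz link is in ACS when the 5 GHz link
 * asks for its HT40 scan; a monitor VAP outside the MLD is also present. */
int scenario_acs_partner(scan_gate_fn gate)
{
	const struct mld_link links[] = {
		{ "2g",  0,  STATE_ACS },
		{ "5g",  0,  STATE_DISABLED },
		{ "mon", -1, STATE_ENABLED },
	};

	return gate(&links[1], links, sizeof(links) / sizeof(links[0]));
}

/* Scenario 2 (constructed): the 5 GHz low link is still in its HT40 scan
 * when the 5 GHz high link requests a scan of its own. */
int scenario_ht_scan_partner(scan_gate_fn gate)
{
	const struct mld_link links[] = {
		{ "5g-low",  0, STATE_HT_SCAN },
		{ "5g-high", 0, STATE_DISABLED },
	};

	return gate(&links[1], links, sizeof(links) / sizeof(links[0]));
}

/* Control (constructed): a link of a different AP MLD is in ACS; it is not
 * a partner and must not block us. */
int scenario_other_mld(scan_gate_fn gate)
{
	const struct mld_link links[] = {
		{ "mld1-2g", 1, STATE_ACS },
		{ "mld0-5g", 0, STATE_DISABLED },
	};

	return gate(&links[1], links, sizeof(links) / sizeof(links[0]));
}

int main(void)
{
	printf("ACS partner:      acs_only=%d any_scan=%d\n",
	       scenario_acs_partner(scan_gate_acs_only),
	       scenario_acs_partner(scan_gate_any_scan));
	printf("HT40 partner:     acs_only=%d any_scan=%d\n",
	       scenario_ht_scan_partner(scan_gate_acs_only),
	       scenario_ht_scan_partner(scan_gate_any_scan));
	printf("other MLD in ACS: acs_only=%d any_scan=%d\n",
	       scenario_other_mld(scan_gate_acs_only),
	       scenario_other_mld(scan_gate_any_scan));
	return 0;
}
```

Build with cc -Wall and run it. The HT40 partner scenario is the one where the two gates differ: the ACS-only gate returns 0 and lets the 5 GHz high link scan while 5 GHz low is still scanning, which is exactly the ordering the second report describes, while the wider gate returns -EBUSY so the caller falls back to its ap_ht40_scan_retry() timer. The control case shows that neither gate blocks on a scanning link that belongs to another AP MLD.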