qcacld-3.0: Fixes in populate T2LM frame and clear negotiation

1. While populating t2lm ie use dynamic memory allocation
instead of static and free after usage.

2. If AP rejects T2LM action req frame, sends status code
anything other than 0(success) or 134(preferred mapping),
clear ongoing negotiation.

Change-Id: I50fbf34f3e95bbeaf13c2e1a74374b22837dffa8
CRs-Fixed: 3496677

components/umac/mlme/mlo_mgr/inc/wlan_t2lm_api.h

@@ -26,6 +26,14 @@
 #include "parser_api.h"
 #include "lim_send_messages.h"
 
+/* T2LM IE Length =
+ * Size of header (2 bytes) +
+ * Length (1 bytes) + t2lm mapping control (2 bytes) +
+ * mapping switch time (2 bytes) + expected duration (3 bytes) +
+ * link mapping of tids (16 bytes)
+ */
+#define T2LM_IE_ACTION_FRAME_MAX_LEN 26
+
 /**
  * struct t2lm_event_data - TID to Link mapping event data
  * @status: qdf status used to indicate if t2lm action frame status

components/umac/mlme/mlo_mgr/src/wlan_t2lm_api.c

@@ -276,7 +276,7 @@ QDF_STATUS t2lm_handle_rx_resp(struct wlan_objmgr_vdev *vdev,
 					break;
 				}
 			} else if (t2lm_rsp.dialog_token == t2lm_req->dialog_token &&
-				   t2lm_rsp.t2lm_resp_type == WLAN_T2LM_RESP_TYPE_DENIED_TID_TO_LINK_MAPPING) {
+				   t2lm_rsp.t2lm_resp_type != WLAN_T2LM_RESP_TYPE_PREFERRED_TID_TO_LINK_MAPPING) {
 				t2lm_debug("T2LM rsp status denied, clear ongoing tid mapping");
 				wlan_t2lm_clear_ongoing_negotiation(peer);
 			}

core/mac/src/pe/lim/lim_send_management_frames.c

@@ -61,6 +61,7 @@
 #include "wlan_connectivity_logging.h"
 #include "lim_mlo.h"
 #include "wlan_mlo_mgr_sta.h"
+#include "wlan_t2lm_api.h"
 
 /**
  *
@@ -6439,7 +6440,7 @@ lim_send_t2lm_action_req_frame(struct wlan_objmgr_vdev *vdev,
 	uint8_t vdev_id = 0;
 	uint8_t tx_flag = 0;
 	struct wlan_ie_tid_to_link_mapping *t2lm_ie;
-	struct wlan_ie_tid_to_link_mapping ie_buf = {0};
+	struct wlan_ie_tid_to_link_mapping *ie_buf;
 	uint8_t *t2lm_frame;
 
 	mac_ctx = cds_get_context(QDF_MODULE_ID_PE);
@@ -6456,24 +6457,34 @@ lim_send_t2lm_action_req_frame(struct wlan_objmgr_vdev *vdev,
 
 	qdf_mem_zero((uint8_t *)&frm, sizeof(frm));
 
+	ie_buf = qdf_mem_malloc(sizeof(uint8_t) * T2LM_IE_ACTION_FRAME_MAX_LEN);
+
+	if (!ie_buf) {
+		pe_err("Malloc failed");
+		return QDF_STATUS_E_NULL_VALUE;
+	}
+
 	t2lm_ie = (struct wlan_ie_tid_to_link_mapping *)&frm.t2lm_ie[0].data;
-	t2lm_frame = wlan_mlo_add_t2lm_ie((uint8_t *)&ie_buf,
+	t2lm_frame = wlan_mlo_add_t2lm_ie((uint8_t *)ie_buf,
 					  t2lm_neg,
 					  vdev);
 	if (!t2lm_frame) {
 		pe_debug("Failed to populate T2LM IE");
+		qdf_mem_free(ie_buf);
 		return QDF_STATUS_E_FAILURE;
 	}
 
-	frm.t2lm_ie[0].num_data = ie_buf.elem_len - 1;
+	frm.t2lm_ie[0].num_data = ie_buf->elem_len - 1;
 
-	pe_debug("Dump T2LM IE buff len %d", ie_buf.elem_len);
-	qdf_trace_hex_dump(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG, &ie_buf,
-			   ie_buf.elem_len +  sizeof(struct ie_header));
+	pe_debug("Dump T2LM IE buff len %d", ie_buf->elem_len);
+	qdf_trace_hex_dump(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG, ie_buf,
+			   ie_buf->elem_len +  sizeof(struct ie_header));
 
-	qdf_mem_copy(&frm.t2lm_ie[0].data, &ie_buf.data,
+	qdf_mem_copy(&frm.t2lm_ie[0].data, ie_buf->data,
 		     frm.t2lm_ie[0].num_data);
 
+	qdf_mem_free(ie_buf);
+
 	frm.Category.category = args->category;
 	frm.Action.action = args->action;
 	frm.DialogToken.token = args->arg1;