qcacld-3.0: Wait for ACS complete before undo acs

Currently the driver does undo acs which clears away
the acs cfg ch list, master ch list, and sap_ctx->ch_list
before the ACS is complete (race condition), which can
lead to pointer access after free.

Fix is to wait for ACS complete event, and then clear away
the above mentioned ch lists.

Change-Id: I55de1e94d1fc3ebb99891465131de11ea3204778
CRs-Fixed: 2519650

core/hdd/src/wlan_hdd_cfg80211.c

@@ -2981,7 +2981,6 @@ out:
 			return cfg80211_vendor_cmd_reply(temp_skbuff);
 	}
 	qdf_atomic_set(&adapter->session.ap.acs_in_progress, 0);
-	wlan_hdd_undo_acs(adapter);
 	clear_bit(ACS_IN_PROGRESS, &hdd_ctx->g_event_flags);
 
 	return ret;

core/hdd/src/wlan_hdd_hostapd.c

@@ -3385,7 +3385,6 @@ QDF_STATUS hdd_init_ap_mode(struct hdd_adapter *adapter, bool reinit)
 
 	if (!reinit) {
 		adapter->session.ap.sap_config.acs_cfg.acs_mode = false;
-		wlan_hdd_undo_acs(adapter);
 		qdf_mem_zero(&adapter->session.ap.sap_config.acs_cfg,
 			     sizeof(struct sap_acs_cfg));
 	}
@@ -3420,7 +3419,6 @@ void hdd_deinit_ap_mode(struct hdd_context *hdd_ctx,
 		clear_bit(WMM_INIT_DONE, &adapter->event_flags);
 	}
 	qdf_atomic_set(&adapter->session.ap.acs_in_progress, 0);
-	wlan_hdd_undo_acs(adapter);
 	hdd_softap_deinit_tx_rx(adapter);
 	/*
 	 * if we are being called during driver unload,
@@ -5658,7 +5656,6 @@ error:
 	}
 	clear_bit(SOFTAP_INIT_DONE, &adapter->event_flags);
 	qdf_atomic_set(&adapter->session.ap.acs_in_progress, 0);
-	wlan_hdd_undo_acs(adapter);
 	wlansap_reset_sap_config_add_ie(config, eUPDATE_IE_ALL);
 
 free:
@@ -5775,7 +5772,6 @@ static int __wlan_hdd_cfg80211_stop_ap(struct wiphy *wiphy,
 	cds_flush_work(&adapter->sap_stop_bss_work);
 	adapter->session.ap.sap_config.acs_cfg.acs_mode = false;
 	qdf_atomic_set(&adapter->session.ap.acs_in_progress, 0);
-	wlan_hdd_undo_acs(adapter);
 	qdf_mem_zero(&adapter->session.ap.sap_config.acs_cfg,
 						sizeof(struct sap_acs_cfg));
 	hdd_debug("Disabling queues");

core/hdd/src/wlan_hdd_main.c

@@ -6163,7 +6163,6 @@ static void hdd_reset_scan_operation(struct hdd_context *hdd_ctx,
 		break;
 	case QDF_SAP_MODE:
 		qdf_atomic_set(&adapter->session.ap.acs_in_progress, 0);
-		wlan_hdd_undo_acs(adapter);
 		break;
 	default:
 		break;

core/sap/src/sap_api_link_cntl.c

@@ -1267,6 +1267,7 @@ void sap_scan_event_callback(struct wlan_objmgr_vdev *vdev,
 	eCsrScanStatus scan_status = eCSR_SCAN_FAILURE;
 	mac_handle_t mac_handle;
 	QDF_STATUS status;
+	struct qdf_op_sync *op_sync;
 
 	/*
 	 * It may happen that the SAP was deleted before the scan
@@ -1301,7 +1302,11 @@ void sap_scan_event_callback(struct wlan_objmgr_vdev *vdev,
 	if (success)
 		scan_status = eCSR_SCAN_SUCCESS;
 
+	if (qdf_op_protect(&op_sync))
+		return;
+
 	wlansap_pre_start_bss_acs_scan_callback(mac_handle,
 						arg, session_id,
 						scan_id, scan_status);
+	qdf_op_unprotect(op_sync);
 }