qcacld-3.0: Validate SAP context before access in callback

Ensure that the SAP context is validated before access in
its callback. The global SAP context is now an array of
contexts rather than a single global context to help
validate the session. Increasing the SAP open session
timeout helps to configure all the commands to the FW and
helps to further avoid any crashes.

Change-Id: I6f722dcc4ab671fef010c816a7c7d38fc1bdebe4
CRs-Fixed: 1031855

core/hdd/src/wlan_hdd_main.c

@@ -4180,6 +4180,8 @@ void hdd_wlan_exit(hdd_context_t *hdd_ctx)
 		/* Proceed and complete the clean up */
 	}
 
+	wlansap_global_deinit();
+
 free_hdd_ctx:
 
 	wlan_hdd_deinit_tx_rx_histogram(hdd_ctx);
@@ -6622,13 +6624,17 @@ int hdd_wlan_startup(struct device *dev, void *hif_sc)
 		status = wlan_hdd_disable_all_dual_mac_features(hdd_ctx);
 		if (status != QDF_STATUS_SUCCESS) {
 			hdd_err("Failed to disable dual mac features");
-			goto err_exit_nl_srv;
+			goto err_debugfs_exit;
 		}
 	}
 
 	ret = hdd_register_notifiers(hdd_ctx);
 	if (ret)
-		goto err_exit_nl_srv;
+		goto err_debugfs_exit;
+
+	status = wlansap_global_init();
+	if (QDF_IS_STATUS_ERROR(status))
+		goto err_debugfs_exit;
 
 	memdump_init();
 

core/hdd/src/wlan_hdd_power.c

@@ -1442,6 +1442,8 @@ QDF_STATUS hdd_wlan_shutdown(void)
 	   so setting it to NULL in hdd context */
 	pHddCtx->hHal = (tHalHandle) NULL;
 
+	wlansap_global_deinit();
+
 	hddLog(QDF_TRACE_LEVEL_FATAL, "%s: WLAN driver shutdown complete",
 	       __func__);
 	return QDF_STATUS_SUCCESS;
@@ -1664,6 +1666,7 @@ QDF_STATUS hdd_wlan_re_init(void *hif_sc)
 				  pHddCtx->target_hw_version,
 				  pHddCtx->target_hw_name);
 #endif
+	wlansap_global_init();
 
 	hddLog(LOGE,
 		"%s: WLAN host driver reinitiation completed!", __func__);

core/sap/inc/sap_api.h

@@ -804,8 +804,9 @@ QDF_STATUS wlansap_set_wps_ie(void *p_cds_gctx, tSap_WPSIE *pWPSIe);
 QDF_STATUS wlansap_update_wps_ie(void *p_cds_gctx);
 QDF_STATUS wlansap_stop_Wps(void *p_cds_gctx);
 QDF_STATUS wlansap_get_wps_state(void *p_cds_gctx, bool *pbWPSState);
-
 void *wlansap_open(void *p_cds_gctx);
+QDF_STATUS wlansap_global_init(void);
+QDF_STATUS wlansap_global_deinit(void);
 QDF_STATUS wlansap_start(void *p_cds_gctx, enum tQDF_ADAPTER_MODE mode,
 			 uint8_t *addr, uint32_t *session_id);
 QDF_STATUS wlansap_stop(void *p_cds_gctx);

core/sap/src/sap_api_link_cntl.c

@@ -824,6 +824,9 @@ wlansap_roam_callback(void *ctx, tCsrRoamInfo *csr_roam_info, uint32_t roamId,
 		return qdf_ret_status;
 	}
 
+	if (QDF_IS_STATUS_ERROR(wlansap_context_get(sap_ctx)))
+		return QDF_STATUS_E_FAILURE;
+
 	mac_ctx = PMAC_STRUCT(hal);
 	QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO_HIGH,
 		  FL("Before switch on roam_status = %d\n"), roam_status);
@@ -1214,5 +1217,6 @@ wlansap_roam_callback(void *ctx, tCsrRoamInfo *csr_roam_info, uint32_t roamId,
 			  roam_result);
 		break;
 	}
+	wlansap_context_put(sap_ctx);
 	return qdf_ret_status;
 }

core/sap/src/sap_fsm.c

@@ -2375,7 +2375,7 @@ QDF_STATUS sap_goto_channel_sel(ptSapContext sap_context,
  * Return: QDF_STATUS
  */
 
-#define SAP_OPEN_SESSION_TIMEOUT 500
+#define SAP_OPEN_SESSION_TIMEOUT 2000
 QDF_STATUS sap_open_session(tHalHandle hHal, ptSapContext sapContext,
 			    uint32_t *session_id)
 {

core/sap/src/sap_internal.h

@@ -269,8 +269,6 @@ typedef struct sSapContext {
 /*----------------------------------------------------------------------------
  *  External declarations for global context
  * -------------------------------------------------------------------------*/
-/*  The main per-Physical Link (per WLAN association) context. */
-extern ptSapContext gp_sap_ctx;
 
 /*----------------------------------------------------------------------------
  *  SAP state machine event definition
@@ -290,6 +288,8 @@ typedef struct sWLAN_SAPEvent {
 /*----------------------------------------------------------------------------
  * Function Declarations and Documentation
  * -------------------------------------------------------------------------*/
+QDF_STATUS wlansap_context_get(ptSapContext ctx);
+void wlansap_context_put(ptSapContext ctx);
 
 QDF_STATUS
 wlansap_scan_callback

core/sap/src/sap_module.c

@@ -44,6 +44,7 @@
  * -------------------------------------------------------------------------*/
 #include "qdf_trace.h"
 #include "qdf_util.h"
+#include "qdf_atomic.h"
 /* Pick up the sme callback registration API */
 #include "sme_api.h"
 
@@ -73,11 +74,13 @@
  * -------------------------------------------------------------------------*/
 /*  No!  Get this from CDS. */
 /*  The main per-Physical Link (per WLAN association) context. */
-ptSapContext gp_sap_ctx;
+static ptSapContext gp_sap_ctx[SAP_MAX_NUM_SESSION];
+static qdf_atomic_t sap_ctx_ref_count[SAP_MAX_NUM_SESSION];
 
 /*----------------------------------------------------------------------------
  * Static Variable Definitions
  * -------------------------------------------------------------------------*/
+static qdf_mutex_t sap_context_lock;
 
 /*----------------------------------------------------------------------------
  * Static Function Declarations and Definitions
@@ -91,6 +94,159 @@ ptSapContext gp_sap_ctx;
  * Function Declarations and Documentation
  * -------------------------------------------------------------------------*/
 
+/**
+ * wlansap_global_init() - Initialize SAP globals
+ *
+ * Initializes the SAP global data structures
+ *
+ * Return: QDF_STATUS
+ */
+QDF_STATUS wlansap_global_init(void)
+{
+	uint32_t i;
+
+	if (QDF_IS_STATUS_ERROR(qdf_mutex_create(&sap_context_lock))) {
+		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+			  "failed to init sap_context_lock");
+		return QDF_STATUS_E_FAULT;
+	}
+
+	for (i = 0; i < SAP_MAX_NUM_SESSION; i++) {
+		gp_sap_ctx[i] = NULL;
+		qdf_atomic_init(&sap_ctx_ref_count[i]);
+	}
+
+	QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO,
+			"%s: sap global context initialized", __func__);
+
+	return QDF_STATUS_SUCCESS;
+}
+
+/**
+ * wlansap_global_deinit() - De-initialize SAP globals
+ *
+ * De-initializes the SAP global data structures
+ *
+ * Return: QDF_STATUS
+ */
+QDF_STATUS wlansap_global_deinit(void)
+{
+	uint32_t i;
+
+	for (i = 0; i < SAP_MAX_NUM_SESSION; i++) {
+		if (gp_sap_ctx[i]) {
+			QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+				"we could be leaking context:%d", i);
+		}
+		gp_sap_ctx[i] = NULL;
+		qdf_atomic_init(&sap_ctx_ref_count[i]);
+	}
+
+	if (QDF_IS_STATUS_ERROR(qdf_mutex_destroy(&sap_context_lock))) {
+		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+				"failed to destroy sap_context_lock");
+		return QDF_STATUS_E_FAULT;
+	}
+
+	QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO,
+			"%s: sap global context deinitialized", __func__);
+
+	return QDF_STATUS_SUCCESS;
+}
+
+/**
+ * wlansap_save_context() - Save the context in global SAP context
+ * @ctx: SAP context to be stored
+ *
+ * Stores the given SAP context in the global SAP context array
+ *
+ * Return: QDF_STATUS
+ */
+static QDF_STATUS wlansap_save_context(ptSapContext ctx)
+{
+	uint32_t i;
+
+	qdf_mutex_acquire(&sap_context_lock);
+	for (i = 0; i < SAP_MAX_NUM_SESSION; i++) {
+		if (gp_sap_ctx[i] == NULL) {
+			gp_sap_ctx[i] = ctx;
+			qdf_atomic_inc(&sap_ctx_ref_count[i]);
+			qdf_mutex_release(&sap_context_lock);
+			QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_INFO,
+				"%s: sap context saved at index:%d",
+				__func__, i);
+			return QDF_STATUS_SUCCESS;
+		}
+	}
+	qdf_mutex_release(&sap_context_lock);
+
+	QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+		"%s: failed to save sap context", __func__);
+
+	return QDF_STATUS_E_FAILURE;
+}
+
+/**
+ * wlansap_context_get() - Verify SAP context and increment ref count
+ * @ctx: Context to be checked
+ *
+ * Verifies the SAP context and increments the reference count maintained for
+ * the corresponding SAP context.
+ *
+ * Return: QDF_STATUS
+ */
+QDF_STATUS wlansap_context_get(ptSapContext ctx)
+{
+	uint32_t i;
+
+	qdf_mutex_acquire(&sap_context_lock);
+	for (i = 0; i < SAP_MAX_NUM_SESSION; i++) {
+		if (ctx && (gp_sap_ctx[i] == ctx)) {
+			qdf_atomic_inc(&sap_ctx_ref_count[i]);
+			qdf_mutex_release(&sap_context_lock);
+			return QDF_STATUS_SUCCESS;
+		}
+	}
+	qdf_mutex_release(&sap_context_lock);
+
+	QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+			"%s: sap session is not valid", __func__);
+	return QDF_STATUS_E_FAILURE;
+}
+
+/**
+ * wlansap_context_put() - Check the reference count and free SAP context
+ * @ctx: SAP context to be checked and freed
+ *
+ * Checks the reference count and frees the SAP context
+ *
+ * Return: None
+ */
+void wlansap_context_put(ptSapContext ctx)
+{
+	uint32_t i;
+
+	if (!ctx)
+		return;
+
+	qdf_mutex_acquire(&sap_context_lock);
+	for (i = 0; i < SAP_MAX_NUM_SESSION; i++) {
+		if (gp_sap_ctx[i] == ctx) {
+			if (qdf_atomic_dec_and_test(&sap_ctx_ref_count[i])) {
+				qdf_mem_free(ctx);
+				gp_sap_ctx[i] = NULL;
+				QDF_TRACE(QDF_MODULE_ID_SAP,
+					QDF_TRACE_LEVEL_INFO,
+					"%s: sap session freed: %d",
+					__func__, i);
+			}
+			qdf_mutex_release(&sap_context_lock);
+			return;
+		}
+	}
+	qdf_mutex_release(&sap_context_lock);
+}
+
 /**
  * wlansap_open() - WLAN SAP open function call
  * @p_cds_gctx: Pointer to the global cds context; a handle to SAP's
@@ -104,6 +260,7 @@ ptSapContext gp_sap_ctx;
 void *wlansap_open(void *p_cds_gctx)
 {
 	ptSapContext pSapCtx = NULL;
+	QDF_STATUS status;
 
 	/* dynamically allocate the sapContext */
 	pSapCtx = (ptSapContext) qdf_mem_malloc(sizeof(tSapContext));
@@ -122,8 +279,14 @@ void *wlansap_open(void *p_cds_gctx)
 	/* Setup the "link back" to the CDS context */
 	pSapCtx->p_cds_gctx = p_cds_gctx;
 
-	/* Store a pointer to the SAP context provided by CDS */
-	gp_sap_ctx = pSapCtx;
+	/* Save the SAP context pointer */
+	status = wlansap_save_context(pSapCtx);
+	if (QDF_IS_STATUS_ERROR(status)) {
+		QDF_TRACE(QDF_MODULE_ID_SAP, QDF_TRACE_LEVEL_ERROR,
+			"%s: failed to save SAP context", __func__);
+		qdf_mem_free(pSapCtx);
+		return NULL;
+	}
 
 	return pSapCtx;
 } /* wlansap_open */
@@ -296,7 +459,7 @@ QDF_STATUS wlansap_close(void *pCtx)
 	/* empty queues/lists/pkts if any */
 	wlansap_clean_cb(pSapCtx, true);
 
-	qdf_mem_free(pSapCtx);
+	wlansap_context_put(pSapCtx);
 
 	return QDF_STATUS_SUCCESS;
 } /* wlansap_close */