Once 1 roaming happened, ipa_ctx->sta_connected increased 1, and its
type was uint8_t, once increased to 256, overflow happened.
ipa_ctx->sta_connected became 0. then wlan_ipa_cleanup_iface couldn’t be
called to free old iface, but wlan_ipa_setup_iface was called to add new
iface, then there were 2 sta ipa interfaces with same session id 2.
When sta disconnected, only 1 ipa interface was freed, the other ipa
interface with session id 2 was left, but vdev 2 was deleted.
If 1st client connected DUT SAP, sta vdev 2 was found by mistake,
WMI_IPA_OFFLOAD_ENABLE_DISABLE_CMDID was sent to F/W to enable IPA path
for vdev 2, but vdev 2 wasn't existed, assert happened.
To fix it, when LFR3 roaming happens, when wlan_ipa_cleanup_iface is
called to free old iface, ipa_ctx->sta_connected is decreased by 1
first, when wlan_ipa_setup_iface is called to add new iface,
ipa_ctx->sta_connected is increased by 1, then
ipa_ctx->sta_connected reflects real STA number on DUT.
Change-Id: I5c91b3402dcfe8b1828d8d1f0701f66ca3c15d50
CRs-Fixed: 2859438
cd6a5aa828