Mm-iot-sdk-2.10.4: mmwlan_scan_abort() returns success after scan timeout, but firmware rejects ABORT HW_SCAN and host scan FSM remains wedged

We are using mm-iot-sdk-2.10.4 on an STM32WB55-based IoT device with a Morse Micro HaLow radio.

We found a scan-abort failure path that appears to leave the host-side scan FSM wedged.

Sequence:

1. We start a scan while trying to find our AP.

2. The scan-complete callback is not called within 35 seconds.

3. Our application times out and calls mmwlan_scan_abort().

4. mmwlan_scan_abort() appears to return success to the application:

Scan timed out after 35000 ms; abort status 0

5. Shortly after that, morselib logs:

E    68209 ev morse_cmd_tx\[239\] Command 44:100 failed with rc -22 (0xffffffea)

E    68210 ev hw_scan_abort_scan\[426\] Failed to execute ABORT HW_SCAN command

The problem is that framework/morselib/src/umac/scan/hw_scan.c currently ignores the return value from hw_scan_abort_scan() in hw_scan_fsm_req_abort():

(void)hw_scan_abort_scan(umacd);

If the firmware rejects the abort command, the host FSM appears to wait for a scan-aborted / scan-terminated event that is never delivered. This leaves the scan interface / active_scan_req stale and causes later shutdown/retry/association paths to wedge.

We tested the following local change:

static void hw_scan_fsm_req_abort(struct hw_scan_fsm_instance \*inst,

                                  enum hw_scan_fsm_event event)

{

    struct umac_data \*umacd = (struct umac_data \*)inst->arg;

    struct umac_scan_data \*data = umac_data_get_scan(umacd);

    enum mmwlan_status status;



    data->hw_scan_data.abort_all = (event == HW_SCAN_FSM_EVENT_ABORT_ALL);



    status = hw_scan_abort_scan(umacd);

    if (status != MMWLAN_SUCCESS)

    {

        /\*

         \* The abort request was not accepted by the firmware. In the observed

         \* failure case no later scan-terminated indication is delivered, so the

         \* host FSM would otherwise remain in ABORT_PENDING with a stale

         \* active_scan_req. Force host-side termination so the scan interface is

         \* removed and shutdown/retry paths can continue.

         \*/

        hw_scan_fsm_handle_event(inst, HW_SCAN_FSM_EVENT_ABORT);

    }

}

This appears to recover the host-side state correctly.

This looks related to my older 2.7.2 thread about `mmwlan_scan_abort()` producing HW_SCAN errors, but this 2.10.4 case is different because the scan never completes, the abort command is rejected, and the host-side FSM appears to remain wedged.

Some version information:

Morselib: compiled from source. MM_VERSION_BUILDID "2.10.4"

BCF: "bcf_file": "$MMIOT_ROOT/morsefirmware/mm6108/bcfs/bcf_mf08651_us.mbin"

Radio chip: MM6108 

Transport: SPI

Hi @Straff

Thanks for raising the issue, and a solution. I’ll forward this on to the team responsible

@Straff Thanks for the details! We observed the same issue (under different conditions) and have fixed this in 2.11, which is now released on github! GitHub - MorseMicro/mm-iot-sdk at 2.11.2 · GitHub