
qcacld-3.0: Fix null pointer dereference of lim_join_req

In lim_populate_peer_rate_set(), bss description is obtained by
dereferencing the bss descriptor from session->lim_join_req.
But in LFR-3.0 roaming case, the lim_join_req will be NULL, since
roaming is south bound operation and there is no csr join request
message after roam. So this results in NULL pointer dereference
of bss_description in lim_populate_peer_rate_set() while
handling LFR-3.0 roam synch indication event.

Pass the correct bss descriptor from the caller to ensure that a valid
bss descriptor is passed to the lim_populate_peer_rate_set() api.

Change-Id: I3af915d5753c7aa054dc6d8766e51fd62c8314bb
CRs-Fixed: 2733807
Pragaspathi Thilagaraj пре 4 година
родитељ
комит
1e50d68658

+ 16 - 11
core/mac/src/pe/lim/lim_assoc_utils.c

@@ -1619,7 +1619,8 @@ QDF_STATUS lim_populate_peer_rate_set(struct mac_context *mac,
 				      struct pe_session *pe_session,
 				      tDot11fIEVHTCaps *pVHTCaps,
 				      tDot11fIEhe_cap *he_caps,
-				      struct sDphHashNode *sta_ds)
+				      struct sDphHashNode *sta_ds,
+				      struct bss_description *bss_desc)
 {
 	tSirMacRateSet tempRateSet;
 	tSirMacRateSet tempRateSet2;
@@ -1628,7 +1629,6 @@ QDF_STATUS lim_populate_peer_rate_set(struct mac_context *mac,
 	uint8_t aRateIndex = 0;
 	uint8_t bRateIndex = 0;
 	tDot11fIEhe_cap *peer_he_caps;
-	struct bss_description *bssDescription;
 	tSchBeaconStruct *pBeaconStruct = NULL;
 
 	/* copy operational rate set from pe_session */
@@ -1756,18 +1756,17 @@ QDF_STATUS lim_populate_peer_rate_set(struct mac_context *mac,
 	if (lim_check_valid_mcs_for_nss(pe_session, he_caps)) {
 		peer_he_caps = he_caps;
 	} else {
-		bssDescription = &pe_session->lim_join_req->bssDescription;
-		if (!bssDescription) {
+		if (!bss_desc) {
 			pe_err("bssDescription is NULL");
 			return QDF_STATUS_E_INVAL;
 		}
 		pBeaconStruct = qdf_mem_malloc(sizeof(tSchBeaconStruct));
 		if (!pBeaconStruct)
 			return QDF_STATUS_E_NOMEM;
-		lim_extract_ap_capabilities(mac,
-				(uint8_t *)bssDescription->ieFields,
-				lim_get_ielen_from_bss_description(
-					bssDescription),
+
+		lim_extract_ap_capabilities(
+				mac, (uint8_t *)bss_desc->ieFields,
+				lim_get_ielen_from_bss_description(bss_desc),
 				pBeaconStruct);
 		peer_he_caps = &pBeaconStruct->he_cap;
 	}
@@ -3816,10 +3815,15 @@ QDF_STATUS lim_sta_send_add_bss_pre_assoc(struct mac_context *mac,
 	tDot11fIEVHTOperation *vht_oper = NULL;
 	tDot11fIEVHTCaps *vht_caps = NULL;
 	uint32_t listen_interval = MLME_CFG_LISTEN_INTERVAL;
-	struct bss_description *bssDescription =
-		&pe_session->lim_join_req->bssDescription;
+	struct bss_description *bssDescription = NULL;
 	struct mlme_vht_capabilities_info *vht_cap_info;
 
+	if (!pe_session->lim_join_req) {
+		pe_err("Lim Join request is NULL");
+		return QDF_STATUS_E_FAILURE;
+	}
+
+	bssDescription = &pe_session->lim_join_req->bssDescription;
 	vht_cap_info = &mac->mlme_cfg->vht_caps.vht_cap_info;
 
 	pBeaconStruct = qdf_mem_malloc(sizeof(tSchBeaconStruct));
@@ -4038,7 +4042,8 @@ QDF_STATUS lim_sta_send_add_bss_pre_assoc(struct mac_context *mac,
 			pBeaconStruct->HTCaps.supportedMCSSet,
 			false, pe_session,
 			&pBeaconStruct->VHTCaps,
-			&pBeaconStruct->he_cap, NULL);
+			&pBeaconStruct->he_cap, NULL,
+			bssDescription);
 
 	pAddBssParams->staContext.encryptType = pe_session->encryptType;
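Review bot: The log line kept at `pe_err("bssDescription is NULL");` in the third hunk names a local that this commit deletes; since the check is now on the new `bss_desc` parameter, `pe_err("bss_desc is NULL");` keeps the message searchable against the code. Note also that `bss_desc` is validated only inside the else branch, so a caller that passes NULL (the roam path in lim_process_mlm_host_roam.c) gets QDF_STATUS_E_INVAL only when lim_check_valid_mcs_for_nss() fails; that removes the dereference this commit targets, but whether failing rate-set population is the intended outcome for a NULL descriptor during roam synch deserves a comment at the check, e.g. `/* NULL on LFR-3.0 roam: no join request exists, so fall back to caller-supplied HE caps only */`. The enclosing function lim_populate_peer_rate_set() starts and ends outside the hunk.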
 

+ 2 - 1
core/mac/src/pe/lim/lim_assoc_utils.h

@@ -57,7 +57,8 @@ QDF_STATUS lim_populate_peer_rate_set(struct mac_context *mac,
 				      struct pe_session *pe_session,
 				      tDot11fIEVHTCaps *pVHTCaps,
 				      tDot11fIEhe_cap *he_caps,
-				      struct sDphHashNode *sta_ds);
+				      struct sDphHashNode *sta_ds,
+				      struct bss_description *bss_desc);
 
 /**
  * lim_populate_own_rate_set() - comprises the basic and extended rates read
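Review bot: The new `bss_desc` parameter is undocumented; this header uses kernel-doc blocks (the `lim_populate_own_rate_set()` block follows immediately), so the block above `lim_populate_peer_rate_set()`, which is outside the hunk, presumably lists the other parameters and should gain `@bss_desc: BSS description used to extract the AP's HE capabilities when he_caps cannot be used; may be NULL, in which case QDF_STATUS_E_INVAL is returned on that path`. The NULL handling is visible in the lim_assoc_utils.c hunk of this commit, so the statement can be made without hedging.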

+ 2 - 1
core/mac/src/pe/lim/lim_ft.c

@@ -324,7 +324,8 @@ void lim_ft_prepare_add_bss_req(struct mac_context *mac,
 					   pBeaconStruct->HTCaps.supportedMCSSet,
 					   false, ft_session,
 					   &pBeaconStruct->VHTCaps,
-					   &pBeaconStruct->he_cap, NULL);
+					   &pBeaconStruct->he_cap, NULL,
+					   bssDescription);
 	}
 
 	pAddBssParams->maxTxPower = ft_session->maxTxPower;

+ 6 - 1
core/mac/src/pe/lim/lim_process_assoc_rsp_frame.c

@@ -135,6 +135,7 @@ void lim_update_assoc_sta_datas(struct mac_context *mac_ctx,
 	bool qos_mode;
 	tDot11fIEVHTCaps *vht_caps = NULL;
 	tDot11fIEhe_cap *he_cap = NULL;
+	struct bss_description *bss_desc = NULL;
 
 	lim_get_phy_mode(mac_ctx, &phy_mode, session_entry);
 	sta_ds->staType = STA_ENTRY_SELF;
@@ -191,10 +192,14 @@ void lim_update_assoc_sta_datas(struct mac_context *mac_ctx,
 	if (lim_is_sta_he_capable(sta_ds))
 		he_cap = &assoc_rsp->he_cap;
 
+	if (session_entry->lim_join_req)
+		bss_desc = &session_entry->lim_join_req->bssDescription;
+
 	if (lim_populate_peer_rate_set(mac_ctx, &sta_ds->supportedRates,
 				assoc_rsp->HTCaps.supportedMCSSet,
 				false, session_entry,
-				vht_caps, he_cap, sta_ds) !=
+				vht_caps, he_cap, sta_ds,
+				bss_desc) !=
 				QDF_STATUS_SUCCESS) {
 		pe_err("could not get rateset and extended rate set");
 		return;
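Review bot: The guarded lookup `if (session_entry->lim_join_req) bss_desc = &session_entry->lim_join_req->bssDescription;` is repeated verbatim in lim_process_mlm_host_roam.c in this same commit, while lim_sta_send_add_bss_pre_assoc() in lim_assoc_utils.c instead fails hard on a NULL join request. A small static inline helper in lim_assoc_utils.h that returns the join request's BSS description or NULL would keep the two soft call sites from drifting, and a one-line comment at each site stating why a NULL join request is tolerated here (no CSR join request after an LFR-3.0 roam, per the commit message) would explain the asymmetry with the hard-failing caller. The enclosing function lim_update_assoc_sta_datas() starts and ends outside the hunk.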

+ 6 - 1
core/mac/src/pe/lim/lim_process_mlm_host_roam.c

@@ -380,6 +380,7 @@ void lim_process_sta_mlm_add_bss_rsp_ft(struct mac_context *mac,
 	tpDphHashNode sta = NULL;
 	tpAddStaParams pAddStaParams = NULL;
 	uint32_t listenInterval = MLME_CFG_LISTEN_INTERVAL;
+	struct bss_description *bss_desc = NULL;
 
 	/* Sanity Checks */
 
@@ -470,8 +471,12 @@ void lim_process_sta_mlm_add_bss_rsp_ft(struct mac_context *mac,
 
 	pAddStaParams->updateSta = false;
 
+	if (pe_session->lim_join_req)
+		bss_desc = &pe_session->lim_join_req->bssDescription;
+
 	lim_populate_peer_rate_set(mac, &pAddStaParams->supportedRates, NULL,
-				   false, pe_session, NULL, NULL, NULL);
+				   false, pe_session, NULL, NULL, NULL,
+				   bss_desc);
 
 	if (pe_session->htCapability) {
 		pAddStaParams->htCapable = pe_session->htCapability;
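Review bot: The return value of lim_populate_peer_rate_set() at the call just below the new guard is still ignored, and with `bss_desc` now possibly NULL on this roam path the function can return QDF_STATUS_E_INVAL (as well as the pre-existing E_NOMEM), leaving `pAddStaParams->supportedRates` partially filled while the add-STA request proceeds. If that is acceptable during roam, a comment saying so would help a later reader; otherwise check the status the way lim_update_assoc_sta_datas() does in this commit, e.g. `if (lim_populate_peer_rate_set(...) != QDF_STATUS_SUCCESS) pe_err("could not get rateset and extended rate set");`. The enclosing function lim_process_sta_mlm_add_bss_rsp_ft() starts and ends outside the hunk.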