qcacmn: Fix possible NULL pointer dereference access

In multiple functions of hif_sdio_recv.c and hif_scatter.c, there is
A_ASSERT to check NULL pointers which might null operation if it is
not debug build.

Fix it by adding proper error handle if pointer is NULL

Change-Id: Ib183366d4a1193a3cf22aae2f3431efa761d1d35
CRs-Fixed: 2058905

hif/src/sdio/hif_sdio_recv.c

@@ -488,8 +488,9 @@ static inline QDF_STATUS hif_dev_process_trailer(struct hif_sdio_device *pdev,
 					   pBundledLookAheadRpt->LookAhead3;
 					pBundledLookAheadRpt++;
 				}
-
-				*num_look_aheads = i;
+				if (num_look_aheads) {
+					*num_look_aheads = i;
+				}
 			}
 			break;
 		default:
@@ -733,6 +734,9 @@ static QDF_STATUS hif_dev_issue_recv_packet_bundle(struct hif_sdio_device *pdev,
 	     i++) {
 		packet = htc_packet_dequeue(recv_pkt_queue);
 		A_ASSERT(packet != NULL);
+		if (!packet) {
+			break;
+		}
 		padded_length =
 			DEV_CALC_RECV_PADDED_LEN(pdev, packet->ActualLength);
 
@@ -750,13 +754,16 @@ static QDF_STATUS hif_dev_issue_recv_packet_bundle(struct hif_sdio_device *pdev,
 		}
 		packet->PktInfo.AsRx.HTCRxFlags |= HTC_RX_PKT_PART_OF_BUNDLE;
 
-		HTC_PACKET_ENQUEUE(sync_completion_queue, packet);
-
+		if (sync_completion_queue) {
+			HTC_PACKET_ENQUEUE(sync_completion_queue, packet);
+		}
 		total_length += padded_length;
 	}
 #ifdef DEBUG_BUNDLE
 	qdf_print("Recv bundle count %d, length %d.\n",
-		  HTC_PACKET_QUEUE_DEPTH(sync_completion_queue), total_length);
+		sync_completion_queue ?
+		HTC_PACKET_QUEUE_DEPTH(sync_completion_queue) : 0,
+		total_length);
 #endif
 
 	status = hif_read_write(pdev->HIFDevice,
@@ -926,6 +933,10 @@ QDF_STATUS hif_dev_recv_message_pending_handler(struct hif_sdio_device *pdev,
 				/* dequeue one packet */
 				packet = htc_packet_dequeue(&recv_pkt_queue);
 				A_ASSERT(packet != NULL);
+				if (!packet) {
+					break;
+				}
+
 				packet->Completion = NULL;
 
 				if (HTC_PACKET_QUEUE_DEPTH(&recv_pkt_queue) >
@@ -971,6 +982,9 @@ QDF_STATUS hif_dev_recv_message_pending_handler(struct hif_sdio_device *pdev,
 
 			packet = htc_packet_dequeue(&sync_completed_pkts_queue);
 			A_ASSERT(packet != NULL);
+			if (!packet) {
+				break;
+			}
 
 			num_look_aheads = 0;
 			status =
@@ -1064,7 +1078,7 @@ static QDF_STATUS hif_dev_service_cpu_interrupt(struct hif_sdio_device *pdev)
 	 * of CPU INT register
 	 */
 	if (cpu_int_status & 0x1) {
-		if (pdev && pdev->hif_callbacks.fwEventHandler)
+		if (pdev->hif_callbacks.fwEventHandler)
 			/* It calls into HTC which propagates this
 			 * to ol_target_failure()
 			 */

hif/src/sdio/native_sdio/src/hif_scatter.c

@@ -122,6 +122,9 @@ QDF_STATUS do_hif_read_write_scatter(struct hif_sdio_dev *device,
 	req_priv = busrequest->scatter_req;
 
 	A_ASSERT(req_priv != NULL);
+	if (!req_priv) {
+		return QDF_STATUS_E_FAILURE;
+	}
 
 	req = req_priv->hif_scatter_req;
 
@@ -226,7 +229,9 @@ QDF_STATUS do_hif_read_write_scatter(struct hif_sdio_dev *device,
 				 (unsigned long)busrequest, status));
 		/* complete the request */
 		A_ASSERT(req->completion_routine != NULL);
-		req->completion_routine(req);
+		if (req->completion_routine) {
+			req->completion_routine(req);
+		}
 	} else {
 		AR_DEBUG_PRINTF(ATH_DEBUG_SCATTER,
 			("HIF-SCATTER async_task upping busreq : 0x%lX (%d)\n",
@@ -258,6 +263,9 @@ static QDF_STATUS hif_read_write_scatter(struct hif_sdio_dev *device,
 	do {
 
 		A_ASSERT(req_priv != NULL);
+		if (!req_priv) {
+			break;
+		}
 
 		AR_DEBUG_PRINTF(ATH_DEBUG_SCATTER,
 			("HIF-SCATTER: total len: %d Scatter Entries: %d\n",
@@ -455,6 +463,9 @@ void cleanup_hif_scatter_resources(struct hif_sdio_dev *device)
 
 		req_priv = (struct HIF_SCATTER_REQ_PRIV *)req->hif_private[0];
 		A_ASSERT(req_priv != NULL);
+		if (!req_priv) {
+			continue;
+		}
 
 		if (req_priv->busrequest != NULL) {
 			req_priv->busrequest->scatter_req = NULL;