qcacmn: Avoid null pointer dereference and un-initialized data access

Fix possible null pointer dereference and un-initialized vairable access in scan component. Change-Id: Ide1adf2f53712fa987fdda8170eee4e95bff0036 CRs-Fixed: 2169517
2018-01-18 10:53:45 -08:00
--- a/umac/scan/core/src/wlan_scan_bss_score.c
+++ b/umac/scan/core/src/wlan_scan_bss_score.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -381,7 +381,7 @@ static int32_t scm_calculate_bandwidth_score(
 	int32_t bw_weight_per_idx;
 	uint8_t cbmode = 0;
 	uint8_t ch_width_index;
-	bool is_vht;
+	bool is_vht = false;

 	bw_weight_per_idx = score_config->bandwidth_weight_per_index;

--- a/umac/scan/core/src/wlan_scan_cache_db.c
+++ b/umac/scan/core/src/wlan_scan_cache_db.c
@@ -287,6 +287,10 @@ void scm_age_out_entries(struct wlan_objmgr_psoc *psoc,
 	struct scan_default_params *def_param;

 	def_param = wlan_scan_psoc_get_def_params(psoc);
+	if (!def_param) {
+		scm_err("wlan_scan_psoc_get_def_params failed");
+		return;
+	}

 	for (i = 0 ; i < SCAN_HASH_SIZE; i++) {
 		cur_node = scm_get_next_node(scan_db,
@@ -334,10 +338,13 @@ static QDF_STATUS scm_flush_oldest_entry(struct scan_dbs *scan_db)
 				oldest_node = cur_node;
 		}
 	}
-	scm_debug("Flush oldest BSSID: %pM with age %d ms",
-			oldest_node->entry->bssid.bytes,
-			util_scan_entry_age(oldest_node->entry));
-	scm_scan_entry_put_ref(scan_db, oldest_node, false, true);
+
+	if (oldest_node) {
+		scm_debug("Flush oldest BSSID: %pM with age %d ms",
+				oldest_node->entry->bssid.bytes,
+				util_scan_entry_age(oldest_node->entry));
+		scm_scan_entry_put_ref(scan_db, oldest_node, false, true);
+	}
 	qdf_spin_unlock_bh(&scan_db->scan_db_lock);

 	return QDF_STATUS_SUCCESS;
@@ -726,6 +733,10 @@ static void scm_list_insert_sorted(struct wlan_objmgr_psoc *psoc,
 	int pcl_chan_weight = 0;

 	params = wlan_scan_psoc_get_def_params(psoc);
+	if (!params) {
+		scm_err("wlan_scan_psoc_get_def_params failed");
+		return;
+	}

 	if (filter->num_of_pcl_channels > 0 &&
 			(scan_node->entry->rssi_raw > SCM_PCL_RSSI_THRESHOLD)) {
--- a/umac/scan/core/src/wlan_scan_filter.c
+++ b/umac/scan/core/src/wlan_scan_filter.c
@@ -255,7 +255,7 @@ static bool scm_is_wep_security(struct scan_filter *filter,
 	}


-	if (match && security) {
+	if (match) {
 		security->auth_type = neg_auth;
 		security->mc_enc = neg_mccipher;
 	}
@@ -526,7 +526,7 @@ static bool scm_is_rsn_security(struct scan_filter *filter,

 	match = scm_check_pmf_match(filter, &rsn);

-	if (match && security) {
+	if (match) {
 		security->auth_type = neg_auth;
 		security->mc_enc = neg_mccipher;
 	}
@@ -626,7 +626,7 @@ static bool scm_is_wpa_security(struct scan_filter *filter,
 		}
 	}

-	if (match && security) {
+	if (match) {
 		security->auth_type = neg_auth;
 		security->mc_enc = neg_mccipher;
 	}
@@ -698,7 +698,7 @@ static bool scm_is_wapi_security(struct scan_filter *filter,
 		}
 	}

-	if (match && security) {
+	if (match) {
 		security->auth_type = neg_auth;
 		security->mc_enc = neg_mccipher;
 	}
@@ -895,6 +895,9 @@ bool scm_filter_match(struct wlan_objmgr_psoc *psoc,
 	struct scan_default_params *def_param;

 	def_param = wlan_scan_psoc_get_def_params(psoc);
+	if (!def_param)
+		return false;
+
 	roam_params = &def_param->roam_params;

 	if (filter->p2p_results && !db_entry->is_p2p)
--- a/umac/scan/core/src/wlan_scan_manager.c
+++ b/umac/scan/core/src/wlan_scan_manager.c
@@ -300,12 +300,18 @@ scm_scan_serialize_callback(struct wlan_serialization_command *cmd,
 	struct scan_start_request *req;
 	QDF_STATUS status;

-	if (!cmd || !cmd->umac_cmd) {
-		scm_err("cmd: %pK, umac_cmd: %pK, reason: %d",
-			cmd, cmd->umac_cmd, reason);
+	if (!cmd) {
+		scm_err("cmd: %pK, reason: %d", cmd, reason);
 		QDF_ASSERT(0);
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
+	if (!cmd->umac_cmd) {
+		scm_err("umac_cmd: %pK, reason: %d", cmd->umac_cmd, reason);
+		QDF_ASSERT(0);
+		return QDF_STATUS_E_NULL_VALUE;
+	}
+
 	req = cmd->umac_cmd;
 	scm_debug("reason:%d, reqid:%d, scanid:%d, vdevid:%d, vdev:0x%pK",
 		reason, req->scan_req.scan_req_id, req->scan_req.scan_id,
@@ -369,10 +375,10 @@ scm_scan_start_req(struct scheduler_msg *msg)
 	QDF_STATUS status = QDF_STATUS_SUCCESS;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: 0x%pK, bodyptr: 0x%pK", msg, msg->bodyptr);
-		QDF_ASSERT(0);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	req = msg->bodyptr;
 	cmd.cmd_type = WLAN_SER_CMD_SCAN;
 	cmd.cmd_id = req->scan_req.scan_id;
@@ -472,10 +478,10 @@ scm_scan_cancel_req(struct scheduler_msg *msg)
 	QDF_STATUS status = QDF_STATUS_SUCCESS;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: 0x%pK, bodyptr: 0x%pK", msg, msg->bodyptr);
-		QDF_ASSERT(0);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	req = msg->bodyptr;
 	/*
 	 * If requester wants to wait for target scan cancel event
@@ -614,9 +620,10 @@ scm_scan_event_handler(struct scheduler_msg *msg)
 	struct scan_start_request *scan_start_req;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: %pK, bodyptr: %pK", msg, msg->bodyptr);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	event_info = msg->bodyptr;
 	vdev = event_info->vdev;
 	event = &(event_info->event);
@@ -704,9 +711,10 @@ QDF_STATUS scm_scan_event_flush_callback(struct scheduler_msg *msg)
 	struct scan_event_info *event_info;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: %pK, bodyptr: %pK", msg, msg->bodyptr);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	event_info = msg->bodyptr;
 	vdev = event_info->vdev;

@@ -743,9 +751,10 @@ QDF_STATUS scm_scan_start_flush_callback(struct scheduler_msg *msg)
 	struct scan_start_request *req;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: 0x%pK, bodyptr: 0x%pK", msg, msg->bodyptr);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	req = msg->bodyptr;
 	wlan_objmgr_vdev_release_ref(req->vdev, WLAN_SCAN_ID);
 	scm_scan_free_scan_request_mem(req);
@@ -758,7 +767,7 @@ QDF_STATUS scm_scan_cancel_flush_callback(struct scheduler_msg *msg)
 	struct scan_cancel_request *req;

 	if (!msg || !msg->bodyptr) {
-		scm_err("msg: 0x%pK, bodyptr: 0x%pK", msg, msg->bodyptr);
+		scm_err("msg or msg->bodyptr is NULL");
 		return QDF_STATUS_E_NULL_VALUE;
 	}

--- a/umac/scan/dispatcher/src/wlan_scan_tgt_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_tgt_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -283,7 +283,12 @@ tgt_scan_set_max_active_scans(struct wlan_objmgr_psoc *psoc,
 		scm_err("null psoc");
 		return QDF_STATUS_E_NULL_VALUE;
 	}
+
 	scan_params = wlan_scan_psoc_get_def_params(psoc);
+	if (!scan_params) {
+		scm_err("wlan_scan_psoc_get_def_params returned NULL");
+		return QDF_STATUS_E_NULL_VALUE;
+	}

 	scan_params->max_active_scans_allowed = max_active_scans;

--- a/umac/scan/dispatcher/src/wlan_scan_ucfg_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_ucfg_api.c
@@ -307,6 +307,11 @@ ucfg_scan_get_pno_def_params(struct wlan_objmgr_vdev *vdev,
 	}

 	scan_def = wlan_vdev_get_def_scan_params(vdev);
+	if (!scan_def) {
+		scm_err("wlan_vdev_get_def_scan_params returned NULL");
+		return QDF_STATUS_E_NULL_VALUE;
+	}
+
 	pno_def = &scan->pno_cfg;

 	req->active_dwell_time = scan_def->active_dwell;
@@ -477,7 +482,7 @@ ucfg_scan_start(struct scan_start_request *req)
 	struct wlan_objmgr_pdev *pdev;

 	if (!req || !req->vdev) {
-		scm_err("vdev: %pK, req: %pK", req->vdev, req);
+		scm_err("req or vdev within req is NULL");
 		if (req)
 			scm_scan_free_scan_request_mem(req);
 		return QDF_STATUS_E_NULL_VALUE;
@@ -622,7 +627,7 @@ ucfg_scan_cancel(struct scan_cancel_request *req)
 	QDF_STATUS status;

 	if (!req || !req->vdev) {
-		scm_err("vdev: %pK, req: %pK", req->vdev, req);
+		scm_err("req or vdev within req is NULL");
 		if (req)
 			qdf_mem_free(req);
 		return QDF_STATUS_E_NULL_VALUE;
@@ -669,7 +674,7 @@ ucfg_scan_cancel_sync(struct scan_cancel_request *req)
 	qdf_event_t cancel_scan_event;

 	if (!req || !req->vdev) {
-		scm_err("vdev: %pK, req: %pK", req->vdev, req);
+		scm_err("req or vdev within req is NULL");
 		if (req)
 			qdf_mem_free(req);
 		return QDF_STATUS_E_NULL_VALUE;
@@ -1100,6 +1105,10 @@ ucfg_scan_init_default_params(struct wlan_objmgr_vdev *vdev,
 		return QDF_STATUS_E_INVAL;
 	}
 	def = wlan_vdev_get_def_scan_params(vdev);
+	if (!def) {
+		scm_err("wlan_vdev_get_def_scan_params returned NULL");
+		return QDF_STATUS_E_NULL_VALUE;
+	}

 	/* Zero out everything and explicitly set fields as required */
 	qdf_mem_zero(req, sizeof(*req));
@@ -1640,6 +1649,10 @@ ucfg_scan_get_max_active_scans(struct wlan_objmgr_psoc *psoc)
 		return 0;
 	}
 	scan_params = wlan_scan_psoc_get_def_params(psoc);
+	if (!scan_params) {
+		scm_err("Failed to get scan object");
+		return 0;
+	}

 	return scan_params->max_active_scans_allowed;
 }