
qcacld-3.0: Validate pointers in wma layer

Currently, several functions assign a value to a pointer and then
use it without checking whether the pointer holds a valid address
or is NULL.

Add NULL checks before pointer dereferences.

Change-Id: I43a04fc59e56261d37e657b815b214a59cdcf838
CRs-Fixed: 1095650
Nishank Aggarwal 8 лет назад
Сommit
a13b61d17c

+ 18 - 2
core/wma/src/wma_data.c

@@ -1539,6 +1539,7 @@ QDF_STATUS wma_tx_attach(tp_wma_handle wma_handle)
 QDF_STATUS wma_tx_detach(tp_wma_handle wma_handle)
 {
 	uint32_t frame_index = 0;
+	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
 
 	/* Get the Vos Context */
 	p_cds_contextType cds_handle =
@@ -1547,12 +1548,17 @@ QDF_STATUS wma_tx_detach(tp_wma_handle wma_handle)
 	/* Get the txRx Pdev handle */
 	void *txrx_pdev = cds_handle->pdev_txrx_ctx;
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	if (txrx_pdev) {
 		/* Deregister with TxRx for Tx Mgmt completion call back */
 		for (frame_index = 0; frame_index < FRAME_INDEX_MAX;
 							frame_index++) {
-			cdp_mgmt_tx_cb_set(cds_get_context(QDF_MODULE_ID_SOC),
-				txrx_pdev, frame_index, NULL, NULL, txrx_pdev);
+			cdp_mgmt_tx_cb_set(soc, txrx_pdev, frame_index, NULL,
+						NULL, txrx_pdev);
 		}
 	}
 
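Review bot: The `!soc` early return added in wma_tx_detach abandons the whole detach, although in the visible lines only the cdp_mgmt_tx_cb_set loop uses soc. The function continues past this hunk, so any teardown that follows would be skipped when the SOC context is already gone, which could leave resources allocated. Consider logging and skipping only the loop, `if (txrx_pdev && soc) {`, and letting the rest of the detach run. Separately, `cds_handle->pdev_txrx_ctx` is still dereferenced without a NULL check in the lines shown, unless a check sits in the lines not shown between the two hunks.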
@@ -1603,6 +1609,11 @@ int wma_mcc_vdev_tx_pause_evt_handler(void *handle, uint8_t *event,
 		return 0;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return -EINVAL;
+	}
+
 	wmi_event = param_buf->fixed_param;
 	vdev_map = wmi_event->vdev_map;
 	/* FW mapped vdev from ID
@@ -2519,6 +2530,11 @@ QDF_STATUS wma_tx_packet(void *wma_context, void *tx_frame, uint16_t frmLen,
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	cdp_hl_tdls_flag_reset(soc, txrx_vdev, false);
 
 	if (frmType >= TXRX_FRM_MAX) {

+ 16 - 0
core/wma/src/wma_dev_if.c

@@ -537,6 +537,12 @@ static QDF_STATUS wma_handle_vdev_detach(tp_wma_handle wma_handle,
 	cds_msg_t sme_msg = { 0 };
 	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		status = QDF_STATUS_E_FAILURE;
+		goto out;
+	}
+
 	status = wmi_unified_vdev_delete_send(wma_handle->wmi_handle, vdev_id);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		WMA_LOGE("Unable to remove an interface");
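Review bot: The new `goto out` in wma_handle_vdev_detach runs before `wmi_unified_vdev_delete_send`, which in the visible call takes only `wma_handle->wmi_handle` and `vdev_id` and does not use soc. With a NULL SOC context the firmware is then never asked to delete the vdev, which may leave host and firmware state out of step. Consider moving the check to the first place soc is actually used. Also confirm that the `out` label, which lies outside this hunk, does not itself pass soc to a cdp_* call.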
@@ -1081,6 +1087,11 @@ void wma_remove_peer(tp_wma_handle wma, uint8_t *bssid,
 		return;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return;
+	}
+
 	if (peer) {
 		if (roam_synch_in_progress)
 			cdp_peer_detach_force_delete(soc, peer);
@@ -1148,6 +1159,11 @@ QDF_STATUS wma_create_peer(tp_wma_handle wma, void *pdev, void *vdev,
 		goto err;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		goto err;
+	}
+
 	/* The peer object should be created before sending the WMI peer
 	 * create command to firmware. This is to prevent a race condition
 	 * where the HTT peer map event is received before the peer object

+ 22 - 0
core/wma/src/wma_features.c

@@ -5450,6 +5450,11 @@ QDF_STATUS wma_process_get_peer_info_req
 	uint8_t bcast_mac[IEEE80211_ADDR_LEN] = { 0xff, 0xff, 0xff,
 						  0xff, 0xff, 0xff };
 
+	if (NULL == soc) {
+		WMA_LOGE("%s: SOC context is NULL", __func__);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	vdev_id = wma_find_vdev_by_type(wma, WMI_VDEV_TYPE_IBSS);
 	if (vdev_id < 0) {
 		WMA_LOGE("%s: IBSS vdev does not exist could not get peer info",
@@ -5475,6 +5480,11 @@ QDF_STATUS wma_process_get_peer_info_req
 			return QDF_STATUS_E_FAILURE;
 		}
 		peer_mac_raw = cdp_peer_get_peer_mac_addr(soc, peer);
+		if (peer_mac_raw == NULL) {
+			WMA_LOGE("peer_mac_raw is NULL");
+			return QDF_STATUS_E_FAILURE;
+		}
+
 		WMA_LOGE("%s: staIdx %d peer mac: 0x%2x:0x%2x:0x%2x:0x%2x:0x%2x:0x%2x",
 			__func__, pReq->staIdx, peer_mac_raw[0],
 			peer_mac_raw[1], peer_mac_raw[2],
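Review bot: The message added for the NULL `peer_mac_raw` case omits the function name, unlike the other messages this commit adds, which makes it harder to attribute in a driver log; `WMA_LOGE("%s: peer_mac_raw is NULL", __func__);` would match. The same applies to the `peer_mac_addr is NULL` message added in wma_update_tdls_peer_state later in this file. The enclosing function starts and ends outside the hunk.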
@@ -7029,6 +7039,12 @@ int wma_update_tdls_peer_state(WMA_HANDLE handle,
 		goto end_tdls_peer_state;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s: SOC context is NULL", __func__);
+		ret = -EINVAL;
+		goto end_tdls_peer_state;
+	}
+
 	/* peer capability info is valid only when peer state is connected */
 	if (WMA_TDLS_PEER_STATE_CONNECTED != peerStateParams->peerState) {
 		qdf_mem_zero(&peerStateParams->peerCap,
@@ -7079,6 +7095,12 @@ int wma_update_tdls_peer_state(WMA_HANDLE handle,
 			goto end_tdls_peer_state;
 		}
 		peer_mac_addr = cdp_peer_get_peer_mac_addr(soc, peer);
+		if (peer_mac_addr == NULL) {
+			WMA_LOGE("peer_mac_addr is NULL");
+			ret = -EIO;
+			goto end_tdls_peer_state;
+		}
+
 		restore_last_peer = cdp_peer_is_vdev_restore_last_peer(
 						soc, peer);
 

+ 50 - 18
core/wma/src/wma_main.c

@@ -927,22 +927,34 @@ static void wma_process_cli_set_cmd(tp_wma_handle wma,
 
 		switch (privcmd->param_id) {
 		case GEN_VDEV_PARAM_AMPDU:
-			ret = cdp_aggr_cfg(soc, vdev, privcmd->param_value, 0);
-			if (ret)
-				WMA_LOGE("cdp_aggr_cfg set ampdu failed ret %d",
-					 ret);
-			else
-				intr[privcmd->param_vdev_id].config.ampdu =
-							 privcmd->param_value;
+			if (soc) {
+				ret = cdp_aggr_cfg(soc, vdev,
+						privcmd->param_value, 0);
+				if (ret)
+					WMA_LOGE("cdp_aggr_cfg set ampdu failed ret %d",
+						ret);
+				else
+					intr[privcmd->param_vdev_id].config.
+						ampdu = privcmd->param_value;
+			} else {
+				WMA_LOGE("%s:SOC context is NULL", __func__);
+				return;
+			}
 			break;
 		case GEN_VDEV_PARAM_AMSDU:
-			ret = cdp_aggr_cfg(soc, vdev, 0, privcmd->param_value);
-			if (ret)
-				WMA_LOGE("cdp_aggr_cfg set amsdu failed ret %d",
-					 ret);
-			else
-				intr[privcmd->param_vdev_id].config.
-				amsdu = privcmd->param_value;
+			if (soc) {
+				ret = cdp_aggr_cfg(soc, vdev, 0,
+							privcmd->param_value);
+				if (ret)
+					WMA_LOGE("cdp_aggr_cfg set amsdu failed ret %d",
+						ret);
+				else
+					intr[privcmd->param_vdev_id].config.
+					amsdu = privcmd->param_value;
+			} else {
+				WMA_LOGE("%s:SOC context is NULL", __func__);
+				return;
+			}
 			break;
 		case GEN_PARAM_DUMP_AGC_START:
 			htc_dump(wma->htc_handle, AGC_DUMP, true);
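Review bot: In wma_process_cli_set_cmd the AMPDU and AMSDU cases wrap the existing code in `if (soc) { … } else { …; return; }`, which pushes the body one level deeper and forces the `config.ampdu` assignment to be split awkwardly across lines. A guard at the top of each case keeps the original lines untouched: `if (!soc) { WMA_LOGE("%s:SOC context is NULL", __func__); return; }`. Also check whether `return` rather than `break` is intended, since it skips whatever follows the switch, which is outside this hunk.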
@@ -6044,6 +6056,7 @@ QDF_STATUS wma_mc_process_msg(void *cds_context, cds_msg_t *msg)
 	tp_wma_handle wma_handle;
 	void *txrx_vdev_handle = NULL;
 	extern uint8_t *mac_trace_get_wma_msg_string(uint16_t wmaMsg);
+	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
 
 	if (NULL == msg) {
 		WMA_LOGE("msg is NULL");
@@ -6100,10 +6113,15 @@ QDF_STATUS wma_mc_process_msg(void *cds_context, cds_msg_t *msg)
 			WMA_LOGE("Failed to attach vdev");
 		} else {
 			/* Register with TxRx Module for Data Ack Complete Cb */
-			cdp_data_tx_cb_set(cds_get_context(QDF_MODULE_ID_SOC),
-					txrx_vdev_handle,
-					wma_data_tx_ack_comp_hdlr,
-					wma_handle);
+			if (soc) {
+				cdp_data_tx_cb_set(soc, txrx_vdev_handle,
+						wma_data_tx_ack_comp_hdlr,
+						wma_handle);
+			} else {
+				WMA_LOGE("%s: SOC context is NULL", __func__);
+				qdf_status = QDF_STATUS_E_FAILURE;
+				goto end;
+			}
 		}
 		break;
 	case WMA_DEL_STA_SELF_REQ:
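Review bot: In wma_mc_process_msg the new `else` branch sets `qdf_status = QDF_STATUS_E_FAILURE` and jumps to `end` on a path where the vdev attach appears to have already succeeded, since this is the branch taken when "Failed to attach vdev" is not logged. The vdev would then stay attached without its data-ack callback while the caller is told the message failed; whether anything undoes the attach is not visible here. Either check soc before the attach is attempted, or state in a comment such as `/* vdev stays attached; only the ack callback is missing */` that the partial state is intended. The `end` label and the attach call are outside the hunk.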
@@ -7216,6 +7234,10 @@ void wma_peer_set_default_routing(void *scn_handle, uint8_t *peer_macaddr,
 	tp_wma_handle wma = cds_get_context(QDF_MODULE_ID_WMA);
 	struct peer_set_params param;
 
+	if (!wma) {
+		WMA_LOGE("%s:wma_handle is NULL", __func__);
+		return;
+	}
 
 	/* TODO: Need bit definitions for ring number and hash based routing
 	 * fields in common wmi header file
@@ -7235,6 +7257,11 @@ int wma_peer_rx_reorder_queue_setup(void *scn_handle,
 	tp_wma_handle wma = cds_get_context(QDF_MODULE_ID_WMA);
 	struct rx_reorder_queue_setup_params param;
 
+	if (!wma) {
+		WMA_LOGE("%s:wma_handle is NULL", __func__);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	param.tid = tid;
 	param.vdev_id = vdev_id;
 	param.peer_macaddr = peer_macaddr;
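Review bot: wma_peer_rx_reorder_queue_setup is declared `int`, but the new guard returns `QDF_STATUS_E_FAILURE`, while the other `int` functions touched by this commit (for example wma_txrx_fw_stats_reset) return `-EINVAL` for the same condition. A caller that tests the result with `< 0` would presumably not see this failure, since QDF status codes are not negative errno values. Use `return -EINVAL;` here, or change the declared type if the rest of the function, which is outside the hunk, also returns a QDF_STATUS. The same applies to the guard added in wma_peer_rx_reorder_queue_remove in the next hunk.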
@@ -7252,6 +7279,11 @@ int wma_peer_rx_reorder_queue_remove(void *scn_handle,
 	tp_wma_handle wma = cds_get_context(QDF_MODULE_ID_WMA);
 	struct rx_reorder_queue_remove_params param;
 
+	if (!wma) {
+		WMA_LOGE("%s:wma_handle is NULL", __func__);
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	param.vdev_id = vdev_id;
 	param.peer_macaddr = peer_macaddr;
 	param.peer_tid_bitmap = peer_tid_bitmap;

+ 10 - 0
core/wma/src/wma_nan_datapath.c

@@ -1010,6 +1010,11 @@ void wma_delete_all_nan_remote_peers(tp_wma_handle wma, uint32_t vdev_id)
 	uint8_t *self_mac = NULL;
 	uint8_t peer_id;
 
+	if (!pdev) {
+		WMA_LOGE("%s:pdev is NULL", __func__);
+		return;
+	}
+
 	if (vdev_id > wma->max_bssid) {
 		WMA_LOGE("%s: invalid vdev_id = %d", __func__, vdev_id);
 		return;
@@ -1022,6 +1027,11 @@ void wma_delete_all_nan_remote_peers(tp_wma_handle wma, uint32_t vdev_id)
 		return;
 	}
 
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return;
+	}
+
 	/* remove all remote peers of ndi */
 	cdp_peer_remove_for_vdev(soc, vdev, NULL, NULL, false);
 

+ 14 - 2
core/wma/src/wma_utils.c

@@ -2014,6 +2014,12 @@ int32_t wma_txrx_fw_stats_reset(tp_wma_handle wma_handle,
 {
 	struct ol_txrx_stats_req req;
 	void *vdev;
+	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
+
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return -EINVAL;
+	}
 
 	vdev = wma_find_vdev_by_id(wma_handle, vdev_id);
 	if (!vdev) {
@@ -2022,7 +2028,7 @@ int32_t wma_txrx_fw_stats_reset(tp_wma_handle wma_handle,
 	}
 	qdf_mem_zero(&req, sizeof(req));
 	req.stats_type_reset_mask = value;
-	cdp_fw_stats_get(cds_get_context(QDF_MODULE_ID_SOC), vdev, &req,
+	cdp_fw_stats_get(soc, vdev, &req,
 			false, false);
 
 	return 0;
@@ -2076,6 +2082,12 @@ int32_t wma_set_txrx_fw_stats_level(tp_wma_handle wma_handle,
 	struct ol_txrx_stats_req req;
 	void *vdev;
 	uint32_t l_up_mask;
+	void *soc = cds_get_context(QDF_MODULE_ID_SOC);
+
+	if (!soc) {
+		WMA_LOGE("%s:SOC context is NULL", __func__);
+		return -EINVAL;
+	}
 
 	vdev = wma_find_vdev_by_id(wma_handle, vdev_id);
 	if (!vdev) {
@@ -2093,7 +2105,7 @@ int32_t wma_set_txrx_fw_stats_level(tp_wma_handle wma_handle,
 	l_up_mask = 1 << (value - 1);
 	req.stats_type_upload_mask = l_up_mask;
 
-	cdp_fw_stats_get(cds_get_context(QDF_MODULE_ID_SOC), vdev, &req,
+	cdp_fw_stats_get(soc, vdev, &req,
 			 false, true);
 
 	return 0;