
qcacld-3.0: Fix null pointer dereference in lim_process_auth_retry_timer

In lim, gpLimMlmAuthReq is freed in lim_restore_auth_state if
auth failure timeout happens. gpLimMlmAuthReq is dereferenced in
lim_process_auth_retry_timer. When the auth-failure timeout and the retry
timer race such that lim_restore_auth_state runs before
lim_process_auth_retry_timer, the latter dereferences the already freed
(and NULLed) gpLimMlmAuthReq.

Validate gpLimMlmAuthReq against null before accessing it.

Change-Id: Ic1af10172aa98785c84165c4491c8bdc1b3e508f
CRs-Fixed: 2550793
Pragaspathi Thilagaraj il y a 5 ans
Parent
commit
c1335b01a0
1 fichiers modifiés avec 6 ajouts et 4 suppressions
  1. 6 4
      core/mac/src/pe/lim/lim_process_mlm_req_messages.c

+ 6 - 4
core/mac/src/pe/lim/lim_process_mlm_req_messages.c

@@ -1871,7 +1871,7 @@ static void lim_process_periodic_join_probe_req_timer(struct mac_context *mac_ct
 static void lim_process_auth_retry_timer(struct mac_context *mac_ctx)
 {
 	struct pe_session *session_entry;
-	tAniAuthType auth_type = mac_ctx->lim.gpLimMlmAuthReq->authType;
+	tAniAuthType auth_type;
 	tLimTimers *lim_timers = &mac_ctx->lim.lim_timers;
 	uint16_t vdev_id =
 		lim_timers->g_lim_periodic_auth_retry_timer.sessionId;
@@ -1891,14 +1891,16 @@ static void lim_process_auth_retry_timer(struct mac_context *mac_ctx)
 		 * Send the auth retry only in case we have received ack failure
 		 * else just restart the retry timer.
 		 */
-		if (LIM_AUTH_ACK_RCD_FAILURE == mac_ctx->auth_ack_status) {
+		if (LIM_AUTH_ACK_RCD_FAILURE == mac_ctx->auth_ack_status &&
+		    mac_ctx->lim.gpLimMlmAuthReq) {
+			auth_type = mac_ctx->lim.gpLimMlmAuthReq->authType;
+
 			/* Prepare & send Authentication frame */
 			if (session_entry->sae_pmk_cached &&
 			    auth_type == eSIR_AUTH_TYPE_SAE)
 				auth_frame.authAlgoNumber = eSIR_OPEN_SYSTEM;
 			else
-				auth_frame.authAlgoNumber = (uint8_t)
-					mac_ctx->lim.gpLimMlmAuthReq->authType;
+				auth_frame.authAlgoNumber = (uint8_t)auth_type;
 
 			auth_frame.authTransactionSeqNumber =
 						SIR_MAC_AUTH_FRAME_1;
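Review bot: Folding the NULL test into the ack-failure condition on `mac_ctx->lim.gpLimMlmAuthReq` means a timer that fires after the auth request was freed no longer sends a frame but, going by the comment just above the condition, drops into the else path that restarts the retry timer; that branch lies outside the hunk so this is inferred, but once the auth state has been restored there is nothing left to retry, and an early bail-out before the `if`, `if (!mac_ctx->lim.gpLimMlmAuthReq)` / `return;`, would stop the timer from re-arming itself indefinitely. The guard also only closes the race if lim_restore_auth_state sets the pointer to NULL after freeing it and both routines run on the same serialized context; if either does not hold, this is a use-after-free rather than a NULL dereference and a pointer check cannot catch it, so the check deserves a comment such as `/* gpLimMlmAuthReq is freed and NULLed by lim_restore_auth_state on auth timeout; this timer can fire after that. */`. lim_process_auth_retry_timer continues past the end of the hunk.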