qcacld-3.0: Fix possible NULL pointer dereference in ol_rx.c

Pointer head_buf returned from call to function
htt_rx_offload_paddr_msdu_pop_ll may be NULL and will be
dereferenced

Change-Id: I6e1db520d525a42d59ebfb675325e37c4097ad71
CRs-Fixed: 2085696

core/dp/htt/htt_rx.c

@@ -1501,6 +1501,12 @@ htt_rx_offload_msdu_pop_ll(htt_pdev_handle pdev,
 	uint32_t *msdu_hdr, msdu_len;
 
 	*head_buf = *tail_buf = buf = htt_rx_netbuf_pop(pdev);
+
+	if (qdf_unlikely(NULL == buf)) {
+		qdf_print("%s: netbuf pop failed!\n", __func__);
+		return 1;
+	}
+
 	/* Fake read mpdu_desc to keep desc ptr in sync */
 	htt_rx_mpdu_desc_list_next(pdev, NULL);
 	qdf_nbuf_set_pktlen(buf, HTT_RX_BUF_SIZE);
@@ -1548,7 +1554,7 @@ htt_rx_offload_paddr_msdu_pop_ll(htt_pdev_handle pdev,
 
 	if (qdf_unlikely(NULL == buf)) {
 		qdf_print("%s: netbuf pop failed!\n", __func__);
-		return 0;
+		return 1;
 	}
 	qdf_nbuf_set_pktlen(buf, HTT_RX_BUF_SIZE);
 #ifdef DEBUG_DMA_DONE

core/dp/txrx/ol_rx.c

@@ -1647,10 +1647,18 @@ ol_rx_offload_paddr_deliver_ind_handler(htt_pdev_handle htt_pdev,
 	int msdu_iter = 0;
 
 	while (msdu_count) {
-		htt_rx_offload_paddr_msdu_pop_ll(htt_pdev, msg_word, msdu_iter,
+		if (htt_rx_offload_paddr_msdu_pop_ll(
+						htt_pdev, msg_word, msdu_iter,
 						 &vdev_id, &peer_id, &tid,
 						 &fw_desc, &head_buf,
-						 &tail_buf);
+						 &tail_buf)) {
+			msdu_iter++;
+			msdu_count--;
+			QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_INFO,
+				  "skip msg_word %p, msdu #%d, continue next",
+				  msg_word, msdu_iter);
+			continue;
+		}
 
 		peer = ol_txrx_peer_find_by_id(htt_pdev->txrx_pdev, peer_id);
 		if (peer) {