mwifiex: ensure user_scan_in not NULL while setting scan channel gap
authorAvinash Patil <patila@marvell.com>
Wed, 17 Sep 2014 17:31:26 +0000 (23:01 +0530)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 26 Sep 2014 21:06:50 +0000 (17:06 -0400)
Check for scan channel gap only when user_scan_in is not NULL.
user_scan_in is NULL for internal scans, and if we check the scan channel gap
at this place, it may result in a crash.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/mwifiex/scan.c

index c09ebee..ca64d4c 100644 (file)
@@ -926,6 +926,23 @@ mwifiex_config_scan(struct mwifiex_private *priv,
                if ((i && ssid_filter) ||
                    !is_zero_ether_addr(scan_cfg_out->specific_bssid))
                        *filtered_scan = true;
+
+               if (user_scan_in->scan_chan_gap) {
+                       dev_dbg(adapter->dev, "info: scan: channel gap = %d\n",
+                               user_scan_in->scan_chan_gap);
+                       *max_chan_per_scan =
+                                       MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN;
+
+                       chan_gap_tlv = (void *)tlv_pos;
+                       chan_gap_tlv->header.type =
+                                        cpu_to_le16(TLV_TYPE_SCAN_CHANNEL_GAP);
+                       chan_gap_tlv->header.len =
+                                   cpu_to_le16(sizeof(chan_gap_tlv->chan_gap));
+                       chan_gap_tlv->chan_gap =
+                                    cpu_to_le16((user_scan_in->scan_chan_gap));
+                       tlv_pos +=
+                                 sizeof(struct mwifiex_ie_types_scan_chan_gap);
+               }
        } else {
                scan_cfg_out->bss_mode = (u8) adapter->scan_mode;
                num_probes = adapter->scan_probes;
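Review bot: The `*max_chan_per_scan = MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN` assignment now runs inside the `user_scan_in` branch, before the `else *max_chan_per_scan = MWIFIEX_DEF_CHANNELS_PER_SCAN_CMD;` that appears as context in the second hunk. The `if` that owns that `else` is outside the visible lines, but if it is an unconditional if/else on the scan type, a channel-gap scan that is not filtered would end up with the default per-command channel count instead of the specific-scan limit the old placement enforced. Moving the TLV emission under the NULL-safe branch fixes the crash; the limit itself could stay after that if/else as `if (user_scan_in && user_scan_in->scan_chan_gap)` followed by `*max_chan_per_scan = MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN;`. Separately, the write through `chan_gap_tlv` at `tlv_pos` has no visible check against the remaining space in the command buffer, so a short comment stating why the buffer is guaranteed large enough for this TLV would help the next reader.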
@@ -940,22 +957,6 @@ mwifiex_config_scan(struct mwifiex_private *priv,
        else
                *max_chan_per_scan = MWIFIEX_DEF_CHANNELS_PER_SCAN_CMD;
 
-       if (user_scan_in->scan_chan_gap) {
-               *max_chan_per_scan = MWIFIEX_MAX_CHANNELS_PER_SPECIFIC_SCAN;
-               dev_dbg(adapter->dev, "info: scan: channel gap = %d\n",
-                       user_scan_in->scan_chan_gap);
-
-               chan_gap_tlv = (void *)tlv_pos;
-               chan_gap_tlv->header.type =
-                                        cpu_to_le16(TLV_TYPE_SCAN_CHANNEL_GAP);
-               chan_gap_tlv->header.len =
-                       cpu_to_le16(sizeof(chan_gap_tlv->chan_gap));
-               chan_gap_tlv->chan_gap =
-                                    cpu_to_le16((user_scan_in->scan_chan_gap));
-
-               tlv_pos += sizeof(struct mwifiex_ie_types_scan_chan_gap);
-       }
-
        /* If the input config or adapter has the number of Probes set,
           add tlv */
        if (num_probes) {