From bff162ac76910bf772504bd9356fbb787b9c6d74 Mon Sep 17 00:00:00 2001 From: Ola Olsson Date: Tue, 20 Jan 2015 10:45:52 +0100 Subject: [PATCH] P2P: Fix NULL pointer dereference with SD query cancellation A NULL pointer crash was caused by commit 7139cf4a4f1fecfd03d0daff9bb33adb80cc3530 ('P2P: Decrement sd_pending_bcast_queries when sd returns'). p2p->sd_query can be cleared to NULL whenever a query is cancelled, even in case the request had already been transmitted. As such, need to be prepared for the query not remaining when processing TX status callback for the frame. Crashes on 2ee98 in following code 2ee90: f7fc f8b6 bl 2b000 2ee94: e02c b.n 2eef0 2ee96: 6c25 ldr r5, [r4, #64] ; 0x40 2ee98: 68ee ldr r6, [r5, #12] 2ee9a: b166 cbz r6, 2eeb6 Signed-off-by: Ola Olsson --- src/p2p/p2p.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c index 77bd7fc7f..418687a7b 100644 --- a/src/p2p/p2p.c +++ b/src/p2p/p2p.c @@ -2847,7 +2847,7 @@ static void p2p_sd_cb(struct p2p_data *p2p, int success) return; } - if (p2p->sd_query->for_all_peers) { + if (p2p->sd_query && p2p->sd_query->for_all_peers) { /* Update the pending broadcast SD query count for this device */ p2p->sd_peer->sd_pending_bcast_queries--;
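Review bot: The added `p2p->sd_query &&` guard stops the crash, but when `sd_query` is NULL the `if` block is skipped entirely, so `p2p->sd_peer->sd_pending_bcast_queries--` never runs for a broadcast query whose frame was already transmitted and then cancelled; please confirm that the cancellation path also adjusts the counter, otherwise it can stay elevated for that peer. A short comment above the check explaining why `sd_query` can be NULL here (the commit message's case of cancellation after the request was sent) would also keep a future cleanup from treating the check as redundant and reintroducing the dereference. Minor: in the commit message, a source-level location (function and line) is more useful to reviewers than the raw disassembly around 2ee98.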