scsi: qla2xxx: Prevent sp->free null/uninitialized pointer dereference.

Signed-off-by: Joe Carnuccio <joe.carnuccio@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index b380a7c97d5b021f1813e1a46fe3a598c85c7b9e..d00e0129c51b7e4a6117e6fb33a166651ba91744 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -808,6 +808,12 @@ int qla24xx_async_gpdb(struct scsi_qla_host *vha, fc_port_t *fcport, u8 opt)
        if (!sp)
                goto done;
 
+       sp->type = SRB_MB_IOCB;
+       sp->name = "gpdb";
+       sp->gen1 = fcport->rscn_gen;
+       sp->gen2 = fcport->login_gen;
+       qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
+
        pd = dma_pool_alloc(ha->s_dma_pool, GFP_KERNEL, &pd_dma);
        if (pd == NULL) {
                ql_log(ql_log_warn, vha, 0xd043,
@@ -816,12 +822,6 @@ int qla24xx_async_gpdb(struct scsi_qla_host *vha, fc_port_t *fcport, u8 opt)
        }
        memset(pd, 0, max(PORT_DATABASE_SIZE, PORT_DATABASE_24XX_SIZE));
 
-       sp->type = SRB_MB_IOCB;
-       sp->name = "gpdb";
-       sp->gen1 = fcport->rscn_gen;
-       sp->gen2 = fcport->login_gen;
-       qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
-
        mb = sp->u.iocb_cmd.u.mbx.out_mb;
        mb[0] = MBC_GET_PORT_DATABASE;
        mb[1] = fcport->loop_id;

diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
index 10b742d27e16467e4bd06f40bd030dd60a766b61..e23a3d4c36f39b81f2594b95582018f16a59931b 100644 (file)
--- a/drivers/scsi/qla2xxx/qla_mr.c
+++ b/drivers/scsi/qla2xxx/qla_mr.c
@@ -1819,6 +1819,10 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type)
        if (!sp)
                goto done;
 
+       sp->type = SRB_FXIOCB_DCMD;
+       sp->name = "fxdisc";
+       qla2x00_init_timer(sp, FXDISC_TIMEOUT);
+
        fdisc = &sp->u.iocb_cmd;
        switch (fx_type) {
        case FXDISC_GET_CONFIG_INFO:
@@ -1920,9 +1924,6 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type)
                        goto done_unmap_req;
        }
 
-       sp->type = SRB_FXIOCB_DCMD;
-       sp->name = "fxdisc";
-       qla2x00_init_timer(sp, FXDISC_TIMEOUT);
        fdisc->timeout = qla2x00_fxdisc_iocb_timeout;
        fdisc->u.fxiocb.req_func_type = cpu_to_le16(fx_type);
        sp->done = qla2x00_fxdisc_sp_done;