SCSI fixes on 20170830

Three minor fixes: a NULL deref in qedf, an off by one in sg and a fix
 to IPR to prevent an error on initialisation.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZpr2hAAoJEAVr7HOZEZN4AU0P/3BMq6arCr5u2ZrKuYRyExht
 hglV2s8Qn8m231sdZCufU4lImjFY65ydqgq0WC7J6B+uFuNUqWrGJXB1fQyMHLdx
 WDlCaJhchflvKWXMODMAbcmZHvUXHCU/k8rWG6VesgvGJPvql/Y/q7PWqSJ68Iaf
 bjALfRy6xljm5nJCDHjsKqaaUOgHYSzgioDz7q1sNTF6aDM5wSJQyXqmEp6OfNXj
 fdXnys35s7ZQ5ihqXYQVHl3DQxB2utVoGcwma6bHDqE6YxoF4+3R2MAes7uJRyMB
 nsU7SFgdIuAo2bhoGxft6463bZFhbDpfEhKr+l8Y/DYK0khiEutlGwL9PJw55Mei
 MN2BEM7m31wpWcECJLfo4C096qXpd1ruo5apv4cz/JAeBCk2mIwM1Ejzv6jpVw21
 Cdm8CxRgsx6iyS5+IoZFVNFfNE47yDCsmnwqOxPkVeZJPK/5tJpVpBoDOQBe7w9s
 4uc4rjmMyyvC4qgEVWzhgZ9Lf7zv9KSgxMSV29Kef6rqdFhxOxJlw6+HCxYbvqOf
 5hxjepZH86lSknFSojLpoJ9pcqE56G4mWS8o9P/vbM/tnTy+w1NuPOs5hd7WsQcm
 9gCc+HjbyfkYyvCGEC0i2uFgp5WaiAxyCt7WPHAvPUF6efR9TAayYlYVr+Ldl+rz
 T1Oz7R/E2cnci6OA2eVs
 =+Yu6
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Three minor fixes: a NULL deref in qedf, an off by one in sg and a fix
  to IPR to prevent an error on initialisation"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: qedf: Fix a potential NULL pointer dereference
  scsi: sg: off by one in sg_ioctl()
  scsi: ipr: Set no_report_opcodes for RAID arrays

drivers/scsi/ipr.c

@@ -4945,6 +4945,7 @@ static int ipr_slave_configure(struct scsi_device *sdev)
 		}
 		if (ipr_is_vset_device(res)) {
 			sdev->scsi_level = SCSI_SPC_3;
+			sdev->no_report_opcodes = 1;
 			blk_queue_rq_timeout(sdev->request_queue,
 					     IPR_VSET_RW_TIMEOUT);
 			blk_queue_max_hw_sectors(sdev->request_queue, IPR_VSET_MAX_SECTORS);

drivers/scsi/qedf/qedf_els.c

@@ -489,7 +489,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 
 	/* If a SRR times out, simply free resources */
 	if (srr_req->event == QEDF_IOREQ_EV_ELS_TMO)
-		goto out_free;
+		goto out_put;
 
 	/* Normalize response data into struct fc_frame */
 	mp_req = &(srr_req->mp_req);
@@ -501,7 +501,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 	if (!fp) {
 		QEDF_ERR(&(qedf->dbg_ctx),
 		    "fc_frame_alloc failure.\n");
-		goto out_free;
+		goto out_put;
 	}
 
 	/* Copy frame header from firmware into fp */
@@ -526,9 +526,10 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 	}
 
 	fc_frame_free(fp);
-out_free:
+out_put:
 	/* Put reference for original command since SRR completed */
 	kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
 	kfree(cb_arg);
 }
 
@@ -780,7 +781,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 
 	/* If a REC times out, free resources */
 	if (rec_req->event == QEDF_IOREQ_EV_ELS_TMO)
-		goto out_free;
+		goto out_put;
 
 	/* Normalize response data into struct fc_frame */
 	mp_req = &(rec_req->mp_req);
@@ -792,7 +793,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 	if (!fp) {
 		QEDF_ERR(&(qedf->dbg_ctx),
 		    "fc_frame_alloc failure.\n");
-		goto out_free;
+		goto out_put;
 	}
 
 	/* Copy frame header from firmware into fp */
@@ -884,9 +885,10 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 
 out_free_frame:
 	fc_frame_free(fp);
-out_free:
+out_put:
 	/* Put reference for original command since REC completed */
 	kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
 	kfree(cb_arg);
 }
 

drivers/scsi/sg.c

@@ -1021,7 +1021,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 			read_lock_irqsave(&sfp->rq_list_lock, iflags);
 			val = 0;
 			list_for_each_entry(srp, &sfp->rq_list, entry) {
-				if (val > SG_MAX_QUEUE)
+				if (val >= SG_MAX_QUEUE)
 					break;
 				memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
 				rinfo[val].req_state = srp->done + 1;