Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Three minor fixes: a NULL deref in qedf, an off by one in sg and a fix
  to IPR to prevent an error on initialisation"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: qedf: Fix a potential NULL pointer dereference
  scsi: sg: off by one in sg_ioctl()
  scsi: ipr: Set no_report_opcodes for RAID arrays

3 files changed, 10 insertions, 7 deletions

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index da5bdbdcce52..f838bd73befa 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -4945,6 +4945,7 @@ static int ipr_slave_configure(struct scsi_device *sdev)
                 }
                 if (ipr_is_vset_device(res)) {
                         sdev->scsi_level = SCSI_SPC_3;
+                        sdev->no_report_opcodes = 1;
                         blk_queue_rq_timeout(sdev->request_queue,
                                              IPR_VSET_RW_TIMEOUT);
                         blk_queue_max_hw_sectors(sdev->request_queue, IPR_VSET_MAX_SECTORS);
diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c
index eb07f1de8afa..59c18ca4cda9 100644
--- a/drivers/scsi/qedf/qedf_els.c
+++ b/drivers/scsi/qedf/qedf_els.c
@@ -489,7 +489,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
 
         /* If a SRR times out, simply free resources */
         if (srr_req->event == QEDF_IOREQ_EV_ELS_TMO)
-                goto out_free;
+                goto out_put;
 
         /* Normalize response data into struct fc_frame */
         mp_req = &(srr_req->mp_req);
@@ -501,7 +501,7 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
         if (!fp) {
                 QEDF_ERR(&(qedf->dbg_ctx),
                     "fc_frame_alloc failure.\n");
-                goto out_free;
+                goto out_put;
         }
 
         /* Copy frame header from firmware into fp */
@@ -526,9 +526,10 @@ static void qedf_srr_compl(struct qedf_els_cb_arg *cb_arg)
         }
 
         fc_frame_free(fp);
-out_free:
+out_put:
         /* Put reference for original command since SRR completed */
         kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
         kfree(cb_arg);
 }
 
@@ -780,7 +781,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 
         /* If a REC times out, free resources */
         if (rec_req->event == QEDF_IOREQ_EV_ELS_TMO)
-                goto out_free;
+                goto out_put;
 
         /* Normalize response data into struct fc_frame */
         mp_req = &(rec_req->mp_req);
@@ -792,7 +793,7 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
         if (!fp) {
                 QEDF_ERR(&(qedf->dbg_ctx),
                     "fc_frame_alloc failure.\n");
-                goto out_free;
+                goto out_put;
         }
 
         /* Copy frame header from firmware into fp */
@@ -884,9 +885,10 @@ static void qedf_rec_compl(struct qedf_els_cb_arg *cb_arg)
 
 out_free_frame:
         fc_frame_free(fp);
-out_free:
+out_put:
         /* Put reference for original command since REC completed */
         kref_put(&orig_io_req->refcount, qedf_release_cmd);
+out_free:
         kfree(cb_arg);
 }
 
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index d7ff71e0c85c..84e782d8e7c3 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1021,7 +1021,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                         read_lock_irqsave(&sfp->rq_list_lock, iflags);
                         val = 0;
                         list_for_each_entry(srp, &sfp->rq_list, entry) {
-                                if (val > SG_MAX_QUEUE)
+                                if (val >= SG_MAX_QUEUE)
                                         break;
                                 memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
                                 rinfo[val].req_state = srp->done + 1;