From: GuoHan Zhao <zhaoguohan@kylinos.cn>
Fix a null pointer dereference issue in ncr710_transfer_data().
The code dereferences s->current->dma_len before checking if s->current
is NULL. Only the dma_len assignment needs null protection, while
s->command_complete should be set unconditionally to maintain proper
boot sequence.
Initialize s->current from req->hba_private if it is NULL before
accessing dma_len.
Fixes: 9ce93b74cdc0 ("ncr710: Add driver for the NCR 53c710 SCSI chip")
Suggested-by: Soumyajyotii Datta <soumyajyotii.datta@broadcom.com>
Reviewed-by: Helge Deller <deller@gmx.de>
Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
---
Changes in v2:
- Only protect dma_len assignment instead of moving all code
- Keep s->command_complete set unconditionally
- Initialize s->current from req->hba_private when NULL
- Thanks to Soumyajyotii for testing and suggesting the fix
---
hw/scsi/ncr53c710.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index e479a212bc54..01b0ca21ec51 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -831,13 +831,13 @@ void ncr710_transfer_data(SCSIRequest *req, uint32_t len)
}
}
+ /* Host adapter (re)connected */
+ s->command_complete = NCR710_CMD_DATA_READY;
+
if (!s->current) {
- return;
+ s->current = (NCR710Request *)req->hba_private;
}
-
- /* Host adapter (re)connected */
s->current->dma_len = len;
- s->command_complete = NCR710_CMD_DATA_READY;
if (s->waiting) {
s->scntl1 |= NCR710_SCNTL1_CON;
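Review bot: The replacement for the early `return` still leaves a NULL dereference path: if `req->hba_private` is NULL, `s->current` is assigned NULL and `s->current->dma_len = len;` two lines later dereferences it exactly as before. Either add a guard after the assignment (`if (!s->current) { return; }`, or a `g_assert(req->hba_private)` if the callback contract guarantees it is set) or state in the commit message why every request reaching `ncr710_transfer_data()` has `hba_private` populated. Minor: the `(NCR710Request *)` cast on a `void *` is unnecessary in C and can be dropped. Moving the unconditional `s->command_complete = NCR710_CMD_DATA_READY;` ahead of the `s->current` check is a behavioural change for the previously-returning case; the message explains this is intended for the boot sequence, so that part reads fine.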
--
2.43.0