[PATCH] scsi: qla2xxx: fix NULL deref, check user input

From: Alexander A. Klimov

Date: Wed May 20 2026 - 15:56:47 EST


qla2x00_dfs_fce_write() did this:

OUTPUT = kstrtoul(INPUT, BASE, 0);

Whenever INPUT was successfully parsed, kstrtoul() wrote its output
to *(unsigned long*)0. Otherwise, OUTPUT was set to an error value.
I added proper error handling and call kstrtoul() as expected now:

ERROR = kstrtoul(INPUT, BASE, &OUTPUT);

Fixes: 841df27d619e ("scsi: qla2xxx: Move FCE Trace buffer allocation to user control")
Signed-off-by: Alexander A. Klimov <grandmaster@xxxxxxxxxxxx>
---
drivers/scsi/qla2xxx/qla_dfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/qla2xxx/qla_dfs.c b/drivers/scsi/qla2xxx/qla_dfs.c
index 43970caca7b3..efb0fb198a30 100644
--- a/drivers/scsi/qla2xxx/qla_dfs.c
+++ b/drivers/scsi/qla2xxx/qla_dfs.c
@@ -510,7 +510,14 @@ qla2x00_dfs_fce_write(struct file *file, const char __user *buffer,
return PTR_ERR(buf);
}

- enable = kstrtoul(buf, 0, 0);
+ rc = kstrtoul(buf, 0, &enable);
+ if (rc) {
+ ql_dbg(ql_dbg_user, vha, 0xd03d,
+ "fail to parse user input.");
+ rc = -EINVAL;
+ goto out_free;
+ }
+
rc = count;

mutex_lock(&ha->fce_mutex);
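Review bot: In the new error branch, `rc = -EINVAL;` overwrites the value kstrtoul() just returned, so an out-of-range input (-ERANGE) is reported to the writer as -EINVAL. Consider dropping that assignment and going to out_free with kstrtoul()'s own return code. Two smaller points on the same branch: the ql_dbg() string "fail to parse user input." has no trailing "\n", and since `&enable` is now passed to kstrtoul(), `enable` must be declared as unsigned long. That declaration is outside this hunk, so please confirm it. It is also worth confirming that the out_free label releases `buf` without expecting ha->fce_mutex to be held, since this jump happens before the mutex_lock() below.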
--
2.54.0