Backport of:

From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Date: Wed, 7 Apr 2021 20:57:50 +0100
Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
 callbacks

After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
callback which resets both current_req and current_dev to NULL. If any data
is left in the transfer buffer (async_len != 0) then the next TI (Transfer
Information) command will attempt to reference the NULL pointer causing a
segfault.

Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>

CVE: CVE-2020-35504
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
 hw/scsi/esp.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
         do_cmd(s, s->cmdbuf);
         return;
     }
+
+    if (!s->current_req) {
+        return;
+    }
+
     s->dma_left -= len;
     s->async_buf += len;
     s->async_len -= len;
@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
         do_cmd(s, s->cmdbuf);
         return;
     }
+    if (!s->current_req) {
+        return;
+    }
     if (s->async_len == 0) {
         /* Defer until data is available.  */
         return;