Null-ptr dereference in megasas_command_complete
This was originally reported at: https://bugs.launchpad.net/qemu/+bug/1878057
Hello,
Reproducer
cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest -m \
512M -machine q35 -nodefaults -device megasas -device \
scsi-cd,drive=null0 -blockdev \
driver=null-co,read-zeroes=on,node-name=null0 -qtest stdio
outl 0xcf8 0x80000801
outl 0xcfc 0x05000000
outl 0xcf8 0x80000816
outl 0xcfc 0x19000000
write 0x1e1ed300 0x1 0x01
write 0x1e1ed307 0x1 0x01
write 0x1e1ed316 0x1 0x01
write 0x1e1ed328 0x1 0x01
write 0x1e1ed32f 0x1 0x01
outl 0x1940 0x1e1ed300
outb 0x1940 0x0
EOF
Stack trace
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
../hw/scsi/megasas.c:1884:21: runtime error: member access within null pointer of type 'struct mfi_frame_header'
#0 0x559955e5b521 in megasas_command_complete ../hw/scsi/megasas.c:1884:28
#1 0x559955821994 in scsi_req_complete ../hw/scsi/scsi-bus.c:1515:5
#2 0x55995538cfcb in scsi_dma_complete_noio ../hw/scsi/scsi-disk.c:345:9
#3 0x55995538b4a7 in scsi_dma_complete ../hw/scsi/scsi-disk.c:366:5
#4 0x55995536a9ec in dma_complete ../softmmu/dma-helpers.c:121:9
#5 0x55995536a9ec in dma_blk_cb ../softmmu/dma-helpers.c:139:9
#6 0x559956b09e49 in blk_aio_complete ../block/block-backend.c:1426:9
#7 0x559957020832 in aio_bh_poll ../util/async.c:169:13
#8 0x5599570a270b in aio_dispatch ../util/aio-posix.c:381:5
#9 0x5599570243ea in aio_ctx_dispatch ../util/async.c:311:5
#10 0x7f19be96ce6a in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51e6a)
#11 0x559956fe1053 in glib_pollfds_poll ../util/main-loop.c:232:9
#12 0x559956fe1053 in os_host_main_loop_wait ../util/main-loop.c:255:5
#13 0x559956fe1053 in main_loop_wait ../util/main-loop.c:531:11
#14 0x55995664c0c6 in qemu_main_loop ../softmmu/runstate.c:726:9
#15 0x5599551ba85a in main ../softmmu/main.c:50:5
#16 0x7f19bd0cbd09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55995510e259 in _start (system-i386+0x2204259)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/scsi/megasas.c:1884:21 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==206228==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000003 (pc 0x559955e5a663 bp 0x7ffe5d3d7f30 sp 0x7ffe5d3d7c80 T0)
==206228==The signal is caused by a WRITE memory access.
==206228==Hint: address points to the zero page.
#0 0x559955e5a663 in megasas_command_complete ../hw/scsi/megasas.c:1884:40
#1 0x559955821994 in scsi_req_complete ../hw/scsi/scsi-bus.c:1515:5
#2 0x55995538cfcb in scsi_dma_complete_noio ../hw/scsi/scsi-disk.c:345:9
#3 0x55995538b4a7 in scsi_dma_complete ../hw/scsi/scsi-disk.c:366:5
#4 0x55995536a9ec in dma_complete ../softmmu/dma-helpers.c:121:9
#5 0x55995536a9ec in dma_blk_cb ../softmmu/dma-helpers.c:139:9
#6 0x559956b09e49 in blk_aio_complete ../block/block-backend.c:1426:9
#7 0x559957020832 in aio_bh_poll ../util/async.c:169:13
#8 0x5599570a270b in aio_dispatch ../util/aio-posix.c:381:5
#9 0x5599570243ea in aio_ctx_dispatch ../util/async.c:311:5
#10 0x7f19be96ce6a in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51e6a)
#11 0x559956fe1053 in glib_pollfds_poll ../util/main-loop.c:232:9
#12 0x559956fe1053 in os_host_main_loop_wait ../util/main-loop.c:255:5
#13 0x559956fe1053 in main_loop_wait ../util/main-loop.c:531:11
#14 0x55995664c0c6 in qemu_main_loop ../softmmu/runstate.c:726:9
#15 0x5599551ba85a in main ../softmmu/main.c:50:5
#16 0x7f19bd0cbd09 in __libc_start_main csu/../csu/libc-start.c:308:16
#17 0x55995510e259 in _start (system-i386+0x2204259)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../hw/scsi/megasas.c:1884:40 in megasas_command_complete
==206228==ABORTING
OSS-Fuzz Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35351
libqtest Reproducer: 1918321.c
Thank you