10092 sysevent_evc_control() dereferences pointer before checking for NULL
@@ -21,10 +21,14 @@
/*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
+ * Copyright (c) 2018, Joyent, Inc.
+ */
+
+/*
* This file contains the source of the general purpose event channel extension
* to the sysevent framework. This implementation is made up mainly of four
* layers of functionality: the event queues (evch_evq_*()), the handling of
* channels (evch_ch*()), the kernel interface (sysevent_evc_*()) and the
* interface for the sysevent pseudo driver (evch_usr*()).
@@ -1974,20 +1978,22 @@
int
sysevent_evc_control(evchan_t *scp, int cmd, ...)
{
va_list ap;
- evch_chan_t *chp = ((evch_bind_t *)scp)->bd_channel;
+ evch_chan_t *chp;
uint32_t *chlenp;
uint32_t chlen;
uint32_t ochlen;
int rc = 0;
if (scp == NULL) {
return (EINVAL);
}
+ chp = ((evch_bind_t *)scp)->bd_channel;
+
va_start(ap, cmd);
mutex_enter(&chp->ch_mutex);
switch (cmd) {
case EVCH_GET_CHAN_LEN:
chlenp = va_arg(ap, uint32_t *);
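Review bot: The deferred assignment `chp = ((evch_bind_t *)scp)->bd_channel;` carries no comment explaining why it sits after the `scp == NULL` check instead of in the declaration, so a later cleanup could fold it back into the initializer and reintroduce the dereference-before-check. I would add `/* scp is validated above; do not move this into the declaration */` on the line before it. Separately, `chp` goes straight into `mutex_enter(&chp->ch_mutex)` without a check of its own; whether `bd_channel` can be NULL for a live binding is not visible in this hunk, but if it cannot, an `ASSERT(chp != NULL);` after the assignment would document that invariant. The body of sysevent_evc_control() continues past the end of the hunk.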