Message ID | 1310222681-6271-1-git-send-email-hpoussin@reactos.org |
---|---|
State | New |
Thanks, applied. 2011/7/9 Hervé Poussineau <hpoussin@reactos.org>: > This bug was introduced in 94d3f98a3f3caddd7875f9a11776daeb84962a7b: > scsi_cancel_io was checking if some request was pending before trying > to cancel it, while scsi_req_cancel always cancels the request. > > This may lead to a crash of Qemu due to dereferencing a NULL pointer, > as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation. > > Signed-off-by: Hervé Poussineau <hpoussin@reactos.org> > --- > > Changes since v1: > - better commit message > > hw/esp.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/hw/esp.c b/hw/esp.c > index 8e95672..aa50800 100644 > --- a/hw/esp.c > +++ b/hw/esp.c > @@ -219,7 +219,7 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) > s->ti_rptr = 0; > s->ti_wptr = 0; > > - if (s->current_dev) { > + if (s->current_req) { > /* Started a new command before the old one finished. Cancel it. */ > scsi_req_cancel(s->current_req); > s->async_len = 0; > -- > 1.7.5.4 > >
diff --git a/hw/esp.c b/hw/esp.c index 8e95672..aa50800 100644 --- a/hw/esp.c +++ b/hw/esp.c @@ -219,7 +219,7 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) s->ti_rptr = 0; s->ti_wptr = 0; - if (s->current_dev) { + if (s->current_req) { /* Started a new command before the old one finished. Cancel it. */ scsi_req_cancel(s->current_req); s->async_len = 0;
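Review bot: After scsi_req_cancel(s->current_req) in get_cmd, the visible context resets only s->async_len. Please confirm that s->current_req is set back to NULL on this path, either here or in the cancel callback. The new guard "if (s->current_req)" is only safe if that pointer is NULL whenever no request is outstanding; if it is left stale, a later get_cmd would pass the same request to scsi_req_cancel again. Since the commit message says the crash came from testing current_dev while current_req was NULL, a one-line addition to the existing comment explaining that the two fields can disagree would keep the guard from being changed back later.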
This bug was introduced in 94d3f98a3f3caddd7875f9a11776daeb84962a7b: scsi_cancel_io was checking if some request was pending before trying to cancel it, while scsi_req_cancel always cancels the request.

This may lead to a crash of Qemu due to dereferencing a NULL pointer, as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>

---

Changes since v1:
- better commit message

hw/esp.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)