From patchwork Sat Jul  9 14:44:41 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Herv=C3=A9_Poussineau?=
 <hpoussin@reactos.org>
X-Patchwork-Id: 103981
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [140.186.70.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 40A2E1007D1
	for <incoming@patchwork.ozlabs.org>;
	Sun, 10 Jul 2011 00:48:13 +1000 (EST)
Received: from localhost ([::1]:54683 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1QfYpF-0003H5-Kq
	for incoming@patchwork.ozlabs.org; Sat, 09 Jul 2011 10:48:09 -0400
Received: from eggs.gnu.org ([140.186.70.92]:48550)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <hpoussin@reactos.org>) id 1QfYmO-0003GP-Fo
	for qemu-devel@nongnu.org; Sat, 09 Jul 2011 10:45:14 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <hpoussin@reactos.org>) id 1QfYmM-0005Zg-HL
	for qemu-devel@nongnu.org; Sat, 09 Jul 2011 10:45:12 -0400
Received: from smtp5-g21.free.fr ([212.27.42.5]:41487)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <hpoussin@reactos.org>) id 1QfYmL-0005VD-Nu
	for qemu-devel@nongnu.org; Sat, 09 Jul 2011 10:45:10 -0400
Received: from localhost.localdomain (unknown [88.171.126.33])
	by smtp5-g21.free.fr (Postfix) with ESMTP id 7CD14D48070;
	Sat,  9 Jul 2011 16:44:57 +0200 (CEST)
From: =?UTF-8?q?Herv=C3=A9=20Poussineau?= <hpoussin@reactos.org>
To: qemu-devel@nongnu.org
Date: Sat,  9 Jul 2011 16:44:41 +0200
Message-Id: <1310222681-6271-1-git-send-email-hpoussin@reactos.org>
X-Mailer: git-send-email 1.7.5.4
MIME-Version: 1.0
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 212.27.42.5
Cc: blauwirbel@gmail.com,
	=?UTF-8?q?Herv=C3=A9=20Poussineau?= <hpoussin@reactos.org>
Subject: [Qemu-devel] [PATCH v2] esp: cancel current request only if some
	request is in flight
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: </archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

This bug was introduced in 94d3f98a3f3caddd7875f9a11776daeb84962a7b:
scsi_cancel_io was checking if some request was pending before trying
to cancel it, while scsi_req_cancel always cancels the request.

This may lead to a crash of Qemu due to dereferencing a NULL pointer,
as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
---

Changes since v1:
- better commit message

 hw/esp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/esp.c b/hw/esp.c
index 8e95672..aa50800 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -219,7 +219,7 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
     s->ti_rptr = 0;
     s->ti_wptr = 0;
 
-    if (s->current_dev) {
+    if (s->current_req) {
         /* Started a new command before the old one finished.  Cancel it.  */
         scsi_req_cancel(s->current_req);
         s->async_len = 0;