author Hervé Poussineau <hpoussin@reactos.org> 2011-07-09 16:44:41 +0200
committer Blue Swirl <blauwirbel@gmail.com> 2011-07-12 21:29:39 +0000
commit 429bef6912bd3d504593b9aefdbcb39e981d387e
tree 9dc0f51af1225be4cacaf1560769d9f91cfca256 /hw
parent f5fc40bb8133849618e0d05adc798c5f07f7b17f
esp: cancel current request only if some request is in flight

This bug was introduced in 94d3f98a3f3caddd7875f9a11776daeb84962a7b: scsi_cancel_io was checking if some request was pending before trying to cancel it, while scsi_req_cancel always cancels the request.

This may lead to a crash of Qemu due to dereferencing a NULL pointer, as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation.

Signed-off-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

Diffstat (limited to 'hw')
-rw-r--r-- hw/esp.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/esp.c b/hw/esp.c
index 8e95672..aa50800 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -219,7 +219,7 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
s->ti_rptr = 0;
s->ti_wptr = 0;
- if (s->current_dev) {
+ if (s->current_req) {
/* Started a new command before the old one finished. Cancel it. */
scsi_req_cancel(s->current_req);
s->async_len = 0;
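
Review bot: After `scsi_req_cancel(s->current_req);` in get_cmd(), the visible lines reset only `s->async_len`, and nothing shown here sets `s->current_req` back to NULL. Since the guard is now `if (s->current_req)`, please confirm that the pointer is cleared either in the remainder of this block or in the cancel path; otherwise the next get_cmd() would pass the check with a stale request and cancel it a second time. A one-line comment above the condition noting that `current_dev` can be set while no request is in flight (the case the commit message describes) would also help keep the two fields from being confused again.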