From 429bef6912bd3d504593b9aefdbcb39e981d387e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9=20Poussineau?= Date: Sat, 9 Jul 2011 16:44:41 +0200 Subject: [PATCH] esp: cancel current request only if some request is in flight MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This bug was introduced in 94d3f98a3f3caddd7875f9a11776daeb84962a7b: scsi_cancel_io was checking if some request was pending before trying to cancel it, while scsi_req_cancel always cancels the request. This may lead to a crash of Qemu due to dereferencing a NULL pointer, as exhibited by NetBSD 5.1 installer on MIPS Magnum emulation. Signed-off-by: Hervé Poussineau Signed-off-by: Blue Swirl --- hw/esp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/esp.c b/hw/esp.c index 8e95672f0..aa50800a5 100644 --- a/hw/esp.c +++ b/hw/esp.c @@ -219,7 +219,7 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) s->ti_rptr = 0; s->ti_wptr = 0; - if (s->current_dev) { + if (s->current_req) { /* Started a new command before the old one finished. Cancel it. */ scsi_req_cancel(s->current_req); s->async_len = 0;
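Review bot: the guard in get_cmd now tests the same pointer the body dereferences (`if (s->current_req)` before `scsi_req_cancel(s->current_req)`), which closes the NULL dereference described in the commit message; what the hunk leaves open is what happens to s->current_req after the cancel, since the visible trailing context only resets `s->async_len = 0`. If s->current_req is not set back to NULL on the cancel path (or by the cancel callback), a second command issued before completion would call scsi_req_cancel on an already-cancelled request, so please either show that reset or add a comment stating where it happens. A one-line comment explaining why current_req is the right condition here (current_dev can remain set after the request it was last used for has completed, so it does not indicate a request in flight) would also save the next reader from reintroducing the current_dev check that caused this regression.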