From 184f24a57bf2731c45888aeed7cc5ea85b8e6e5a Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 2 Sep 2011 12:17:51 +0200
Subject: [PATCH 05/13] usb-storage: fix NULL pointer dereference.

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1314965871-32485-6-git-send-email-kraxel@redhat.com>
Patchwork-id: 32203
O-Subject: [RHEL-6.2 kvm PATCH 5/5] usb-storage: fix NULL pointer dereference.
Bugzilla: 733010
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>

When a usb packet is canceled we need to check whenever we actually have
a scsi request in flight before we try to cancel it.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

bugzilla: 733010 - core dump when issue fdisk -l in guest which has two
                   usb-storage attached
upstream: submitted (http://patchwork.ozlabs.org/patch/113128/).
---
 hw/usb-msd.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/usb-msd.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index cdeac58..ed7e0fa 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -333,7 +333,10 @@ static int usb_msd_handle_control(USBDevice *dev, USBPacket *p,
 static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
 {
     MSDState *s = DO_UPCAST(MSDState, dev, dev);
-    scsi_req_cancel(s->req);
+
+    if (s->req) {
+        scsi_req_cancel(s->req);
+    }
 }
 
 static int usb_msd_handle_data(USBDevice *dev, USBPacket *p)
-- 
1.7.4.4