From b54dd460c56f61bdbf93a5fa29132fd8eefbc9ff Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Tue, 14 Nov 2017 22:28:25 +0100 Subject: [PATCH 203/325] cam: Fix nullpointer dereference Unread portion of the kernel message buffer: ahcich1: Timeout on slot 27 port 0 ahcich1: is 00000000 cs 08000000 ss 00000000 rs 08000000 tfd 451 serr 00000000 cmd 000c5a17 Fatal trap 12: page fault while in kernel mode (aprobe0:ahcich1:0:0:0): SETFEATURES SET TRANSFER MODE. ACB: ef 03 00 00 00 40 00 00 00 00 08 00 cpuid = 2; apic id = 02 fault virtual address = 0x28 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff802a3981 stack pointer = 0x28:0xfffffe01ea3747e0 frame pointer = 0x28:0xfffffe01ea374810 (aprobe0:ahcich1:0:0:0): CAM status: Command timeout (aprobe0:ahcich1:0:0:0): Retrying command code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (swi4: clock (0)) trap number = 12 panic: page fault cpuid = 2 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01ea3743c0 vpanic() at vpanic+0x186/frame 0xfffffe01ea374440 panic() at panic+0x43/frame 0xfffffe01ea3744a0 trap_fatal() at trap_fatal+0x34d/frame 0xfffffe01ea3744f0 trap_pfault() at trap_pfault+0x49/frame 0xfffffe01ea374550 trap() at trap+0x29a/frame 0xfffffe01ea374710 calltrap() at calltrap+0x8/frame 0xfffffe01ea374710 --- trap 0xc, rip = 0xffffffff802a3981, rsp = 0xfffffe01ea3747e0, rbp = 0xfffffe01ea374810 --- xpt_async() at xpt_async+0x331/frame 0xfffffe01ea374810 ahci_reset() at ahci_reset+0x1fe/frame 0xfffffe01ea374860 ahci_end_transaction() at ahci_end_transaction+0x8bd/frame 0xfffffe01ea3748c0 ahci_timeout() at ahci_timeout+0x334/frame 0xfffffe01ea374900 softclock_call_cc() at softclock_call_cc+0x13b/frame 0xfffffe01ea3749b0 softclock() at softclock+0xb9/frame 0xfffffe01ea3749e0 intr_event_execute_handlers() at intr_event_execute_handlers+0xec/frame 0xfffffe01ea374a20 ithread_loop() at 
ithread_loop+0xd6/frame 0xfffffe01ea374a70 fork_exit() at fork_exit+0x85/frame 0xfffffe01ea374ab0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01ea374ab0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- Uptime: 2h57m40s Dumping 1433 out of 8055 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91% [...] __curthread () at ./machine/pcpu.h:222 222 __asm("movq %%gs:%1,%0" : "=r" (td) (kgdb) where #0 __curthread () at ./machine/pcpu.h:222 #1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298 #2 0xffffffff80579176 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366 #3 0xffffffff80579650 in vpanic (fmt=, ap=0xfffffe01ea374480) at /usr/src/sys/kern/kern_shutdown.c:759 #4 0xffffffff80579483 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:690 #5 0xffffffff80855f6d in trap_fatal (frame=0xfffffe01ea374720, eva=40) at /usr/src/sys/amd64/amd64/trap.c:799 #6 0xffffffff80855fc9 in trap_pfault (frame=0xfffffe01ea374720, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653 #7 0xffffffff8085581a in trap (frame=0xfffffe01ea374720) at /usr/src/sys/amd64/amd64/trap.c:420 #8 #9 0xffffffff802a3981 in xpt_async (async_code=1, path=, async_arg=0x0) at /usr/src/sys/cam/cam_xpt.c:4295 #10 0xffffffff8034d40e in ahci_reset (ch=0xfffffe0000d0c000) at /usr/src/sys/dev/ahci/ahci.c:2343 #11 0xffffffff8034ce2d in ahci_end_transaction (slot=, et=) at /usr/src/sys/dev/ahci/ahci.c:1957 #12 0xffffffff8034ea74 in ahci_process_timeout (ch=) at /usr/src/sys/dev/ahci/ahci.c:1671 #13 ahci_timeout (slot=0xfffffe0000d0ccb0) at /usr/src/sys/dev/ahci/ahci.c:1768 #14 0xffffffff805913ab in softclock_call_cc (c=, cc=0xffffffff80f08c80 , direct=) at /usr/src/sys/kern/kern_timeout.c:729 #15 0xffffffff80591909 in softclock (arg=0xffffffff80f08c80 ) at /usr/src/sys/kern/kern_timeout.c:867 #16 0xffffffff8053e89c in intr_event_execute_handlers (p=, ie=0xfffff8000326f500) at /usr/src/sys/kern/kern_intr.c:1262 #17 0xffffffff8053ef66 in ithread_execute_handlers (ie=, p=) at 
/usr/src/sys/kern/kern_intr.c:1275 #18 ithread_loop (arg=0xfffff800032487e0) at /usr/src/sys/kern/kern_intr.c:1356 #19 0xffffffff8053be85 in fork_exit (callout=0xffffffff8053ee90 , arg=0xfffff800032487e0, frame=0xfffffe01ea374ac0) at /usr/src/sys/kern/kern_fork.c:1044 #20 (kgdb) f 9 #9 0xffffffff802a3981 in xpt_async (async_code=1, path=, async_arg=0x0) at /usr/src/sys/cam/cam_xpt.c:4295 warning: Source file is more recent than executable. 4295 xpt_freeze_simq(path->bus->sim, 1); (kgdb) p path $1 = (kgdb) l - 4290 ccb->casync.async_arg_size = size; 4291 } 4292 if (path->device != NULL && path->device->lun_id != CAM_LUN_WILDCARD) 4293 xpt_freeze_devq(path, 1); 4294 else 4295 xpt_freeze_simq(path->bus->sim, 1); 4296 xpt_done(ccb); 4297 } 4298 4299 static void (kgdb) p path $2 = (kgdb) l - 4280 xpt_print(path, "Can't allocate argument to send %s\n", 4281 xpt_async_string(async_code)); 4282 xpt_free_path(ccb->ccb_h.path); 4283 xpt_free_ccb(ccb); 4284 return; 4285 } 4286 memcpy(ccb->casync.async_arg_ptr, async_arg, size); 4287 ccb->casync.async_arg_size = size; 4288 } else if (size < 0) { 4289 ccb->casync.async_arg_ptr = async_arg; (kgdb) l - 4270 size = xpt_async_size(async_code); 4271 CAM_DEBUG(ccb->ccb_h.path, CAM_DEBUG_TRACE, 4272 ("xpt_async: func %#x %s aync_code %d %s\n", 4273 ccb->ccb_h.func_code, 4274 xpt_action_name(ccb->ccb_h.func_code), 4275 async_code, 4276 xpt_async_string(async_code))); 4277 if (size > 0 && async_arg != NULL) { 4278 ccb->casync.async_arg_ptr = malloc(size, M_CAMXPT, M_NOWAIT); 4279 if (ccb->casync.async_arg_ptr == NULL) { (kgdb) f 10 #10 0xffffffff8034d40e in ahci_reset (ch=0xfffffe0000d0c000) at /usr/src/sys/dev/ahci/ahci.c:2343 2343 xpt_async(AC_BUS_RESET, ch->path, NULL); (kgdb) p ch->path $3 = (struct cam_path *) 0xfffff800032d3c80 (kgdb) p *ch->path $4 = {periph = 0x0, bus = 0x0, target = 0x0, device = 0x0} (kgdb) p *ch $5 = {dev = 0xfffff80003280b00, unit = 1, r_mem = 0xfffff80003474280, r_irq = 0xfffff80003474500, ih = 0x0, dma = 
{work_tag = 0xfffff80002fc8500, work_map = 0x0, work = 0xfffffe0233629000 "E", work_bus = 79859712, rfis_tag = 0xfffff80002fc8400, rfis_map = 0x0, rfis = 0xfffff80002fc8300 "\250\331\360YK\357\032q)\236\327\227\377^\332 -\341\260\300\356!J\237\065hr\304@a\\\036_`X", rfis_bus = 50103040, data_tag = 0xfffff80002fc8200}, sim = 0xfffff80003280400, path = 0xfffff800032d3c80, caps = 4281401189, caps2 = 4, chcaps = 786436, chscaps = 0, vendorid = 32902, deviceid = 7171, subvendorid = 6058, subdeviceid = 8655, quirks = 0, numslots = 32, pm_level = 0, devices = 1, pm_present = 0, fbs_enabled = 0, start = 0x0, hold = {0x0 }, slot = {{ch = 0xfffffe0000d0c000, slot = 0 '\000', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7ea00, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = { sle_next = 0xfffff8001b2293a0}, tqe = {tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44295607766411, c_precision = 4026531562, c_arg = 0xfffffe0000d0c1b8, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 1 '\001', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = { data_map = 0xfffff80002f7e980, nsegs = 1}, timeout = {c_links = {le = {le_next = 0xfffffe0000d0ce10, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffffe0000d0ce10}, tqe = { tqe_next = 0xfffffe0000d0ce10, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45074001815689, c_precision = 4026531562, c_arg = 0xfffffe0000d0c220, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 2 '\002', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e900, nsegs = 0}, timeout = { c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff8001b2293a0}, tqe = {tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 
45139272429188, c_precision = 4026531562, c_arg = 0xfffffe0000d0c288, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, { ch = 0xfffffe0000d0c000, slot = 3 '\003', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e880, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff800035bb3a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff800035bb3a0}, tqe = {tqe_next = 0xfffff800035bb3a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45203735588891, c_precision = 4026531562, c_arg = 0xfffffe0000d0c2f0, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 4 '\004', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e800, nsegs = 0}, timeout = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = { tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44360878379910, c_precision = 4026531562, c_arg = 0xfffffe0000d0c358, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 5 '\005', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e780, nsegs = 0}, timeout = { c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44425332949679, c_precision = 4026531562, c_arg = 0xfffffe0000d0c3c0, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 6 '\006', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e700, nsegs = 1}, timeout = {c_links = {le = {le_next = 0xfffffe0000d0c318, le_prev = 0xffffffff80f08d98 }, sle = { sle_next = 0xfffffe0000d0c318}, tqe = {tqe_next = 0xfffffe0000d0c318, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45203735588891, c_precision = 4026531562, 
c_arg = 0xfffffe0000d0c428, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 7 '\a', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = { data_map = 0xfffff80002f7e680, nsegs = 0}, timeout = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45268997612456, c_precision = 4026531562, c_arg = 0xfffffe0000d0c490, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 8 '\b', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e600, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff8001b2293a0}, tqe = {tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45333439297324, c_precision = 4026531562, c_arg = 0xfffffe0000d0c4f8, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 9 '\t', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e580, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = { sle_next = 0xfffff8001b2293a0}, tqe = {tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44490607858145, c_precision = 4026531562, c_arg = 0xfffffe0000d0c560, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 10 '\n', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = { data_map = 0xfffff80002f7e500, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff800035bb3a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff800035bb3a0}, tqe = { tqe_next = 0xfffff800035bb3a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44555071017848, c_precision = 4026531562, c_arg = 
0xfffffe0000d0c5c8, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 11 '\v', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e480, nsegs = 1}, timeout = { c_links = {le = {le_next = 0xfffffe0000d0c520, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffffe0000d0c520}, tqe = {tqe_next = 0xfffffe0000d0c520, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45333443592291, c_precision = 4026531562, c_arg = 0xfffffe0000d0c630, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, { ch = 0xfffffe0000d0c000, slot = 12 '\f', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e400, nsegs = 0}, timeout = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45398744270559, c_precision = 4026531562, c_arg = 0xfffffe0000d0c698, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 13 '\r', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = { data_map = 0xfffff80002f7e380, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff8001b2293a0}, tqe = { tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45463190250394, c_precision = 4026531562, c_arg = 0xfffffe0000d0c700, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 14 '\016', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e300, nsegs = 0}, timeout = { c_links = {le = {le_next = 0xfffff8001b2293a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff8001b2293a0}, tqe = {tqe_next = 0xfffff8001b2293a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44620333041413, c_precision = 4026531562, c_arg = 
0xfffffe0000d0c768, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, { ch = 0xfffffe0000d0c000, slot = 15 '\017', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e280, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff800035bb3a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff800035bb3a0}, tqe = {tqe_next = 0xfffff800035bb3a0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 44684796201116, c_precision = 4026531562, c_arg = 0xfffffe0000d0c7d0, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 16 '\020', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e200, nsegs = 1}, timeout = {c_links = {le = {le_next = 0xfffffe0000d0c728, le_prev = 0xffffffff80f08d98 }, sle = { sle_next = 0xfffffe0000d0c728}, tqe = {tqe_next = 0xfffffe0000d0c728, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45463190250394, c_precision = 4026531562, c_arg = 0xfffffe0000d0c838, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 17 '\021', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = { data_map = 0xfffff80002f7e180, nsegs = 0}, timeout = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45528469453827, c_precision = 4026531562, c_arg = 0xfffffe0000d0c8a0, c_func = 0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 18 '\022', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e100, nsegs = 0}, timeout = {c_links = {le = {le_next = 0x0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xffffffff80f08d98 }}, c_time = 45592924023596, c_precision = 4026531562, c_arg = 0xfffffe0000d0c908, c_func = 
0xffffffff8034e740 , c_lock = 0xfffffe0000d0d300, c_flags = 2, c_iflags = 128, c_cpu = 0}}, {ch = 0xfffffe0000d0c000, slot = 19 '\023', state = AHCI_SLOT_EMPTY, ccb = 0x0, dma = {data_map = 0xfffff80002f7e080, nsegs = 0}, timeout = {c_links = {le = {le_next = 0xfffff800035bb3a0, le_prev = 0xffffffff80f08d98 }, sle = {sle_next = 0xfffff800035bb3a0}, tqe = { ---Type to continue, or q to quit---qq tqe_next Quit (kgdb) where #0 __curthread () at ./machine/pcpu.h:222 #1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298 #2 0xffffffff80579176 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366 #3 0xffffffff80579650 in vpanic (fmt=, ap=0xfffffe01ea374480) at /usr/src/sys/kern/kern_shutdown.c:759 #4 0xffffffff80579483 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:690 #5 0xffffffff80855f6d in trap_fatal (frame=0xfffffe01ea374720, eva=40) at /usr/src/sys/amd64/amd64/trap.c:799 #6 0xffffffff80855fc9 in trap_pfault (frame=0xfffffe01ea374720, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653 #7 0xffffffff8085581a in trap (frame=0xfffffe01ea374720) at /usr/src/sys/amd64/amd64/trap.c:420 #8 #9 0xffffffff802a3981 in xpt_async (async_code=1, path=, async_arg=0x0) at /usr/src/sys/cam/cam_xpt.c:4295 #10 0xffffffff8034d40e in ahci_reset (ch=0xfffffe0000d0c000) at /usr/src/sys/dev/ahci/ahci.c:2343 #11 0xffffffff8034ce2d in ahci_end_transaction (slot=, et=) at /usr/src/sys/dev/ahci/ahci.c:1957 #12 0xffffffff8034ea74 in ahci_process_timeout (ch=) at /usr/src/sys/dev/ahci/ahci.c:1671 #13 ahci_timeout (slot=0xfffffe0000d0ccb0) at /usr/src/sys/dev/ahci/ahci.c:1768 #14 0xffffffff805913ab in softclock_call_cc (c=, cc=0xffffffff80f08c80 , direct=) at /usr/src/sys/kern/kern_timeout.c:729 #15 0xffffffff80591909 in softclock (arg=0xffffffff80f08c80 ) at /usr/src/sys/kern/kern_timeout.c:867 #16 0xffffffff8053e89c in intr_event_execute_handlers (p=, ie=0xfffff8000326f500) at /usr/src/sys/kern/kern_intr.c:1262 #17 0xffffffff8053ef66 in ithread_execute_handlers 
(ie=, p=) at /usr/src/sys/kern/kern_intr.c:1275 #18 ithread_loop (arg=0xfffff800032487e0) at /usr/src/sys/kern/kern_intr.c:1356 #19 0xffffffff8053be85 in fork_exit (callout=0xffffffff8053ee90 , arg=0xfffff800032487e0, frame=0xfffffe01ea374ac0) at /usr/src/sys/kern/kern_fork.c:1044 #20 Obtained from: ElectroBSD
---
 sys/cam/cam_xpt.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sys/cam/cam_xpt.c b/sys/cam/cam_xpt.c
index bd59dc1fc01f..36cb73141a55 100644
--- a/sys/cam/cam_xpt.c
+++ b/sys/cam/cam_xpt.c
@@ -4463,10 +4463,12 @@ xpt_async(u_int32_t async_code, struct cam_path *path, void *async_arg)
 ccb->casync.async_arg_ptr = async_arg;
 ccb->casync.async_arg_size = size;
 }
- if (path->device != NULL && path->device->lun_id != CAM_LUN_WILDCARD)
- xpt_freeze_devq(path, 1);
- else
- xpt_freeze_simq(path->bus->sim, 1);
+ if (path != NULL) {
+ if (path->device != NULL && path->device->lun_id != CAM_LUN_WILDCARD)
+ xpt_freeze_devq(path, 1);
+ else
+ xpt_freeze_simq(path->bus->sim, 1);
+ }
 xpt_action(ccb);
 }
-- 
2.32.0
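Review bot: The added `path != NULL` guard does not cover the state shown in the commit's own kgdb session: there `ch->path` is a valid pointer whose `bus` and `device` fields are both 0x0, so the `else` branch still evaluates `path->bus->sim` through a NULL `bus` (consistent with the reported fault address 0x28). The inner branch should test the bus as well, e.g. `else if (path->bus != NULL)` ahead of `xpt_freeze_simq(path->bus->sim, 1);`. An all-zero `cam_path` may also mean the caller is holding a path that was already released, which a NULL check here would only mask, so the path's lifetime in the caller's reset/teardown handling is worth confirming. The body of xpt_async starts above the hunk; if `path` is dereferenced there, or if the async handler later releases a queue that was never frozen on the skip path, those spots need the same treatment.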