Subject: kern/15552: iop(4) bug: iop_reset() failure causes system panic
To: None <>
From: Takahiro Kambe <>
List: netbsd-bugs
Date: 02/10/2002 02:31:46
>Number:         15552
>Category:       kern
>Synopsis:       iop(4) bug: iop_reset() failure causes system panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 09 09:32:00 PST 2002
>Originator:     Takahiro Kambe
>Release:        NetBSD 1.5ZA
System: NetBSD 1.5ZA NetBSD 1.5ZA (FIVA20X) #113: Sat Feb 9 00:23:49 JST 2002 i386
Architecture: i386
Machine: i386
	iop_reset() failure causes the system to panic().
	I had a chance to boot a Toshiba MAGNIA Z300 server.  Its SCSI RAID
	has an I2O emulation mode, but something was wrong with iop_reset().
	It was NetBSD 1.5.3_ALPHA but it seems that the problem still
	exists in current.
	It seems that something is wrong with state handling?
	iop_reset() causes freeing a NULL pointer in sc->sc_ims.

--- sys/dev/i2o/iop.c.orig	Sun Jan 13 17:57:30 2002
+++ sys/dev/i2o/iop.c	Sun Feb 10 02:09:22 2002
@@ -312,7 +312,6 @@
 		printf("%s: cannot load scratch dmamap\n", sc->sc_dv.dv_xname);
 		goto bail_out;
-	state++;
 #ifdef I2ODEBUG
 	/* So that our debug checks don't choke. */
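Review bot: dropping this `state++` renumbers every state value reached after the scratch dmamap is loaded, but the diff does not include the bail_out code that switches on those values, so it cannot be confirmed from the patch alone that whichever cleanup step bail_out performs for the value formerly reached here (presumably undoing the scratch dmamap load) is still selected by the correct case. Please include the corresponding bail_out hunk in the diff, or state in the PR which case numbers shift and how bail_out was adjusted to match the moved increment.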
@@ -373,6 +372,7 @@
 	im = malloc(sizeof(*im) * sc->sc_maxib, M_DEVBUF, M_NOWAIT|M_ZERO);
 	sc->sc_ims = im;
+	state++;
 	for (i = 0, state++; i < sc->sc_maxib; i++, im++) {
 		rv = bus_dmamap_create(sc->sc_dmat, IOP_MAX_XFER,
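Review bot: the relocated `state++` runs immediately after `sc->sc_ims = im;` with no visible check that the `M_NOWAIT` malloc succeeded, so if it returns NULL the state is advanced past the point at which bail_out presumably frees `sc->sc_ims` while that pointer is still NULL, which is the same class of failure this PR reports. Suggest checking the allocation before advancing the state, e.g. `if (im == NULL) { printf("%s: cannot allocate ims\n", sc->sc_dv.dv_xname); goto bail_out; }` between the assignment and `state++`. Note also that the `for` header on the following line increments `state` a second time, so the bail_out cases must account for two consecutive increments at this point.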