Subject: Re: crash dump failing on machine with 4GB
To: Martin Husemann <martin@duskware.de>
From: Chris Ross <cross+netbsd@distal.com>
List: port-sparc64
Date: 09/29/2007 14:53:23

On Sep 29, 2007, at 11:40, Martin Husemann wrote:
> On Fri, Sep 28, 2007 at 11:21:24PM -0400, Chris Ross wrote:
>> dumping to dev 7,1 offset 4310231
>> dump Calling callout_stop on 0x187ea98
>> callout_stop: c 0x187ea98, c_magic 0
>> panic: kernel diagnostic assertion "c->c_magic == CALLOUT_MAGIC"
>> failed: file "/data/NetBSD/src/sys/kern/kern_timeout.c", line 431
>
> The previous transfers were properly malloc()ed, this one is on the kernel
> stack. Is it wrongly hand-crafted somewhere?

   Possible.  The address being passed to callout_stop here is  
actually a static member of the scsipi_xfer struct that's in the  
esiop_cmd->cmd_c:

         struct scsipi_xfer *xs = esiop_cmd->cmd_c.xs;

and then the later callout_stop is [effectively, but not *actually*  
for no reason I understand]:

         callout_stop(&xs->xs_callout);

   Any idea where the scsipi_xfer gets allocated or "hand-crafted" in  
the cmd_c before esiop_cmd_end() is called?

                - Chris