Subject: kern/15552: iop(4) bug: iop_reset() failure cause system panic
To: None <gnats-bugs@gnats.netbsd.org>
From: Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
List: netbsd-bugs
Date: 02/10/2002 02:31:46
>Number: 15552
>Category: kern
>Synopsis: iop(4) bug: iop_reset() failure cause system panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Feb 09 09:32:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Takahiro Kambe
>Release: NetBSD 1.5ZA
>Organization:
>Environment:
System: NetBSD edge.sky.yamashina.kyoto.jp 1.5ZA NetBSD 1.5ZA (FIVA20X) #113: Sat Feb 9 00:23:49 JST 2002 taca@edge.sky.yamashina.kyoto.jp:/usr/src/sys/arch/i386/compile/FIVA20X i386
Architecture: i386
Machine: i386
>Description:
iop_reset() failure causes the system to panic().
>How-To-Repeat:
I had a chance to boot a Toshiba MAGNIA Z300 server. Its SCSI RAID
has I2O emulation mode, but something was wrong with iop_reset().
It was NetBSD 1.5.3_ALPHA but it seems that the problem still
exists in current.
>Fix:
It seems that something is wrong with state handling?
iop_reset() causes freeing of a NULL pointer in sc->sc_ims.
--- sys/dev/i2o/iop.c.orig Sun Jan 13 17:57:30 2002
+++ sys/dev/i2o/iop.c Sun Feb 10 02:09:22 2002
@@ -312,7 +312,6 @@
printf("%s: cannot load scratch dmamap\n", sc->sc_dv.dv_xname);
goto bail_out;
}
- state++;
#ifdef I2ODEBUG
/* So that our debug checks don't choke. */
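Review bot: Removing the state++ that followed the successful scratch dmamap load means any later failure reaches bail_out with state one lower than before, and the bail_out code is not part of this patch, so the effect on teardown cannot be judged from the diff. If a cleanup step there was gated on this increment (for example unloading the scratch dmamap), a failure between this point and the new increment would now skip it. Please include the bail_out hunk, or say in the report which cleanup step each state value corresponds to.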
@@ -373,6 +372,7 @@
im = malloc(sizeof(*im) * sc->sc_maxib, M_DEVBUF, M_NOWAIT|M_ZERO);
sc->sc_ims = im;
SLIST_INIT(&sc->sc_im_freelist);
+ state++;
for (i = 0, state++; i < sc->sc_maxib; i++, im++) {
rv = bus_dmamap_create(sc->sc_dmat, IOP_MAX_XFER,
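Review bot: The added state++ sits directly above a for loop whose initializer already does state++ (for (i = 0, state++; ...)), so state advances twice at this point. If the intent is to move the increment removed in the earlier hunk to after sc_ims is set up, drop one of the two or add a comment saying which cleanup step each increment stands for. Separately, the malloc() above uses M_NOWAIT and its result is stored in sc->sc_ims and walked by the loop without a NULL check, which is consistent with the NULL sc_ims described in the report; a check with goto bail_out before the increment would cover that case.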
>Release-Note:
>Audit-Trail:
>Unformatted: