Bug #7075
ahci: NULL pointer dereference in ahci_add_doneq()
Description
> ::panicinfo
             cpu               10
          thread ffffff00ac8dac40
         message BAD TRAP: type=e (#pf Page fault) rp=ffffff00ac8da8b0 addr=40 occurred in module "ahci" due to a NULL pointer dereference
             rdi ffffff17eb3e5000
             rsi                0
             rdx                1
             rcx         fffffffe
              r8                0
              r9               10
             rax                1
             rbx ffffff17eb3e5000
             rbp ffffff00ac8da9c0
             r10 ffffff00ac8da840
             r11                0
             r12                0
             r13                0
             r14                0
             r15                1
          fsbase                0
          gsbase ffffff179b6f8040
              ds               4b
              es               4b
              fs                0
              gs              1c3
          trapno                e
             err                0
             rip fffffffff8188d24
              cs               30
          rflags            10286
             rsp ffffff00ac8da9a0
              ss               38

> *panic_thread::findstack -v
stack pointer for thread ffffff00ac8dac40: ffffff00ac8da570
  ffffff00ac8da5e0 avl_find+0x72(fffffffffbc32430, ffffff00ac8da5f8, 0)
  ffffff00ac8da610 as_segat+0x3d(fffffffffbc323e0, 0)
  ffffff00ac8da700 as_fault+0x4e7(fffffffffb938770, fffffffffbc323e0, 40, ffffff00ac8da8b0, fffffffffb955b29, fffffffffb955a3f)
  ffffff00ac8da790 die+0xdf(e, ffffff00ac8da8b0, 40, a)
  ffffff00ac8da8a0 trap+0xdd8(ffffff00ac8da8b0, 40, a)
  ffffff00ac8da8b0 0xfffffffffb8001d6()
  ffffff00ac8da9c0 ahci_add_doneq+0x14(ffffff17eb3e5000, 0, 1)
  ffffff00ac8daa60 ahci_mop_commands+0x148(ffffff17eb3dde40, ffffff17eb3e5000, 0, 1, 0, 0, ffffff0000000000)
  ffffff00ac8dab00 ahci_fatal_error_recovery_handler+0x241(ffffff17eb3dde40, ffffff17eb3e5000, ffffff17c3d82830, 8000000)
  ffffff00ac8dab60 ahci_events_handler+0xda(ffffff17c3d0c6f0)
  ffffff00ac8dac20 taskq_thread+0x2d0(ffffff17eb3fd928)
  ffffff00ac8dac30 thread_start+8()

Email me for a link to the core (kdump.0) if you need it.
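The panic output above already localises the NULL without the dump: the trap message gives the faulting address (addr=40, i.e. a small structure offset from a NULL base), the saved registers show rsi is 0, and the frame immediately after the bare-address frame at rp (ffffff00ac8da8b0) is the function that took the fault, ahci_add_doneq+0x14. The script below is an added example, not part of this bug report or of illumos/mdb, that automates that reading over the Description's own ::panicinfo and ::findstack output (copied inline, trimmed to the lines it uses). It assumes the SysV AMD64 convention that the first six integer arguments travel in rdi, rsi, rdx, rcx, r8 and r9, and treats the argument slots ::findstack -v prints as a reconstruction to be cross-checked against the trapped registers rather than trusted outright.

```python
"""Triage an illumos BAD TRAP from `::panicinfo` and `::findstack -v` output.

Added example written for this bug report; not code from illumos or mdb. The two
samples are copied from the Description above (trimmed to the lines used). Argument
slots are mapped to registers per the SysV AMD64 calling convention (assumption).
"""
import re

ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")  # SysV AMD64 integer args
NULL_WINDOW = 0x1000  # fault address below this: NULL base + structure field offset

PANICINFO = """\
thread ffffff00ac8dac40
message BAD TRAP: type=e (#pf Page fault) rp=ffffff00ac8da8b0 addr=40 occurred in module "ahci" due to a NULL pointer dereference
rdi ffffff17eb3e5000
rsi 0
rdx 1
rcx fffffffe
r8 0
r9 10
rip fffffffff8188d24
"""

FINDSTACK = """\
stack pointer for thread ffffff00ac8dac40: ffffff00ac8da570
  ffffff00ac8da790 die+0xdf(e, ffffff00ac8da8b0, 40, a)
  ffffff00ac8da8a0 trap+0xdd8(ffffff00ac8da8b0, 40, a)
  ffffff00ac8da8b0 0xfffffffffb8001d6()
  ffffff00ac8da9c0 ahci_add_doneq+0x14(ffffff17eb3e5000, 0, 1)
  ffffff00ac8daa60 ahci_mop_commands+0x148(ffffff17eb3dde40, ffffff17eb3e5000, 0, 1, 0, 0, ffffff0000000000)
  ffffff00ac8dab00 ahci_fatal_error_recovery_handler+0x241(ffffff17eb3dde40, ffffff17eb3e5000, ffffff17c3d82830, 8000000)
"""

# frame address, symbol, optional +offset, parenthesised argument list
FRAME_RE = re.compile(r"^\s*(?P<fp>[0-9a-f]+)\s+(?P<sym>[^+(\s]+)"
                      r"(?:\+(?P<off>(?:0x)?[0-9a-f]+))?\((?P<args>[^)]*)\)\s*$")


def parse_panicinfo(text):
    """`::panicinfo` lines -> {field: value}; register values stay hex strings."""
    info = {}
    for line in text.splitlines():
        name, _, value = line.strip().partition(" ")
        if name:
            info[name] = value.strip()
    return info


def parse_findstack(text):
    """`::findstack -v` lines -> [(frame_addr, symbol, offset_or_None, [args])]."""
    frames = []
    for m in filter(None, map(FRAME_RE.match, text.splitlines())):
        args = [a.strip() for a in m.group("args").split(",") if a.strip()]
        frames.append((m.group("fp"), m.group("sym"), m.group("off"), args))
    return frames


def triage(panicinfo_text, findstack_text):
    info = parse_panicinfo(panicinfo_text)
    rp = re.search(r"rp=([0-9a-f]+)", info["message"]).group(1)
    addr = int(re.search(r"addr=([0-9a-f]+)", info["message"]).group(1), 16)
    frames = parse_findstack(findstack_text)

    # trap() saved the register set at rp; ::findstack prints that as a frame whose
    # "symbol" is a bare address. The frame right after it is the one that faulted.
    i = next(k for k, f in enumerate(frames) if f[0] == rp)
    _, sym, off, args = frames[i + 1]
    caller = frames[i + 2][1] if i + 2 < len(frames) else None

    # ::findstack's argument slots on amd64 are a reconstruction, so compare them
    # with the registers saved at the trap before trusting them.
    argv = [int(a, 16) for a in args]
    regs = [int(info[r], 16) for r in ARG_REGS[:len(argv)]]

    # A tiny fault address is NULL plus a field offset; every zero argument is a
    # candidate base pointer (1-based argument number, register it travelled in).
    null_args = ([(k + 1, ARG_REGS[k]) for k, v in enumerate(argv) if v == 0]
                 if addr < NULL_WINDOW else [])
    return {"function": sym, "pc_offset": off, "fault_addr": addr, "caller": caller,
            "regs_consistent": argv == regs, "null_args": null_args}


def describe(r):
    s = f"{r['function']}+{r['pc_offset'] or '0'} faulted on address {r['fault_addr']:#x}"
    if r["null_args"]:
        s += "; NULL candidates: " + ", ".join(f"argument {n} ({reg})" for n, reg in r["null_args"])
    s += "; frame args " + ("match" if r["regs_consistent"] else "DO NOT match") + " trapped registers"
    if r["caller"]:
        s += f"; called from {r['caller']}"
    return s


if __name__ == "__main__":
    print(describe(triage(PANICINFO, FINDSTACK)))
```

Run as-is it reports ahci_add_doneq+0x14 faulting on 0x40 with argument 2 (rsi) as the NULL candidate, frame arguments agreeing with the trapped registers, called from ahci_mop_commands. The same three values (ffffff17eb3e5000, 0, 1) also appear inside ahci_mop_commands's own argument list, which suggests the NULL second argument was passed in rather than produced inside ahci_add_doneq; confirming that needs the driver source or ::dis on the faulting function, not just the stack.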
Updated by Marcel Telka about 7 years ago
- Category set to driver - device drivers
Updated by Marcel Telka about 7 years ago
- Has duplicate Bug #7182: panic when booting with KVM SATA CDROM added
Updated by Marcel Telka about 7 years ago
- Subject changed from Marvell 88SE9235 crashes when not underload. to ahci: NULL pointer dereference in ahci_add_doneq()
Updated by Marcel Telka over 6 years ago
- Has duplicate Bug #8001: guest virtualbox system dumps core when I attach Host drive DVD-RW with inserted audio CD to it added
Updated by Alexander Pyhalov over 6 years ago
Steps to reproduce (at least for me):
1) Create a VirtualBox VM (I used VirtualBox 4.3.30) running on OI.
2) Attach the host drive to the VM (the host CD-ROM device is attached to a SATA controller, both in real life and in the VirtualBox VM).
3) Insert an audio disc (or perhaps just this exact disc) into the CD-ROM drive.
4) Boot the VM.
5) You get it on boot.
Updated by Michal Nowak about 6 years ago
- File ahci_crash.xml ahci_crash.xml added
I can reproduce it on KVM with any recent OI ISO image attached as a SATA CDROM device with two vCPUs. OI with this combination at least once booted for me.
Updated by Michal Nowak almost 3 years ago
On KVM and VirtualBox the problem is mostly theoretical, as one can always use a different CD-ROM controller.
But recently I was bitten by it on the Hetzner Cloud (https://www.hetzner.com/cloud), where OpenIndiana 2020.10 either crashes during boot (90 % of the time) or can't detect the disk (10 %) via format.
Updated by Marcel Telka 12 months ago
- Related to Bug #15250: Module Ahci NULL pointer dereference when booting from SATA CDROM in Libvirt added
Updated by Marcel Telka 12 months ago
- Has duplicate Bug #15250: Module Ahci NULL pointer dereference when booting from SATA CDROM in Libvirt added
Updated by Marcel Telka 12 months ago
- Related to deleted (Bug #15250: Module Ahci NULL pointer dereference when booting from SATA CDROM in Libvirt)
Updated by Joshua M. Clulow 4 months ago
- File panique.png panique.png added
This is still occurring with modern KVM/QEMU on Ubuntu, and indeed I have only seen it so far when I added a second VCPU to the guest.
$ qemu-system-x86_64 --version
QEMU emulator version 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.12)
Copyright (c) 2003-2021 Fabrice Bellard and the QEMU Project developers
$ grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 22.04.2 LTS"
Updated by Joshua M. Clulow 4 months ago
- File sleepy.png sleepy.png added
As in the adjacent thread stacks in other bugs (e.g., #7182), there was a sata_add_device() stack as well:
The rest of the stack after that frame is different, but it suggests that a transaction of some kind was in flight in both cases.