During the disks probing to discover the zfs pools, the loader will attempt to read the pool label with NULL (uninitialized) spa. The normal loader operations do hide the issue, but userboot did reveal it by crashing bhyveload.
https://reviews.freebsd.org/D7634
A commit references this bug: Author: tsoome Date: Wed Aug 24 16:30:16 UTC 2016 New revision: 304753 URL: https://svnweb.freebsd.org/changeset/base/304753 Log: Bug 212114 - loader: zio_checksum_verify() must test spa for NULL pointer The issue was introduced with adding support for salted checksums, and was revealed by bhyve userboot.so. During pool discovery the loader is reading pool label from disks, and at that time the spa structure is not yet set up, so the NULL pointer is passed for spa. This condition must be checked to avoid the corruption of the memory and NULL pointer dereference. PR: 212114 Reported by: tsoome@freebsd.com Reviewed by: allanjude Approved by: allanjude (mentor) Differential Revision: https://reviews.freebsd.org/D7634 Changes: head/sys/cddl/boot/zfs/zfssubr.c
*** Bug 212137 has been marked as a duplicate of this bug. ***