Null-ptr dereference on AHCICmdHdr in ahci_pio_transfer

== Reproducer ==

cat << EOF | ./qemu-system-i386 -display none \
-m 512M -machine q35 -nodefaults \
-drive file=null-co://,if=none,format=raw,id=disk0 \
-device ide-hd,drive=disk0 -machine accel=qtest -qtest stdio
outl 0xcf8 0x8000fa24
outl 0xcfc 0xe0000000
outl 0xcf8 0x8000fa04
outw 0xcfc 0x06
write 0x10a 0x1 0x02
write 0xe0000398 0x1 0x01
write 0x20000 0x1 0x27
write 0x20001 0x1 0x80
write 0x20002 0x1 0x20
write 0x20005 0x1 0x02
write 0xe00003b8 0x2 0x0101
write 0xe0000004 0x1 0x01
write 0x2bb 0x1 0x00
write 0x2bf 0x1 0x00
write 0x2cf 0x1 0x00
write 0x2db 0x1 0x00
write 0x2df 0x1 0x00
write 0x2ed 0x1 0x00
write 0x2ef 0x1 0x00
write 0x2fb 0x1 0x00
write 0x2ff 0x1 0x00
write 0x31f 0x1 0x00
write 0x32b 0x1 0x00
write 0x32f 0x1 0x00
write 0x337 0x1 0x00
write 0x33f 0x1 0x00
write 0x347 0x1 0x00
write 0x357 0x1 0x00
write 0x35f 0x1 0x00
write 0x36b 0x1 0x00
write 0x36f 0x1 0x00
write 0x377 0x1 0x00
write 0x37f 0x1 0x00
write 0x397 0x1 0x00
write 0x39f 0x1 0x00
write 0x3ab 0x1 0x00
write 0x3af 0x1 0x00
write 0x3b7 0x1 0x00
write 0x3bf 0x1 0x00
write 0x3c7 0x1 0x00
write 0x3d7 0x1 0x00
write 0x3df 0x1 0x00
write 0x3eb 0x1 0x00
write 0x3ef 0x1 0x00
write 0x3f7 0x1 0x00
write 0x3ff 0x1 0x00
write 0xe0000394 0x1 0x00
write 0xe0000398 0x1 0x01
EOF

== Stack Trace ==
../hw/ide/ahci.c:1349:46: runtime error: member access within null pointer of
type 'AHCICmdHdr' (aka 'struct AHCICmdHdr') SUMMARY:
UndefinedBehaviorSanitizer: undefined-behavior ../hw/ide/ahci.c:1349:46 in
../hw/ide/ahci.c:1349:46: runtime error: load of null pointer of type
'uint16_t' (aka 'unsigned short')
SUMMARY: UndefinedBehaviorSanitizer:
undefined-behavior ../hw/ide/ahci.c:1349:46 in AddressSanitizer:DEADLYSIGNAL
=================================================================
==238806==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x555787d414c9 bp 0x7fffe1bb41a0 sp 0x7fffe1bb3fe0 T0)
==238806==The signal is caused by a READ memory access.
==238806==Hint: address points to the zero page.
#0 0x555787d414c9 in ahci_pio_transfer build/../hw/ide/ahci.c:1349:46
#1 0x5557886089d6 in ide_transfer_start_norecurse build/../hw/ide/core.c:553:5
#2 0x555788638945 in ide_transfer_start build/../hw/ide/core.c:560:9
#3 0x555788638945 in ide_sector_read_cb build/../hw/ide/core.c:761:5
#4 0x55578860c989 in ide_buffered_readv_cb build/../hw/ide/core.c:656:9
#5 0x5557898999d6 in blk_aio_complete build/../block/block-backend.c:1412:9
#6 0x555789db8d26 in aio_bh_poll build/../util/async.c:164:13
#7 0x555789d80704 in aio_dispatch build/../util/aio-posix.c:381:5
#8 0x555789dbd94c in aio_ctx_dispatch build/../util/async.c:306:5
#9 0x7f6dcedcfbaa in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51baa)
#10 0x555789dc3763 in glib_pollfds_poll build/../util/main-loop.c:232:9
#11 0x555789dc3763 in os_host_main_loop_wait build/../util/main-loop.c:255:5
#12 0x555789dc3763 in main_loop_wait build/../util/main-loop.c:531:11
#13 0x555789206a49 in qemu_main_loop build/../softmmu/runstate.c:722:9
#14 0x555787d052ed in main build/../softmmu/main.c:50:5
#15 0x7f6dcd84ecc9 in __libc_start_main csu/../csu/libc-start.c:308:16
#16 0x555787c5b619 in _start (system-i386+0x2a13619)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV build/../hw/ide/ahci.c:1349:46 in ahci_pio_transfer
==238806==ABORTING

OSS-Fuzz link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30861