From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293890] Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb
Date: Wed, 18 Mar 2026 07:55:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293890

    Bug ID: 293890
   Summary: Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb
   Product: Base System
   Version: 15.0-RELEASE
  Hardware: arm64
        OS: Any
    Status: New
  Severity: Affects Some People
  Priority: ---
 Component: kern
  Assignee: bugs@FreeBSD.org
  Reporter: r772577952@gmail.com

Hi FreeBSD maintainers,

When fuzzing the FreeBSD kernel with syzkaller and our generated syscall descriptions, an issue is discovered in the cam subsystem. This issue is reproducible on the latest release (release/15.0.0-p4, commit 8ef0ed690df2dca0cc22b827819d112f868470bb).

The kernel console output, kernel config, and C/syz reproducers can be found at https://drive.google.com/drive/folders/1aqIT9ry9Lk-OhHJL5daUA35hHnk9q3_S?usp=drive_link.

The issue report is also listed below (symbolized by our modified syz-symbolize) to assist with the analysis:

```
TITLE: Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x50
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80392a6f
stack pointer           = 0x28:0xfffffe00ec1352b0
frame pointer           = 0x28:0xfffffe00ec135310
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1479 (repro.out)
rdi: 0000000000000050 rsi: ffffffff82e093d0 rdx: 0000000000000000
rcx: fffffe00175ef388  r8: 0000000000000000  r9: 0000000000000001
rax: fffffe0000000000 rbx: 0000000000000900 rbp: fffffe00ec135310
r10: fffffe00ef2f00c8 r11: 000000000000009b r12: 0000000000000050
r13: fffffe00ef2f0000 r14: fffffe00ecfc37e0 r15: 0000000000000000
trap number             = 12
panic: page fault
cpuid = 1
time = 1773819883
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f7cd2 at trap_pfault+0xaf2 /usr/obj/usr/src/amd64/amd64/trap.c:851
#4 0xffffffff820f61de at trap+0x78e /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff80389f28 at cam_periph_runccb+0x2b8 /usr/obj/usr/src/cam/cam_periph.c:0
#7 0xffffffff8040f159 at passsendccb+0x339 /usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#8 0xffffffff8040dfa5 at passdoioctl+0x615 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#9 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#10 0xffffffff811cb236 at devfs_ioctl+0x266 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#11 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#12 0xffffffff817bd187 at vn_ioctl+0x3c7 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#13 0xffffffff811cc0f9 at devfs_ioctl_f+0x69 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#14 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#15 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
#16 0xffffffff820f9372 at amd64_syscall+0x4e2 /usr/obj/usr/src/kern/subr_syscall.c:193
#17 0xffffffff8209ffab at fast_syscall_common+0xf8 /usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 1m36s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
cpu_reset: Restarting BSP
cpu_reset_proxy: Stopped CPU 1

TITLE: panic: page fault
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

panic: page fault
cpuid = 1
time = 1773819883
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f7cd2 at trap_pfault+0xaf2 /usr/obj/usr/src/amd64/amd64/trap.c:851
#4 0xffffffff820f61de at trap+0x78e /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff80389f28 at cam_periph_runccb+0x2b8 /usr/obj/usr/src/cam/cam_periph.c:0
#7 0xffffffff8040f159 at passsendccb+0x339 /usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#8 0xffffffff8040dfa5 at passdoioctl+0x615 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#9 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#10 0xffffffff811cb236 at devfs_ioctl+0x266 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#11 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#12 0xffffffff817bd187 at vn_ioctl+0x3c7 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#13 0xffffffff811cc0f9 at devfs_ioctl_f+0x69 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#14 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#15 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
#16 0xffffffff820f9372 at amd64_syscall+0x4e2 /usr/obj/usr/src/kern/subr_syscall.c:193
#17 0xffffffff8209ffab at fast_syscall_common+0xf8 /usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 1m36s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
cpu_reset: Restarting BSP
cpu_reset_proxy: Stopped CPU 1
```