Date: Wed, 18 Mar 2026 08:43:45 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293893] panic: _free(NUM): address ADDR(ADDR) has not been allocated
Message-ID: <bug-293893-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293893

Bug ID: 293893
Summary: panic: _free(NUM): address ADDR(ADDR) has not been allocated
Product: Base System
Version: 15.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: r772577952@gmail.com

Hi FreeBSD maintainers,

When fuzzing the FreeBSD kernel with syzkaller using our generated syscall descriptions, an issue was discovered in the CAM subsystem, specifically in the XPT layer. This issue is reproducible on the latest release (release/15.0.0-p4, commit 8ef0ed690df2dca0cc22b827819d112f868470bb). The kernel console output, kernel config, and C/syz reproducers can be found at https://drive.google.com/drive/folders/1zq43OFQT1r362mQuESyvoXpLxBOztdt0?usp=sharing.

The issue report is also listed below (symbolized by our modified syz-symbolize) to assist with the analysis:

```
TITLE: panic: _free(NUM): address ADDR(ADDR) has not been allocated
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

panic: _free(0): address 0xfffffe012e9707b8(0xfffffe012e970000) has not been allocated
cpuid = 3
time = 1773822689
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff814d706e at free+0x26e /usr/obj/usr/src/kern/kern_malloc.c:975
#4 0xffffffff80398e34 at xpt_release_ccb+0xa4 /usr/obj/usr/src/cam/cam_xpt.c:0
#5 0xffffffff8039bb5f at xpt_done_process+0x84f /usr/obj/usr/src/cam/cam_xpt.c:5379
#6 0xffffffff803a008c at xpt_done_td+0x2bc /usr/obj/usr/src/cam/cam_xpt.c:5431
#7 0xffffffff8149139c at fork_exit+0xcc /usr/obj/usr/src/kern/kern_fork.c:1159
#8 0xffffffff820a06de at fork_trampoline+0xe /usr/obj/usr/src/amd64/amd64/exception.S:1066
Uptime: 56s
Automatic reboot in 15 seconds - press a key on the console to abort
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
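Reports like the one above arrive from a fuzzer in bulk, and the first triage step is mechanical: parse the KDB backtrace into frames, derive a normalized title for deduplication (the `_free(NUM): address ADDR(ADDR)` form that syz-symbolize prints), and skip past the panic and allocator frames to the first frame that belongs to the subsystem under test. The script below is an added example written for this page, not part of the bug report or of syzkaller; the function names (`parse_report`, `normalize_title`, `blame_frame`, `freed_offset`, `triage`) and the `GENERIC_FRAMES` skip list are assumptions of this example, and `REPORT` is the backtrace text from the report above embedded as constructed sample input.

```python
"""Triage helper for FreeBSD KDB panic reports (example code, not from the bug report)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One KDB backtrace frame: "#N 0xPC at func+0xOFF /path/file.c:LINE" (file:line is optional).
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-f]+)\s+at\s+(?P<func>[\w.]+)\+(?P<off>0x[0-9a-f]+)"
    r"(?:\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)
PANIC_RE = re.compile(r"^panic:\s*(?P<msg>.*)$")
ADDR_RE = re.compile(r"address (?P<addr>0x[0-9a-f]+)\((?P<base>0x[0-9a-f]+)\)")

# Frames owned by the panic path, the allocator, or thread setup; the caller at fault is
# the first frame that is not in this set (assumed list for this example).
GENERIC_FRAMES = {"kdb_backtrace", "vpanic", "panic", "free", "malloc",
                  "fork_exit", "fork_trampoline"}

# Constructed sample input: the console lines quoted in the report above.
REPORT = """\
panic: _free(0): address 0xfffffe012e9707b8(0xfffffe012e970000) has not been allocated
cpuid = 3
time = 1773822689
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff814d706e at free+0x26e /usr/obj/usr/src/kern/kern_malloc.c:975
#4 0xffffffff80398e34 at xpt_release_ccb+0xa4 /usr/obj/usr/src/cam/cam_xpt.c:0
#5 0xffffffff8039bb5f at xpt_done_process+0x84f /usr/obj/usr/src/cam/cam_xpt.c:5379
#6 0xffffffff803a008c at xpt_done_td+0x2bc /usr/obj/usr/src/cam/cam_xpt.c:5431
#7 0xffffffff8149139c at fork_exit+0xcc /usr/obj/usr/src/kern/kern_fork.c:1159
#8 0xffffffff820a06de at fork_trampoline+0xe /usr/obj/usr/src/amd64/amd64/exception.S:1066
Uptime: 56s
"""


@dataclass
class Frame:
    idx: int
    pc: int
    func: str
    off: int
    file: Optional[str]
    line: Optional[int]  # None when the symbolizer had no line info (printed as ":0")

    def location(self) -> str:
        if self.file is None:
            return "?"
        return f"{self.file}:{self.line if self.line is not None else '?'}"


def parse_report(text: str) -> Tuple[Optional[str], List[Frame]]:
    """Return (panic message, frames in backtrace order) from raw console text."""
    panic_msg = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PANIC_RE.match(line)
        if m and panic_msg is None:
            panic_msg = m.group("msg")
            continue
        m = FRAME_RE.match(line)
        if m:
            lineno = int(m["line"]) if m["line"] is not None else None
            if lineno == 0:  # KDB prints :0 when the line is unknown
                lineno = None
            frames.append(Frame(int(m["idx"]), int(m["pc"], 16), m["func"],
                                int(m["off"], 16), m["file"], lineno))
    return panic_msg, frames


def normalize_title(panic_msg: str) -> str:
    """Replace hex and decimal literals so identical bugs share one title."""
    s = re.sub(r"0x[0-9a-fA-F]+", "ADDR", panic_msg)
    s = re.sub(r"\b\d+\b", "NUM", s)
    return "panic: " + s


def blame_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the panic/allocator machinery: where the bad free was issued."""
    for f in frames:
        if f.func not in GENERIC_FRAMES:
            return f
    return None


def freed_offset(panic_msg: str) -> Optional[int]:
    """Offset of the freed pointer inside the page the allocator reports for it."""
    m = ADDR_RE.search(panic_msg)
    if not m:
        return None
    return int(m["addr"], 16) - int(m["base"], 16)


def triage(text: str) -> dict:
    panic_msg, frames = parse_report(text)
    blamed = blame_frame(frames)
    return {
        "title": normalize_title(panic_msg) if panic_msg else None,
        "frames": len(frames),
        "blamed": blamed.func if blamed else None,
        "blamed_at": blamed.location() if blamed else None,
        "freed_offset": freed_offset(panic_msg) if panic_msg else None,
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

The skip list is the design choice worth noting: `free` and `panic` are where the allocator detected the problem, not where it was introduced, so the triage result points at `xpt_release_ccb` (with its line unknown, since the symbolizer printed `:0`), and the title it computes matches the `TITLE:` line in the report, which is what lets a fuzzing pipeline fold repeat crashes into one bug.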
