Date: Wed, 18 Mar 2026 08:28:55 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293892] Fatal trap NUM: page fault while in kernel mode in passsendccb
Message-ID: <bug-293892-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293892

Bug ID: 293892
Summary: Fatal trap NUM: page fault while in kernel mode in passsendccb
Product: Base System
Version: 15.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: r772577952@gmail.com

Hi FreeBSD maintainers,

When fuzzing the FreeBSD kernel with syzkaller and our generated syscall descriptions, an issue was discovered in the CAM subsystem. This issue is reproducible on the latest release (release/15.0.0-p4, commit 8ef0ed690df2dca0cc22b827819d112f868470bb).

The kernel console output, kernel config, and C/syz reproducers can be found at https://drive.google.com/drive/folders/1ZlK36_VBgxSf9uXv1NxLNzxZUOceHYI0?usp=sharing.

The detailed issue report is also listed below (symbolized by our modified syz-symbolize) to assist with the analysis:

```
TITLE: Fatal trap NUM: page fault while in kernel mode in passsendccb
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address   = 0x800000006
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff820f15f5
stack pointer           = 0x28:0xfffffe00ec0fd4d0
frame pointer           = 0x28:0xfffffe00ec0fd4d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1468 (repro.out)
rdi: fffffe00ec0fd500 rsi: 0000000800000006 rdx: 0000000000000002
rcx: 0000000000000002  r8: 0000000800000006  r9: 0000000000000002
rax: 0000000000000000 rbx: fffffe00ec0fd540 rbp: fffffe00ec0fd4d0
r10: 0000000000000001 r11: fffffe00edf95550 r12: fffffe012e6bc9f0
r13: fffffe00ec0fd500 r14: fffffe012e6bc800 r15: 0000000000000002
trap number             = 12
panic: page fault
cpuid = 3
time = 1773822193
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f7cd2 at trap_pfault+0xaf2 /usr/obj/usr/src/amd64/amd64/trap.c:851
#4 0xffffffff820f61de at trap+0x78e /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff8040ef8c at passsendccb+0x16c /usr/obj/usr/src/cam/scsi/scsi_pass.c:2199
#7 0xffffffff8040dfa5 at passdoioctl+0x615 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#8 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#9 0xffffffff811cb236 at devfs_ioctl+0x266 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#10 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#11 0xffffffff817bd187 at vn_ioctl+0x3c7 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#12 0xffffffff811cc0f9 at devfs_ioctl_f+0x69 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#13 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#14 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
#15 0xffffffff820f9372 at amd64_syscall+0x4e2 /usr/obj/usr/src/kern/subr_syscall.c:193
#16 0xffffffff8209ffab at fast_syscall_common+0xf8 /usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 56s
Automatic reboot in 15 seconds - press a key on the console to abort
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
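As an added triage aid, not part of the report or of FreeBSD, the parser below pulls the crash site, the fault address and the registers holding that address out of a FreeBSD "Fatal trap" panic with a symbolized backtrace like the one above. The embedded log is an excerpt of the report's own output re-flowed one item per line; the user-range check is a heuristic that assumes the amd64 user/kernel split at 0x800000000000.

```python
import re
from typing import NamedTuple, Optional

# Excerpt of the panic output quoted in the report, re-flowed one item per line.
PANIC_LOG = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x800000006
fault code = supervisor read data, page not present
rdi: fffffe00ec0fd500 rsi: 0000000800000006 rdx: 0000000000000002
rcx: 0000000000000002 r8: 0000000800000006 r9: 0000000000000002
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff8040ef8c at passsendccb+0x16c /usr/obj/usr/src/cam/scsi/scsi_pass.c:2199
#7 0xffffffff8040dfa5 at passdoioctl+0x615 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#14 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
"""

class PanicSummary(NamedTuple):
    trap: int
    fault_addr: int
    fault_code: str
    fault_regs: tuple          # registers whose value equals the faulting address
    user_range: bool           # fault address below the amd64 user/kernel split (heuristic)
    crash_func: Optional[str]  # first frame above the trap entry (calltrap)
    crash_loc: Optional[str]   # symbolized file:line of that frame
    syscall: Optional[str]     # sys_* frame that reached the driver, if any

FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ at (\w+)\+0x[0-9a-f]+ (\S+)")
REG_RE = re.compile(r"\b(r[a-z0-9]+): ([0-9a-f]{16})\b")
USER_LIMIT = 0x800000000000  # assumption: amd64 VM_MAXUSER_ADDRESS

def summarize_panic(text: str = PANIC_LOG) -> PanicSummary:
    trap, addr, code, regs, frames = 0, 0, "", {}, []
    for line in text.splitlines():
        if m := re.match(r"Fatal trap (\d+):", line):
            trap = int(m.group(1))
        elif m := re.match(r"fault virtual address\s*=\s*(0x[0-9a-f]+)", line):
            addr = int(m.group(1), 16)
        elif m := re.match(r"fault code\s*=\s*(.+)", line):
            code = m.group(1).strip()
        elif m := FRAME_RE.match(line):
            frames.append(m.groups())  # (function, file:line)
        else:
            regs.update({n: int(v, 16) for n, v in REG_RE.findall(line)})
    funcs = [f for f, _ in frames]
    # The frame right after calltrap is where the kernel actually faulted.
    idx = funcs.index("calltrap") + 1 if "calltrap" in funcs else len(frames)
    func, loc = frames[idx] if idx < len(frames) else (None, None)
    fault_regs = tuple(n for n, v in regs.items() if v == addr)
    syscall = next((f for f in funcs if f.startswith("sys_")), None)
    return PanicSummary(trap, addr, code, fault_regs, addr < USER_LIMIT, func, loc, syscall)
```

A fault address that is both in the user half and sitting in argument registers (rsi, r8 here) is the usual signature of a user-supplied pointer reaching a kernel dereference without a copyin, which is the first thing to check at the reported scsi_pass.c line.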
