#!/bin/sh

# Kernel page fault with the following non-sleepable locks held:
# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff80006ad2cd0) locked @ cam/scsi/scsi_pass.c:1766
# stack backtrace:
# #0 0xffffffff80c4787c at witness_debugger+0x6c
# #1 0xffffffff80c49189 at witness_warn+0x4c9
# #2 0xffffffff81131d8c at trap_pfault+0x8c
# #3 0xffffffff811015a8 at calltrap+0x8
# #4 0xffffffff8039de7c at cam_periph_runccb+0xec
# #5 0xffffffff803d9160 at passsendccb+0x160
# #6 0xffffffff803d8821 at passdoioctl+0x3a1
# #7 0xffffffff803d8102 at passioctl+0x22
# #8 0xffffffff80a413b1 at devfs_ioctl+0xd1
# #9 0xffffffff81204821 at VOP_IOCTL_APV+0x51
# #10 0xffffffff80cf0890 at vn_ioctl+0x160
# #11 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
# #12 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
# #13 0xffffffff80c4e0bf at sys_ioctl+0x12f
# #14 0xffffffff811327d9 at amd64_syscall+0x169
# #15 0xffffffff81101e9b at fast_syscall_common+0xf8
#
#
# Fatal trap 12: page fault while in kernel mode
# cpuid = 9; apic id = 09
# fault virtual address = 0x50
# fault code = supervisor read data, page not present
# instruction pointer = 0x20:0xffffffff803a1e9c
# stack pointer = 0x28:0xfffffe01001f2930
# frame pointer = 0x28:0xfffffe01001f2970
# code segment = base 0x0, limit 0xfffff, type 0x1b
# = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags = interrupt enabled, resume, IOPL = 0
# current process = 3759 (syzkaller91)
# rdi: fffff80006ac0800 rsi: 0000000000000004 rdx: ffffffff81250a83
# rcx: 0000000000000010 r8: 0000000000000008 r9: 0000000000000000
# rax: 0000000000000010 rbx: fffff80006ac0800 rbp: fffffe01001f2970
# r10: fffff80006ac08c8 r11: 0000000000000001 r12: 0000000000000001
# r13: fffff80006ac0848 r14: fffff80006b9d2c0 r15: 0000000000000000
# trap number = 12
# panic: page fault
# cpuid = 9
# time = 1773832077
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001f2660
# vpanic() at vpanic+0x136/frame 0xfffffe01001f2790
# panic() at panic+0x43/frame 0xfffffe01001f27f0
# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01001f2860
# calltrap() at calltrap+0x8/frame 0xfffffe01001f2860
# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01001f2930, rbp = 0xfffffe01001f2970 ---
# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01001f2970
# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe01001f2ac0
# passsendccb() at passsendccb+0x160/frame 0xfffffe01001f2b30
# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001f2b80
# passioctl() at passioctl+0x22/frame 0xfffffe01001f2bc0
# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001f2c10
# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001f2c40
# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001f2cb0
# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001f2cd0
# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001f2d40
# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001f2e00
# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001f2f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001f2f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e6feca, rsp = 0x820c6d558, rbp = 0x820c6d580 ---
# KDB: enter: panic
# [ thread pid 3759 tid 100348 ]
# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Reproducer obtained from: Jiaming Zhang
# [Bug 293890] Fatal trap NUM: page fault while in kernel mode in cam_periph_runccb

# Regression script: writes the syzkaller-generated reproducer below to
# /tmp, compiles it, runs it under a 3-minute timeout and removes the
# artifacts afterwards.  On an affected kernel the expected failure mode
# is the page fault in cam_periph_runccb recorded in the header above.

# The reproducer opens a pass(4) device node, so it must run as root.
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1
. ../default.cfg

set -u
prog=$(basename "$0" .sh)

# NOTE(review): the heredoc start (presumably "<<EOF", matching the "EOF"
# terminator below) and the header names on the nine #include lines were
# lost when this page was extracted; confirm against the upstream stress2
# script before relying on this copy.
cat > /tmp/$prog.c < #include #include #include #include #include #include #include #include #include

/* Slot for the descriptor returned by openat(); all-ones (-1) means none was obtained. */
uint64_t r[1] = {0xffffffffffffffff};

/*
 * syzkaller-generated program: maps a fixed scratch region, opens
 * /dev/pass0, builds a ccb image at a fixed address field by field
 * (layout documented in the comments below) and passes it to the
 * pass(4) driver via ioctl.
 */
int main(void)
{
	syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
	// 'reason' is never used by this program; the cast only silences the warning.
	const char* reason;
	(void)reason;
	intptr_t res = 0;
	// Progress marker on stdout; the write() result is deliberately ignored.
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	// openat\$pass_pass_cdevsw arguments: [
	// fd: const = 0xffffffffffffff9c (8 bytes)
	// file: ptr[in, buffer] {
	// buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
	// }
	// flags: open_flags = 0x2 (4 bytes)
	// mode: const = 0x0 (4 bytes)
	// ]
	// returns fd_pass_pass_cdevsw
	memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
	res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
	// Keep the descriptor only if the open succeeded; r[0] otherwise stays -1.
	if (res != -1)
		r[0] = res;
	// ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
	// fd: fd_pass_pass_cdevsw (resource)
	// cmd: const = 0xc4e01a02 (8 bytes)
	// arg: ptr[inout, ccb\$pass_cdevsw] {
	// union ccb\$pass_cdevsw {
	// ccb_h: ccb_hdr\$pass_cdevsw {
	// pinfo: cam_pinfo\$pass_cdevsw {
	// priority: int32 = 0x5 (4 bytes)
	// generation: int32 = 0x2 (4 bytes)
	// index: int32 = 0x3 (4 bytes)
	// }
	// pad = 0x0 (4 bytes)
	// xpt_links: camq_entry\$pass_cdevsw {
	// links_next: intptr = 0xb (8 bytes)
	// priority: int32 = 0x6 (4 bytes)
	// pad = 0x0 (4 bytes)
	// }
	// sim_links: camq_entry\$pass_cdevsw {
	// links_next: intptr = 0x8 (8 bytes)
	// priority: int32 = 0x6 (4 bytes)
	// pad = 0x0 (4 bytes)
	// }
	// periph_links: camq_entry\$pass_cdevsw {
	// links_next: intptr = 0xfe (8 bytes)
	// priority: int32 = 0x6 (4 bytes)
	// pad = 0x0 (4 bytes)
	// }
	// retry_count: int16 = 0x3 (2 bytes)
	// alloc_flags: int16 = 0x5 (2 bytes)
	// pad = 0x0 (4 bytes)
	// cbfcnp: intptr = 0xbfc (8 bytes)
	// func_code: int32 = 0x10 (4 bytes)
	// status: int32 = 0x4 (4 bytes)
	// path: intptr = 0x5 (8 bytes)
	// path_id: int32 = 0x0 (4 bytes)
	// target_id: int32 = 0x2 (4 bytes)
	// target_lun: int64 = 0x7e2 (8 bytes)
	// flags: int32 = 0x8 (4 bytes)
	// xflags: int32 = 0x3 (4 bytes)
	// periph_priv: buffer: {bc 09 6b 26 d7 02 3b 02 06 84 bf 81 a9 85 11
	// 50} (length 0x10) sim_priv: buffer: {a5 da 75 ef af 1d 7f d5 40 94
	// 02 67 14 f6 36 17} (length 0x10) qos: buffer: {74 70 33 74 c5 58
	// 85 93 b4 d5 75 39 9f 79 94 a4} (length 0x10) timeout: int32 = 0x2
	// (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
	// sec: intptr = 0x6e (8 bytes)
	// usec: intptr = 0x400 (8 bytes)
	// }
	// }
	// }
	// }
	// ]
	// Each store below fills one field of the ccb image at 0x200000000240,
	// in the order listed in the comment above.
	*(uint32_t*)0x200000000240 = 5;
	*(uint32_t*)0x200000000244 = 2;
	*(uint32_t*)0x200000000248 = 3;
	*(uint64_t*)0x200000000250 = 0xb;
	*(uint32_t*)0x200000000258 = 6;
	*(uint64_t*)0x200000000260 = 8;
	*(uint32_t*)0x200000000268 = 6;
	*(uint64_t*)0x200000000270 = 0xfe;
	*(uint32_t*)0x200000000278 = 6;
	*(uint16_t*)0x200000000280 = 3;
	*(uint16_t*)0x200000000282 = 5;
	*(uint64_t*)0x200000000288 = 0xbfc;
	*(uint32_t*)0x200000000290 = 0x10;
	*(uint32_t*)0x200000000294 = 4;
	*(uint64_t*)0x200000000298 = 5;
	*(uint32_t*)0x2000000002a0 = 0;
	*(uint32_t*)0x2000000002a4 = 2;
	*(uint64_t*)0x2000000002a8 = 0x7e2;
	*(uint32_t*)0x2000000002b0 = 8;
	*(uint32_t*)0x2000000002b4 = 3;
	memcpy((void*)0x2000000002b8, "\xbc\x09\x6b\x26\xd7\x02\x3b\x02\x06\x84\xbf\x81\xa9\x85\x11\x50", 16);
	memcpy((void*)0x2000000002c8, "\xa5\xda\x75\xef\xaf\x1d\x7f\xd5\x40\x94\x02\x67\x14\xf6\x36\x17", 16);
	memcpy((void*)0x2000000002d8, "\x74\x70\x33\x74\xc5\x58\x85\x93\xb4\xd5\x75\x39\x9f\x79\x94\xa4", 16);
	*(uint32_t*)0x2000000002e8 = 2;
	*(uint64_t*)0x2000000002f0 = 0x6e;
	*(uint64_t*)0x2000000002f8 = 0x400;
	// The ioctl's return value is not checked: the program only exists to
	// exercise the kernel path; the outcome is observed on the kernel side.
	syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul, /*arg=*/0x200000000240ul);
	return 0;
}
EOF

# -O0 keeps the fixed-address stores exactly as written; a failed build aborts the test.
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1
# Bound the run; output is irrelevant to the test and is discarded.
timeout 3m /tmp/$prog > /dev/null 2>&1

# Clean up the binary, its source and any core file it may have left behind.
rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
exit 0