1#!/bin/sh 2 3# cpuid = 4; apic id = 04 4# instruction pointer = 0x20:0xffffffff803a1e9c 5# stack pointer = 0x28:0xfffffe0202e4c930 6# frame pointer = 0x28:0xfffffe0202e4c970 7# code segment = base 0x0, limit 0xfffff, type 0x1b 8# = DPL 0, pres 1, long 1, def32 0, gran 1 9# processor eflags = interrupt enabled, resume, IOPL = 0 10# current process = 90315 (repro20) 11# rdi: fffff803157b7000 rsi: 0000000000000004 rdx: ffffffff81250a83 12# rcx: 0000000000000010 r8: 000000000000000e r9: 1627af6b9da6f5a7 13# rax: 0000000000000010 rbx: fffff803157b7000 rbp: fffffe0202e4c970 14# r10: fffff803157b70c8 r11: fffff807cf9bfcd0 r12: 0000000000000001 15# r13: fffff803157b7048 r14: fffff800035e0ac0 r15: 6e3642f32a3ae6f2 16# trap number = 9 17# panic: general protection fault 18# cpuid = 4 19# time = 1773820163 20# KDB: stack backtrace: 21# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0202e4c6b0 22# vpanic() at vpanic+0x136/frame 0xfffffe0202e4c7e0 23# panic() at panic+0x43/frame 0xfffffe0202e4c840 24# trap_fatal() at trap_fatal+0x68/frame 0xfffffe0202e4c860 25# calltrap() at calltrap+0x8/frame 0xfffffe0202e4c860 26# --- trap 0x9, rip = 0xffffffff803a1e9c, rsp = 0xfffffe0202e4c930, rbp = 0xfffffe0202e4c970 --- 27# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe0202e4c970 28# cam_periph_runccb() at cam_periph_runccb+0xec/frame 0xfffffe0202e4cac0 29# passsendccb() at passsendccb+0x160/frame 0xfffffe0202e4cb30 30# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe0202e4cb80 31# passioctl() at passioctl+0x22/frame 0xfffffe0202e4cbc0 32# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe0202e4cc10 33# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe0202e4cc40 34# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe0202e4ccb0 35# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe0202e4ccd0 36# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe0202e4cd40 37# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe0202e4ce00 38# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe0202e4cf30 39# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0202e4cf30 40# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823e9deca, rsp = 0x820edf228, rbp = 0x820edf250 --- 41# KDB: enter: panic 42# [ thread pid 90315 tid 851795 ] 43# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip) 44# db> x/s version 45# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026 46# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO 47# db> 48 49# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com> 50# Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb 51 52[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 53 54. ../default.cfg 55set -u 56prog=$(basename "$0" .sh) 57cat > /tmp/$prog.c <<EOF 58// Bug 293888 - Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb 59// autogenerated by syzkaller (https://github.com/google/syzkaller) 60 61#define _GNU_SOURCE 62 63#include <pwd.h> 64#include <stdarg.h> 65#include <stdbool.h> 66#include <stdint.h> 67#include <stdio.h> 68#include <stdlib.h> 69#include <string.h> 70#include <sys/endian.h> 71#include <sys/syscall.h> 72#include <unistd.h> 73 74uint64_t r[1] = {0xffffffffffffffff}; 75 76int main(void) 77{ 78 syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, 79 /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, 80 /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul, 81 /*fd=*/(intptr_t)-1, /*offset=*/0ul); 82 const char* reason; 83 (void)reason; 84 intptr_t res = 0; 85 if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { 86 } 87 // openat\$pass_pass_cdevsw arguments: [ 88 // fd: const = 0xffffffffffffff9c (8 bytes) 89 // file: ptr[in, buffer] { 90 // buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb) 91 // } 92 // flags: open_flags = 0x2 (4 bytes) 93 // mode: const = 0x0 (4 bytes) 94 // ] 95 // returns fd_pass_pass_cdevsw 96 memcpy((void*)0x200000000000, "/dev/pass0\000", 11); 97 res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, 98 /*file=*/0x200000000000ul, /*flags=O_RDWR*/ 2, /*mode=*/0); 99 if (res != -1) 100 r[0] = res; 101 // ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [ 102 // fd: fd_pass_pass_cdevsw (resource) 103 // cmd: const = 0xc4e01a02 (8 bytes) 104 // arg: ptr[inout, ccb\$pass_cdevsw] { 105 // union ccb\$pass_cdevsw { 106 // nvmeio: ccb_nvmeio\$pass_cdevsw { 107 // ccb_h: ccb_hdr\$pass_cdevsw { 108 // pinfo: cam_pinfo\$pass_cdevsw { 109 // priority: int32 = 0x8 (4 bytes) 110 // generation: int32 = 0x6 (4 bytes) 111 // index: int32 = 0xb406 (4 bytes) 112 // } 113 // pad = 0x0 (4 bytes) 114 // xpt_links: camq_entry\$pass_cdevsw { 115 // links_next: intptr = 0x100000000 (8 bytes) 116 // priority: int32 = 0x70 (4 bytes) 117 // pad = 0x0 (4 bytes) 118 // } 119 // sim_links: camq_entry\$pass_cdevsw { 120 // links_next: intptr = 0x7 (8 bytes) 121 // priority: int32 = 0x81 (4 bytes) 122 // pad = 0x0 (4 bytes) 123 // } 124 // periph_links: camq_entry\$pass_cdevsw { 125 // links_next: intptr = 0x8000000000000000 (8 bytes) 126 // priority: int32 = 0xffffffc0 (4 bytes) 127 // pad = 0x0 (4 bytes) 128 // } 129 // retry_count: int16 = 0xa5f (2 bytes) 130 // alloc_flags: int16 = 0xb (2 bytes) 131 // pad = 0x0 (4 bytes) 132 // cbfcnp: intptr = 0x3ff (8 bytes) 133 // func_code: int32 = 0x10 (4 bytes) 134 // status: int32 = 0x3 (4 bytes) 135 // path: intptr = 0xe10 (8 bytes) 136 // path_id: int32 = 0x8 (4 bytes) 137 // target_id: int32 = 0x7fffffff (4 bytes) 138 // target_lun: int64 = 0x4 (8 bytes) 139 // flags: int32 = 0xe (4 bytes) 140 // xflags: int32 = 0x130d (4 bytes) 141 // periph_priv: buffer: {5c d8 48 b0 e1 42 d0 a6 b0 73 4f 56 fb 07 142 // 08 b5} (length 0x10) sim_priv: buffer: {0f c0 f1 57 fc dc a5 76 143 // 71 ad 9f 46 0c eb b2 fc} (length 0x10) qos: buffer: {7a 6f cd f8 144 // b3 f0 65 53 2e 65 18 29 70 c1 63 f1} (length 0x10) timeout: 145 // int32 = 0x8000 (4 bytes) pad = 0x0 (4 bytes) softtimeout: 146 // timeval { 147 // sec: intptr = 0x6 (8 bytes) 148 // usec: intptr = 0x9 (8 bytes) 149 // } 150 // } 151 // payload: buffer: {ec d6 eb 0c 55 29 7e 1e f2 e6 3a 2a f3 42 36 6e 152 // a7 f5 a6 9d 6b af 27 16 0d 12 f7 c7 a6 d3 dc 8d 89 88 c3 75 c4 2c 153 // a8 fb 0a 90 70 3d c6 5a 63 b8 ac 32 e2 21 4b 36 13 0e 64 c1 86 b2 154 // 38 66 cc bf 6d c9 86 33 8c eb a1 fa b5 dd 55 c8 76 04 6d c2 b8 20 155 // 31 11 5f 24 8b f4 d7 00 7c 7a 4f 00 4e fd 2f 0f 57 bc c2 00 22 b1 156 // 23 4f 4b 19 c7 9a 47 1e b0 ea 60 87 f3 88 71 9d d1 e4 dd 15 da bf 157 // 0d 03 34 d9 32 bf b5 80 9f 72 80 dc 37 b2 0e 79 d3 96 93 12 50 0c 158 // 77 0b d9 9d 0c 93 0c b2 c8 03 bc 75 14 5a c0 50 dc 3f d3 92 ee 07 159 // b5 a9 f2 85 76 a7 36 8d 6f 71 fb 8a cb ee 8c 0c 77 8d 81 b0 02 38 160 // 70 4a 3d c9 1a f5 4f 91 e6 a1 14 93 3e be a0 e8 7a 69 33 cc e4 d2 161 // 8c 88 af c9 05 d4 74 b0 87 a3 34 3b 0c 9e d4 42 bd 8e 03 24 91 2c 162 // 94 1f 5b 88 7c 0c b2 07 af 68 43 d0 5b cb f9 b2 64 ce b6 c9} 163 // (length 0x100) 164 // } 165 // } 166 // } 167 // ] 168 *(uint32_t*)0x200000000140 = 8; 169 *(uint32_t*)0x200000000144 = 6; 170 *(uint32_t*)0x200000000148 = 0xb406; 171 *(uint64_t*)0x200000000150 = 0x100000000; 172 *(uint32_t*)0x200000000158 = 0x70; 173 *(uint64_t*)0x200000000160 = 7; 174 *(uint32_t*)0x200000000168 = 0x81; 175 *(uint64_t*)0x200000000170 = 0x8000000000000000; 176 *(uint32_t*)0x200000000178 = 0xffffffc0; 177 *(uint16_t*)0x200000000180 = 0xa5f; 178 *(uint16_t*)0x200000000182 = 0xb; 179 *(uint64_t*)0x200000000188 = 0x3ff; 180 *(uint32_t*)0x200000000190 = 0x10; 181 *(uint32_t*)0x200000000194 = 3; 182 *(uint64_t*)0x200000000198 = 0xe10; 183 *(uint32_t*)0x2000000001a0 = 8; 184 *(uint32_t*)0x2000000001a4 = 0x7fffffff; 185 *(uint64_t*)0x2000000001a8 = 4; 186 *(uint32_t*)0x2000000001b0 = 0xe; 187 *(uint32_t*)0x2000000001b4 = 0x130d; 188 memcpy((void*)0x2000000001b8, 189 "\x5c\xd8\x48\xb0\xe1\x42\xd0\xa6\xb0\x73\x4f\x56\xfb\x07\x08\xb5", 190 16); 191 memcpy((void*)0x2000000001c8, 192 "\x0f\xc0\xf1\x57\xfc\xdc\xa5\x76\x71\xad\x9f\x46\x0c\xeb\xb2\xfc", 193 16); 194 memcpy((void*)0x2000000001d8, 195 "\x7a\x6f\xcd\xf8\xb3\xf0\x65\x53\x2e\x65\x18\x29\x70\xc1\x63\xf1", 196 16); 197 *(uint32_t*)0x2000000001e8 = 0x8000; 198 *(uint64_t*)0x2000000001f0 = 6; 199 *(uint64_t*)0x2000000001f8 = 9; 200 memcpy( 201 (void*)0x200000000200, 202 "\xec\xd6\xeb\x0c\x55\x29\x7e\x1e\xf2\xe6\x3a\x2a\xf3\x42\x36\x6e\xa7\xf5" 203 "\xa6\x9d\x6b\xaf\x27\x16\x0d\x12\xf7\xc7\xa6\xd3\xdc\x8d\x89\x88\xc3\x75" 204 "\xc4\x2c\xa8\xfb\x0a\x90\x70\x3d\xc6\x5a\x63\xb8\xac\x32\xe2\x21\x4b\x36" 205 "\x13\x0e\x64\xc1\x86\xb2\x38\x66\xcc\xbf\x6d\xc9\x86\x33\x8c\xeb\xa1\xfa" 206 "\xb5\xdd\x55\xc8\x76\x04\x6d\xc2\xb8\x20\x31\x11\x5f\x24\x8b\xf4\xd7\x00" 207 "\x7c\x7a\x4f\x00\x4e\xfd\x2f\x0f\x57\xbc\xc2\x00\x22\xb1\x23\x4f\x4b\x19" 208 "\xc7\x9a\x47\x1e\xb0\xea\x60\x87\xf3\x88\x71\x9d\xd1\xe4\xdd\x15\xda\xbf" 209 "\x0d\x03\x34\xd9\x32\xbf\xb5\x80\x9f\x72\x80\xdc\x37\xb2\x0e\x79\xd3\x96" 210 "\x93\x12\x50\x0c\x77\x0b\xd9\x9d\x0c\x93\x0c\xb2\xc8\x03\xbc\x75\x14\x5a" 211 "\xc0\x50\xdc\x3f\xd3\x92\xee\x07\xb5\xa9\xf2\x85\x76\xa7\x36\x8d\x6f\x71" 212 "\xfb\x8a\xcb\xee\x8c\x0c\x77\x8d\x81\xb0\x02\x38\x70\x4a\x3d\xc9\x1a\xf5" 213 "\x4f\x91\xe6\xa1\x14\x93\x3e\xbe\xa0\xe8\x7a\x69\x33\xcc\xe4\xd2\x8c\x88" 214 "\xaf\xc9\x05\xd4\x74\xb0\x87\xa3\x34\x3b\x0c\x9e\xd4\x42\xbd\x8e\x03\x24" 215 "\x91\x2c\x94\x1f\x5b\x88\x7c\x0c\xb2\x07\xaf\x68\x43\xd0\x5b\xcb\xf9\xb2" 216 "\x64\xce\xb6\xc9", 217 256); 218 syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul, 219 /*arg=*/0x200000000140ul); 220 return 0; 221} 222EOF 223mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1 224 225timeout 3m /tmp/$prog > /dev/null 2>&1 226 227rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core 228exit 0 229