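#!/bin/sh

# Regression test for a kernel NULL pointer dereference in the CAM pass(4)
# driver.  The syzkaller reproducer below opens /dev/pass0 and issues a
# CAMIOQUEUE ioctl whose argument points at a NULL ccb pointer.  On the
# kernel that produced the trace below this faults on virtual address 0x50
# in xpt_action_default() (reached via passdoioctl()) while the CAM device
# lock, a non-sleepable mutex, is still held, so WITNESS reports the held
# lock and the machine panics.  The test passes when the program runs to
# completion without a panic.
#
# Panic as reported:
#
# Kernel page fault with the following non-sleepable locks held:
# exclusive sleep mutex CAM device lock (CAM device lock) r = 0 (0xfffff8000365ecd0) locked @ cam/scsi/scsi_pass.c:1973
# stack backtrace:
# #0 0xffffffff80c4787c at witness_debugger+0x6c
# #1 0xffffffff80c49189 at witness_warn+0x4c9
# #2 0xffffffff81131d8c at trap_pfault+0x8c
# #3 0xffffffff811015a8 at calltrap+0x8
# #4 0xffffffff803d8e3e at passdoioctl+0x9be
# #5 0xffffffff803d8102 at passioctl+0x22
# #6 0xffffffff80a413b1 at devfs_ioctl+0xd1
# #7 0xffffffff81204821 at VOP_IOCTL_APV+0x51
# #8 0xffffffff80cf0890 at vn_ioctl+0x160
# #9 0xffffffff80a41a7e at devfs_ioctl_f+0x1e
# #10 0xffffffff80c4e3c1 at kern_ioctl+0x2a1
# #11 0xffffffff80c4e0bf at sys_ioctl+0x12f
# #12 0xffffffff811327d9 at amd64_syscall+0x169
# #13 0xffffffff81101e9b at fast_syscall_common+0xf8
#
#
# Fatal trap 12: page fault while in kernel mode
# cpuid = 11; apic id = 0b
# fault virtual address = 0x50
# fault code = supervisor read data, page not present
# instruction pointer = 0x20:0xffffffff803a1e9c
# stack pointer = 0x28:0xfffffe01000d5af0
# frame pointer = 0x28:0xfffffe01000d5b30
# code segment = base 0x0, limit 0xfffff, type 0x1b
#              = DPL 0, pres 1, long 1, def32 0, gran 1
# processor eflags = interrupt enabled, resume, IOPL = 0
# current process = 4511 (syzkaller92)
# rdi: fffff8016ace27b8 rsi: fffff8016ace2f60 rdx: 0000000000000010
# rcx: 0000000000000010 r8: fffff8000602ad80 r9: ffffffff8226dee8
# rax: 0000000000000010 rbx: fffff8016ace27b8 rbp: fffffe01000d5b30
# r10: fffff8016ace27b8 r11: fffff80066e42cd0 r12: fffff8016ace27b8
# r13: 0000000000000016 r14: fffff80003676200 r15: 0000000000000000
# trap number = 12
# panic: page fault
# cpuid = 11
# time = 1773833440
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01000d5820
# vpanic() at vpanic+0x136/frame 0xfffffe01000d5950
# panic() at panic+0x43/frame 0xfffffe01000d59b0
# trap_pfault() at trap_pfault+0x422/frame 0xfffffe01000d5a20
# calltrap() at calltrap+0x8/frame 0xfffffe01000d5a20
# --- trap 0xc, rip = 0xffffffff803a1e9c, rsp = 0xfffffe01000d5af0, rbp = 0xfffffe01000d5b30 ---
# xpt_action_default() at xpt_action_default+0x80c/frame 0xfffffe01000d5b30
# passdoioctl() at passdoioctl+0x9be/frame 0xfffffe01000d5b80
# passioctl() at passioctl+0x22/frame 0xfffffe01000d5bc0
# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01000d5c10
# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01000d5c40
# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01000d5cb0
# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01000d5cd0
# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01000d5d40
# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01000d5e00
# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01000d5f30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01000d5f30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x824057eca, rsp = 0x820f14468, rbp = 0x820f14490 ---
# KDB: enter: panic
# [ thread pid 4511 tid 100357 ]
# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db> reset

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# [Bug 293892] Fatal trap NUM: page fault while in kernel mode in passsendccb

[ $(id -u) -ne 0 ] && echo "Must be root!" && exit 1

. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# The trigger is an ioctl on /dev/pass0.  Without that device the open
# fails, the ioctl is issued on fd -1 and gets EBADF, and the test would
# exercise nothing while still reporting success; skip it explicitly.
[ -c /dev/pass0 ] || exit 0

# The here-document is quoted so the shell never expands '$' or backquotes
# inside the C source (the syzkaller comments contain names like
# socket$inet_tcp; with set -u an unescaped one would abort the script).
cat > /tmp/$prog.c <<'EOF'
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reviewer edits: the fixed mmap() is checked, because every store below
// goes into that region and a failed mapping would turn the test into a
// wild-write core dump; the unused 'reason' local is dropped.  The syscall
// sequence and all argument values are as generated.

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_aio_readv
#define SYS_aio_readv 579
#endif

/* r[0]: bpf fd, r[1]: /dev/pass0 fd; both stay all-ones until an open succeeds. */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
	intptr_t res = 0;

	/*
	 * Scratch region holding every syscall argument used below; the
	 * 0x2000000000xx addresses are offsets into it.
	 */
	if (syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
	    /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
	    /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
	    /*fd=*/(intptr_t)-1, /*offset=*/0ul) == -1) {
		perror("mmap");
		return 1;
	}
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}
	// rfork arguments: [
	//   flags: rfork_flags = 0x14014 (8 bytes)
	// ]
	syscall(SYS_rfork, /*flags=RFLINUXTHPN|RFSIGSHARE|RFFDG|RFPROC*/ 0x14014ul);
	// freebsd11_fhstatfs arguments: [
	//   fhp: nil
	//   buf: nil
	// ]
	syscall(SYS_freebsd11_fhstatfs, /*fhp=*/0ul, /*buf=*/0ul);
	// socket$inet_tcp arguments: [
	//   domain: const = 0x2 (8 bytes)
	//   type: const = 0x1 (8 bytes)
	//   proto: const = 0x0 (1 bytes)
	// ]
	// returns sock_tcp
	syscall(SYS_socket, /*domain=*/2ul, /*type=*/1ul, /*proto=*/0);
	// openat$bpf arguments: [
	//   fd: const = 0xffffffffffffff9c (8 bytes)
	//   file: ptr[in, buffer] {
	//     buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
	//   }
	//   flags: open_flags = 0x8408 (4 bytes)
	//   mode: const = 0x0 (4 bytes)
	// ]
	// returns fd_bpf
	memcpy((void*)0x200000000980, "/dev/bpf\000", 9);
	res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
	    /*file=*/0x200000000980ul,
	    /*flags=O_TRUNC|O_NOCTTY|O_APPEND*/ 0x8408, /*mode=*/0);
	if (res != -1)
		r[0] = res;
	// aio_readv arguments: [
	//   iocb: ptr[in, aiocb] {
	//     aiocb {
	//       aio_fildes: fd (resource)
	//       pad = 0x0 (4 bytes)
	//       aio_offset: int64 = 0x81 (8 bytes)
	//       aio_buf: ptr[in, buffer] {
	//         buffer: {fa} (length 0x1)
	//       }
	//       aio_nbytes: len = 0x1 (8 bytes)
	//       spare: array[int32] {
	//         int32 = 0xffff (4 bytes)
	//         int32 = 0x7 (4 bytes)
	//       }
	//       spare2: intptr = 0x1 (8 bytes)
	//       aio_lio_opcode: lio_opcodes = 0x18 (4 bytes)
	//       aio_reqprio: int32 = 0x1ff (4 bytes)
	//       aiocb_private: aiocb_private {
	//         status: intptr = 0x37 (8 bytes)
	//         error: intptr = 0x24 (8 bytes)
	//         kernelinfo: nil
	//       }
	//       aio_sigevent: sigevent {
	//         notify: sigev_notify = 0x0 (4 bytes)
	//         signo: int32 = 0x13 (4 bytes)
	//         val: union sigval {
	//           sigval_int: int32 = 0x6 (4 bytes)
	//         }
	//         u: union sigevent_u {
	//           ke_flags: evflags = 0x8000 (2 bytes)
	//         }
	//       }
	//     }
	//   }
	// ]
	*(uint32_t*)0x200000000040 = r[0];
	*(uint64_t*)0x200000000048 = 0x81;
	*(uint64_t*)0x200000000050 = 0x200000000000;
	memset((void*)0x200000000000, 250, 1);
	*(uint64_t*)0x200000000058 = 1;
	*(uint32_t*)0x200000000060 = 0xffff;
	*(uint32_t*)0x200000000064 = 7;
	*(uint64_t*)0x200000000068 = 1;
	*(uint32_t*)0x200000000070 = 0x18;
	*(uint32_t*)0x200000000074 = 0x1ff;
	*(uint64_t*)0x200000000078 = 0x37;
	*(uint64_t*)0x200000000080 = 0x24;
	*(uint64_t*)0x200000000088 = 0;
	*(uint32_t*)0x200000000090 = 0;
	*(uint32_t*)0x200000000094 = 0x13;
	*(uint32_t*)0x200000000098 = 6;
	*(uint16_t*)0x2000000000a0 = 0x8000;
	syscall(SYS_aio_readv, /*iocb=*/0x200000000040ul);
	// openat$bpf arguments: [
	//   fd: const = 0xffffffffffffff9c (8 bytes)
	//   file: ptr[in, buffer] {
	//     buffer: {2f 64 65 76 2f 62 70 66 00} (length 0x9)
	//   }
	//   flags: open_flags = 0x800 (4 bytes)
	//   mode: const = 0x0 (4 bytes)
	// ]
	// returns fd_bpf
	memcpy((void*)0x200000000040, "/dev/bpf\000", 9);
	syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000040ul,
	    /*flags=O_EXCL*/ 0x800, /*mode=*/0);
	// sigaction arguments: [
	//   signo: int32 = 0x6b (4 bytes)
	//   act: ptr[in, sigaction] {
	//     sigaction {
	//       sigaction_u: nil
	//       sa_flags: sigaction_flags = 0x0 (4 bytes)
	//       sa_mask: sigset {
	//         mask: array[int32] {
	//           int32 = 0x4 (4 bytes)
	//           int32 = 0x10 (4 bytes)
	//           int32 = 0x492d (4 bytes)
	//           int32 = 0x3 (4 bytes)
	//         }
	//       }
	//       pad = 0x0 (4 bytes)
	//     }
	//   }
	//   oact: nil
	// ]
	*(uint64_t*)0x200000000040 = 0;
	*(uint32_t*)0x200000000048 = 0;
	*(uint32_t*)0x20000000004c = 4;
	*(uint32_t*)0x200000000050 = 0x10;
	*(uint32_t*)0x200000000054 = 0x492d;
	*(uint32_t*)0x200000000058 = 3;
	syscall(SYS_sigaction, /*signo=*/0x6b, /*act=*/0x200000000040ul,
	    /*oact=*/0ul);
	// openat$pass_pass_cdevsw arguments: [
	//   fd: const = 0xffffffffffffff9c (8 bytes)
	//   file: ptr[in, buffer] {
	//     buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
	//   }
	//   flags: open_flags = 0x2 (4 bytes)
	//   mode: const = 0x0 (4 bytes)
	// ]
	// returns fd_pass_pass_cdevsw
	memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
	res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
	    /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
	if (res != -1)
		r[1] = res;
	// ioctl$CAMIOQUEUE_pass_cdevsw arguments: [
	//   fd: fd_pass_pass_cdevsw (resource)
	//   cmd: const = 0x20001a04 (8 bytes)
	//   arg: ptr[in, ptr[in, ccb$pass_cdevsw]] {
	//     nil
	//   }
	// ]
	/*
	 * The trigger: CAMIOQUEUE with its argument pointing at a NULL ccb
	 * pointer.  This is the ioctl on the panic backtrace above.
	 */
	*(uint64_t*)0x200000000000 = 0;
	syscall(SYS_ioctl, /*fd=*/r[1], /*cmd=*/0x20001a04ul,
	    /*arg=*/0x200000000000ul);
	return 0;
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Bound the run; a vulnerable kernel panics immediately, a fixed one lets
# the program finish on its own.
timeout 3m /tmp/$prog > /dev/null 2>&1

rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
exit 0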