#!/bin/sh

# Regression test for Bug 293899: a caller-supplied CAM ccb submitted
# through the pass(4) CAMIOCOMMAND ioctl on /dev/pass0 panics the kernel
# in cam_periph_runccb() (panic message and backtrace below). The C
# program embedded further down is a syzkaller-generated reproducer and
# is kept byte-for-byte; the ccb field layout it writes is spelled out
# in the syzkaller comment block inside main().

# panic: cam_periph_ccbwait: proceeding with incomplete ccb: ccb=0xfffff80006171800, func_code=0x3, status=0, index=-1
# cpuid = 3
# time = 1773850497
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01001de7e0
# vpanic() at vpanic+0x136/frame 0xfffffe01001de910
# panic() at panic+0x43/frame 0xfffffe01001de970
# cam_periph_runccb() at cam_periph_runccb+0x2ec/frame 0xfffffe01001deac0
# passsendccb() at passsendccb+0x160/frame 0xfffffe01001deb30
# passdoioctl() at passdoioctl+0x3a1/frame 0xfffffe01001deb80
# passioctl() at passioctl+0x22/frame 0xfffffe01001debc0
# devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe01001dec10
# VOP_IOCTL_APV() at VOP_IOCTL_APV+0x51/frame 0xfffffe01001dec40
# vn_ioctl() at vn_ioctl+0x160/frame 0xfffffe01001decb0
# devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe01001decd0
# kern_ioctl() at kern_ioctl+0x2a1/frame 0xfffffe01001ded40
# sys_ioctl() at sys_ioctl+0x12f/frame 0xfffffe01001dee00
# amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01001def30
# fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01001def30
# --- syscall (0, FreeBSD ELF64, syscall), rip = 0x823b1eeca, rsp = 0x820adb1c8, rbp = 0x820adb1f0 ---
# KDB: enter: panic
# [ thread pid 4950 tid 100344 ]
# Stopped at kdb_enter+0x33: movq $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# Bug 293899 - panic: cam_periph_ccbwait: proceeding with incomplete ccb: ccb=ADDR, func_code=0x3, status=NUM, index=-NUM

# The test must run as root: the reproducer below opens /dev/pass0 O_RDWR.
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

# Shared suite configuration; presumably this is what defines the mycc
# wrapper used below (it is not visible in this file).
. ../default.cfg
set -u                          # treat unset variables as errors
prog=$(basename "$0" .sh)
# NOTE(review): predictable path under /tmp written as root; the suite
# relies on a controlled test host here rather than mktemp(1).
# The heredoc delimiter is unquoted, so the shell expands the C source:
# every literal '$' in it has to be escaped, which is why the syzkaller
# comments below carry '\$'.
cat > /tmp/$prog.c <<EOF
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// Resource table: r[0] receives the /dev/pass0 descriptor and stays -1
// until the openat() below succeeds.
uint64_t r[1] = {0xffffffffffffffff};

// Opens /dev/pass0 and submits one crafted ccb through the CAMIOCOMMAND
// ioctl. On an unfixed kernel the ioctl does not return (see the panic
// trace in the driver script); the exit status is not checked by the
// driver either.
int main(void)
{
  // Fixed scratch mapping: every pointer handed to the kernel below
  // (the device path and the ccb image) lives inside this region, so
  // the reproducer can use absolute addresses.
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;                 // syzkaller boilerplate, unused here
  intptr_t res = 0;
  // Progress marker on stdout (discarded by the driver script); the
  // empty if body only consumes write()'s return value.
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // openat\$pass_pass_cdevsw arguments: [
  //   fd: const = 0xffffffffffffff9c (8 bytes)
  //   file: ptr[in, buffer] {
  //     buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
  //   }
  //   flags: open_flags = 0x2 (4 bytes)
  //   mode: const = 0x0 (4 bytes)
  // ]
  // returns fd_pass_pass_cdevsw
  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  // If the open failed r[0] keeps its -1 initialiser and the ioctl
  // below is presumably rejected with EBADF before reaching pass(4).
  if (res != -1)
    r[0] = res;
  // ioctl\$CAMIOCOMMAND_pass_cdevsw arguments: [
  //   fd: fd_pass_pass_cdevsw (resource)
  //   cmd: const = 0xc4e01a02 (8 bytes)
  //   arg: ptr[inout, ccb\$pass_cdevsw] {
  //     union ccb\$pass_cdevsw {
  //       cqc: ccb_query_config\$pass_cdevsw {
  //         ccb_h: ccb_hdr\$pass_cdevsw {
  //           pinfo: cam_pinfo\$pass_cdevsw {
  //             priority: int32 = 0x7 (4 bytes)
  //             generation: int32 = 0x8 (4 bytes)
  //             index: int32 = 0x4 (4 bytes)
  //           }
  //           pad = 0x0 (4 bytes)
  //           xpt_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0xfffffffffffffffe (8 bytes)
  //             priority: int32 = 0xd (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           sim_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0x1000 (8 bytes)
  //             priority: int32 = 0x7fff (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           periph_links: camq_entry\$pass_cdevsw {
  //             links_next: intptr = 0x100000001 (8 bytes)
  //             priority: int32 = 0x3 (4 bytes)
  //             pad = 0x0 (4 bytes)
  //           }
  //           retry_count: int16 = 0x8 (2 bytes)
  //           alloc_flags: int16 = 0x84ce (2 bytes)
  //           pad = 0x0 (4 bytes)
  //           cbfcnp: intptr = 0xffffffff (8 bytes)
  //           func_code: int32 = 0x3 (4 bytes)
  //           status: int32 = 0x6 (4 bytes)
  //           path: intptr = 0x8000000000000001 (8 bytes)
  //           path_id: int32 = 0x3 (4 bytes)
  //           target_id: int32 = 0x800 (4 bytes)
  //           target_lun: int64 = 0x12 (8 bytes)
  //           flags: int32 = 0x5 (4 bytes)
  //           xflags: int32 = 0x8 (4 bytes)
  //           periph_priv: buffer: {ff 00 fc 8b be 26 59 c1 e3 be e5 97 9a b9
  //           a8 da} (length 0x10) sim_priv: buffer: {bc 62 8a da 83 8f 2b 49
  //           f1 67 50 3f 43 71 98 c8} (length 0x10) qos: buffer: {5e 98 6e af
  //           a2 b9 ac 4a 3a d1 ed 97 4e f6 f6 e2} (length 0x10) timeout:
  //           int32 = 0x8 (4 bytes) pad = 0x0 (4 bytes) softtimeout: timeval {
  //             sec: intptr = 0x4 (8 bytes)
  //             usec: intptr = 0x1 (8 bytes)
  //           }
  //         }
  //         payload: buffer: {ac f7 a5 7c b5 71 08 e5 db bd f4 df d0 16 4a 33
  //         68 b1 76 63 b8 c0 6b b7 31 4e 7d 97 28 be ee e6 5b 35 e8 8a cf a8
  //         49 62 11 9b 25 b5 fc 67 8f ef a1 44 b2 e5 a7 9b 5a 06 34 ae a0 56
  //         fe 95 69 61 27 4a ba aa 92 e2 b9 ea 97 e6 1c cf 24 6b 8e 8f f7 b7
  //         c8 3a cf b7 97 c8 32 12 f1 4d bc 0b 8b ef 30 11 62 5d f1 0f af c2
  //         67 76 65 be 11 2e 10 5f 65 70 58 e2 3b c2 91 99 3b 2e 00 00 00 00
  //         00 00} (length 0x80)
  //       }
  //     }
  //   }
  // ]
  // Build the ccb image at 0x200000000ec0 field by field, in the order
  // of the annotation above: ccb_hdr first, then the 128-byte payload.
  // Field names on the right follow that annotation.
  *(uint32_t*)0x200000000ec0 = 7;                   // pinfo.priority
  *(uint32_t*)0x200000000ec4 = 8;                   // pinfo.generation
  *(uint32_t*)0x200000000ec8 = 4;                   // pinfo.index
  *(uint64_t*)0x200000000ed0 = 0xfffffffffffffffe;  // xpt_links.links_next
  *(uint32_t*)0x200000000ed8 = 0xd;                 // xpt_links.priority
  *(uint64_t*)0x200000000ee0 = 0x1000;              // sim_links.links_next
  *(uint32_t*)0x200000000ee8 = 0x7fff;              // sim_links.priority
  *(uint64_t*)0x200000000ef0 = 0x100000001;         // periph_links.links_next
  *(uint32_t*)0x200000000ef8 = 3;                   // periph_links.priority
  *(uint16_t*)0x200000000f00 = 8;                   // retry_count
  *(uint16_t*)0x200000000f02 = 0x84ce;              // alloc_flags
  *(uint64_t*)0x200000000f08 = 0xffffffff;          // cbfcnp
  *(uint32_t*)0x200000000f10 = 3;                   // func_code (0x3, as in the panic message)
  *(uint32_t*)0x200000000f14 = 6;                   // status
  *(uint64_t*)0x200000000f18 = 0x8000000000000001;  // path
  *(uint32_t*)0x200000000f20 = 3;                   // path_id
  *(uint32_t*)0x200000000f24 = 0x800;               // target_id
  *(uint64_t*)0x200000000f28 = 0x12;                // target_lun
  *(uint32_t*)0x200000000f30 = 5;                   // flags
  *(uint32_t*)0x200000000f34 = 8;                   // xflags
  // periph_priv (16 bytes)
  memcpy((void*)0x200000000f38,
         "\xff\x00\xfc\x8b\xbe\x26\x59\xc1\xe3\xbe\xe5\x97\x9a\xb9\xa8\xda",
         16);
  // sim_priv (16 bytes)
  memcpy((void*)0x200000000f48,
         "\xbc\x62\x8a\xda\x83\x8f\x2b\x49\xf1\x67\x50\x3f\x43\x71\x98\xc8",
         16);
  // qos (16 bytes)
  memcpy((void*)0x200000000f58,
         "\x5e\x98\x6e\xaf\xa2\xb9\xac\x4a\x3a\xd1\xed\x97\x4e\xf6\xf6\xe2",
         16);
  *(uint32_t*)0x200000000f68 = 8;                   // timeout
  *(uint64_t*)0x200000000f70 = 4;                   // softtimeout.sec
  *(uint64_t*)0x200000000f78 = 1;                   // softtimeout.usec
  // payload (128 bytes), following the header
  memcpy((void*)0x200000000f80,
         "\xac\xf7\xa5\x7c\xb5\x71\x08\xe5\xdb\xbd\xf4\xdf\xd0\x16\x4a\x33\x68"
         "\xb1\x76\x63\xb8\xc0\x6b\xb7\x31\x4e\x7d\x97\x28\xbe\xee\xe6\x5b\x35"
         "\xe8\x8a\xcf\xa8\x49\x62\x11\x9b\x25\xb5\xfc\x67\x8f\xef\xa1\x44\xb2"
         "\xe5\xa7\x9b\x5a\x06\x34\xae\xa0\x56\xfe\x95\x69\x61\x27\x4a\xba\xaa"
         "\x92\xe2\xb9\xea\x97\xe6\x1c\xcf\x24\x6b\x8e\x8f\xf7\xb7\xc8\x3a\xcf"
         "\xb7\x97\xc8\x32\x12\xf1\x4d\xbc\x0b\x8b\xef\x30\x11\x62\x5d\xf1\x0f"
         "\xaf\xc2\x67\x76\x65\xbe\x11\x2e\x10\x5f\x65\x70\x58\xe2\x3b\xc2\x91"
         "\x99\x3b\x2e\x00\x00\x00\x00\x00\x00",
         128);
  // Submit the ccb. The backtrace in the driver script shows the panic
  // firing in cam_periph_runccb() under passsendccb() for this call.
  // NOTE(review): the panic message reports status=0, index=-1 while the
  // image carries status=6, index=4, so the header appears to be
  // rewritten in the kernel before the incomplete-ccb check fires;
  // confirm against the fix for Bug 293899.
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0xc4e01a02ul,
          /*arg=*/0x200000000ec0ul);
  return 0;
}
EOF
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Bound the run; the reproducer's output is irrelevant to the test.
timeout 3m /tmp/$prog > /dev/null 2>&1

# Remove binary, source and any core dump the run may have left behind.
rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
# The test reports success whenever the machine survives the ioctl.
exit 0