[Bug 293888] Fatal trap NUM: general protection fault while in kernel mode in cam_periph_runccb

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 18 Mar 2026 04:33:34 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293888

            Bug ID: 293888
           Summary: Fatal trap NUM: general protection fault while in
                    kernel mode in cam_periph_runccb
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: r772577952@gmail.com

Created attachment 268892
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=268892&action=edit
kernel config file

Hi FreeBSD maintainers,

When fuzzing the FreeBSD kernel with syzkaller and our generated syscall
descriptions, an issue was discovered in the CAM subsystem. This issue is
reproducible on the latest release (release/15.0.0-p4, commit
8ef0ed690df2dca0cc22b827819d112f868470bb).

We have attached the kernel console output, kernel config, and reproducers to
assist with the analysis. The issue report is also listed below (symbolized by
our modified syz-symbolize):

```
TITLE: Fatal trap NUM: general protection fault while in kernel mode in
cam_periph_runccb
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

Fatal trap 9: general protection fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff80392a6f
stack pointer           = 0x28:0xfffffe00ec0cc2b0
frame pointer           = 0x28:0xfffffe00ec0cc310
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1604 (syz-executor)
rdi: 6e3642f32a3ae742 rsi: ffffffff82e093d0 rdx: 0000000000000000
rcx: fffffe00175ef388  r8: 0000000000000000  r9: 0000000000000001
rax: fffffe0000000000 rbx: 0000000000000900 rbp: fffffe00ec0cc310
r10: fffffe01330db0c8 r11: 000000000000009b r12: 6e3642f32a3ae742
r13: fffffe01330db000 r14: fffffe00ecfcb2e0 r15: 6e3642f32a3ae6f2
trap number             = 9
panic: general protection fault
cpuid = 0
time = 1773643780
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119
/usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f71d5 at trap_fatal+0x105
/usr/obj/usr/src/amd64/amd64/trap.c:969
#4 0xffffffff820f6898 at trap+0xe48 /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8
/usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff80389f28 at cam_periph_runccb+0x2b8
/usr/obj/usr/src/cam/cam_periph.c:0
#7 0xffffffff8040f159 at passsendccb+0x339
/usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#8 0xffffffff8040dfa5 at passdoioctl+0x615
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#9 0xffffffff8040d243 at passioctl+0x33
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#10 0xffffffff811cb236 at devfs_ioctl+0x266
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#11 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#12 0xffffffff817bd187 at vn_ioctl+0x3c7
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#13 0xffffffff811cc0f9 at devfs_ioctl_f+0x69
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#14 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#15 0xffffffff8166673e at sys_ioctl+0x36e
/usr/obj/usr/src/kern/sys_generic.c:716
#16 0xffffffff820f9372 at amd64_syscall+0x4e2
/usr/obj/usr/src/kern/subr_syscall.c:193
#17 0xffffffff8209ffab at fast_syscall_common+0xf8
/usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 59s
Automatic reboot in 15 seconds - press a key on the console to abort


TITLE: panic: general protection fault
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

panic: general protection fault
cpuid = 0
time = 1773643780
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119
/usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f71d5 at trap_fatal+0x105
/usr/obj/usr/src/amd64/amd64/trap.c:969
#4 0xffffffff820f6898 at trap+0xe48 /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8
/usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff80389f28 at cam_periph_runccb+0x2b8
/usr/obj/usr/src/cam/cam_periph.c:0
#7 0xffffffff8040f159 at passsendccb+0x339
/usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#8 0xffffffff8040dfa5 at passdoioctl+0x615
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#9 0xffffffff8040d243 at passioctl+0x33
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#10 0xffffffff811cb236 at devfs_ioctl+0x266
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#11 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#12 0xffffffff817bd187 at vn_ioctl+0x3c7
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#13 0xffffffff811cc0f9 at devfs_ioctl_f+0x69
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#14 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#15 0xffffffff8166673e at sys_ioctl+0x36e
/usr/obj/usr/src/kern/sys_generic.c:716
#16 0xffffffff820f9372 at amd64_syscall+0x4e2
/usr/obj/usr/src/kern/subr_syscall.c:193
#17 0xffffffff8209ffab at fast_syscall_common+0xf8
/usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 59s
Automatic reboot in 15 seconds - press a key on the console to abort
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
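A small triage helper, added here as an example (it is not the reporter's code and not part of syzkaller or FreeBSD), that parses a FreeBSD trap frame and KDB backtrace in the shape shown above, picks out the first frame below the panic/trap handlers, and flags registers holding non-canonical addresses. On amd64 a memory access through a non-canonical pointer raises #GP (trap 9) rather than a page fault (trap 12), so a value such as the rdi/r12 contents in this report points at a corrupted or uninitialised pointer rather than a NULL or unmapped kernel address. The sample input is excerpted from the report (frames #10-#13 and #16-#17 omitted for brevity); the line formats the regexes assume are taken from that output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: trap frame and KDB backtrace excerpted from the report above
# (frames #10-#13 and #16-#17 left out), embedded so the script runs offline.
SAMPLE = """\
Fatal trap 9: general protection fault while in kernel mode
instruction pointer     = 0x20:0xffffffff80392a6f
rdi: 6e3642f32a3ae742 rsi: ffffffff82e093d0 rdx: 0000000000000000
rcx: fffffe00175ef388  r8: 0000000000000000  r9: 0000000000000001
rax: fffffe0000000000 rbx: 0000000000000900 rbp: fffffe00ec0cc310
r10: fffffe01330db0c8 r11: 000000000000009b r12: 6e3642f32a3ae742
r13: fffffe01330db000 r14: fffffe00ecfcb2e0 r15: 6e3642f32a3ae6f2
trap number             = 9
panic: general protection fault
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119
/usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f71d5 at trap_fatal+0x105
/usr/obj/usr/src/amd64/amd64/trap.c:969
#4 0xffffffff820f6898 at trap+0xe48 /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8
/usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff80389f28 at cam_periph_runccb+0x2b8
/usr/obj/usr/src/cam/cam_periph.c:0
#7 0xffffffff8040f159 at passsendccb+0x339
/usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#8 0xffffffff8040dfa5 at passdoioctl+0x615
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1830
#9 0xffffffff8040d243 at passioctl+0x33
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#14 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#15 0xffffffff8166673e at sys_ioctl+0x36e
/usr/obj/usr/src/kern/sys_generic.c:716
"""

# Frames pushed by the panic machinery itself; the first frame below them is
# where the faulting access happened.
HANDLER_FRAMES = {"kdb_backtrace", "vpanic", "panic", "trap_fatal", "trap", "calltrap"}
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-f]+)\s+at\s+(\w+)\+0x([0-9a-f]+)(?:\s+(\S+:\d+))?\s*$")
LOC_RE = re.compile(r"^(/\S+:\d+)\s*$")            # wrapped "file:line" continuation
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2}):\s*([0-9a-f]{16})\b")


@dataclass
class Frame:
    index: int
    pc: int
    symbol: str
    offset: int
    location: Optional[str] = None


def is_canonical(addr: int, va_bits: int = 48) -> bool:
    """x86-64 canonical form: bits 63..(va_bits-1) must all be equal."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def parse_frames(text: str) -> list[Frame]:
    frames: list[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m[1]), int(m[2], 16), m[3], int(m[4], 16), m[5]))
        elif (m := LOC_RE.match(line)) and frames and frames[-1].location is None:
            frames[-1].location = m[1]   # attach the wrapped source location
    return frames


def parse_registers(text: str) -> list[tuple[str, int]]:
    return [(name, int(val, 16)) for name, val in REG_RE.findall(text)]


def trap_number(text: str) -> Optional[int]:
    m = re.search(r"^trap number\s*=\s*(\d+)", text, re.M) or re.search(r"Fatal trap (\d+)", text)
    return int(m[1]) if m else None


def triage(text: str) -> dict:
    frames = parse_frames(text)
    fault = next((f for f in frames if f.symbol not in HANDLER_FRAMES), None)
    return {
        "trap": trap_number(text),
        "faulting_frame": fault,
        # Trap 9 (#GP) on a memory access means a non-canonical pointer; the
        # registers holding one are the candidates for the bad operand.
        "noncanonical": [n for n, v in parse_registers(text) if not is_canonical(v)],
        "syscall_entry": next((f.symbol for f in frames if f.symbol.startswith("sys_")), None),
    }


if __name__ == "__main__":
    r = triage(SAMPLE)
    f = r["faulting_frame"]
    print(f"trap {r['trap']} in {f.symbol}+{f.offset:#x} ({f.location}), "
          f"reached via {r['syscall_entry']}; non-canonical regs: {r['noncanonical']}")
```

Run on this report the helper names cam_periph_runccb as the faulting frame, sys_ioctl as the syscall boundary (the pass(4) ioctl path), and rdi, r12 and r15 as the registers holding non-canonical values; rdi and r12 are equal, which is consistent with the faulting instruction dereferencing a pointer that was loaded from a corrupted CCB or periph field.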