[Bug 293891] Fatal trap NUM: page fault while in kernel mode in passdoioctl
Date: Wed, 18 Mar 2026 08:20:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293891
Bug ID: 293891
Summary: Fatal trap NUM: page fault while in kernel mode in passdoioctl
Product: Base System
Version: 15.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: r772577952@gmail.com
Hi FreeBSD maintainers,
When fuzzing the FreeBSD kernel with syzkaller and our generated syscall descriptions, an issue was discovered in the CAM subsystem. This issue is reproducible on the latest release (release/15.0.0-p4, commit 8ef0ed690df2dca0cc22b827819d112f868470bb).
The kernel console output, kernel config, and C/syz reproducers can be found at
https://drive.google.com/drive/folders/1JoAZu51-cbBIBX7FUlcL_cJ2MRwJwzQv?usp=sharing?usp=drive_link.
The detailed issue report is also listed below (symbolized by our modified syz-symbolize) to assist with the analysis:
```
TITLE: Fatal trap NUM: page fault while in kernel mode in passdoioctl
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x50
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80392a6f
stack pointer = 0x28:0xfffffe00ec12e5f0
frame pointer = 0x28:0xfffffe00ec12e650
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1475 (repro.out)
rdi: 0000000000000050 rsi: ffffffff82e093d0 rdx: 0000000000000000
rcx: fffffe00175ef388 r8: 0000000000000000 r9: 0000000000000001
rax: fffffe0000000000 rbx: 0000000000000900 rbp: fffffe00ec12e650
r10: 000000000000002d r11: fffffe00edfaacd0 r12: 0000000000000050
r13: fffffe012ea4e7b8 r14: fffffe00ed0ddb80 r15: 0000000000000000
trap number = 12
panic: page fault
cpuid = 1
time = 1773820938
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff820f7cd2 at trap_pfault+0xaf2 /usr/obj/usr/src/amd64/amd64/trap.c:851
#4 0xffffffff820f61de at trap+0x78e /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff8040eaf7 at passdoioctl+0x1167 /usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#7 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#8 0xffffffff811cb236 at devfs_ioctl+0x266 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#9 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#10 0xffffffff817bd187 at vn_ioctl+0x3c7 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#11 0xffffffff811cc0f9 at devfs_ioctl_f+0x69 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#12 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#13 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
#14 0xffffffff820f9372 at amd64_syscall+0x4e2 /usr/obj/usr/src/kern/subr_syscall.c:193
#15 0xffffffff8209ffab at fast_syscall_common+0xf8 /usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 1m21s
Automatic reboot in 15 seconds - press a key on the console to abort
```
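As an added triage helper (not part of the report, of syzkaller or of FreeBSD), a small parser for the trap dump above: it pulls out the fault address, registers and backtrace, picks the frame that actually took the trap (the first one after calltrap, since everything above it is the trap handler and panic machinery), and flags a fault address inside the first page as a NULL-plus-offset dereference, which is consistent with 0x50 appearing as the fault address and in both rdi and r12 here. The sample is a constructed excerpt of the quoted dump with each backtrace frame on one line.

```python
import re

# Constructed excerpt of the "Fatal trap 12" output quoted in the report above,
# with wrapped backtrace frames rejoined onto single lines.
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x50
fault code = supervisor read data, page not present
rdi: 0000000000000050 rsi: ffffffff82e093d0 rdx: 0000000000000000
r10: 000000000000002d r11: fffffe00edfaacd0 r12: 0000000000000050
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#4 0xffffffff820f61de at trap+0x78e /usr/obj/usr/src/amd64/amd64/trap.c:0
#5 0xffffffff8209f6b8 at calltrap+0x8 /usr/obj/usr/src/amd64/amd64/exception.S:287
#6 0xffffffff8040eaf7 at passdoioctl+0x1167 /usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#7 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+at\s+(\w+)\+0x([0-9a-f]+)(?:\s+(\S+))?", re.M)
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2}):\s*([0-9a-f]{16})")
PAGE_SIZE = 4096  # amd64 base page; a fault below this is NULL plus a field offset

def parse_trap(text):
    """Extract trap number, fault address/code, registers and frames from a FreeBSD trap dump."""
    m = re.search(r"fault virtual address\s*=\s*(0x[0-9a-f]+)", text)
    return {
        "trap": int(re.search(r"Fatal trap (\d+)", text).group(1)),
        "fault_va": int(m.group(1), 16) if m else None,
        "fault_code": re.search(r"fault code\s*=\s*(.+)", text).group(1).strip(),
        "regs": {r: int(v, 16) for r, v in REG_RE.findall(text)},
        "frames": [(f, int(off, 16), src) for _, f, off, src in FRAME_RE.findall(text)],
    }

def faulting_frame(info):
    """The frame that took the trap is the first after calltrap; frames above it are the handler."""
    names = [f for f, _, _ in info["frames"]]
    i = names.index("calltrap") + 1 if "calltrap" in names else 0
    return info["frames"][i] if i < len(info["frames"]) else None

def classify(info):
    """Label a trap 12 with a first-page fault address as a NULL-plus-offset dereference."""
    va = info["fault_va"]
    if info["trap"] != 12 or va is None:
        return "not a page fault"
    if va < PAGE_SIZE:
        held_in = sorted(r for r, v in info["regs"].items() if v == va)  # registers holding the bad pointer
        return f"NULL pointer dereference at offset 0x{va:x} (register(s): {', '.join(held_in)})"
    return "page fault at non-NULL address"
```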