DF-0003 panic signature -- captured from dfbsd-qemu/boot.log (serial console) after `kldload poc_negunit.ko` (a module whose only action is device_add_child(root_bus, "df3neg", -2)).

The crash is the exact OOB-write sink cited in the finding:

    sys/kern/subr_bus.c:1144    dc->devices[dev->unit] = dev;

Confirmed by addr2line -e /boot/kernel/kernel 0xffffffff8068a946:

    /usr/src/sys/kern/subr_bus.c:1144

Control (unit=0) loaded cleanly and printed:

    DF0003-CTRL: unit=0 -> OK (child=0xfffff80065c20ea0)    [valid unit: no crash]

Trigger (unit=-2) panicked immediately. Some boots print "Fatal user address access from kernel mode"; the others show the trap below:

    ---
    login:
    Fatal trap 12: page fault while in kernel mode
    cpuid = 0; lapic id = 0
    fault virtual address   = 0xfffffffffffffff0
    fault code              = supervisor write data, page not present
    instruction pointer     = 0x8:0xffffffff8068a946
    stack pointer           = 0x10:0xfffff800ab5ab738
    frame pointer           = 0x10:0xfffff800ab5ab778
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags        = interrupt enabled, resume, IOPL = 0
    current process         = 990
    current thread          = pri 6
    kernel: type 12 trap, code=2
    CPU0 stopping CPUs: 0x00000002
    stopped
    Stopped at      devclass_add_device+0xf6:       movq    %r14,(%rdx,%rax,1)
    db>

FAULT-ADDRESS ARITHMETIC (proves the negative-index write):

    fault VA = 0xfffffffffffffff0 = (device_t *)NULL + (-2) = 0 + (-2)*8

  - dev->unit = -2 (returned successfully by devclass_alloc_unit)
  - dc->devices == NULL for the freshly created "df3neg" devclass
  => dc->devices[dev->unit] = dev writes 8 bytes (the dev pointer) at address
     0 + (-2)*sizeof(device_t) = 0xfffffffffffffff0 (unmapped)
  -> supervisor WRITE page fault inside devclass_add_device at subr_bus.c:1144.

SYMBOL PROOF:

    nm /boot/kernel/kernel | grep devclass_add_device
    ffffffff8068a850 t devclass_add_device          (base)

    fault IP 0xffffffff8068a946 = base + 0xf6     (offset matches panic string)
    addr2line 0xffffffff8068a946 -> sys/kern/subr_bus.c:1144
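To make the fault-address and symbol-offset arithmetic above mechanical, here is an added userland model; it is not the kernel's code and not part of the captured log. The function names, the `unit_in_bounds` check and the `sample_slots` table are constructed for illustration; the numeric inputs are the values from the panic and nm output.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's device_t (a pointer type; 8 bytes on amd64). */
typedef struct device *device_t;

/* Address that `devices[unit] = dev` stores to. Computed in integer space so a
 * negative unit wraps exactly as the CPU does for movq %r14,(%rdx,%rax,1). */
uint64_t indexed_store_address(uint64_t devices_base, int unit, uint64_t elem_size)
{
    return devices_base + (uint64_t)(int64_t)unit * elem_size;
}

/* Offset of the faulting IP inside its function, as the panic string prints it
 * (devclass_add_device+0xf6). */
uint64_t symbol_offset(uint64_t fault_ip, uint64_t func_base)
{
    return fault_ip - func_base;
}

/* Invariant the store needs before it executes: a table exists and unit names
 * a slot inside it. Constructed check for illustration, not the kernel's code. */
int unit_in_bounds(const device_t *devices, int maxunit, int unit)
{
    return devices != NULL && unit >= 0 && unit < maxunit;
}

/* A populated table of four slots, for the positive case. */
static device_t sample_slots[4];

int main(void)
{
    /* dc->devices == NULL on the fresh devclass, unit -2, sizeof(device_t) == 8. */
    uint64_t fault_va = indexed_store_address(0, -2, 8);
    uint64_t off = symbol_offset(0xffffffff8068a946ULL, 0xffffffff8068a850ULL);

    printf("devices[-2] with devices == NULL stores to 0x%016llx\n",
           (unsigned long long)fault_va);
    printf("fault IP is devclass_add_device+0x%llx\n", (unsigned long long)off);
    printf("unit -2 on an empty devclass: %s\n",
           unit_in_bounds(NULL, 0, -2) ? "admitted" : "rejected");
    printf("unit 0 on a 4-slot table:     %s\n",
           unit_in_bounds(sample_slots, 4, 0) ? "admitted" : "rejected");
    return 0;
}
```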