Date: Wed, 18 Mar 2026 11:12:35 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 293895] panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone
Message-ID: <bug-293895-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293895

Bug ID: 293895
Summary: panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone
Product: Base System
Version: 15.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: r772577952@gmail.com

Hi FreeBSD Maintainers,

While fuzzing the FreeBSD kernel with Syzkaller using our generated syscall descriptions, we discovered a series of issues. These issues are reproducible on the latest release (release/15.0.0-p4, commit 8ef0ed690df2dca0cc22b827819d112f868470bb).

Based on the issue reports and stack traces, these issues look to be from the same root cause within the ATA layer of the CAM subsystem. The titles of the issues are shown below:

- panic: ata_action: ccb ADDR, func_code 0x1000 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x1 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x200 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x20 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x2 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x30 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x6 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x7 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x8b should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x8 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xa should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xb0 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xb should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xe should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code ADDR should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone

Kernel console outputs, kernel configs, and C/Syz reproducers for all issues are available at:
https://drive.google.com/drive/folders/1Z7RSVXrSNWEmOnei5LPYZS-pA5drIUrX?usp=sharing

A typical issue report (symbolized using our modified syz-symbolize) is provided below to assist with the analysis:

```
TITLE: panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: panic: ata_action: ccb 0xfffffe012e83d7b8, func_code 0 should not be allocated from UMA zone
cpuid = 2
time = 1773827516
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119 /usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff803ac501 at ata_action+0xb61 /usr/obj/usr/src/cam/ata/ata_xpt.c:1786
#4 0xffffffff8040eaf7 at passdoioctl+0x1167 /usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#5 0xffffffff8040d243 at passioctl+0x33 /usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#6 0xffffffff811cb236 at devfs_ioctl+0x266 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#7 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#8 0xffffffff817bd187 at vn_ioctl+0x3c7 /usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#9 0xffffffff811cc0f9 at devfs_ioctl_f+0x69 /usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#10 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#11 0xffffffff8166673e at sys_ioctl+0x36e /usr/obj/usr/src/kern/sys_generic.c:716
#12 0xffffffff820f9372 at amd64_syscall+0x4e2 /usr/obj/usr/src/kern/subr_syscall.c:193
#13 0xffffffff8209ffab at fast_syscall_common+0xf8 /usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 54s
Automatic reboot in 15 seconds - press a key on the console to abort
```

--
You are receiving this mail because:
You are the assignee for the bug.
