[Bug 293895] panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 18 Mar 2026 11:12:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293895

            Bug ID: 293895
           Summary: panic: ata_action: ccb ADDR, func_code NUM should not
                    be allocated from UMA zone
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: r772577952@gmail.com

Hi FreeBSD Maintainers,

While fuzzing the FreeBSD kernel with Syzkaller using our generated syscall
descriptions, we discovered a series of issues. These issues are reproducible
on the latest release (release/15.0.0-p4, commit
8ef0ed690df2dca0cc22b827819d112f868470bb).

Based on the issue reports and stack traces, these issues appear to stem from the same
root cause within the ATA layer of the CAM subsystem. The titles of the issues are
shown below:

- panic: ata_action: ccb ADDR, func_code 0x1000 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x1 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x200 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x20 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x2 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x30 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x6 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x7 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x8b should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0x8 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xa should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xb0 should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xb should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code 0xe should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code ADDR should not be allocated from UMA zone
- panic: ata_action: ccb ADDR, func_code NUM should not be allocated from UMA zone

Kernel console outputs, kernel configs, and C/Syz reproducers for all issues are
available at:
https://drive.google.com/drive/folders/1Z7RSVXrSNWEmOnei5LPYZS-pA5drIUrX?usp=sharing

A typical issue report (symbolized using our modified syz-symbolize) is
provided below to assist with the analysis:

```
TITLE: panic: ata_action: ccb ADDR, func_code NUM should not be allocated from
UMA zone
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: panic: ata_action: ccb 0xfffffe012e83d7b8, func_code 0 should not be
allocated from UMA zone

cpuid = 2
time = 1773827516
KDB: stack backtrace:
#0 0xffffffff81608a59 at kdb_backtrace+0x119
/usr/obj/usr/src/kern/subr_kdb.c:452
#1 0xffffffff81537d67 at vpanic+0x257 /usr/obj/usr/src/kern/kern_shutdown.c:960
#2 0xffffffff81537b05 at panic+0xb5 /usr/obj/usr/src/kern/kern_shutdown.c:887
#3 0xffffffff803ac501 at ata_action+0xb61
/usr/obj/usr/src/cam/ata/ata_xpt.c:1786
#4 0xffffffff8040eaf7 at passdoioctl+0x1167
/usr/obj/usr/src/cam/scsi/scsi_pass.c:0
#5 0xffffffff8040d243 at passioctl+0x33
/usr/obj/usr/src/cam/scsi/scsi_pass.c:1750
#6 0xffffffff811cb236 at devfs_ioctl+0x266
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:0
#7 0xffffffff822b9ad7 at VOP_IOCTL_APV+0x87
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.c:1154
#8 0xffffffff817bd187 at vn_ioctl+0x3c7
/usr/obj/usr/src/amd64.amd64/sys/CLOUD/vnode_if.h:639
#9 0xffffffff811cc0f9 at devfs_ioctl_f+0x69
/usr/obj/usr/src/fs/devfs/devfs_vnops.c:881
#10 0xffffffff81666cfa at kern_ioctl+0x4ca /usr/obj/usr/src/sys/file.h:378
#11 0xffffffff8166673e at sys_ioctl+0x36e
/usr/obj/usr/src/kern/sys_generic.c:716
#12 0xffffffff820f9372 at amd64_syscall+0x4e2
/usr/obj/usr/src/kern/subr_syscall.c:193
#13 0xffffffff8209ffab at fast_syscall_common+0xf8
/usr/obj/usr/src/amd64/amd64/exception.S:571
Uptime: 54s
Automatic reboot in 15 seconds - press a key on the console to abort
```

-- 
You are receiving this mail because:
You are the assignee for the bug.