syzbot

 sign-in | mailing list | source | docs
🐞 Open [169]
🐞 Fixed [299]
🐞 Invalid [972]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

uvm_fault: pmap_page_remove (7)

Status: upstream: reported on 2025/11/11 16:24
Reported-by: syzbot+4f31ad0ccb0a35f3f07a@syzkaller.appspotmail.com
First crash: 113d, last: 23d
Similar bugs (6)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
openbsd uvm_fault: pmap_page_remove (4) -1 1 1413d 1413d 0/3 auto-closed as invalid on 2022/07/20 03:20
openbsd uvm_fault: pmap_page_remove (5) -1 16 505d 816d 0/3 auto-obsoleted due to no activity on 2025/01/12 21:41
openbsd uvm_fault: pmap_page_remove -1 7 2357d 2614d 0/3 auto-closed as invalid on 2019/12/19 05:38
openbsd uvm_fault: pmap_page_remove (6) -1 1 236d 236d 0/3 auto-obsoleted due to no activity on 2025/10/08 23:25
openbsd uvm_fault: pmap_page_remove (3) -1 1 1482d 1482d 0/3 closed as invalid on 2022/02/15 06:33
openbsd uvm_fault: pmap_page_remove (2) -1 5 2034d 2210d 0/3 auto-closed as invalid on 2020/11/06 07:50

Sample crash report:
uvm_fault(0xfffffd806c98fd70, 0x7f8797b67048, 0, 2) -> e
kernel: page fault trap, code=2
Stopped at   pmap_page_remove+0x45d:   xchgq        %rax,0(%r14,%rcx,1)
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 322179  89615      0           0          0    0  syz-executor
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree(fffffd800dfcef20) at uvm_anfree+0xd8 sys/uvm/uvm_anon.c:111
amap_wipeout(fffffd806cc3a970) at amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80003c46f040,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806c98fd70) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2530
exit1(ffff800038fe1cb0,43,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff800038fe1cb0,ffff80003c46f210,ffff80003c46f160) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003c46f210) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c46f210) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x739f1f7e0c10, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: uvm_fault(0xfffffd806c98fd70, 0x7f8797b67048, 0, 2) -> e
ddb{1}> trace
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree(fffffd800dfcef20) at uvm_anfree+0xd8 sys/uvm/uvm_anon.c:111
amap_wipeout(fffffd806cc3a970) at amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80003c46f040,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806c98fd70) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2530
exit1(ffff800038fe1cb0,43,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff800038fe1cb0,ffff80003c46f210,ffff80003c46f160) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003c46f210) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c46f210) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x739f1f7e0c10, count: -9
ddb{1}> show registers
rdi                                0
rsi                                0
rbp               0xffff80003c46ef40
rbx               0xfffffd806da51308
rdx                                0
rcx                   0x7f8000000000
rax                                0
r8                                 0
r9                0xffff80003c46ef30
r10               0xfa3ab4a911ebf558
r11               0x1792690bacb7989c
r12                                0
r13               0x800000006d3b5001
r14                      0x797b67048
r15               0xfffffd8007e0e030
rip               0xffffffff82666d1d   pmap_page_remove+0x45d
cs                               0x8
rflags                       0x10246   __ALIGN_SIZE+0xf246
rsp               0xffff80003c46eec0
ss                              0x10
pmap_page_remove+0x45d:   xchgq        %rax,0(%r14,%rcx,1)
ddb{1}> show proc
PROC (syz-executor) tid=325571 pid=74057 tcnt=0 stat=onproc
    flags process=a<EXEC,EXITING> proc=2000<WEXIT>
    runpri=86, usrpri=86, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=1
    forw=0xffffffffffffffff, list=0xffff8000fffee548,0xffff800038fe0fc8
    process=0xffff80003c40c4f0 user=0xffff80003c46a000, vmspace=0xfffffd806c98fd70
    estcpu=36, cpticks=197, pctcpu=0.19, user=0, sys=3, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 89615  322179  58371      0  7           0                syz-executor
 34071  249192  74909      0  2         0x2                ifconfig
  5914  361156  73815      0  2           0                syz-executor
  5914  128202  73815      0  3   0x4000080  ttyout        syz-executor
  5914  143735  73815      0  3   0x4000080  ttyout        syz-executor
 74909    8026  38274      0  3    0x10008a  sigsusp       sh
 98035  429643  78838      0  2           0                syz-executor
 98035  320410  78838      0  2   0x4000000                syz-executor
 98035  344709  78838      0  3   0x4000080  fsleep        syz-executor
 38274  522066  77365      0  3        0x82  wait          syz-executor
 59566   83371      0      0  3     0x14200  acct          acct
 34596  395077  57800  60929  3        0x90  nanoslp       syz-executor
 34596  188534  57800  60929  3   0x4000090  kqsel         syz-executor
 34596   70169  57800  60929  3   0x4000090  fsleep        syz-executor
 34596  500521  57800  60929  3   0x4000090  fsleep        syz-executor
 22176  336068  32631      0  3      0x3000  suspend       syz-executor
 22176  294602  32631      0  2   0x4081000                syz-executor
 32631   66749  77365      0  3        0x82  wait          syz-executor
 31639  309447  85924      0  3        0x82  sbwait        sshd-session
 73815  387267  77365      0  3        0x82  nanoslp       syz-executor
 78838  391991  77365      0  3        0x82  nanoslp       syz-executor
 28190  212740  85924      0  3        0x82  sbwait        sshd-session
 60719  140270  77365      0  2         0x2                syz-executor
 58371  388023  77365      0  3        0x82  nanoslp       syz-executor
 57800  483220  77365      0  2         0x3                syz-executor
 77365   37274  45651      0  2         0x2                syz-executor
 45651  150667  45015      0  3    0x10008a  sigsusp       ksh
 45015  365177  13444      0  3        0x98  kqread        sshd-session
 13444  209645  85924      0  3        0x92  kqread        sshd-session
 78553   73356      1      0  3    0x100083  ttyopn        getty
 85924  190596      1      0  3        0x88  kqread        sshd
 94019  317654  13294     74  3   0x1100092  bpf           pflogd
 13294  346061      1      0  3        0x80  sbwait        pflogd
 43021  374473   4270     73  3   0x1100090  kqread        syslogd
  4270  104638      1      0  3    0x100082  sbwait        syslogd
 88035  296859      1      0  3    0x100080  kqread        resolvd
  3049  440523  94923     77  3    0x100092  kqread        dhcpleased
 36320  289578  94923     77  3    0x100092  kqread        dhcpleased
 94923   95003      1      0  3        0x80  kqread        dhcpleased
 17165   72537      0      0  3     0x14200  bored         smr
  7693  316131      0      0  2     0x14200                zerothread
 89238  457989      0      0  3     0x14200  aiodoned      aiodoned
 55244  295914      0      0  3     0x14200  syncer        update
  2448  127905      0      0  3     0x14200  cleaner       cleaner
 66491  465641      0      0  3     0x14200  reaper        reaper
 76383   89611      0      0  3     0x14200  pgdaemon      pagedaemon
 11459   75473      0      0  3     0x14200  bored         viomb
 25476  232448      0      0  3  0x40014200  acpi0         acpi0
 15122  245140      0      0  3  0x40014200                idle1
 21741  367826      0      0  3     0x14200  bored         softnet1
 71742   54281      0      0  3     0x14200  bored         softnet0
 55512  517368      0      0  3     0x14200  smrbar        systqmp
 74453   19892      0      0  3     0x14200  bored         systq
 77854   74870      0      0  3     0x14200  tmoslp        softclockmp
 57244  369908      0      0  3  0x40014200  tmoslp        softclock
 87033  371046      0      0  3  0x40014200                idle0
     1  354204      0      0  3     0x80082  wait          init
     0       0     -1      0  3  0x10010200  scheduler     swapper
ddb{1}> show all locks
CPU 1:
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd806eadde10)
#0  witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0  witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1  mtx_enter+0x4b4 sys/kern/kern_lock.c:487
#2  pmap_page_remove+0xca rcr3 sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:139 [inline]
#2  pmap_page_remove+0xca pmap_map_ptes sys/arch/amd64/amd64/pmap.c:437 [inline]
#2  pmap_page_remove+0xca sys/arch/amd64/amd64/pmap.c:1974
#3  uvm_anfree+0xd8 sys/uvm/uvm_anon.c:111
#4  amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
#5  uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
#6  uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2530
#7  exit1+0x6fc sys/kern/kern_exit.c:260
#8  sys_exit+0x1a sys/kern/kern_exit.c:-1
#9  syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#9  syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
#10 Xsyscall+0x128
Process 34071 (ifconfig) thread 0xffff80003c3f94e0 (249192)
Process 98035 (syz-executor) thread 0xffff8000fffef4d8 (320410)
Process 22176 (syz-executor) thread 0xffff80003c3f87e8 (294602)
Process 60719 (syz-executor) thread 0xffff800038fe0fb8 (140270)
Process 55512 (systqmp) thread 0xffff8000ffffe7c8 (517368)
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 11092  12092K   13946K 166960K     14863        0
            pcb    17     16K      18K 166960K       693        0
         rtable   200     15K      16K 166960K       988        0
             pf    35     18K      83K 166960K       361        0
         ifaddr    28      6K       9K 166960K       234        0
        ifgroup    43      2K       2K 166960K       442        0
         sysctl     4      1K       9K 166960K        22        0
       counters    64     36K      38K 166960K       676        0
       ioctlops     0      0K       4K 166960K      2617        0
            iov     0      0K      24K 166960K       179        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1512     95K      96K 166960K      4036        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     3      5K       9K 166960K        43        0
         VM map     2      1K       1K 166960K         2        0
            sem    15      1K       1K 166960K       284        0
        dirhash    12      2K       3K 166960K        66        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    17     61K     240K 166960K      3289        0
          sigio     0      0K       0K 166960K        62        0
           proc    79    131K     164K 166960K      1166        0
        subproc    63      3K       4K 166960K       171        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K       366        0
       in_multi    43      3K       7K 166960K       323        0
    ether_multi     1      0K       0K 166960K        28        0
            mrt     1      0K       0K 166960K        18        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys   259   1155K    1155K 166960K       259        0
           exec     0      0K       1K 166960K      1202        0
   fusefs mount     1     32K      32K 166960K         1        0
     pfkey data     0      0K       0K 166960K         6        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   271    185K     207K 166960K     33238        0
       UVM aobj   104     25K      27K 166960K       119        0
     pinsyscall    46     92K     103K 166960K      4694        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     0      0K       1K 166960K       478        0
            NDP     9      0K       2K 166960K       181        0
           temp    80   8688K    8784K 166960K    141014        0
         kqueue    13     20K      32K 166960K       621        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      317    0      314     2     1     1     2     0     8    0
rtentry    176      287    0      226     6     1     5     6     0     8    0
unpcb      144     1939    0     1918    15    13     2     6     0     8    1
syncache   336       14    0       14     6     6     0     1     0     8    0
tcpqe       32        3    0        3     2     2     0     1     0     8    0
tcpcb      736     1205    0     1196    28    26     2     9     0     8    1
arp        136       49    0       35     1     0     1     1     0     8    0
inpcb      328     3789    0     3775    38    31     7    10     0     8    5
nd6        152       60    0       49     2     0     2     2     0     8    0
pkpcb       40       24    0       24    10     9     1     1     0     8    1
kcovpl      48       19    0       12     1     0     1     1     0     8    0
mppekey    1024       2    0        2     2     2     0     1     0     8    0
ppxss      1192     253    0      253     5     5     0     1     0     8    0
pppxif     1504      15    0       15     6     6     0     1     0     8    0
pfstscr     40        1    0        1     1     1     0     1     0     8    0
pffrag     232       71    0       66     1     0     1     1     0   482    0
pffrnode    88       37    0       32     1     0     1     1     0     8    0
pffrent     40      136    0      131     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344      10    0        5     1     0     1     1     0     8    0
pfanchor   1288       1    0        0     1     0     1     1     0     8    0
pftag       88        5    0        0     1     0     1     1     0     8    0
pfstitem    24        4    0        0     1     0     1     1     0     8    0
pfstkey    128       12    0        8     1     0     1     1     0     8    0
pfstate    448        7    0        5     1     0     1     1     0     8    0
pfrule     1360      19    0       11     1     0     1     1     0     8    0
rttmr      136        4    0        4     3     3     0     1     0     8    0
art_heap8  4096       5    0        0     5     0     5     5     0     8    0
art_heap4  256     1126    0      902    35    14    21    32     0     8    0
art_table   40     1131    0      902     6     1     5     6     0     8    0
art_node    32      284    0      225     1     0     1     1     0     8    0
sysvmsgpl   40       17    0       12     1     0     1     1     0     8    0
semupl     112        4    0        4     4     4     0     1     0     8    0
semapl     112      274    0      261     1     0     1     1     0     8    0
shmpl      112      102    0       12     3     0     3     3     0     8    0
dirhash    1024      53    0       36     3     0     3     3     0     8    0
dino2pl    256     7631    0     6104    96     0    96    96     0     8    0
ffsino     296     7631    0     6104   118     0   118   118     0     8    0
nchpl      144    12155    0    10427    65     0    65    65     0     8    0
rtmask      32       41    0       41     7     7     0     1     0     8    0
vnodes     216     5926    0        0   330     0   330   330     0     8    0
namei      1024   43824    0    43824     6     5     1     2     0     8    1
percpumem   16      353    0      306     1     0     1     1     0     8    0
vcpupl     3968      13    0        2     2     0     2     2     0     8    0
vmpool     848       14    0        3     2     0     2     2     0     8    0
pfiaddrpl  120        2    0        0     1     0     1     1     0     8    0
kstatmem   264      286    0      264     4     1     3     3     0     8    0
acpiwqpl    32        1    0        1     1     0     1     1     1     8    1
scsiplug    72       11    0       11     6     6     0     1     0     8    0
scxspl     216    91301    0    91301    27    25     2     8     1     8    2
plimitpl   152     1157    0     1137     1     0     1     1     0     8    0
sigapl     424     3588    0     3537     9     2     7     8     0     8    0
knotepl    120      678    0        0    20     0    20    20     0     8    0
kqueuepl   224     1488    0     1478    23    22     1     5     0     8    0
pipepl     344      470    0      442     7     4     3     6     0     8    0
fdescpl    528     3536    0     3503     3     0     3     3     0     8    0
filepl     160    25442    0    25226    37    23    14    19     0     8    0
lockfpl    104     1482    0     1479     4     3     1     3     0     8    0
lockfspl    48      575    0      572     2     1     1     2     0     8    0
sessionpl  144       43    0       32     1     0     1     1     0     8    0
pgrppl      48      137    0      118     1     0     1     1     0     8    0
ucredpl    104     4249    0     4235     1     0     1     1     0     8    0
zombiepl   144     3867    0     3865     2     1     1     1     0     8    0
processpl  1232    3588    0     3537     7     2     5     6     0     8    0
procpl     664     8915    0     8856     8     0     8     8     0     8    0
sosppl     176       18    0       18     5     5     0     1     0     8    0
sockpl     752     6170    0     6132    58    47    11    17     0     8    6
mcl64k     65536      9    0        0     2     0     2     2     0     8    0
mcl16k     16384      6    0        0     1     0     1     1     0     8    0
mcl12k     12288      3    0        0     1     0     1     1     0     8    0
mcl9k      9216       1    0        0     1     0     1     1     0     8    0
mcl8k      8192       6    0        0     1     0     1     1     0     8    0
mcl4k      4096     119    0        0    15     0    15    15     0     8    0
mcl2k2     2112       2    0        0     1     0     1     1     0     8    0
mcl2k      2048      55    0        0     7     0     7     7     0     8    0
mtagpl      96        4    0        0     1     0     1     1     0     8    0
mbufpl     256     1734    0        0   105     0   105   105     0     8    0
bufpl      280    39466    0    33330   439     0   439   439     0     8    0
anonpl      32    15061    0        0   122     0   122   122     0   246    0
amapchunkpl 152  112506    0   111996    74    45    29    39     0   158    4
amappl16   200    13774    0    13518   124   101    23    36     0     8    2
amappl15   192        3    0        3     1     1     0     1     0     8    0
amappl14   184        7    0        7     2     2     0     1     0     8    0
amappl13   176      562    0      560     1     0     1     1     0     8    0
amappl12   168     2842    0     2808     3     0     3     3     0     8    0
amappl11   160       20    0       20     2     2     0     1     0     8    0
amappl10   152       85    0       71     1     0     1     1     0     8    0
amappl9    144      248    0      247     1     0     1     1     0     8    0
amappl8    136       44    0       42     1     0     1     1     0     8    0
amappl7    128      121    0      118     1     0     1     1     0     8    0
amappl6    120      409    0      391     1     0     1     1     0     8    0
amappl5    112       88    0       74     1     0     1     1     0     8    0
amappl4    104      524    0      492     1     0     1     1     0     8    0
amappl3     96    19946    0    19850     6     2     4     4     0     8    0
amappl2     88     3710    0     3616     3     0     3     3     0     8    0
amappl1     80    25033    0    24278    19     1    18    18     0     8    0
amappl      88    31771    0    31594     7     1     6     6     0    92    0
uvmvnodes   80      201    0        0     5     0     5     5     0     8    0
dma65536   65536      1    0        1     1     1     0     1     0     8    0
dma16384   16384      1    0        1     1     1     0     1     0     8    0
dma4096    4096       3    0        3     3     3     0     1     0     8    0
dma2048    2048       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      254    0      254     2     2     0     1     0     8    0
dma64       64       12    0       12     6     6     0     1     0     8    0
dma32       32        8    0        8     2     2     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72      118    0       15     2     0     2     2     0     8    0
uaddrrnd    24     3536    0     3503     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     3536    0     3503     1     0     1     1     0     8    0
vmmpekpl   168    26997    0    26931     4     0     4     4     0     8    0
vmmpepl    168   239532    0   237148   175    58   117   122     0   357    2
vmsppl     488     3535    0     3502     5     0     5     5     0     8    0
rwobjpl     80    63209    0    61535    53    15    38    40     0     8    0
pdppl      4096    7108    0     7021   155    66    89    89     0     8    2
pvpl        32    22868    0        0   186     2   184   184     0   265    0
pmappl     256     3549    0     3505     3     0     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      480    0      126    11     0    11    11     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at   x86_ipi_db+0x27:          addq         $0x8,%rsp
x86_ipi_db(ffffffff838a3ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 sys/kern/kern_lock.c:173
syscall(ffff80002a35e5f0) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff80002a35e5f0) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x754159365d00, count: 5
ddb{0}> trace
x86_ipi_db(ffffffff838a3ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 sys/kern/kern_lock.c:173
softintr_dispatch(0) at softintr_dispatch+0x125 sys/kern/kern_softintr.c:83
dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:862
Xsoftclock() at Xsoftclock+0x27
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:142 [inline]
__mp_lock(ffffffff83906d80) at __mp_lock+0x192 sys/kern/kern_lock.c:173
syscall(ffff80002a35e5f0) at syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
syscall(ffff80002a35e5f0) at syscall+0xaf4 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x754159365d00, count: -10
ddb{0}> machine ddbcpu 1
Stopped at   pmap_page_remove+0x45d:   xchgq        %rax,0(%r14,%rcx,1)
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree(fffffd800dfcef20) at uvm_anfree+0xd8 sys/uvm/uvm_anon.c:111
amap_wipeout(fffffd806cc3a970) at amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80003c46f040,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806c98fd70) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2530
exit1(ffff800038fe1cb0,43,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff800038fe1cb0,ffff80003c46f210,ffff80003c46f160) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003c46f210) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c46f210) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x739f1f7e0c10, count: 6
ddb{1}> trace
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d _atomic_swap_64 sys/arch/amd64/compile/SYZKALLER/obj/machine/atomic.h:117 [inline]
pmap_page_remove(fffffd8007e0dfc8) at pmap_page_remove+0x45d sys/arch/amd64/amd64/pmap.c:2014
uvm_anfree(fffffd800dfcef20) at uvm_anfree+0xd8 sys/uvm/uvm_anon.c:111
amap_wipeout(fffffd806cc3a970) at amap_wipeout+0x246 sys/uvm/uvm_amap.c:-1
uvm_unmap_detach(ffff80003c46f040,0) at uvm_unmap_detach+0x8a sys/uvm/uvm_map.c:1353
uvm_map_teardown(fffffd806c98fd70) at uvm_map_teardown+0x360 sys/uvm/uvm_map.c:2530
exit1(ffff800038fe1cb0,43,0,1) at exit1+0x6fc sys/kern/kern_exit.c:260
sys_exit(ffff800038fe1cb0,ffff80003c46f210,ffff80003c46f160) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80003c46f210) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c46f210) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:775
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x739f1f7e0c10, count: -9

Crashes (10):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/02/09 13:33 openbsd a82d9bb4a825 018ebef2 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2026/01/19 19:34 openbsd 665aeba05e03 56f88057 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2025/12/29 03:14 openbsd 6a98c69fc684 5dc09de1 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2025/12/24 11:02 openbsd 1dc30a6de584 5dc09de1 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: pmap_page_remove
2025/12/18 22:56 openbsd 3f23c8878a83 e14dbeb9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2025/12/11 12:57 openbsd a762189c5efb 48b27acc .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: pmap_page_remove
2025/12/11 07:55 openbsd d004c0aeba6f 48b27acc .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2025/11/24 05:53 openbsd 879ea5f6fdb7 4fb8ef37 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
2025/11/14 06:05 openbsd 83ff66b05700 07e030de .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main uvm_fault: pmap_page_remove
2025/11/11 16:24 openbsd 05de582f27ae 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore uvm_fault: pmap_page_remove
* Struck through repros no longer work on HEAD.