syzbot


panic: pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = ADDR, pa = ADDR (2)

Status: auto-closed as invalid on 2020/02/06 01:57
Reported-by: syzbot+cd00350d69f5744eb379@syzkaller.appspotmail.com
First crash: 1631d, last: 1631d
Similar bugs (1)
Kernel: openbsd
Title: panic: pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = ADDR, pa = ADDR
Repro: -
Cause bisect: -
Fix bisect: -
Count: 1
Last: 1637d
Reported: 1637d
Patched: 0/3
Status: closed as invalid on 2019/11/03 08:39

Sample crash report:
panic: pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = 0x1b2ea60000, pa = 0x70003e000
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*135397  23905      0     0x14000      0x200    0  reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pmap_remove_ptes(fffffd802e1efaf8,fffffd8003dc2080,7f800d975100,1b2ea20000,1b2ec00000,0) at pmap_remove_ptes+0x373 sys/arch/amd64/amd64/pmap.c:1565
pmap_do_remove(fffffd802e1efaf8,1b2ea20000,1b2fa20000,0) at pmap_do_remove+0x430 sys/arch/amd64/amd64/pmap.c:1780
uvm_map_teardown(fffffd803f013330) at uvm_map_teardown+0x165 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206 [inline]
uvm_map_teardown(fffffd803f013330) at uvm_map_teardown+0x165 sys/uvm/uvm_map.c:2719
uvmspace_free(fffffd803f013330) at uvmspace_free+0x86 sys/uvm/uvm_map.c:3592
uvm_exit(ffff8000148a30f8) at uvm_exit+0x29 sys/uvm/uvm_glue.c:297
reaper(ffff8000fffffb28) at reaper+0x15c sys/kern/kern_exit.c:442
end trace frame: 0x0, count: 7
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb> 
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
pmap_remove_ptes: unmanaged page marked PG_PVLIST, va = 0x1b2ea60000, pa = 0x70003e000
ddb> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
pmap_remove_ptes(fffffd802e1efaf8,fffffd8003dc2080,7f800d975100,1b2ea20000,1b2ec00000,0) at pmap_remove_ptes+0x373 sys/arch/amd64/amd64/pmap.c:1565
pmap_do_remove(fffffd802e1efaf8,1b2ea20000,1b2fa20000,0) at pmap_do_remove+0x430 sys/arch/amd64/amd64/pmap.c:1780
uvm_map_teardown(fffffd803f013330) at uvm_map_teardown+0x165 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206 [inline]
uvm_map_teardown(fffffd803f013330) at uvm_map_teardown+0x165 sys/uvm/uvm_map.c:2719
uvmspace_free(fffffd803f013330) at uvmspace_free+0x86 sys/uvm/uvm_map.c:3592
uvm_exit(ffff8000148a30f8) at uvm_exit+0x29 sys/uvm/uvm_glue.c:297
reaper(ffff8000fffffb28) at reaper+0x15c sys/kern/kern_exit.c:442
end trace frame: 0x0, count: -8
ddb> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800014841e80
rbx               0xffff800014841f30
rdx                              0x2
rcx                                0
rax                                0
r8                0xffff800014841e40
r9                               0x1
r10                                0
r11               0xdce03a17494e529d
r12                     0x3000000008
r13               0xffff800014841e90
r14                            0x100
r15                              0x1
rip               0xffffffff8146d878    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800014841e70
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb> show proc
PROC (reaper) pid=135397 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=200<SYSTEM>
    pri=4, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff8000fffff8b0,0xffff8000ffff9650
    process=0xffff8000ffffb0e8 user=0xffff80001483d000, vmspace=0xffffffff82581530
    estcpu=0, cpticks=2, pctcpu=0.2
    user=0, sys=1, intr=0
ddb> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 57518  414459  56658      0  3        0x82  nanosleep     syz-executor.0
 12053  375889      1      0  3    0x100083  ttyin         getty
 15495   54526      0      0  3     0x14200  bored         sosplice
 56658   81020  19058      0  3        0x82  thrsleep      syz-fuzzer
 56658  235920  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 56658  323614  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 56658  267819  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 56658  508841  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 56658  112361  19058      0  3   0x4000082  kqread        syz-fuzzer
 56658  138272  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 56658  346454  19058      0  3   0x4000082  thrsleep      syz-fuzzer
 19058   39244  63328      0  3    0x10008a  pause         ksh
 63328  181101  38713      0  3        0x92  select        sshd
 38713   17761      1      0  3        0x80  select        sshd
 12184  407310  43625     73  3    0x100090  kqread        syslogd
 43625   13600      1      0  3    0x100082  netio         syslogd
 69949  367412      1     77  3    0x100090  poll          dhclient
 36361  454573      1      0  3        0x80  poll          dhclient
  8637   23664      0      0  2     0x14200                zerothread
 80753  304281      0      0  3     0x14200  aiodoned      aiodoned
 56745   43226      0      0  3     0x14200  syncer        update
  7889   53464      0      0  3     0x14200  cleaner       cleaner
*23905  135397      0      0  7     0x14200                reaper
 98166  246710      0      0  3     0x14200  pgdaemon      pagedaemon
 21492  469492      0      0  3     0x14200  bored         crynlk
 77169  342665      0      0  3     0x14200  bored         crypto
 87186  195162      0      0  3  0x40014200  acpi0         acpi0
 49522  167786      0      0  3     0x14200  bored         softnet
 57842  502145      0      0  3     0x14200  bored         systqmp
 28683  254484      0      0  3     0x14200  bored         systq
 76028  237342      0      0  3  0x40014200  bored         softclock
 50538  173195      0      0  3  0x40014200                idle0
 17456  155639      0      0  3     0x14200  bored         smr
     1  421643      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb> show all locks
No such command
ddb> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim Kern Lim
         devbuf  9521   6355K    6929K  78643K     12664        0        0
            pcb    13      8K       9K  78643K       261        0        0
         rtable    92      3K       4K  78643K      1009        0        0
         ifaddr    60     14K      16K  78643K       319        0        0
       counters    19     16K      16K  78643K        19        0        0
       ioctlops     0      0K       2K  78643K        93        0        0
            iov     0      0K      16K  78643K       186        0        0
          mount     1      1K       1K  78643K         1        0        0
         vnodes  1205     76K      77K  78643K      2013        0        0
      UFS quota     1     32K      32K  78643K         1        0        0
      UFS mount     5     36K      36K  78643K         5        0        0
            shm     2      1K       5K  78643K        13        0        0
         VM map    15      3K       3K  78643K        22        0        0
            sem    12      0K       1K  78643K      1625        0        0
        dirhash    12      2K       2K  78643K        12        0        0
           ACPI  1793    195K     288K  78643K     12645        0        0
      file desc     3      5K      25K  78643K      1460        0        0
          sigio     0      0K       0K  78643K        14        0        0
           proc    48     38K      62K  78643K      1878        0        0
        subproc    16      1K       2K  78643K       136        0        0
    NFS srvsock     1      0K       0K  78643K         1        0        0
     NFS daemon     1     16K      16K  78643K         1        0        0
    ip_moptions     0      0K       0K  78643K        85        0        0
       in_multi    18      1K       2K  78643K       155        0        0
    ether_multi     1      0K       0K  78643K        11        0        0
            mrt     0      0K       0K  78643K         8        0        0
    ISOFS mount     1     32K      32K  78643K         1        0        0
  MSDOSFS mount     1     16K      16K  78643K         1        0        0
           ttys    60    265K     265K  78643K        60        0        0
           exec     0      0K       1K  78643K       346        0        0
        pagedep     1      8K       8K  78643K         1        0        0
       inodedep     1     32K      32K  78643K         1        0        0
         newblk     1      0K       0K  78643K         1        0        0
        VM swap     7     26K      26K  78643K         7        0        0
       UVM amap   131    128K     129K  78643K      4295        0        0
       UVM aobj   121      4K       4K  78643K       123        0        0
        memdesc     1      4K       4K  78643K         1        0        0
    crypto data     1      1K       1K  78643K         1        0        0
    ip6_options     0      0K       0K  78643K       238        0        0
            NDP    14      0K       0K  78643K        94        0        0
           temp   139   3534K    3604K  78643K     33240        0        0
         kqueue     0      0K       0K  78643K         4        0        0
      SYN cache     2     16K      16K  78643K         2        0        0
ddb> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp         64       39    0       34     1     0     1     1     0     8    0
rtpcb       80      107    0      105     1     0     1     1     0     8    0
rtentry    112      162    0      129     2     0     2     2     0     8    0
unpcb      120      964    0      956     1     0     1     1     0     8    0
syncache   264        8    0        8     3     3     0     1     0     8    0
tcpqe       32      114    0      114     3     3     0     1     0     8    0
tcpcb      544      454    0      449     2     1     1     2     0     8    0
ipq         40       11    0       11     4     3     1     1     0     8    1
ipqe        40      322    0      322     4     3     1     1     0     8    1
inpcb      280     1181    0     1172     6     4     2     4     0     8    0
rttmr       72        2    0        2     2     2     0     1     0     8    0
nd6         48       19    0       18     1     0     1     1     0     8    0
pkpcb       40        2    0        2     1     1     0     1     0     8    0
ppxss      1128      46    0       46     3     2     1     1     0     8    1
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      631    0      471    17     2    15    15     0     8    1
art_table   32      632    0      471     2     0     2     2     0     8    0
art_node    16      161    0      130     1     0     1     1     0     8    0
sysvmsgpl   40       54    0       33     1     0     1     1     0     8    0
semupl     112        4    0        4     1     1     0     1     0     8    0
semapl     112     1620    0     1610     1     0     1     1     0     8    0
shmpl      112      121    0        2     4     0     4     4     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino1pl    128     3839    0     2450    46     0    46    46     0     8    0
ffsino     240     3839    0     2450    83     0    83    83     0     8    0
nchpl      144     6718    0     6255    60    40    20    60     0     8    0
uvmvnodes   72     4445    0        0    81     0    81    81     0     8    0
vnodes     208     4445    0        0   234     0   234   234     0     8    0
namei      1024   26726    0    26726     1     0     1     1     0     8    1
vcpupl     1984      14    0        1     2     0     2     2     0     8    0
vmpool     520       20    0        7     1     0     1     1     0     8    0
scsiplug    64        2    0        2     2     1     1     1     0     8    1
scxspl     192    19956    0    19956    10     8     2     7     0     8    2
plimitpl   152       99    0       93     1     0     1     1     0     8    0
sigapl     432     1614    0     1603     2     0     2     2     0     8    0
futexpl     56    49818    0    49818     1     0     1     1     0     8    1
knotepl    112      226    0      213     1     0     1     1     0     8    0
kqueuepl   104      259    0      257     1     0     1     1     0     8    0
pipepl     112      702    0      689     2     0     2     2     0     8    1
fdescpl    424     1615    0     1603     2     0     2     2     0     8    0
filepl     120    14387    0    14315     8     3     5     6     0     8    2
lockfpl    104      347    0      346     1     0     1     1     0     8    0
lockfspl    48      129    0      128     1     0     1     1     0     8    0
sessionpl  112       25    0       16     1     0     1     1     0     8    0
pgrppl      48       29    0       20     1     0     1     1     0     8    0
ucredpl     96     2083    0     2076     1     0     1     1     0     8    0
zombiepl   144     1605    0     1604     1     0     1     1     0     8    0
processpl  864     1632    0     1604     4     0     4     4     0     8    0
procpl     632     3257    0     3222     4     0     4     4     0     8    0
sosppl     128       17    0       17     2     1     1     1     0     8    1
sockpl     384     3486    0     3468     9     4     5     6     0     8    2
mcl64k     65536    348    0      347    32    24     8    32     0     8    7
mcl16k     16384     22    0       22     2     2     0     1     0     8    0
mcl12k     12288    515    0      515     1     0     1     1     0     8    1
mcl9k      9216      14    0       14     5     4     1     1     0     8    1
mcl8k      8192      84    0       84     2     1     1     1     0     8    1
mcl4k      4096     164    0      164     2     1     1     1     0     8    1
mcl2k2     2112      15    0       15     4     3     1     1     0     8    1
mcl2k      2048   69439    0    69392    15     8     7    13     0     8    0
mtagpl      80       43    0       36     3     2     1     1     0     8    0
mbufpl     256   134083    0   133890    80    55    25    40     0     8    8
bufpl      256    11059    0     5185   368     0   368   368     0     8    0
anonpl      16   189046    0   173844   116    21    95    95     0    62   14
amapchunkpl 152    8036    0     7886    18     7    11    11     0   158    2
amappl16   192     9262    0     8171    88    26    62    66     0     8    7
amappl14   176      399    0      392     1     0     1     1     0     8    0
amappl13   168      302    0      300     1     0     1     1     0     8    0
amappl12   160      114    0      114     2     2     0     1     0     8    0
amappl11   152       62    0       51     1     0     1     1     0     8    0
amappl10   144       18    0       16     2     1     1     1     0     8    0
amappl9    136      648    0      645     1     0     1     1     0     8    0
amappl8    128      219    0      185     2     0     2     2     0     8    0
amappl7    120       61    0       56     1     0     1     1     0     8    0
amappl6    112       86    0       74     1     0     1     1     0     8    0
amappl5    104      314    0      303     1     0     1     1     0     8    0
amappl4     96     1934    0     1901     1     0     1     1     0     8    0
amappl3     88      978    0      969     1     0     1     1     0     8    0
amappl2     80    11820    0    11753     3     1     2     3     0     8    0
amappl1     72    37452    0    37050    27    18     9    20     0     8    0
amappl      80     3604    0     3552     2     0     2     2     0    84    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       17    0       17     1     1     0     1     0     8    0
aobjpl      64      122    0        2     2     0     2     2     0     8    0
uaddrrnd    24     1635    0     1603     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24     1635    0     1603     1     0     1     1     0     8    0
vmmpekpl   168    13116    0    13088     2     0     2     2     0     8    0
vmmpepl    168   197653    0   195485   177    59   118   165     0   357   17
vmsppl     272     1614    0     1602     2     1     1     2     0     8    0
pdppl      4096    3276    0     3231     8     1     7     7     0     8    1
pvpl        32   480512    0   462857   244    25   219   219     0   265   36
pmappl     200     1634    0     1609     2     0     2     2     0     8    0
extentpl    40       41    0       26     1     0     1     1     0     8    0
phpool     112      620    0       98    16     0    16    16     0     8    0

Crashes (1):
Time: 2019/11/08 01:56
Kernel: openbsd
Commit: 9b3feccb14f9
Syzkaller: f39aff9e
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: -
Assets: -
Manager: ci-openbsd-main
Title: -