1042] panic: [ 191.9881117] vpanic() at netbsd:vpanic+0xc9d [ 192.0381759] panic() at netbsd:panic+0x1b3 [ 192.0882363] pmap_get_physpage() at netbsd:pmap_get_physpage+0x5a6 sys/arch/x86/x86/pmap.c:5631 [ 192.1483099] kmsan_md_shadow_map_page() at netbsd:kmsan_md_shadow_map_page+0x209 sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/msan.h:163 [ 192.1983716] kmsan_shadow_map() at netbsd:kmsan_shadow_map+0x128 sys/kern/subr_msan.c:509 [ 192.2484305] pmap_growkernel() at netbsd:pmap_growkernel+0x59a sys/arch/x86/x86/pmap.c:5791 [ 192.3085006] uvm_map_prepare() at netbsd:uvm_map_prepare+0x2033 sys/uvm/uvm_map.c:1213 [ 192.3585625] uvm_map() at netbsd:uvm_map+0x5f6 sys/uvm/uvm_map.c:1081 [ 192.4086229] kcov_allocbuf() at netbsd:kcov_allocbuf+0x2bf sys/kern/subr_kcov.c:202 [ 192.4686938] kcov_fops_ioctl() at netbsd:kcov_fops_ioctl+0x1cf sys/kern/subr_kcov.c:497 [ 192.5187532] sys_ioctl() at netbsd:sys_ioctl+0xd84 sys/kern/sys_generic.c:675 [ 192.5788263] syscall() at netbsd:syscall+0x576 sy_invoke sys/sys/syscallvar.h:94 [inline] [ 192.5788263] syscall() at netbsd:syscall+0x576 sys/arch/x86/x86/syscall.c:137 [ 192.5888389] --- syscall (number 54) --- [ 192.6088620] netbsd:syscall+0x576: [ 192.6088620] cpu1: End traceback... [ 192.6088620] fatal breakpoint trap in supervisor mode [ 192.6188777] trap type 1 code 0 rip 0xffffffff8023687d cs 0x8 rflags 0x282 cr2 0x7cd47d27a498 ilevel 0x6 rsp 0xffffd080c8781490 [ 192.6288880] curlwp 0xffffd08013b6b900 pid 3281.3281 lowest kstack 0xffffd080c877a2c0 Stopped in pid 3281.3281 (syz-executor.1) at netbsd:breakpoint+0x5: leave ? breakpoint() at netbsd:breakpoint+0x5 vpanic() at netbsd:vpanic+0xc9d panic() at netbsd:panic+0x1b3 pmap_get_physpage() at netbsd:pmap_get_physpage+0x5a6 sys/arch/x86/x86/pmap.c:5631 kmsan_md_shadow_map_page() at netbsd:kmsan_md_shadow_map_page+0x209 sys/arch/amd64/compile/obj/GENERIC_SYZKALLER/./machine/msan.h:163 kmsan_shadow_map() at netbsd:kmsan_shadow_map+0x128 sys/kern/subr_msan.c:509 pmap_growkernel() at netbsd:pmap_growkernel+0x59a sys/arch/x86/x86/pmap.c:5791 uvm_map_prepare() at netbsd:uvm_map_prepare+0x2033 sys/uvm/uvm_map.c:1213 uvm_map() at netbsd:uvm_map+0x5f6 sys/uvm/uvm_map.c:1081 kcov_allocbuf() at netbsd:kcov_allocbuf+0x2bf sys/kern/subr_kcov.c:202 kcov_fops_ioctl() at netbsd:kcov_fops_ioctl+0x1cf sys/kern/subr_kcov.c:497 sys_ioctl() at netbsd:sys_ioctl+0xd84 sys/kern/sys_generic.c:675 syscall() at netbsd:syscall+0x576 sy_invoke sys/sys/syscallvar.h:94 [inline] syscall() at netbsd:syscall+0x576 sys/arch/x86/x86/syscall.c:137 --- syscall (number 54) --- netbsd:syscall+0x576: Panic string: pmap_get_physpage: out of memory PID LID S CPU FLAGS STRUCT LWP * NAME WAIT 2034 2034 2 1 40000 ffffd080134ed980 syz-executor.3 3281 > 3281 7 1 40000 ffffd08013b6b900 syz-executor.1 2200 > 2200 7 0 0 ffffd08013b6b4c0 sh 3635 3635 3 1 40180 ffffd08013a2e8c0 syz-executor.4 wait 2115 3151 5 1 100100 ffffd08013b6b080 syz-executor.0 2115 2115 2 1 10040000 ffffd080134ed100 syz-executor.0 2202 2202 2 1 140 ffffd08013770640 syz-executor.0 2466 2466 3 1 180 ffffd08013a2e040 syz-executor.2 parked 3121 2040 3 1 11100000 ffffd08013954780 syz-executor.2 vfork 3121 3121 2 1 11000040 ffffd0801382a6c0 syz-executor.2 2636 2636 2 1 140 ffffd08012d0c940 syz-executor.3 1790 1790 3 0 180 ffffd080137fcac0 syz-executor.2 wait 2893 2893 3 1 180 ffffd08013a2e480 syz-executor.1 parked 2908 1926 3 0 1000000 ffffd0801393cb40 syz-executor.5 lwpwait 2908 3516 2 1 11e0000 ffffd080135f65c0 syz-executor.5 2908 2908 8 0 111a0000 ffffd080137fc680 syz-executor.5 1692 1692 3 1 180 ffffd08013770a80 syz-executor.5 wait 1970 1970 3 0 180 ffffd080135f6180 syz-executor.3 parked 1381 1381 3 0 180 ffffd08013770200 syz-executor.4 parked 2996 3136 3 0 11100000 ffffd08013953b80 syz-executor.4 vfork 2996 2996 2 1 11000040 ffffd08013954340 syz-executor.4 1264 1264 3 1 180 ffffd0801360a600 syz-executor.2 parked 757 757 3 0 180 ffffd08013954bc0 syz-executor.4 parked 1608 1608 3 0 180 ffffd0801382ab00 syz-executor.1 parked 1590 656 3 0 11100000 ffffd08013953300 syz-executor.1 vfork 1590 1590 2 1 11000040 ffffd0801233d700 syz-executor.1 676 676 3 0 180 ffffd08013953740 syz-executor.2 parked 1235 1313 3 1 180 ffffd080137fc240 syz-fuzzer parked 1235 1201 3 0 180 ffffd0801360aa40 syz-fuzzer wait 1235 1206 3 1 180 ffffd0801360a1c0 syz-fuzzer parked 1235 1207 2 1 0 ffffd080135f6a00 syz-fuzzer 1235 1120 3 0 180 ffffd080134f5580 syz-fuzzer wait 1235 1244 3 1 180 ffffd080134f5140 syz-fuzzer parked 1235 1243 3 1 180 ffffd080134ed540 syz-fuzzer wait 1235 1239 3 1 180 ffffd08012d0c500 syz-fuzzer wait 1235 1223 3 0 180 ffffd08012d0c0c0 syz-fuzzer parked 1235 449 3 0 180 ffffd08012c33900 syz-fuzzer parked 1235 1126 3 1 180 ffffd08012c334c0 syz-fuzzer parked 1235 1231 3 1 180 ffffd08012c33080 syz-fuzzer wait 1235 1080 3 1 180 ffffd08012311b00 syz-fuzzer parked 1235 1235 3 1 180 ffffd080123116c0 syz-fuzzer wait 1238 1238 3 0 180 ffffd0801233db40 sshd select 1225 1225 3 0 180 ffffd08012311280 getty nanoslp 1151 1151 3 0 180 ffffd0801233d2c0 getty nanoslp 1222 1222 3 1 180 ffffd08012275ac0 getty nanoslp 1224 1224 3 1 180 ffffd080121d7200 getty ttyraw 685 685 3 0 180 ffffd08012b818c0 sshd select 1000 1000 3 0 180 ffffd08012521b80 powerd kqueue 562 562 3 1 180 ffffd08012521300 syslogd kqueue 746 746 3 1 180 ffffd08012b81480 dhcpcd poll 745 745 3 0 180 ffffd08012b81040 dhcpcd poll 741 741 3 1 180 ffffd0801254bbc0 dhcpcd poll 487 487 3 1 180 ffffd0801254b780 dhcpcd poll 292 292 3 0 180 ffffd0801254b340 dhcpcd poll 291 291 3 1 180 ffffd08012521740 dhcpcd poll 1 1 3 1 180 ffffd08011e53100 init wait 0 2123 3 0 200 ffffd0801393c700 ktrace ktrwait 0 1275 3 1 200 ffffd080134f59c0 ktrace ktrwait 0 1251 5 0 200 ffffd0801393c2c0 (zombie) 0 1364 3 0 200 ffffd0801382a280 ktrace ktrwait 0 686 3 0 200 ffffd080121d7640 physiod physiod 0 195 3 1 200 ffffd08012275240 ioflush syncer 0 196 3 1 200 ffffd08012275680 pooldrain pooldrain 0 194 3 0 200 ffffd080121d7a80 pgdaemon mutex 0 167 3 0 200 ffffd080121a7a40 usb7 usbevt 0 172 3 0 200 ffffd080121a7600 usb6 usbevt 0 170 3 1 200 ffffd080121a71c0 usb5 usbevt 0 168 3 0 200 ffffd0801211ba00 usb4 usbevt 0 166 3 0 200 ffffd0801211b5c0 usb3 usbevt 0 165 3 0 200 ffffd0801211b180 usb2 usbevt 0 31 3 0 200 ffffd0801206b9c0 usb1 usbevt 0 63 3 0 200 ffffd0801206b580 usb0 usbevt 0 126 3 1 200 ffffd0801206b140 usbtask-dr usbtsk 0 125 3 1 200 ffffd08011e53980 usbtask-hc usbtsk 0 124 3 0 200 ffffd080103d3b00 swwreboot swwreboot 0 123 3 0 200 ffffd08011e53540 npfgc0 npfgcw 0 122 3 1 200 ffffd08011e47940 rt_free rt_free 0 121 3 0 200 ffffd08011e47500 unpgc unpgc 0 120 3 0 200 ffffd08011e470c0 key_timehandler key_timehandler 0 119 3 1 200 ffffd08011e41900 icmp6_wqinput/1 icmp6_wqinput 0 118 3 0 200 ffffd08011e414c0 icmp6_wqinput/0 icmp6_wqinput 0 117 3 0 200 ffffd08011e41080 nd6_timer nd6_timer 0 116 3 1 200 ffffd08011cccbc0 carp6_wqinput/1 carp6_wqinput 0 115 3 0 200 ffffd08011ccc780 carp6_wqinput/0 carp6_wqinput 0 114 3 1 200 ffffd08011ccc340 carp_wqinput/1 carp_wqinput 0 113 3 0 200 ffffd08011ccd8c0 carp_wqinput/0 carp_wqinput 0 112 3 1 200 ffffd08011ccd480 icmp_wqinput/1 icmp_wqinput 0 111 3 0 200 ffffd08011cc9b80 icmp_wqinput/0 icmp_wqinput 0 110 3 1 200 ffffd08011cc9740 rt_timer rt_timer 0 109 3 1 200 ffffd08011ccd040 vmem_rehash vmem_rehash 0 100 3 0 200 ffffd08011cc9300 entbutler entropy 0 99 3 0 200 ffffd080117c0b40 viomb balloon 0 98 3 1 200 ffffd080117c0700 vioif0_txrx/1 vioif0_txrx 0 97 3 0 200 ffffd080117c02c0 vioif0_txrx/0 vioif0_txrx 0 30 3 0 200 ffffd080103d36c0 scsibus0 sccomp 0 29 3 0 200 ffffd080103d3280 pms0 pmsreset 0 28 3 1 200 ffffd080103baac0 xcall/1 xcall 0 27 1 1 200 ffffd080103ba680 softser/1 0 26 1 1 200 ffffd080103ba240 softclk/1 0 25 1 1 200 ffffd080103b7a80 softbio/1 0 24 1 1 200 ffffd080103b7640 softnet/1 0 23 1 1 201 ffffd080103b7200 idle/1 0 22 3 1 200 ffffd0800f1d2a40 lnxsyswq lnxsyswq 0 21 3 1 200 ffffd0800f1d2600 lnxubdwq lnxubdwq 0 20 3 1 200 ffffd0800f1d21c0 lnxpwrwq lnxpwrwq 0 19 3 1 200 ffffd0800f1d1a00 lnxlngwq lnxlngwq 0 18 3 1 200 ffffd0800f1d15c0 lnxhipwq lnxhipwq 0 17 3 0 200 ffffd0800f1d1180 lnxrcugc lnxrcugc 0 16 3 0 200 ffffd0800f1ca9c0 sysmon smtaskq 0 15 3 0 200 ffffd0800f1ca580 pmfsuspend pmfsuspend 0 14 3 0 200 ffffd0800f1ca140 pmfevent pmfevent 0 13 3 0 200 ffffd0800f1c8980 sopendfree sopendfr 0 12 3 0 200 ffffd0800f1c8540 ifwdog ifwdog 0 11 3 0 200 ffffd0800f1c8100 iflnkst iflnkst 0 10 3 0 200 ffffd0800f1be940 nfssilly nfssilly 0 9 3 1 200 ffffd0800f1be500 pooldisp pooldisp 0 8 3 1 200 ffffd0800f1be0c0 modunload mod_unld 0 7 3 0 200 ffffd0800ebc9900 xcall/0 xcall 0 6 1 0 200 ffffd0800ebc94c0 softser/0 0 5 1 0 200 ffffd0800ebc9080 softclk/0 0 4 3 0 200 ffffd0800ebc88c0 softbio/0 rwlock 0 3 1 0 200 ffffd0800ebc8480 softnet/0 0 2 1 0 201 ffffd0800ebc8040 idle/0 0 0 3 1 200 ffffffff86a6f9c0 swapper uvm [Locks tracked through LWPs] ****** LWP 3281.3281 (syz-executor.1) @ 0xffffd08013b6b900, l_stat=7 *** Locks held: * Lock 0 (initialized at netbsd:kcov_open+0x10d sys/kern/subr_kcov.c:461) lock address : ffffd08013f872c0 type : sleep/adaptive initialized : netbsd:kcov_open+0x10d shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd08013b6b900 last held: 0xffffd08013b6b900 last locked* : netbsd:kcov_fops_ioctl+0xa0 unlocked : 0 owner field : 0xffffd08013b6b900 wait/spin: 0/0 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at netbsd:uvm_map_setup+0x2a0 sys/uvm/uvm_map.c:4786) lock address : netbsd:kernel_map_store+0x8 type : sleep/adaptive initialized : netbsd:uvm_map_setup+0x2a0 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd08013b6b900 last held: 0xffffd08013b6b900 last locked* : netbsd:uvm_map_prepare+0xd7f unlocked : netbsd:uvm_fault_lower_enter+0x2071 owner/count : 0xffffd08013b6b900 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 2 (initialized at netbsd:pmap_bootstrap+0x20c sys/arch/x86/x86/pmap.c:1237) lock address : netbsd:kernel_pmap_store+0x180 type : sleep/adaptive initialized : netbsd:pmap_bootstrap+0x20c shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd08013b6b900 last held: 0xffffd08013b6b900 last locked* : netbsd:pmap_growkernel+0x98 unlocked : netbsd:pmap_pp_remove+0x26b3 owner field : 0xffffd08013b6b900 wait/spin: 1/0 Turnstile: => 0 waiting readers: => 1 waiting writers: 0xffffd080121d7a80 *** Locks wanted: none ****** LWP 2200.2200 (sh) @ 0xffffd08013b6b4c0, l_stat=7 *** Locks held: * Lock 0 (initialized at netbsd:amap_ctor+0xdf sys/uvm/uvm_amap.c:265) lock address : ffffd08013f878c0 type : sleep/adaptive initialized : netbsd:amap_ctor+0xdf shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffd08013b6b4c0 last held: 0xffffd08013b6b4c0 last locked* : netbsd:uvm_fault_internal+0x1d08 unlocked : 0 owner/count : 0xffffd08013b6b4c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at netbsd:uvmpdpol_init+0x3b sys/uvm/uvm_pdpolicy_clock.c:643) lock address : netbsd:pdpol_state type : sleep/adaptive initialized : netbsd:uvmpdpol_init+0x3b shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 0 last held: 0 relevant lwp : 0xffffd08013b6b4c0 last held: 0xffffd08013b6b4c0 last locked* : netbsd:uvmpdpol_pagerealize+0x1cd unlocked : netbsd:uvmpdpol_selectvictim+0x129b owner field : 000000000000000000 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 2908.3516 (syz-executor.5) @ 0xffffd080135f65c0, l_stat=2 *** Locks held: * Lock 0 (initialized at netbsd:fork1+0x972 sys/kern/kern_fork.c:366) lock address : ffffd08012318390 type : sleep/adaptive initialized : netbsd:fork1+0x972 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd080135f65c0 last held: 0xffffd080135f65c0 last locked* : netbsd:execve_loadvm+0x708 unlocked : 0 owner/count : 0xffffd080135f65c0 flags : 0x0000000000000004 Turnstile: no active turnstile for this lock. * Lock 1 (initialized at netbsd:procinit+0x85 sys/kern/kern_proc.c:387) lock address : netbsd:proc_lock type : sleep/adaptive initialized : netbsd:procinit+0x85 shared holds : 0 exclusive: 1 shares wanted: 0 exclusive: 0 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd080135f65c0 last held: 0xffffd080135f65c0 last locked* : netbsd:proclist_foreach_call+0xad unlocked : netbsd:proclist_foreach_call+0xa73 owner field : 0xffffd080135f65c0 wait/spin: 0/0 Turnstile: no active turnstile for this lock. *** Locks wanted: none ****** LWP 1590.1590 (syz-executor.1) @ 0xffffd0801233d700, l_stat=2 *** Locks held: none *** Locks wanted: * Lock 0 (initialized at netbsd:fork1+0xa35 sys/kern/kern_fork.c:377) lock address : ffffd08012d1bd40 type : sleep/adaptive initialized : netbsd:fork1+0xa35 shared holds : 0 exclusive: 0 shares wanted: 0 exclusive: 1 relevant cpu : 1 last held: 1 relevant lwp : 0xffffd0801233d700 last held: 000000000000000000 last locked : netbsd:cv_timedwait+0x1aa unlocked* : netbsd:cv_enter+0x348 owner field : 0xffffd0801233d700 wait/spin: 0/0 Turnstile: no active turnstile for this lock. ****** LWP 333193768.0 (uvm_fault(0xffffd080137f46c0, 0x0, 1) -> e [ 192.6388998] fatal page fault in supervisor mode [ 192.6388998] trap type 6 code 0 rip 0xffffffff8547c250 cs 0x8 rflags 0x10246 cr2 0x8 ilevel 0x8 rsp 0xffffd080c8780860 [ 192.6388998] curlwp 0xffffd08013b6b900 pid 3281.3281 lowest kstack 0xffffd080c877a2c0 kernel: page fault trap, code=0 Faulted in DDB; continuing...