panic: pmap_san_enter_alloc_4k: no memory to grow shadow map
cpuid = 1
time = 1767076290
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xc6/frame 0xfffffe0056fe6010
kdb_backtrace() at kdb_backtrace+0xd0/frame 0xfffffe0056fe6170
vpanic() at vpanic+0x257/frame 0xfffffe0056fe6330
panic() at panic+0xb5/frame 0xfffffe0056fe63f0
pmap_san_enter_alloc_4k() at pmap_san_enter_alloc_4k+0x4b/frame 0xfffffe0056fe6410
pmap_san_enter() at pmap_san_enter+0x353/frame 0xfffffe0056fe6450
kasan_shadow_map() at kasan_shadow_map+0x78/frame 0xfffffe0056fe6470
pmap_growkernel() at pmap_growkernel+0xd1/frame 0xfffffe0056fe64d0
vm_map_insert1() at vm_map_insert1+0x672/frame 0xfffffe0056fe6610
vm_map_find_locked() at vm_map_find_locked+0xa12/frame 0xfffffe0056fe6780
vm_map_find() at vm_map_find+0xc7/frame 0xfffffe0056fe67f0
kva_import() at kva_import+0xd4/frame 0xfffffe0056fe68d0
vmem_try_fetch() at vmem_try_fetch+0x21e/frame 0xfffffe0056fe69c0
vmem_xalloc() at vmem_xalloc+0x538/frame 0xfffffe0056fe6a60
kva_import_domain() at kva_import_domain+0x5f/frame 0xfffffe0056fe6ab0
vmem_try_fetch() at vmem_try_fetch+0x21e/frame 0xfffffe0056fe6b90
vmem_xalloc() at vmem_xalloc+0x538/frame 0xfffffe0056fe6c30
vmem_alloc() at vmem_alloc+0x170/frame 0xfffffe0056fe6c90
kmem_malloc_domainset() at kmem_malloc_domainset+0x1a6/frame 0xfffffe0056fe6dd0
malloc_large() at malloc_large+0x3e/frame 0xfffffe0056fe6e10
ip6_ctloutput() at ip6_ctloutput+0xb56/frame 0xfffffe0056fe7890
udp_ctloutput() at udp_ctloutput+0x21b/frame 0xfffffe0056fe7970
sogetopt() at sogetopt+0x1fa/frame 0xfffffe0056fe7af0
kern_getsockopt() at kern_getsockopt+0x2a9/frame 0xfffffe0056fe7c50
sys_getsockopt() at sys_getsockopt+0x121/frame 0xfffffe0056fe7d10
ia32_syscall() at ia32_syscall+0x4d2/frame 0xfffffe0056fe7f30
int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xdfffcf98
KDB: enter: panic
[ thread pid 876 tid 100150 ]
Stopped at kdb_enter+0x6e: movq $0,0x2587a77(%rip)
db>
db> set $lines = 0
db> set 
$maxwidth = 0 db> show registers cs 0x20 ds 0x3b es 0x3b fs 0x13 gs 0x1b ss 0 rax 0x12 rcx 0xfffffe0002bf1850 rdx 0xdffff7c000000000 rbx 0xffffffff8283c160 .str.27 rsp 0xfffffe0056fe6150 rbp 0xfffffe0056fe6170 rsi 0 rdi 0xffffffff830004e0 panicstr r8 0 r9 0xffffffff r10 0 r11 0x3f r12 0xfffffe0058b07780 r13 0xfffffffffffffffd r14 0xffffffff8283c160 .str.27 r15 0 rip 0xffffffff8164d41e kdb_enter+0x6e rflags 0x46 kdb_enter+0x6e: movq $0,0x2587a77(%rip) db> show proc Process 876 (syz-executor) at 0xfffffe0058aed570: state: NORMAL uid: 0 gid: 0 supp gids: 0, 5 parent: pid 862 at 0xfffffe0058a0d570 ABI: FreeBSD ELF32 flag: 0x10000080 flag2: 0 arguments: ./syz-executor exec reaper: 0xfffffe0007809010 reapsubtree: 1 sigparent: 20 vmspace: 0xfffffe0007810db0 (map 0xfffffe0007810db0) (map.pmap 0xfffffe0007810e50) (pmap 0xfffffe0007810ec0) threads: 2 100122 RunQ syz-executor 100150 Run CPU 1 syz-executor db> ps pid ppid pgrp uid state wmesg wchan cmd 876 862 862 0 R (threaded) syz-executor 100122 RunQ syz-executor 100150 Run CPU 1 syz-executor 870 739 0 0 NE+ sysctl 869 773 869 0 R syz-executor 868 867 851 0 R arp 867 851 851 0 S wait 0xfffffe0058acb010 sh 866 864 864 0 LV *kernel 0xfffffe000782f600 syz-executor 864 773 864 0 D ppwait 0xfffffe0058a03fb8 syz-executor 863 773 863 0 R syz-executor 862 773 862 0 R syz-executor 861 1 829 0 T (threaded) syz-executor 100142 s syz-executor 100148 RunQ syz-executor 860 1 822 0 T (threaded) syz-executor 100143 s syz-executor 100147 RunQ syz-executor 859 1 825 0 T (threaded) syz-executor 100125 s syz-executor 100146 RunQ syz-executor 853 1 819 0 T (threaded) syz-executor 100133 s syz-executor 100145 RunQ syz-executor 851 831 851 0 Ss wait 0xfffffe0058aec568 dhclient 837 1 837 0 Ss select 0xfffffe006ecfbb40 dhclient 831 815 423 65 S piperd 0xfffffe0059bc99f8 dhclient 815 423 423 0 S wait 0xfffffe0058aecac0 sh 773 772 770 0 S select 0xfffffe006df98bc0 syz-executor 772 770 770 0 S (threaded) syz-execprog 100091 S uwait 0xfffffe0059a3ef00 
syz-execprog 100115 S uwait 0xfffffe00585f4800 syz-execprog 100116 S uwait 0xfffffe00585f4700 syz-execprog 100117 S uwait 0xfffffe00585f4600 syz-execprog 100118 S uwait 0xfffffe00585f4500 syz-execprog 100119 S uwait 0xfffffe0059a3da80 syz-execprog 100120 S kqread 0xfffffe0059a84200 syz-execprog 100140 S uwait 0xfffffe00585f4d00 syz-execprog 770 768 770 0 Ss sigsusp 0xfffffe0058a04618 csh 768 681 768 0 Ss select 0xfffffe006df98ac0 sshd 747 1 747 0 Ss+ ttyin 0xfffffe005422dcb0 getty 746 1 746 0 Ss+ ttyin 0xfffffe00599538b0 getty 745 1 745 0 Ss+ ttyin 0xfffffe00542300b0 getty 744 1 744 0 Ss+ ttyin 0xfffffe00542308b0 getty 743 1 743 0 Ss+ ttyin 0xfffffe0007bf70b0 getty 742 1 742 0 Ss+ ttyin 0xfffffe0007bf78b0 getty 741 1 741 0 Ss+ ttyin 0xfffffe0007bf80b0 getty 740 1 740 0 Ss+ ttyin 0xfffffe0007bf88b0 getty 739 1 739 0 Ss+ ttyin 0xfffffe0007bf90b0 getty 737 1 17 0 S+ piperd 0xfffffe0059bcde60 logger 736 735 17 0 S+ nanslp 0xffffffff83bb5f40 sleep 735 1 17 0 S+ wait 0xfffffe0058aeb008 sh 685 1 685 0 Ss nanslp 0xffffffff83bb5f40 cron 681 1 681 0 Ss select 0xfffffe0059a8eb40 sshd 494 1 494 0 Ss select 0xfffffe0058685340 syslogd 423 1 423 0 Ss wait 0xfffffe0058ac9558 devd 422 1 422 65 Ss select 0xfffffe0059a8f0c0 dhclient 337 1 337 0 Ss select 0xfffffe006df9a0c0 dhclient 334 1 334 0 Ss select 0xfffffe0059a8f140 dhclient 16 0 0 0 DL syncer 0xffffffff83ce3ae0 [syncer] 15 0 0 0 DL vlruwt 0xfffffe0058a02558 [vnlru] 14 0 0 0 DL (threaded) [bufdaemon] 100079 D psleep 0xffffffff83ce2020 [bufdaemon] 100082 D - 0xffffffff83001ec0 [bufspacedaemon-0] 100094 D sdflush 0xfffffe0057f1fce8 [/ worker] 9 0 0 0 DL psleep 0xffffffff83d23380 [vmdaemon] 8 0 0 0 LL (threaded) [pagedaemon] 100077 L *kernel 0xfffffe000782f600 [dom0] 100080 D launds 0xffffffff83d09454 [laundry: dom0] 100081 D umarecl 0xffffffff83d084e0 [uma] 7 0 0 0 RL CPU 0 [rand_harvestq] 6 0 0 0 DL pftm 0xffffffff8440bf80 [pf purge] 5 0 0 0 DL waiting 0xffffffff84831700 [sctp_iterator] 4 0 0 0 DL (threaded) [cam] 100045 D - 
0xffffffff838f8340 [doneq0] 100046 D - 0xffffffff838f82c0 [async] 100075 D - 0xffffffff838f8140 [scanner] 3 0 0 0 DL (threaded) [crypto] 100042 D crypto_ 0xffffffff83d04ce0 [crypto] 100043 D crypto_ 0xfffffe00077af830 [crypto returns 0] 100044 D crypto_ 0xfffffe00077af880 [crypto returns 1] 13 0 0 0 DL (threaded) [geom] 100037 D - 0xffffffff83b5e520 [g_event] 100038 D - 0xffffffff83b5e540 [g_up] 100039 D - 0xffffffff83b5e560 [g_down] 2 0 0 0 WL (threaded) [clock] 100031 I [clock (0)] 100032 I [clock (1)] 12 0 0 0 WL (threaded) [intr] 100013 I [swi6: task queue] 100014 I [swi6: Giant taskq] 100016 I [swi5: fast taskq] 100033 I [swi1: netisr 0] 100034 I [swi1: hpts] 100035 I [swi1: hpts] 100047 I [irq24: virtio_pci0] 100048 I [irq25: virtio_pci0] 100049 I [irq26: virtio_pci0] 100050 I [irq27: virtio_pci0] 100051 I [irq28: virtio_pci1] 100052 I [irq29: virtio_pci1] 100053 I [irq30: virtio_pci1] 100054 I [irq31: virtio_pci1] 100055 I [irq32: virtio_pci1] 100060 I [irq10: virtio_pci2] 100062 I [irq1: atkbd0] 100063 I [irq12: psm0] 100064 I [swi0: uart uart++] 100068 I [swi1: pf send] 11 0 0 0 RL (threaded) [idle] 100003 CanRun [idle: cpu0] 100004 CanRun [idle: cpu1] 1 0 1 0 SLs wait 0xfffffe0007809010 [init] 10 0 0 0 DL audit_w 0xffffffff83d05780 [audit] 0 0 0 0 DLs (threaded) [kernel] 100000 D - 0xffffffff84c5dff0 [kernel] 100005 D - 0xfffffe00077cb000 [softirq_0] 100006 D - 0xfffffe00077cae00 [softirq_1] 100007 D - 0xfffffe00077cad00 [if_io_tqg_0] 100008 D - 0xfffffe00077cac00 [if_io_tqg_1] 100009 D - 0xfffffe00077cab00 [if_config_tqg_0] 100010 D - 0xfffffe00077caa00 [kqueue_ctx taskq] 100011 D - 0xfffffe00077ca900 [jail_remove taskq] 100012 D - 0xfffffe00077ca800 [bus taskq] 100015 D - 0xfffffe00077ca500 [thread taskq] 100017 D - 0xfffffe00077ca300 [aiod_kick taskq] 100018 D - 0xfffffe00077ca200 [deferred_unmount ta] 100019 D - 0xfffffe00077ca100 [inm_free taskq] 100020 D - 0xfffffe00077ca000 [in6m_free taskq] 100021 D - 0xfffffe00077c9e00 [linuxkpi_irq_wq] 100022 D 
- 0xfffffe00077c9d00 [linuxkpi_short_wq_0] 100023 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_1] 100024 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_2] 100025 D - 0xfffffe00077c9d00 [linuxkpi_short_wq_3] 100026 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_0] 100027 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_1] 100028 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_2] 100029 D - 0xfffffe00077c9c00 [linuxkpi_long_wq_3] 100036 D - 0xfffffe00077c9b00 [firmware taskq] 100040 D - 0xfffffe00077c9100 [crypto_0] 100041 D - 0xfffffe00077c9100 [crypto_1] 100056 D - 0xfffffe00077c8900 [vtnet0 rxq 0] 100057 D - 0xfffffe00077c8800 [vtnet0 txq 0] 100058 D - 0xfffffe00077c8700 [vtnet0 rxq 1] 100059 D - 0xfffffe00077c8600 [vtnet0 txq 1] 100061 D vtbslp 0xfffffe005800d900 [virtio_balloon] 100065 D - 0xffffffff82840841 [deadlkres] 100069 D - 0xfffffe00077c8b00 [acpi_task_0] 100070 D - 0xfffffe00077c8b00 [acpi_task_1] 100071 D - 0xfffffe00077c8b00 [acpi_task_2] 100073 D - 0xfffffe00077cb100 [mca taskq] 100074 D - 0xfffffe00077c8a00 [CAM taskq] 100076 D - 0xfffffe00077c8300 [ipsec_offload] db> show all locks Process 876 (syz-executor) thread 0xfffffe0058b07780 (100150) exclusive sleep mutex vm map (system) (vm map (system)) r = 0 (0xffffffff83d088a0) locked @ /syzkaller/managers/i386/kernel/sys/vm/vm_map.c:2124 Process 869 (syz-executor) thread 0xfffffe0058afd780 (100121) shared sx killpg racer (killpg racer) r = 0 (0xfffffe0058ad92b0) locked @ /syzkaller/managers/i386/kernel/sys/kern/kern_fork.c:979 Process 866 (syz-executor) thread 0xfffffe0058a11000 (100089) exclusive sx vm map (user) (vm map (user)) r = 0 (0xfffffe000780fe10) locked @ /syzkaller/managers/i386/kernel/sys/vm/vm_map.c:1975 shared lockmgr ufs (ufs) r = 0 (0xfffffe00543df070) locked @ /syzkaller/managers/i386/kernel/sys/kern/imgact_elf.c:1347 Process 861 (syz-executor) thread 0xfffffe0058b08000 (100148) exclusive sleep mutex vm page free queue (vm page free queue) r = 0 (0xffffffff83d09040) locked @ 
/syzkaller/managers/i386/kernel/sys/vm/vm_page.c:2766 exclusive rw kernel vm object (kernel vm object) r = 0 (0xffffffff83d08c80) locked @ /syzkaller/managers/i386/kernel/sys/vm/vm_kern.c:666 Process 8 (pagedaemon) thread 0xfffffe0058a14780 (100077) shared rw UMA lock (UMA lock) r = 0 (0xffffffff830033c0) locked @ /syzkaller/managers/i386/kernel/sys/vm/uma_core.c:3106 shared sx umareclaim (umareclaim) r = 0 (0xffffffff83d084e0) locked @ /syzkaller/managers/i386/kernel/sys/vm/uma_core.c:5322 Process 7 (rand_harvestq) thread 0xfffffe00079f7000 (100072) exclusive sleep mutex reseed mutex (reseed mutex) r = 0 (0xffffffff83939810) locked @ /syzkaller/managers/i386/kernel/sys/dev/random/fortuna.c:343 db> show malloc Type InUse MemUse Requests pf_hash 6 12804K 6 devbuf 8283 7252K 8308 linker 385 5207K 499 tcp_hpts 8 4865K 8 sysctloid 35065 2066K 35140 vtbuf 24 1968K 46 newblk 1807 1476K 1881 kobj 337 1348K 501 vfscache 3 1025K 3 pcb 24 669K 55 inodedep 93 547K 134 ufs_quota 1 512K 1 vfs_hash 1 512K 1 callout 2 512K 2 intr 4 472K 4 subproc 123 250K 943 vnet_data 2 224K 2 acpitask 1 224K 1 KTRACE 100 200K 100 acpica 1674 184K 56977 vmem 5 144K 7 pagedep 53 141K 69 tidhash 3 141K 3 tfo_ccache 1 128K 1 IP reass 1 128K 1 DEVFS1 107 107K 129 sem 4 106K 4 gtaskqueue 18 98K 18 bus 1015 83K 5167 LRO 20 83K 30 filedesc 11 77K 176 mtx_pool 3 74K 3 syncache 1 68K 1 NFSD srvcache 3 68K 3 module 529 67K 529 ddb_capture 1 64K 1 BPF 28 39K 29 kdtrace 194 38K 1028 umtx 288 36K 288 hostcache 1 32K 1 shm 1 32K 1 DEVFS3 126 32K 137 msg 4 30K 4 kbdmux 6 28K 6 temp 35 21K 2015 DEVFS_RULE 56 20K 56 ifaddr 72 18K 92 ufs_mount 4 17K 5 proc 3 17K 3 tty 16 16K 16 routetbl 218 16K 795 ithread 90 15K 90 bus-sc 34 15K 1690 eventhandler 170 14K 170 lltable 43 13K 63 kenv 95 12K 95 plimit 27 11K 474 GEOM 49 11K 431 CAM queue 5 11K 1528 rman 75 10K 430 cred 24 9K 283 rpc 8 9K 8 bmsafemap 2 9K 100 diradd 65 9K 96 devstat 4 9K 4 UART 12 9K 12 ksem 1 8K 1 shmfd 1 8K 1 pfs_vncache 1 8K 1 audit_evclass 240 8K 
306 ifnet 8 8K 9 taskqueue 69 8K 69 kqueue 61 7K 883 sglist 6 7K 6 CAM DEV 3 6K 510 mkdir 45 6K 116 pfs_nodes 22 6K 22 ether_multi 68 6K 223 newdirblk 43 6K 58 pf_ifnet 12 5K 27 ufs_dirhash 22 5K 24 UMA 268 5K 268 in6_multi 35 5K 85 dirrem 17 5K 47 vt 11 5K 11 memdesc 1 4K 1 MCA 32 4K 32 evdev 4 4K 4 pwddesc 56 4K 881 acpisem 28 4K 28 proc-args 95 4K 2042 selfd 45 3K 28054 terminal 11 3K 11 session 22 3K 52 indirdep 10 3K 10 acpidev 20 3K 20 hhook 8 3K 10 uidinfo 3 3K 9 netlink 2 3K 134 local_apic 1 2K 1 io_apic 1 2K 1 ipsec-saq 2 2K 2 clone 8 2K 8 lockf 19 2K 29 tun 5 2K 6 CAM XPT 22 2K 543 Unitno 25 2K 57 toponodes 6 2K 6 ipsecpolicy 2 2K 2 select 11 2K 35 ip6opt 10 2K 13 ip6ndp 11 2K 18 msi 9 2K 9 softdep 1 1K 1 sahead 1 1K 1 secasvar 1 1K 1 mld 8 1K 9 igmp 8 1K 9 vnodemarker 2 1K 10 NFSD session 1 1K 1 sctp_ifa 7 1K 18 CAM periph 4 1K 271 ipsec 3 1K 3 CC Mem 6 1K 13 in_multi 3 1K 11 nhops 6 1K 10 pfil 6 1K 6 isadev 6 1K 6 DEVFSP 12 1K 45 mount 16 1K 89 pci_link 10 1K 10 crypto 4 1K 4 encap_export_host 12 1K 12 osd 11 1K 30 inpcbpolicy 19 1K 201 cdev 2 1K 2 lkpikmalloc 8 1K 9 counter_rate 13 1K 13 sctp_ifn 3 1K 18 chacha20random 1 1K 1 biobuf 1 1K 1 vnodes 1 1K 1 procdesc 2 1K 8 NFSD lckfile 1 1K 1 NFSD V4client 1 1K 1 DEVFS 9 1K 10 CAM SIM 2 1K 2 tcpfunc 3 1K 3 loginclass 3 1K 7 prison 6 1K 6 cryptodev 2 1K 49 nexusdev 8 1K 8 apmdev 1 1K 1 atkbddev 2 1K 2 pmchooks 1 1K 1 filecaps 5 1K 72 CAM path 4 1K 1034 CAM dev queue 2 1K 2 CAM I/O Scheduler 1 1K 1 soname 4 1K 3357 sctp_vrf 1 1K 1 freework 1 1K 37 vnet 1 1K 1 iov 1 1K 15415 pmc 1 1K 1 entropy 2 1K 61 acpiintr 1 1K 1 cpus 2 1K 2 vnet_data_free 1 1K 1 Per-cpu 1 1K 1 p1003.1b 1 1K 1 tcp_pcm_rack 0 0K 0 tcp_do_rack 0 0K 0 tcp_fsb_rack 0 0K 0 sctp_mcore 0 0K 0 sctp_socko 0 0K 0 sctp_iter 0 0K 21 sctp_mvrf 0 0K 0 sctp_timw 0 0K 0 sctp_cpal 0 0K 0 sctp_cmsg 0 0K 0 sctp_stre 0 0K 0