NetBSD-Bugs archive
kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on 8.99.3 [syzkaller]
>Number: 52676
>Category: kern
>Synopsis: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on 8.99.3 [syzkaller]
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 30 19:50:00 +0000 2017
>Originator: Kamil Rytarowski
>Release: NetBSD 8.99.3
>Organization:
TNF
>Environment:
NetBSD 8.99.3 NetBSD 8.99.3 (GENERIC) #0: Sat
Sep 30 12:34:57 IST 2017
utkarsh@utkarsh-GP62-6QE:/extra/amd64/sys/arch/amd64/compile/GENERIC
amd64
>Description:
panic: kernel diagnostic assertion "pmap->pm_obj[i].uo_npages == 0"
failed: file "/extra/netbsd-src/sys/arch/x86/x86/pmap.c", line 2368
cpu1: Begin traceback...
vpanic() at netbsd:vpanic+0x140
ch_voltag_convert_in() at netbsd:ch_voltag_convert_in
pmap_destroy() at netbsd:pmap_destroy+0x265
pmap_pp_remove() at netbsd:pmap_pp_remove+0x27a
uvm_anon_dispose() at netbsd:uvm_anon_dispose+0x11f
uvm_anon_freelst() at netbsd:uvm_anon_freelst+0x35
amap_wipeout() at netbsd:amap_wipeout+0x133
uvm_unmap_detach() at netbsd:uvm_unmap_detach+0x44
uvmspace_free() at netbsd:uvmspace_free+0xf4
exit1() at netbsd:exit1+0x1a0
sys_exit() at netbsd:sys_exit+0x3d
syscall() at netbsd:syscall+0x1d8
--- syscall (number 1) ---
Reported by Dmitry Vyukov (google), found by syzkaller.
>How-To-Repeat:
1. Build syz-execprog from google/syzkaller
2. Fetch reproducer.
https://gist.githubusercontent.com/dvyukov/13a6f173306c00ebbb3552ce689b566f/raw/9e35a7ff8e572963c30e5ea5c372d30badf94212/gistfile1.txt
3. Spawn a machine with >= 4 cores with hw assisted virtualization (qemu-kvm)
4. ./syz-execprog -procs=8 -repeat=0 prog
where prog is the fetched gistfile1.txt
///
This is not reproducible by me with softemu in qemu, and it looks like a race.
>Fix:
N/A