panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 315
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*438258 9196 0 0x8000000 0x4000000 0K syz-executor.5
273577 99025 77 0x18100012 0 1 dhcpleased
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157
tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315
if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384
ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b
sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9
syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline]
syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb164cefe1a0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 315
ddb{0}> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157
tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315
if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384
ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b
sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9
syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline]
syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb164cefe1a0, count: -9
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff80002f8eec00
rbx 0xffffffff82d50cbf cpu_info_full_primary+0x2cbf
rdx 0xffff800000ecbe40
rcx 0xffff8000ffffcce0
rax 0xffffffff82d4fff0 cpu_info_full_primary+0x1ff0
r8 0
r9 0x8080808080808080
r10 0xc8623fe200e2713a
r11 0x718ff9b3deffe2fd
r12 0xffffffff82d50ac0 cpu_info_full_primary+0x2ac0
r13 0
r14 0
r15 0x1
rip 0xffffffff826964fc db_enter+0x1c
cs 0x8
rflags 0x246
rsp 0xffff80002f8eebf0
ss 0x10
db_enter+0x1c: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.5) tid=438258 pid=9196 tcnt=2 stat=onproc
flags process=8000000 proc=4000000<THREAD>
runpri=32, usrpri=82, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0
forw=0xffffffffffffffff, list=0xffff80002f114d10,0xffff80002a1aed00
process=0xffff80002f2c6818 user=0xffff80002f8ea000, vmspace=0xfffffd806b5b9dd8
estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
94984 186617 4377 0 2 0x8000000 syz-executor.1
9196 212731 68487 0 2 0x8000000 syz-executor.5
* 9196 438258 68487 0 7 0xc000000 syz-executor.5
34378 252525 82550 0 2 0x8000480 syz-executor.3
34378 278969 82550 0 3 0xc000080 kqread syz-executor.3
34378 241289 82550 0 3 0xc000080 fsleep syz-executor.3
45295 179891 1 0 3 0x18000082 nanoslp getty
815 304311 50936 0 2 0x8000480 syz-executor.4
815 427985 50936 0 3 0xc000080 kqsel syz-executor.4
815 177219 50936 0 3 0xc000080 kqsel syz-executor.4
815 296543 50936 0 3 0xc000080 fsleep syz-executor.4
99858 239040 70701 0 2 0x8000480 syz-executor.7
99858 273022 70701 0 3 0xc000080 kqsel syz-executor.7
99858 148111 70701 0 3 0xc000080 kqsel syz-executor.7
99858 5489 70701 0 3 0xc000080 fsleep syz-executor.7
50936 381008 13881 0 2 0x8000482 syz-executor.4
82550 381473 13881 0 2 0x8000482 syz-executor.3
68487 47516 13881 0 2 0x8000482 syz-executor.5
70701 497557 13881 0 2 0x8000482 syz-executor.7
4377 429049 13881 0 2 0x8000482 syz-executor.1
81292 278284 13881 0 2 0x8000482 syz-executor.2
3989 215934 0 0 3 0x14200 acct acct
66259 112264 13881 0 2 0x8000482 syz-executor.0
46462 217362 0 0 3 0x14280 nfsidl nfsio
94962 157707 0 0 3 0x14280 nfsidl nfsio
49077 246840 0 0 3 0x14280 nfsidl nfsio
73918 520353 0 0 3 0x14280 nfsidl nfsio
36254 80377 0 0 3 0x14280 nfsidl nfsio
93660 206199 0 0 3 0x14280 nfsidl nfsio
85771 154016 0 0 3 0x14280 nfsidl nfsio
21583 232095 0 0 3 0x14280 nfsidl nfsio
26102 308196 0 0 3 0x14280 nfsidl nfsio
60177 77544 0 0 3 0x14280 nfsidl nfsio
66015 1145 0 0 3 0x14280 nfsidl nfsio
28805 237982 0 0 3 0x14280 nfsidl nfsio
54162 355210 0 0 3 0x14280 nfsidl nfsio
31855 237603 0 0 3 0x14280 nfsidl nfsio
72933 187027 0 0 3 0x14280 nfsidl nfsio
79358 512121 0 0 3 0x14280 nfsidl nfsio
77709 363917 0 0 3 0x14280 nfsidl nfsio
28283 344742 0 0 3 0x14280 nfsidl nfsio
19678 99629 0 0 3 0x14280 nfsidl nfsio
5948 35123 0 0 3 0x14280 nfsidl nfsio
24134 287614 0 0 3 0x14200 bored sosplice
13881 317782 51761 0 3 0x1a000082 thrsleep syz-fuzzer
13881 296711 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 344763 51761 0 3 0x1e000082 wait syz-fuzzer
13881 443467 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 390931 51761 0 3 0x1e000082 wait syz-fuzzer
13881 460699 51761 0 3 0x1e000082 wait syz-fuzzer
13881 301206 51761 0 3 0x1e000082 kqread syz-fuzzer
13881 155634 51761 0 3 0x1e000082 wait syz-fuzzer
13881 514178 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 45938 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 453123 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 448780 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 359497 51761 0 3 0x1e000082 wait syz-fuzzer
13881 123646 51761 0 3 0x1e000082 wait syz-fuzzer
13881 328136 51761 0 3 0x1e000082 wait syz-fuzzer
13881 167872 51761 0 3 0x1e000082 thrsleep syz-fuzzer
13881 98699 51761 0 3 0x1e000082 thrsleep syz-fuzzer
51761 211629 25406 0 3 0x810008a sigsusp ksh
25406 25175 13579 0 3 0x1800009a kqread sshd
13579 49624 1 0 3 0x18000088 kqread sshd
36168 324780 18293 73 3 0x19100090 kqread syslogd
18293 402692 1 0 3 0x18100082 sbwait syslogd
37117 521369 1 0 3 0x18100080 kqread resolvd
99025 273577 7960 77 7 0x18100012 dhcpleased
26381 254842 7960 77 3 0x18100092 kqread dhcpleased
7960 47865 1 0 3 0x18000080 kqread dhcpleased
60984 206745 0 0 3 0x14200 bored smr
49923 420030 0 0 2 0x14200 zerothread
1738 61566 0 0 3 0x14200 aiodoned aiodoned
47223 284111 0 0 3 0x14200 syncer update
55638 49689 0 0 3 0x14200 cleaner cleaner
96592 440893 0 0 3 0x14200 reaper reaper
47351 65984 0 0 3 0x14200 pgdaemon pagedaemon
84483 366243 0 0 3 0x14200 bored viomb
6043 253830 0 0 3 0x40014200 acpi0 acpi0
9996 330863 0 0 3 0x40014200 idle1
71061 130425 0 0 3 0x14200 bored softnet3
87913 460908 0 0 3 0x14200 bored softnet2
4653 102558 0 0 3 0x14200 bored softnet1
35505 509258 0 0 3 0x14200 bored softnet0
38690 448378 0 0 3 0x14200 bored systqmp
70620 387873 0 0 3 0x14200 bored systq
30456 75337 0 0 3 0x14200 tmoslp softclockmp
57584 275891 0 0 2 0x40014200 softclock
69634 391599 0 0 3 0x40014200 idle0
1 142270 0 0 3 0x8080082 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 9196 (syz-executor.5) thread 0xffff8000ffffcce0 (438258)
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 10197 6642K 6896K 166960K 16621 0
pcb 15 11K 12K 166960K 622 0
rtable 176 6K 8K 166960K 2585 0
pf 29 9K 10K 166960K 291 0
ifaddr 36 14K 16K 166960K 344 0
ifgroup 49 2K 3K 166960K 495 0
sysctl 4 1K 2K 166960K 17 0
counters 62 36K 37K 166960K 282 0
ioctlops 0 0K 4K 166960K 1731 0
iov 0 0K 24K 166960K 393 0
mount 1 1K 1K 166960K 1 0
log 0 0K 0K 166960K 4 0
vnodes 1446 91K 91K 166960K 4840 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 9K 166960K 103 0
VM map 2 1K 1K 166960K 2 0
sem 17 1K 1K 166960K 242 0
dirhash 12 2K 3K 166960K 159 0
ACPI 1697 195K 286K 166960K 12548 0
file desc 15 53K 89K 166960K 5777 0
sigio 1 0K 0K 166960K 195 0
proc 59 79K 128K 166960K 2712 0
subproc 91 5K 7K 166960K 875 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 4 0K 0K 166960K 965 0
in_multi 69 5K 7K 166960K 926 0
ether_multi 2 0K 0K 166960K 55 0
mrt 1 0K 0K 166960K 32 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 79 360K 360K 166960K 79 0
exec 0 0K 1K 166960K 1736 0
pfkey data 0 0K 0K 166960K 15 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 343 205K 215K 166960K 51963 0
UVM aobj 131 7K 9K 166960K 146 0
pinsyscall 35 70K 108K 166960K 8605 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 1K 166960K 424 0
NDP 10 0K 1K 166960K 253 0
temp 76 6815K 7311K 166960K 141667 0
kqueue 13 20K 29K 166960K 691 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 24 0 0 1 0 1 1 0 8 0
rtpcb 120 716 0 713 3 2 1 3 0 8 0
rtentry 112 872 0 796 6 3 3 4 0 8 0
unpcb 144 4351 0 4335 22 20 2 6 0 8 1
syncache 336 5 0 5 2 2 0 1 0 8 0
tcpqe 32 40 0 40 1 1 0 1 0 8 0
tcpcb 808 1896 0 1890 25 23 2 8 0 8 0
arp 120 174 0 158 1 0 1 1 0 8 0
inpcb 392 5852 0 5839 38 35 3 9 0 8 1
nd6 136 217 0 198 1 0 1 1 0 8 0
pkpcb 40 30 0 30 12 11 1 1 0 8 1
kcovpl 48 67 0 60 1 0 1 1 0 8 0
ppxss 1168 19 0 19 7 7 0 1 0 8 0
pffrag 232 25 0 20 3 2 1 1 0 482 0
pffrnode 88 25 0 20 3 2 1 1 0 8 0
pffrent 40 324 0 319 5 4 1 1 0 8 0
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfstitem 24 378 0 295 1 0 1 1 0 8 0
pfstkey 128 379 0 296 3 0 3 3 0 8 0
pfstate 376 379 0 296 9 0 9 9 0 8 0
pfrule 1344 21 0 16 2 1 1 2 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 3181 0 2881 57 38 19 30 0 8 0
art_table 32 3182 0 2881 7 3 4 4 0 8 0
art_node 16 861 0 798 1 0 1 1 0 8 0
sysvmsgpl 40 35 0 22 1 0 1 1 0 8 0
semupl 112 5 0 5 4 4 0 1 0 8 0
semapl 112 235 0 220 1 0 1 1 0 8 0
shmpl 112 143 0 15 4 0 4 4 0 8 0
dirhash 1024 115 0 98 3 0 3 3 0 8 0
dino2pl 256 9913 0 8384 97 0 97 97 0 8 0
ffsino 272 9913 0 8384 103 0 103 103 0 8 0
nchpl 144 17872 0 16145 67 0 67 67 0 8 0
uvmvnodes 80 6914 0 0 142 0 142 142 0 8 0
vnodes 216 6914 0 0 385 0 385 385 0 8 0
namei 1024 61788 0 61788 7 6 1 2 0 8 1
percpumem 16 155 0 110 1 0 1 1 0 8 0
vcpupl 2048 25 0 0 4 0 4 4 0 8 0
vmpool 696 40 0 15 3 0 3 3 0 8 0
kstatmem 264 242 0 222 3 1 2 3 0 8 0
scsiplug 72 15 0 15 5 4 1 1 0 8 1
scxspl 216 66756 0 66756 18 17 1 8 1 8 1
plimitpl 152 726 0 712 1 0 1 1 0 8 0
sigapl 424 6021 0 5954 11 2 9 9 0 8 0
futexpl 64 72022 0 72019 2 1 1 1 0 8 0
knotepl 120 555 0 0 11 0 11 11 0 8 0
kqueuepl 216 1335 0 1322 1 0 1 1 0 8 0
pipepl 320 879 0 854 3 0 3 3 0 8 0
fdescpl 496 5980 0 5954 5 0 5 5 0 8 0
filepl 152 34727 0 34501 37 24 13 16 0 8 2
lockfpl 104 1593 0 1589 1 0 1 1 0 8 0
lockfspl 48 653 0 649 1 0 1 1 0 8 0
sessionpl 144 94 0 80 1 0 1 1 0 8 0
pgrppl 48 238 0 224 1 0 1 1 0 8 0
ucredpl 104 5235 0 5224 1 0 1 1 0 8 0
zombiepl 144 5956 0 5954 4 3 1 1 0 8 0
processpl 1136 6021 0 5954 6 0 6 6 0 8 0
procpl 656 12511 0 12419 9 0 9 9 0 8 0
srpgc 96 101 0 101 13 13 0 1 0 8 0
sosppl 168 118 0 118 8 7 1 1 0 8 1
sockpl 568 11002 0 10971 45 41 4 13 0 8 1
mcl64k 65536 16 0 0 2 0 2 2 0 8 0
mcl16k 16384 8 0 0 1 0 1 1 0 8 0
mcl12k 12288 12 0 0 2 0 2 2 0 8 0
mcl9k 9216 7 0 0 1 0 1 1 0 8 0
mcl8k 8192 25 0 0 3 0 3 3 0 8 0
mcl4k 4096 32 0 0 3 0 3 3 0 8 0
mcl2k2 2112 11 0 0 1 0 1 1 0 8 0
mcl2k 2048 475 0 0 50 1 49 50 0 8 0
mtagpl 96 80 0 0 2 0 2 2 0 8 0
mbufpl 256 1268 0 0 62 0 62 62 0 8 0
bufpl 280 16332 0 9419 495 0 495 495 0 8 0
anonpl 24 758268 0 752036 154 87 67 93 0 186 0
amapchunkpl 152 163431 0 162754 82 50 32 40 0 158 1
amappl16 200 17038 0 16914 107 87 20 33 0 8 7
amappl15 192 15 0 15 3 3 0 1 0 8 0
amappl14 184 404 0 393 2 1 1 2 0 8 0
amappl13 176 17 0 17 3 2 1 1 0 8 1
amappl12 168 7626 0 7595 4 1 3 3 0 8 0
amappl11 160 64 0 53 1 0 1 1 0 8 0
amappl10 152 125 0 117 2 1 1 1 0 8 0
amappl9 144 396 0 396 7 7 0 1 0 8 0
amappl8 136 934 0 810 6 0 6 6 0 8 0
amappl7 128 180 0 161 1 0 1 1 0 8 0
amappl6 120 1186 0 1160 3 1 2 2 0 8 0
amappl5 112 482 0 470 1 0 1 1 0 8 0
amappl4 104 1264 0 1210 3 1 2 3 0 8 0
amappl3 96 31082 0 30999 3 0 3 3 0 8 0
amappl2 88 6919 0 6831 5 2 3 4 0 8 0
amappl1 80 34091 0 33604 23 10 13 23 0 8 0
amappl 88 50416 0 50208 6 0 6 6 0 92 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 145 0 15 3 0 3 3 0 8 0
uaddrrnd 24 6020 0 5969 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 6020 0 5969 1 0 1 1 0 8 0
vmmpekpl 168 43985 0 43910 4 0 4 4 0 8 0
vmmpepl 168 389068 0 387086 216 102 114 128 0 357 2
vmsppl 440 6019 0 5969 8 1 7 7 0 8 0
rwobjpl 56 100725 0 92464 132 10 122 122 0 8 3
pdppl 4096 12047 0 11963 376 286 90 95 0 8 6
pvpl 32 49258 0 0 399 1 398 398 0 265 0
pmappl 248 6019 0 5969 4 0 4 4 0 8 0
extentpl 40 56 0 38 1 0 1 1 0 8 0
phpool 112 806 0 365 13 0 13 13 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157
tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315
if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384
ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b
sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9
syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline]
syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xb164cefe1a0, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp
x86_ipi_db(ffff800029cebff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82e627e0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82e627e0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff80002a1b8aa0) at syscall+0x83b mi_syscall sys/sys/syscall_mi.h:180 [inline]
syscall(ffff80002a1b8aa0) at syscall+0x83b sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d5815299cc0, count: 9
ddb{1}> trace
x86_ipi_db(ffff800029cebff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__mp_lock(ffffffff82e627e0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline]
__mp_lock(ffffffff82e627e0) at __mp_lock+0x122 sys/kern/kern_lock.c:147
syscall(ffff80002a1b8aa0) at syscall+0x83b mi_syscall sys/sys/syscall_mi.h:180 [inline]
syscall(ffff80002a1b8aa0) at syscall+0x83b sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d5815299cc0, count: -6