syzbot

 sign-in | mailing list | source | docs
🐞 Open [121]
🐞 Fixed [291]
🐞 Invalid [917]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

assert "refs != ~NUM" failed in kern_synch.c

Status: upstream: reported on 2025/02/08 12:26
Reported-by: syzbot+bee527c059e64ef8bdec@syzkaller.appspotmail.com
First crash: 272d, last: 4h22m

Sample crash report:
panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 953
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833977e1) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833d54da,ffffffff833e5e43,3b9,ffffffff8340fba7) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c44b4e8,ffffffff83390e87) at refcnt_finalize+0x1db sys/kern/kern_synch.c:954
pppx_if_destroy(285b9a,ffff80003c44b4e0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(285b9a,41,2000,ffff80003c002d18) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff800039ff2e90) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd805f23c510,41,fffffd80097fb548,ffff80003c002d18) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd8061d7d240,ffff80003c002d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd8061d7d240,ffff80003c002d18) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c002d18) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c002d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c002d18,ffff800039ff3200,ffff800039ff3150) at sys_exit+0x1a sys/kern/kern_exit.c:-1
end trace frame: 0xffff800039ff31f0, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> set $maxwidth = 0
ddb{1}> show panic
*cpu1: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 953
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833977e1) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833d54da,ffffffff833e5e43,3b9,ffffffff8340fba7) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c44b4e8,ffffffff83390e87) at refcnt_finalize+0x1db sys/kern/kern_synch.c:954
pppx_if_destroy(285b9a,ffff80003c44b4e0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(285b9a,41,2000,ffff80003c002d18) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff800039ff2e90) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd805f23c510,41,fffffd80097fb548,ffff80003c002d18) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd8061d7d240,ffff80003c002d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd8061d7d240,ffff80003c002d18) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c002d18) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c002d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c002d18,ffff800039ff3200,ffff800039ff3150) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff800039ff3200) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800039ff3200) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d44dc66dac0, count: -16
ddb{1}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800039ff2c60
rbx               0xffff8000299eeddf
rdx                                0
rcx               0xffff80003c002d18
rax               0xffff8000299edff0
r8                 0x101010101010101
r9                0x8080808080808080
r10               0xa27554f430407d8f
r11               0xe002f41672a0bc84
r12               0xffff8000299eebe0
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff823c0875    db_enter+0x25
cs                               0x8
rflags                         0x246
rsp               0xffff800039ff2c50
ss                              0x10
db_enter+0x25:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor) tid=95935 pid=68156 tcnt=0 stat=onproc
    flags process=1008<EXITING,SINGLEEXIT> proc=2000<WEXIT>
    runpri=32, usrpri=86, slppri=32, nice=20
    wchan=0x0, wmesg=, ps_single=0xffff80003c002d18 scnt=-1 ecnt=1
    forw=0xffffffffffffffff, list=0xffff80003c003a10,0xffff80003c0022c8
    process=0xffff800035fe9360 user=0xffff800039fee000, vmspace=0xfffffd806bfb45d8
    estcpu=36, cpticks=3, pctcpu=0.0, user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 92272   93928   5029      0  2           0                syz-executor
 92272  469896   5029      0  2   0x4000000                syz-executor
 36601  343142  53142      0  3        0x80  nanoslp       syz-executor
 36601  321449  53142      0  3   0x4000080  ttyout        syz-executor
 36601   57619  53142      0  3   0x4000080  fsleep        syz-executor
 36601   97616  53142      0  3   0x4000080  fsleep        syz-executor
 95342  177657  41219      0  2           0                syz-executor
 95342   10458  41219      0  3   0x4000080  lockf         syz-executor
 95342  252253  41219      0  3   0x4000080  fsleep        syz-executor
 69714  336733      0      0  3     0x14200  acct          acct
 85648  110705  81376      0  3    0x100082  sbwait        arp
 81376  522965  19247      0  3    0x10008a  sigsusp       sh
  1185   25753  52757      0  3        0x82  nanoslp       syz-executor
 41219   32908  52757      0  3        0x82  nanoslp       syz-executor
 61894  236706  52757      0  3        0x82  nanoslp       syz-executor
 47424  284230  52757      0  3        0x82  nanoslp       syz-executor
 19247   70937  52757      0  3        0x82  wait          syz-executor
  5029  455397  52757      0  3        0x82  nanoslp       syz-executor
 53142  445022  52757      0  3        0x82  nanoslp       syz-executor
 15366   46957  52757      0  2         0x2                syz-executor
 52757  368537  19879      0  3        0x82  kqread        syz-executor
 19879  293239  13325      0  3    0x10008a  sigsusp       ksh
 13325  523839  82594      0  3        0x98  kqread        sshd-session
 82594   91209  95672      0  3        0x92  kqread        sshd-session
 34039  271471      1      0  3    0x100083  ttyopn        getty
 95672  390292      1      0  3        0x88  kqread        sshd
 42653  170683  75101     74  3   0x1100092  bpf           pflogd
 75101  281379      1      0  3        0x80  sbwait        pflogd
 87402  170985  80579     73  3   0x1100090  kqread        syslogd
 80579  358493      1      0  3    0x100082  sbwait        syslogd
 87051  253979      1      0  3    0x100080  kqread        resolvd
 87958  253197  98554     77  3    0x100092  kqread        dhcpleased
 90335  486529  98554     77  3    0x100092  kqread        dhcpleased
 98554  177856      1      0  3        0x80  kqread        dhcpleased
 27863  470108      0      0  3     0x14200  bored         smr
 47691  172569      0      0  3     0x14200  pgzero        zerothread
 68986  127646      0      0  3     0x14200  aiodoned      aiodoned
 42622  296724      0      0  3     0x14200  syncer        update
 66942  433395      0      0  3     0x14200  cleaner       cleaner
  4764  354265      0      0  2     0x14200                reaper
 31431  220864      0      0  3     0x14200  pgdaemon      pagedaemon
  5811  289108      0      0  3     0x14200  bored         viomb
 73228  183567      0      0  3  0x40014200  acpi0         acpi0
 61086   92917      0      0  3  0x40014200                idle1
 28900  235988      0      0  3     0x14200  bored         softnet1
  8388  271134      0      0  3     0x14200  bored         softnet0
 55721  475276      0      0  3     0x14200  bored         systqmp
 79037  468360      0      0  3     0x14200  bored         systq
 87073  232500      0      0  3     0x14200  tmoslp        softclockmp
 13489  323721      0      0  3  0x40014200  tmoslp        softclock
 87686   19022      0      0  3  0x40014200                idle0
     1  390521      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}> show all locks
ddb{1}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10205  11026K   11218K 166960K     11563        0
            pcb    17     12K      12K 166960K        60        0
         rtable   198      7K       8K 166960K       376        0
             pf    39     18K      21K 166960K        81        0
         ifaddr    42      7K       7K 166960K        62        0
        ifgroup    60      2K       2K 166960K        98        0
         sysctl     1      1K       9K 166960K         7        0
       counters    80     37K      37K 166960K       112        0
       ioctlops     0      0K       4K 166960K      1547        0
            iov     1      0K      16K 166960K        17        0
          mount     1      1K       1K 166960K         1        0
            log     0      0K       0K 166960K         4        0
         vnodes  1375     86K      86K 166960K      1523        0
      UFS quota     1     32K      32K 166960K         1        0
      UFS mount     5     36K      36K 166960K         5        0
            shm     2      1K       5K 166960K         5        0
         VM map     2      1K       1K 166960K         2        0
            sem     7      0K       0K 166960K        14        0
        dirhash    12      2K       2K 166960K        30        0
           ACPI  1692    195K     286K 166960K     12470        0
      file desc    19     69K      89K 166960K       335        0
          sigio     0      0K       0K 166960K         5        0
           proc    72    115K     180K 166960K       549        0
        subproc    72      4K       4K 166960K        72        0
    NFS srvsock     1      0K       0K 166960K         1        0
     NFS daemon     1     16K      16K 166960K         1        0
    ip_moptions     0      0K       0K 166960K        25        0
       in_multi    82      6K       6K 166960K       107        0
    ether_multi     1      0K       0K 166960K         1        0
            mrt     1      0K       0K 166960K         1        0
    ISOFS mount     1     32K      32K 166960K         1        0
  MSDOSFS mount     1     16K      16K 166960K         1        0
           ttys    73    334K     334K 166960K        73        0
           exec     0      0K       1K 166960K       425        0
   fusefs mount     1     32K      32K 166960K         1        0
            tdb     3      0K       0K 166960K         3        0
        VM swap     8     62K      64K 166960K        10        0
       UVM amap   259    169K     179K 166960K      4816        0
       UVM aobj    12      2K       2K 166960K        13        0
     pinsyscall    45     90K     104K 166960K      1450        0
        memdesc     1      4K       4K 166960K         1        0
    crypto data     1      1K       1K 166960K         1        0
    ip6_options     1      0K       1K 166960K        20        0
            NDP    14      0K       1K 166960K        39        0
           temp    43   8651K    8719K 166960K     19362        0
         kqueue    13     20K      26K 166960K        57        0
      SYN cache     2     16K      16K 166960K         2        0
ddb{1}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       26    0        0     1     0     1     1     0     8    0
rtpcb      120      111    0      107     3     0     3     3     0     8    2
rtentry    176      111    0       27     5     0     5     5     0     8    0
unpcb      144      400    0      377     6     0     6     6     0     8    4
syncache   336        3    0        3     1     1     0     1     0     8    0
tcpcb      736       56    0       51     1     0     1     1     0     8    0
arp        136       17    0        2     1     0     1     1     0     8    0
inpcb      328      292    0      283     2     0     2     2     0     8    1
nd6        152       22    0        3     1     0     1     1     0     8    0
pkpcb       40        1    0        1     1     0     1     1     0     8    1
kcovpl      48        8    0        0     1     0     1     1     0     8    0
mppekey    1024       1    0        1     1     0     1     1     0     8    1
ppxss      1192      17    0       11     1     0     1     1     0     8    0
pppxif     1504       1    0        0     1     0     1     1     0     8    0
pffrag     232        1    0        0     1     0     1     1     0   482    0
pffrnode    88        1    0        0     1     0     1     1     0     8    0
pffrent     40        1    0        0     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344       1    0        1     1     0     1     1     0     8    1
pfanchor   1288       1    0        1     1     0     1     1     0     8    1
pfstitem    24       32    0        1     1     0     1     1     0     8    0
pfstkey    128       32    0        1     2     0     2     2     0     8    0
pfstate    384       32    0        1     4     0     4     4     0     8    0
pfrule     1344      25    0       20     2     1     1     2     0     8    0
art_heap8  4096       2    0        0     2     0     2     2     0     8    0
art_heap4  256      474    0      109    26     0    26    26     0     8    3
art_table   40      476    0      109     5     0     5     5     0     8    0
art_node    32      110    0       34     1     0     1     1     0     8    0
sysvmsgpl   40        5    0        4     1     0     1     1     0     8    0
semapl     112        9    0        4     1     0     1     1     0     8    0
shmpl      112       10    0        1     1     0     1     1     0     8    0
dirhash    1024      29    0       12     3     0     3     3     0     8    0
dino2pl    256     1948    0      432    95     0    95    95     0     8    0
ffsino     296     1948    0      432   117     0   117   117     0     8    0
nchpl      144     2418    0      711    64     0    64    64     0     8    0
rtmask      32        5    0        3     2     1     1     1     0     8    0
vnodes     216     2125    0        0   119     0   119   119     0     8    0
namei      1024    8028    0     8028     2     1     1     2     0     8    1
percpumem   16       71    0       16     1     0     1     1     0     8    0
kstatmem   264       52    0       22     3     0     3     3     0     8    1
scxspl     216     8711    0     8711     3     2     1     2     1     8    1
plimitpl   152       54    0       37     1     0     1     1     0     8    0
sigapl     424      644    0      594     7     0     7     7     0     8    0
knotepl    120      315    0        0    10     0    10    10     0     8    0
kqueuepl   224      117    0      108     3     0     3     3     0     8    2
pipepl     344      132    0      105     3     0     3     3     0     8    0
fdescpl    528      627    0      594     3     0     3     3     0     8    0
filepl     160     3216    0     2980    15     0    15    15     0     8    5
lockfpl    104       99    0       93     1     0     1     1     0     8    0
lockfspl    48       40    0       35     1     0     1     1     0     8    0
sessionpl  144       22    0       13     1     0     1     1     0     8    0
pgrppl      48       31    0       14     1     0     1     1     0     8    0
ucredpl    104      312    0      296     1     0     1     1     0     8    0
zombiepl   144      598    0      594     1     0     1     1     0     8    0
processpl  1232     644    0      594     5     0     5     5     0     8    0
procpl     664     1017    0      960     6     0     6     6     0     8    0
sosppl     176        4    0        4     2     1     1     1     0     8    1
sockpl     752      817    0      781    17     5    12    17     0     8    7
mcl64k     65536      2    0        0     1     0     1     1     0     8    0
mcl16k     16384      2    0        0     1     0     1     1     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096     114    0        0    15     0    15    15     0     8    0
mcl2k      2048      35    0        0     5     0     5     5     0     8    0
mtagpl      96        3    0        0     1     0     1     1     0     8    0
mbufpl     256      185    0        0    12     0    12    12     0     8    0
bufpl      280     3342    0      130   230     0   230   230     0     8    0
anonpl      32     7799    0        0    64     1    63    64     0   246    0
amapchunkpl 152   14959    0    14426    27     0    27    27     0   158    5
amappl16   200     2507    0     2478    17     2    15    15     0     8   10
amappl15   192       31    0       31     1     1     0     1     0     8    0
amappl14   184        6    0        6     1     1     0     1     0     8    0
amappl13   176      416    0      414     1     0     1     1     0     8    0
amappl12   168      983    0      938     3     0     3     3     0     8    0
amappl11   160        2    0        2     1     1     0     1     0     8    0
amappl10   152       79    0       65     1     0     1     1     0     8    0
amappl9    144      250    0      249     1     0     1     1     0     8    0
amappl8    136       30    0       26     1     0     1     1     0     8    0
amappl7    128       76    0       75     1     0     1     1     0     8    0
amappl6    120      276    0      261     1     0     1     1     0     8    0
amappl5    112       73    0       62     1     0     1     1     0     8    0
amappl4    104      408    0      375     1     0     1     1     0     8    0
amappl3     96     2505    0     2406     4     1     3     3     0     8    0
amappl2     88      735    0      657     2     0     2     2     0     8    0
amappl1     80     9787    0     9160    15     1    14    15     0     8    0
amappl      88     4076    0     3899     5     0     5     5     0    92    0
uvmvnodes   80     2125    0        0    44     0    44    44     0     8    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72       12    0        1     1     0     1     1     0     8    0
uaddrrnd    24      627    0      594     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      627    0      594     1     0     1     1     0     8    0
vmmpekpl   168     6837    0     6803     2     0     2     2     0     8    0
vmmpepl    168    47130    0    45108    99     0    99    99     0   357    6
vmsppl     488      626    0      594     5     0     5     5     0     8    0
rwobjpl     80    18082    0    14954    68     0    68    68     0     8    3
pdppl      4096    1262    0     1188   102    28    74    86     0     8    0
pvpl        32    14933    0        0   121     0   121   121     0   265    0
pmappl     256      626    0      594     3     0     3     3     0     8    0
extentpl    40       45    0       27     1     0     1     1     0     8    0
phpool     112      274    0       32     8     0     8     8     0     8    0
ddb{1}> machine ddbcpu 0
Stopped at      x86_ipi_db+0x27:        addq    $0x8,%rsp
x86_ipi_db(ffffffff837d6ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:585 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:153
__mp_lock(ffffffff839de8c0) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:138 [inline]
__mp_lock(ffffffff839de8c0) at __mp_lock+0x1a3 sys/kern/kern_lock.c:169
intr_handler(ffff80002ffdaab0,ffff80000007aa00) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:559
Xintr_ioapic_edge18_untramp() at Xintr_ioapic_edge18_untramp+0x18f
__mp_lock(ffffffff839de8c0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:138 [inline]
__mp_lock(ffffffff839de8c0) at __mp_lock+0x192 sys/kern/kern_lock.c:169
__mp_acquire_count(ffffffff839de8c0,2) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
sleep_finish(ffffffffffffffff,1) at sleep_finish+0x2d8 sys/kern/kern_synch.c:367
cond_wait(ffff80002ffdaccc,ffffffff833b6792) at cond_wait+0x7b sys/kern/kern_synch.c:997
smr_barrier_impl(0) at smr_barrier_impl+0x102 sys/kern/kern_smr.c:295
if_idxmap_remove(ffff800001493800) at if_idxmap_remove+0x11b if_put sys/net/if.c:-1 [inline]
if_idxmap_remove(ffff800001493800) at if_idxmap_remove+0x11b sys/net/if.c:479
if_detach(ffff800001493800) at if_detach+0xfa if_remove sys/net/if.c:1160 [inline]
if_detach(ffff800001493800) at if_detach+0xfa sys/net/if.c:1208
end trace frame: 0xffff80002ffdae00, count: 0
ddb{0}> trace
x86_ipi_db(ffffffff837d6ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 kd_curproc sys/dev/kcov.c:585 [inline]
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc+0x33 sys/dev/kcov.c:153
__mp_lock(ffffffff839de8c0) at __mp_lock+0x1a3 __mp_lock_spin sys/kern/kern_lock.c:138 [inline]
__mp_lock(ffffffff839de8c0) at __mp_lock+0x1a3 sys/kern/kern_lock.c:169
intr_handler(ffff80002ffdaab0,ffff80000007aa00) at intr_handler+0xe9 sys/arch/amd64/amd64/intr.c:559
Xintr_ioapic_edge18_untramp() at Xintr_ioapic_edge18_untramp+0x18f
__mp_lock(ffffffff839de8c0) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:138 [inline]
__mp_lock(ffffffff839de8c0) at __mp_lock+0x192 sys/kern/kern_lock.c:169
__mp_acquire_count(ffffffff839de8c0,2) at __mp_acquire_count+0x58 sys/kern/kern_lock.c:-1
sleep_finish(ffffffffffffffff,1) at sleep_finish+0x2d8 sys/kern/kern_synch.c:367
cond_wait(ffff80002ffdaccc,ffffffff833b6792) at cond_wait+0x7b sys/kern/kern_synch.c:997
smr_barrier_impl(0) at smr_barrier_impl+0x102 sys/kern/kern_smr.c:295
if_idxmap_remove(ffff800001493800) at if_idxmap_remove+0x11b if_put sys/net/if.c:-1 [inline]
if_idxmap_remove(ffff800001493800) at if_idxmap_remove+0x11b sys/net/if.c:479
if_detach(ffff800001493800) at if_detach+0xfa if_remove sys/net/if.c:1160 [inline]
if_detach(ffff800001493800) at if_detach+0xfa sys/net/if.c:1208
pppacclose(637d,1,2000,ffff80003c002020) at pppacclose+0x118 sys/net/if_pppx.c:1329
spec_close(ffff80002ffdae80) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd8062670138,1,fffffd80097fb548,ffff80003c002020) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffd806c0fdd60,ffff80003c002020) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd806c0fdd60,ffff80003c002020) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd806c0fdd60,ffff80003c002020) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd806c0fdd60,ffff80003c002020) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c002020) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c002020,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c002020,ffff80002ffdb1f0,ffff80002ffdb140) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002ffdb1f0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002ffdb1f0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x73350b849dd0, count: -25
ddb{0}> machine ddbcpu 1
Stopped at      db_enter+0x25:  addq    $0x8,%rsp
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833977e1) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833d54da,ffffffff833e5e43,3b9,ffffffff8340fba7) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c44b4e8,ffffffff83390e87) at refcnt_finalize+0x1db sys/kern/kern_synch.c:954
pppx_if_destroy(285b9a,ffff80003c44b4e0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(285b9a,41,2000,ffff80003c002d18) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff800039ff2e90) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd805f23c510,41,fffffd80097fb548,ffff80003c002d18) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd8061d7d240,ffff80003c002d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd8061d7d240,ffff80003c002d18) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c002d18) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c002d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c002d18,ffff800039ff3200,ffff800039ff3150) at sys_exit+0x1a sys/kern/kern_exit.c:-1
end trace frame: 0xffff800039ff31f0, count: 0
ddb{1}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff833977e1) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833d54da,ffffffff833e5e43,3b9,ffffffff8340fba7) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c44b4e8,ffffffff83390e87) at refcnt_finalize+0x1db sys/kern/kern_synch.c:954
pppx_if_destroy(285b9a,ffff80003c44b4e0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(285b9a,41,2000,ffff80003c002d18) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff800039ff2e90) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd805f23c510,41,fffffd80097fb548,ffff80003c002d18) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd8061d7d240,ffff80003c002d18) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd8061d7d240,ffff80003c002d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd8061d7d240,ffff80003c002d18) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c002d18) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c002d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c002d18,ffff800039ff3200,ffff800039ff3150) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff800039ff3200) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff800039ff3200) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7d44dc66dac0, count: -16

Crashes (706):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/07 20:39 openbsd cc3bb0869211 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/07 05:15 openbsd e6704d8803de 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/07 02:59 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 23:43 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 21:03 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 20:14 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 18:57 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 15:53 openbsd b51d00b45631 4e1406b4 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 07:55 openbsd 05dcfb71c047 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/06 06:00 openbsd 3c68d8d4395f a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 20:23 openbsd 69af9e93ff65 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 14:19 openbsd 69af9e93ff65 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 13:12 openbsd 69af9e93ff65 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 12:10 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 10:23 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 05:56 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 05:53 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/05 02:53 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 23:54 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 22:41 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 21:30 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 19:42 openbsd e111ebd78232 a6c9c731 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 18:32 openbsd e111ebd78232 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 16:07 openbsd e111ebd78232 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 14:51 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 13:18 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 10:17 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 08:52 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 06:13 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/04 04:46 openbsd 512bb19460b6 686bf657 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/03 22:18 openbsd 0214ec5c7fc4 e6c64ba8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/03 22:04 openbsd 0214ec5c7fc4 e6c64ba8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/03 18:40 openbsd 0214ec5c7fc4 e6c64ba8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/03 15:18 openbsd 0214ec5c7fc4 e6c64ba8 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/03 13:11 openbsd 0214ec5c7fc4 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 22:57 openbsd dd6e4afad218 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 20:25 openbsd 6e779084bd79 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 15:22 openbsd 6e779084bd79 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 12:05 openbsd 6e779084bd79 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 09:40 openbsd 6e779084bd79 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 08:11 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 04:39 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 03:27 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 01:53 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/02 00:36 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/01 23:01 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/11/01 22:32 openbsd 61cf0bee8b67 2c50b6a9 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-multicore assert "refs != ~NUM" failed in kern_synch.c
2025/02/08 12:25 openbsd 2347e6edcd5e ef44b750 .config console log report [disk image] [bsd.gdb] [kernel image] ci-openbsd-main assert "refs != ~NUM" failed in kern_synch.c
* Struck through repros no longer work on HEAD.