panic: kernel diagnostic assertion "ifp != NULL" failed: file "/syzkaller/managers/multicore/kernel/sys/netinet/if_ether.c", line 718
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
241486 43043 0 0x2 0x480 1 syz-executor.1
* 68870 37681 0 0x14000 0x40000200 0K softclock
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff823bfea9) at panic+0x15e sys/kern/subr_prf.c:218
__assert(ffffffff8242eaed,ffffffff8242b5ea,2ce,ffffffff823965c0) at __assert+0x2b sys/kern/subr_prf.c:162
arptfree(fffffd806f32fa10) at arptfree+0x10d sys/netinet/if_ether.c:718
arptimer(ffffffff8282bca8) at arptimer+0x80 sys/netinet/if_ether.c:120
timeout_run(ffffffff8282bca8) at timeout_run+0xcc sys/kern/kern_timeout.c:482
softclock_thread(ffff800020d99638) at softclock_thread+0x124 sys/kern/kern_timeout.c:580
end trace frame: 0x0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "ifp != NULL" failed: file "/syzkaller/managers/multicore/kernel/sys/netinet/if_ether.c", line 718
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff823bfea9) at panic+0x15e sys/kern/subr_prf.c:218
__assert(ffffffff8242eaed,ffffffff8242b5ea,2ce,ffffffff823965c0) at __assert+0x2b sys/kern/subr_prf.c:162
arptfree(fffffd806f32fa10) at arptfree+0x10d sys/netinet/if_ether.c:718
arptimer(ffffffff8282bca8) at arptimer+0x80 sys/netinet/if_ether.c:120
timeout_run(ffffffff8282bca8) at timeout_run+0xcc sys/kern/kern_timeout.c:482
softclock_thread(ffff800020d99638) at softclock_thread+0x124 sys/kern/kern_timeout.c:580
end trace frame: 0x0, count: -7
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020da73f0
rbx 0xffff800020da7400
rdx 0x8b
rcx 0x2
rax 0x1
r8 0xffff800020da73b0
r9 0xffffffff811082e6 kprintf+0x146
r10 0x1
r11 0x5c76b4788e74ec9f
r12 0x3000000008
r13 0xffff800020da74a0
r14 0x100
r15 0x1
rip 0xffffffff822eb378 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020da73e0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (softclock) pid=68870 stat=onproc
flags process=14000<NOZOMBIE,SYSTEM> proc=40000200<SYSTEM,CPUPEG>
pri=0, usrpri=50, nice=20
forw=0xffffffffffffffff, list=0xffff800020d998b0,0xffff800020d993d0
process=0xffff800020d9b3b0 user=0xffff800020da2000, vmspace=0xffffffff828e4d40
estcpu=0, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
43043 241486 33634 0 7 0x482 syz-executor.1
20913 274896 1 0 3 0x100083 ttyin getty
97330 365880 33634 0 3 0x82 piperd syz-executor.0
61503 165135 0 0 3 0x14280 nfsidl nfsio
97699 79310 0 0 3 0x14280 nfsidl nfsio
30406 28906 0 0 3 0x14280 nfsidl nfsio
2488 493180 0 0 3 0x14280 nfsidl nfsio
20678 296205 0 0 3 0x14280 nfsidl nfsio
66821 467777 0 0 3 0x14280 nfsidl nfsio
2497 510946 0 0 3 0x14280 nfsidl nfsio
5139 84181 0 0 3 0x14280 nfsidl nfsio
65023 518991 0 0 3 0x14280 nfsidl nfsio
26382 252973 0 0 3 0x14280 nfsidl nfsio
17216 346201 0 0 3 0x14280 nfsidl nfsio
34643 40493 0 0 3 0x14280 nfsidl nfsio
41744 7630 0 0 3 0x14280 nfsidl nfsio
29639 64009 0 0 3 0x14280 nfsidl nfsio
73946 148156 0 0 3 0x14280 nfsidl nfsio
42598 173442 0 0 3 0x14280 nfsidl nfsio
27299 477188 0 0 3 0x14280 nfsidl nfsio
99418 478504 0 0 3 0x14280 nfsidl nfsio
29751 48658 0 0 3 0x14280 nfsidl nfsio
58262 460115 0 0 3 0x14280 nfsidl nfsio
93829 510414 0 0 3 0x14200 bored sosplice
33634 218719 41020 0 3 0x82 thrsleep syz-fuzzer
33634 35604 41020 0 3 0x4000082 thrsleep syz-fuzzer
33634 510778 41020 0 3 0x4000082 thrsleep syz-fuzzer
33634 131483 41020 0 3 0x4000082 kqread syz-fuzzer
33634 57988 41020 0 3 0x4000082 thrsleep syz-fuzzer
33634 218040 41020 0 3 0x4000082 thrsleep syz-fuzzer
33634 45778 41020 0 3 0x4000082 thrsleep syz-fuzzer
33634 408238 41020 0 3 0x4000082 thrsleep syz-fuzzer
41020 145549 55809 0 3 0x10008a pause ksh
55809 406642 85348 0 3 0x92 select sshd
85348 437198 1 0 3 0x80 select sshd
84380 312636 5406 74 3 0x100092 bpf pflogd
5406 255822 1 0 3 0x80 netio pflogd
36901 379335 22908 73 3 0x100090 kqread syslogd
22908 438969 1 0 3 0x100082 netio syslogd
39868 140252 1 77 3 0x100090 poll dhclient
74978 131842 1 0 3 0x80 poll dhclient
83738 236312 0 0 3 0x14200 bored smr
6806 229012 0 0 3 0x14200 pgzero zerothread
20792 224363 0 0 3 0x14200 aiodoned aiodoned
74743 164909 0 0 3 0x14200 syncer update
3398 3789 0 0 3 0x14200 cleaner cleaner
76202 48317 0 0 3 0x14200 reaper reaper
90922 323296 0 0 3 0x14200 pgdaemon pagedaemon
98097 234274 0 0 3 0x14200 bored crynlk
28255 52822 0 0 3 0x14200 bored crypto
44587 239775 0 0 3 0x40014200 acpi0 acpi0
24936 105563 0 0 3 0x40014200 idle1
25522 499744 0 0 3 0x14200 bored softnet
54482 443976 0 0 3 0x14200 bored systqmp
48837 397433 0 0 3 0x14200 bored systq
*37681 68870 0 0 7 0x40014200 softclock
78334 517091 0 0 3 0x40014200 idle0
1 286577 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
Process 37681 (softclock) thread 0xffff800020d99638 (68870)
exclusive rwlock netlock r = 0 (0xffffffff826d6a30)
#0 witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4b0 sys/kern/subr_witness.c:1164
#1 arptimer+0x22 sys/netinet/if_ether.c:119
#2 timeout_run+0xcc sys/kern/kern_timeout.c:482
#3 softclock_thread+0x124 sys/kern/kern_timeout.c:580
#4 proc_trampoline+0x1c
shared rwlock timeout r = 0 (0xffffffff826aadb0)
#0 witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4b0 sys/kern/subr_witness.c:1164
#1 timeout_run+0xb3 sys/kern/kern_timeout.c:477
#2 softclock_thread+0x124 sys/kern/kern_timeout.c:580
#3 proc_trampoline+0x1c
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82885db0)
#0 witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0 witness_lock+0x4b0 sys/kern/subr_witness.c:1164
#1 __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
#2 mi_switch+0x390 sys/kern/sched_bsd.c:435
#3 sleep_finish+0x111 sys/kern/kern_synch.c:418
#4 softclock_thread+0xd6 sys/kern/kern_timeout.c:575
#5 proc_trampoline+0x1c
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 9556 6516K 8389K 78643K 166694 0
pcb 13 8K 8K 78643K 486 0
rtable 100 4K 11K 78643K 1387 0
ifaddr 86 17K 20K 78643K 590 0
sysctl 2 0K 1K 78643K 588 0
counters 43 33K 34K 78643K 219 0
ioctlops 0 0K 4K 78643K 7155 0
iov 0 0K 16K 78643K 1242 0
mount 1 1K 1K 78643K 1 0
vnodes 1227 77K 77K 78643K 54327 0
UFS quota 1 32K 32K 78643K 1 0
UFS mount 5 36K 36K 78643K 5 0
shm 2 1K 9K 78643K 146 0
VM map 2 1K 1K 78643K 2 0
sem 12 0K 0K 78643K 827 0
dirhash 12 2K 2K 78643K 12 0
ACPI 1824 197K 290K 78643K 13058 0
file desc 5 13K 25K 78643K 83260 0
sigio 0 0K 0K 78643K 63 0
proc 67 63K 95K 78643K 1246 0
subproc 32 2K 2K 78643K 136 0
NFS srvsock 1 0K 0K 78643K 1 0
NFS daemon 1 16K 16K 78643K 1 0
ip_moptions 0 0K 0K 78643K 539 0
in_multi 35 2K 2K 78643K 446 0
ether_multi 1 0K 0K 78643K 121 0
mrt 0 0K 0K 78643K 35 0
ISOFS mount 1 32K 32K 78643K 1 0
MSDOSFS mount 1 16K 16K 78643K 1 0
ttys 73 334K 334K 78643K 73 0
exec 0 0K 2K 78643K 833 0
pagedep 1 8K 8K 78643K 1 0
inodedep 1 32K 32K 78643K 1 0
newblk 1 0K 0K 78643K 1 0
VM swap 7 26K 26K 78643K 7 0
UVM amap 381 321K 321K 78643K 185551 0
UVM aobj 131 9K 9K 78643K 142 0
memdesc 1 4K 4K 78643K 1 0
crypto data 1 1K 1K 78643K 1 0
ip6_options 0 0K 1K 78643K 598 0
NDP 15 0K 0K 78643K 120 0
temp 143 3963K 4040K 78643K 255298 0
kqueue 3 4K 22K 78643K 9033 0
SYN cache 2 16K 16K 78643K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp 64 31 0 23 1 0 1 1 0 8 0
plcache 128 20 0 0 1 0 1 1 0 8 0
rtpcb 88 328 0 326 1 0 1 1 0 8 0
rtentry 112 193 0 155 2 0 2 2 0 8 0
unpcb 120 6869 0 6856 2 1 1 2 0 8 0
syncache 272 38 0 38 8 8 0 1 0 8 0
tcpqe 32 117 0 117 11 11 0 1 0 8 0
tcpcb 592 3873 0 3869 52 51 1 5 0 8 0
inpcb 296 9693 0 9686 10 9 1 3 0 8 0
rttmr 72 6 0 6 1 1 0 1 0 8 0
nd6 48 26 0 20 1 0 1 1 0 8 0
pkpcb 40 37 0 37 6 6 0 1 0 8 0
kcovpl 48 8 0 6 1 0 1 1 0 8 0
swfcl 56 2 0 0 1 0 1 1 0 8 0
ppxss 1136 29 0 29 7 7 0 1 0 8 0
pfstscr 40 58 0 58 2 2 0 1 0 8 0
pffrag 232 21 0 21 4 4 0 1 0 482 0
pffrnode 88 21 0 21 4 4 0 1 0 8 0
pffrent 40 601 0 601 4 4 0 1 0 8 0
pfosfp 40 860 0 423 5 0 5 5 0 8 0
pfosfpen 112 1444 0 714 21 0 21 21 0 8 0
pfrktable 1344 50 0 50 5 5 0 2 0 8 0
pftag 88 5 0 3 2 1 1 1 0 8 0
pfqueue 264 11 0 10 1 0 1 1 0 8 0
pfstitem 24 87 0 85 1 0 1 1 0 8 0
pfstkey 112 156 0 154 2 1 1 2 0 8 0
pfstate 328 122 0 120 6 5 1 6 0 8 0
pfsrctr 152 31 0 31 4 4 0 1 0 8 0
pfrule 1360 135 0 134 5 4 1 4 0 8 0
art_heap8 4096 1 0 0 1 0 1 1 0 8 0
art_heap4 256 599 0 414 17 5 12 13 0 8 0
art_table 32 600 0 414 2 0 2 2 0 8 0
art_node 16 181 0 151 1 0 1 1 0 8 0
sysvmsgpl 40 32 0 10 1 0 1 1 0 8 0
semapl 112 825 0 815 1 0 1 1 0 8 0
shmpl 112 139 0 11 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 87908 0 86510 95 7 88 89 0 8 0
ffsino 272 87908 0 86510 95 0 95 95 0 8 0
nchpl 144 176642 0 175048 60 0 60 60 0 8 0
uvmvnodes 72 5926 0 0 108 0 108 108 0 8 0
vnodes 208 5926 0 0 312 0 312 312 0 8 0
namei 1024 433048 0 433048 4 3 1 1 0 8 1
percpumem 16 120 0 88 1 0 1 1 0 8 0
vcpupl 1984 22 0 0 3 0 3 3 0 8 0
vmpool 560 22 0 0 2 0 2 2 0 8 0
pfiaddrpl 120 38 0 38 1 1 0 1 0 8 0
scsiplug 72 4 0 4 1 1 0 1 0 8 0
scxspl 200 523693 0 523693 11 10 1 7 0 8 1
plimitpl 152 487 0 479 1 0 1 1 0 8 0
sigapl 424 83485 0 83433 8 2 6 7 0 8 0
futexpl 56 541014 0 541014 5 4 1 1 0 8 1
knotepl 112 5029 0 5009 3 2 1 2 0 8 0
kqueuepl 152 81572 0 81542 15 13 2 2 0 8 0
pipepl 304 8882 0 8870 13 11 2 2 0 8 0
fdescpl 496 83443 0 83427 3 0 3 3 0 8 0
filepl 152 284420 0 284313 10 5 5 7 0 8 0
lockfpl 104 13847 0 13845 1 0 1 1 0 8 0
lockfspl 48 5762 0 5760 1 0 1 1 0 8 0
sessionpl 120 25 0 14 1 0 1 1 0 8 0
pgrppl 48 88 0 77 1 0 1 1 0 8 0
ucredpl 96 5768 0 5758 1 0 1 1 0 8 0
zombiepl 144 83434 0 83433 3 2 1 1 0 8 0
processpl 1008 83485 0 83433 7 0 7 7 0 8 0
procpl 632 172373 0 172314 6 0 6 6 0 8 0
sosppl 144 54 0 54 8 8 0 1 0 8 0
sockpl 400 16953 0 16930 27 24 3 6 0 8 0
mcl64k 65536 25 0 0 3 0 3 3 0 8 0
mcl16k 16384 17 0 0 3 0 3 3 0 8 0
mcl12k 12288 33 0 0 2 0 2 2 0 8 0
mcl9k 9216 25 0 0 2 0 2 2 0 8 0
mcl8k 8192 33 0 0 4 1 3 3 0 8 0
mcl4k 4096 37 0 0 4 1 3 3 0 8 0
mcl2k2 2112 17 0 0 2 0 2 2 0 8 0
mcl2k 2048 1006 0 0 22 2 20 21 0 8 0
mtagpl 96 698 0 0 13 0 13 13 0 8 0
mbufpl 256 2147 0 0 79 0 79 79 0 8 0
bufpl 280 92405 0 86147 448 0 448 448 0 8 0
anonpl 16 5424507 0 5410069 153 94 59 67 0 124 0
amapchunkpl 152 264106 0 263785 23 10 13 15 0 158 0
amappl16 192 263699 0 263094 145 114 31 39 0 8 0
amappl15 184 2944 0 2944 3 3 0 1 0 8 0
amappl14 176 37 0 24 1 0 1 1 0 8 0
amappl13 168 288 0 286 1 0 1 1 0 8 0
amappl12 160 25 0 21 2 1 1 1 0 8 0
amappl11 152 1508 0 1492 1 0 1 1 0 8 0
amappl10 144 38353 0 38347 1 0 1 1 0 8 0
amappl9 136 235 0 234 1 0 1 1 0 8 0
amappl8 128 821 0 569 9 0 9 9 0 8 0
amappl7 120 38666 0 38657 1 0 1 1 0 8 0
amappl6 112 1602 0 1579 1 0 1 1 0 8 0
amappl5 104 85303 0 85288 1 0 1 1 0 8 0
amappl4 96 1185 0 1151 1 0 1 1 0 8 0
amappl3 88 1454 0 1447 1 0 1 1 0 8 0
amappl2 80 586495 0 586422 3 1 2 3 0 8 0
amappl1 72 2204052 0 2203566 25 15 10 19 0 8 0
amappl 80 172788 0 172688 3 0 3 3 0 84 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 6 0 6 1 1 0 1 0 8 0
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 64 141 0 11 3 0 3 3 0 8 0
uaddrrnd 24 83465 0 83427 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 83465 0 83427 1 0 1 1 0 8 0
vmmpekpl 168 371959 0 371912 3 0 3 3 0 8 0
vmmpepl 168 10109316 0 10107148 243 143 100 104 0 357 1
vmsppl 368 83464 0 83427 4 0 4 4 0 8 0
pdppl 4096 166937 0 166876 11 3 8 9 0 8 0
pvpl 32 18962341 0 18944461 455 308 147 165 0 265 0
pmappl 232 83464 0 83427 3 0 3 3 0 8 0
extentpl 40 53 0 36 1 0 1 1 0 8 0
phpool 112 387 0 60 10 0 10 10 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic(ffffffff823bfea9) at panic+0x15e sys/kern/subr_prf.c:218
__assert(ffffffff8242eaed,ffffffff8242b5ea,2ce,ffffffff823965c0) at __assert+0x2b sys/kern/subr_prf.c:162
arptfree(fffffd806f32fa10) at arptfree+0x10d sys/netinet/if_ether.c:718
arptimer(ffffffff8282bca8) at arptimer+0x80 sys/netinet/if_ether.c:120
timeout_run(ffffffff8282bca8) at timeout_run+0xcc sys/kern/kern_timeout.c:482
softclock_thread(ffff800020d99638) at softclock_thread+0x124 sys/kern/kern_timeout.c:580
end trace frame: 0x0, count: -7
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020d80ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc
__mp_acquire_count(ffffffff82885ba8,1) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:435
sleep_finish(ffff800021eee800,1) at sleep_finish+0x111 sys/kern/kern_synch.c:418
sleep_finish_all(ffff800021eee800,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:447 [inline]
sleep_finish_all(ffff800021eee800,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:393
tsleep(ffffffff8282c214,120,ffffffff823b5402,2) at tsleep+0x1c2 sys/kern/kern_synch.c:155
sys_nanosleep(ffff800021fc6ef8,ffff800021eee930,ffff800021eee980) at sys_nanosleep+0x1f5 sys/kern/kern_time.c:297
syscall(ffff800021eeea00) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021eeea00) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe3050, count: 3
ddb{1}> trace
x86_ipi_db(ffff800020d80ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:352
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
__sanitizer_cov_trace_pc() at __sanitizer_cov_trace_pc
__mp_acquire_count(ffffffff82885ba8,1) at __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
mi_switch() at mi_switch+0x390 sys/kern/sched_bsd.c:435
sleep_finish(ffff800021eee800,1) at sleep_finish+0x111 sys/kern/kern_synch.c:418
sleep_finish_all(ffff800021eee800,1) at sleep_finish_all+0x32 sleep_finish_timeout sys/kern/kern_synch.c:447 [inline]
sleep_finish_all(ffff800021eee800,1) at sleep_finish_all+0x32 sys/kern/kern_synch.c:393
tsleep(ffffffff8282c214,120,ffffffff823b5402,2) at tsleep+0x1c2 sys/kern/kern_synch.c:155
sys_nanosleep(ffff800021fc6ef8,ffff800021eee930,ffff800021eee980) at sys_nanosleep+0x1f5 sys/kern/kern_time.c:297
syscall(ffff800021eeea00) at syscall+0x4a1 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff800021eeea00) at syscall+0x4a1 sys/arch/amd64/amd64/trap.c:570
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffe3050, count: -12