panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+030: addq $010,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *436833 66572 0 0 0x4000000 0K syz-executor.2 db_enter() at db_enter+030 panic(ffffffff825739a5) at panic+0567 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+045 tun_clone_destroy(ffff800000be9000) at tun_clone_destroy+01170 if_clone_destroy(ffff80002e42b460) at if_clone_destroy+0462 soo_ioctl(fffffd80639e4390,80206979,ffff80002e42b460,ffff8000211422a8) at soo_ioctl+01154 sys_ioctl(ffff8000211422a8,ffff80002e42b578,ffff80002e42b5d0) at sys_ioctl+02242 syscall(ffff80002e42b640) at syscall+02211 Xsyscall() at Xsyscall+0450 end of kernel end trace frame: 0x4d7c7503b80, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+030 panic(ffffffff825739a5) at panic+0567 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+045 tun_clone_destroy(ffff800000be9000) at tun_clone_destroy+01170 if_clone_destroy(ffff80002e42b460) at if_clone_destroy+0462 soo_ioctl(fffffd80639e4390,80206979,ffff80002e42b460,ffff8000211422a8) at soo_ioctl+01154 sys_ioctl(ffff8000211422a8,ffff80002e42b578,ffff80002e42b5d0) at sys_ioctl+02242 syscall(ffff80002e42b640) at syscall+02211 Xsyscall() at Xsyscall+0450 end of kernel end trace frame: 0x4d7c7503b80, count: -9 ddb{0}> show registers rdi 0 rsi 01 rbp 01777774000005620531160 rbx 01777777777760244405777 cpu_info_full_primary+025777 rdx 0 rcx 0 rax 01777774000004105021250 r8 0 r9 01002004010020040100200 r10 0355277364112547146460 r11 0610414572677122017173 r12 01777777777760244405000 cpu_info_full_primary+025000 r13 0 r14 0 r15 01 rip 01777777777760121747750 db_enter+030 cs 010 rflags 01106 rsp 01777774000005620531140 ss 020 db_enter+030: addq $010,%rsp ddb{0}> show proc PROC (syz-executor.2) pid=436833 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=84, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff6010,0xffff8000ffff4010 process=0xffff80002af37a48 user=0xffff80002e426000, vmspace=0xfffffd807733ed00 estcpu=34, cpticks=2, pctcpu=0.0 user=0, sys=2, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 66572 163535 69772 0 2 0 syz-executor.2 *66572 436833 69772 0 7 0x4000000 syz-executor.2 10870 320166 74012 0 2 0 syz-executor.7 10870 392681 74012 0 3 0x4000080 fsleep syz-executor.7 10870 421640 74012 0 3 0x4000080 fsleep syz-executor.7 97423 356942 74175 0 2 0x480 syz-executor.4 97423 262725 74175 0 3 0x4000080 fsleep syz-executor.4 52603 504686 57360 0 2 0 syz-executor.6 52603 457728 57360 0 3 0x4000080 fsleep syz-executor.6 52603 199458 57360 0 3 0x4000080 fsleep syz-executor.6 16144 338638 70803 0 2 0x480 syz-executor.5 16144 387766 70803 0 3 0x4000080 fsleep syz-executor.5 9509 42414 90036 0 2 0x480 syz-executor.0 9509 356737 90036 0 3 0x4000080 netio syz-executor.0 9509 449492 90036 0 3 0x4000080 netio syz-executor.0 9509 386419 90036 0 3 0x4000080 netio syz-executor.0 9509 95055 90036 0 3 0x4000080 netio syz-executor.0 9509 504859 90036 0 3 0x4000080 fsleep syz-executor.0 90036 419812 87415 0 2 0x482 syz-executor.0 97737 206277 0 0 3 0x14200 acct acct 57360 213268 87415 0 2 0x482 syz-executor.6 74012 304306 87415 0 2 0x482 syz-executor.7 56345 207357 87415 0 2 0x482 syz-executor.3 70803 280413 87415 0 2 0x482 syz-executor.5 69772 7563 87415 0 2 0x482 syz-executor.2 4824 465304 87415 0 2 0x482 syz-executor.1 74175 323909 87415 0 2 0x482 syz-executor.4 55198 217475 1 0 3 0x100083 ttyopn getty 96478 329780 0 0 3 0x14200 bored sosplice 87415 209291 31184 0 3 0x82 thrsleep syz-fuzzer 87415 218268 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 318353 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 283365 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 65463 31184 0 3 0x4000082 kqread syz-fuzzer 87415 418745 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 239544 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 95346 31184 0 3 0x4000082 thrsleep syz-fuzzer 87415 151499 31184 0 3 0x4000082 thrsleep syz-fuzzer 31184 320630 75013 0 3 0x10008a sigsusp ksh 75013 83124 33654 0 3 0x9a kqread sshd 33654 351420 1 0 3 0x88 kqread sshd 12667 121780 57501 74 3 0x100092 bpf pflogd 57501 327609 1 0 3 0x80 netio pflogd 22390 457395 16855 73 3 0x100090 kqread syslogd 16855 31560 1 0 3 0x100082 netio syslogd 54607 400693 1 0 3 0x100080 kqread resolvd 56970 521663 58350 77 2 0x100092 dhcpleased 66927 82237 58350 77 3 0x100092 kqread dhcpleased 58350 306584 1 0 3 0x80 kqread dhcpleased 11942 260115 0 0 3 0x14200 bored smr 46357 208368 0 0 2 0x14200 zerothread 33463 208843 0 0 3 0x14200 aiodoned aiodoned 843 159957 0 0 3 0x14200 syncer update 80656 371265 0 0 3 0x14200 cleaner cleaner 85622 164357 0 0 3 0x14200 reaper reaper 11022 71047 0 0 3 0x14200 pgdaemon pagedaemon 91912 211408 0 0 3 0x14200 bored viomb 67167 224141 0 0 3 0x40014200 acpi0 acpi0 93754 6702 0 0 7 0x40014200 idle1 2404 36657 0 0 3 0x14200 bored softnet 49440 331699 0 0 3 0x14200 bored systqmp 67815 341247 0 0 3 0x14200 bored systq 98740 442198 0 0 2 0x40014200 softclock 94556 486073 0 0 3 0x40014200 idle0 1 258361 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 66572 (syz-executor.2) thread 0xffff8000211422a8 (436833) exclusive rwlock clonelk r = 0 (0xffffffff828e4a20) #0 witness_lock+02115 #1 if_clone_destroy+0111 #2 soo_ioctl+01154 #3 sys_ioctl+02242 #4 syscall+02211 #5 Xsyscall+0450 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a3d4a8) #0 witness_lock+02115 #1 soo_ioctl+01132 #2 sys_ioctl+02242 #3 syscall+02211 #4 Xsyscall+0450 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10235 6512K 7420K 78643K 129865 0 pcb 15 20K 24K 78643K 10292 0 rtable 308 35K 36K 78643K 14131 0 ifaddr 113 31K 33K 78643K 5802 0 sysctl 3 1K 5K 78643K 8 0 counters 58 35K 36K 78643K 1032 0 ioctlops 0 0K 8K 78643K 15069 0 iov 0 0K 16K 78643K 6532 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1549 97K 97K 78643K 40676 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 3 5K 13K 78643K 547 0 VM map 2 1K 1K 78643K 2 0 sem 21 36K 72K 78643K 4567 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 16 57K 89K 78643K 53415 0 sigio 0 0K 0K 78643K 487 0 proc 108 89K 124K 78643K 5927 0 subproc 104 6K 6K 78643K 1596 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 2214 0 in_multi 82 5K 6K 78643K 4018 0 ether_multi 1 0K 0K 78643K 587 0 mrt 2 0K 0K 78643K 251 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 319 1420K 1420K 78643K 319 0 exec 0 0K 2K 78643K 11351 0 pfkey data 0 0K 1K 78643K 16 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 920 2508K 2527K 78643K 665118 0 UVM aobj 131 5K 5K 78643K 142 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 2668 0 NDP 15 0K 2K 78643K 1015 0 temp 172 4769K 8866K 78643K 570454 0 kqueue 12 18K 28K 78643K 3052 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 3358 0 3354 47 46 1 5 0 8 0 rtentry 112 2622 0 2524 5 1 4 4 0 8 0 unpcb 136 121360 0 121333 649 647 2 15 0 8 0 syncache 296 35 0 35 10 10 0 1 0 8 0 tcpqe 32 72 0 72 7 7 0 1 0 8 0 tcpcb 736 24842 0 24836 708 706 2 19 0 8 1 arp 120 277 0 259 1 0 1 1 0 8 0 inpcb 304 56061 0 56051 714 711 3 16 0 8 1 rttmr 72 58 0 58 19 19 0 1 0 8 0 nd6 48 674 0 651 1 0 1 1 0 8 0 pkpcb 40 229 0 229 35 34 1 1 0 8 1 kcovpl 48 122 0 114 1 0 1 1 0 8 0 ppxss 1248 223 0 223 44 44 0 1 0 8 0 pfstscr 40 23 0 23 5 5 0 1 0 8 0 pffrag 232 279 0 276 29 28 1 1 0 482 0 pffrnode 88 277 0 274 29 28 1 1 0 8 0 pffrent 40 1092 0 1089 32 31 1 1 0 8 0 pfosfp 40 1431 0 1007 5 0 5 5 0 8 0 pfosfpen 112 1431 0 714 21 0 21 21 0 8 0 pfrke_plain 168 261 0 261 5 5 0 1 0 8 0 pfrktable 1344 2965 0 2927 6 2 4 4 0 8 0 pftag 88 22 0 17 1 0 1 1 0 8 0 pfstitem 24 95 0 93 1 0 1 1 0 8 0 pfstkey 112 129 0 127 1 0 1 1 0 8 0 pfstate 320 109 0 107 2 1 1 2 0 8 0 pfrule 1360 1710 0 1561 15 2 13 13 0 8 0 art_heap8 4096 7 0 6 5 4 1 4 0 8 0 art_heap4 256 13794 0 13415 87 63 24 30 0 8 0 art_table 32 13801 0 13421 4 0 4 4 0 8 0 art_node 16 2609 0 2523 1 0 1 1 0 8 0 sysvmsgpl 40 112 0 76 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 4559 0 4540 1 0 1 1 0 8 0 shmpl 112 139 0 11 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 75953 0 74373 99 0 99 99 0 8 0 ffsino 272 75953 0 74373 107 1 106 106 0 8 0 nchpl 144 148180 0 146550 63 0 63 63 0 8 0 rtmask 32 342 0 342 5 5 0 1 0 8 0 uvmvnodes 80 6169 0 0 126 0 126 126 0 8 0 vnodes 224 6169 0 0 363 0 363 363 0 8 0 namei 1024 531718 0 531718 20 19 1 2 0 8 1 percpumem 16 528 0 487 1 0 1 1 0 8 0 vcpupl 2048 418 0 1 53 0 53 53 0 8 0 vmpool 560 513 0 96 32 2 30 30 0 8 0 pfiaddrpl 120 1464 0 1386 3 0 3 3 0 8 0 scsiplug 72 16 0 16 5 5 0 1 0 8 0 scxspl 216 452462 0 452462 70 69 1 8 0 8 1 plimitpl 152 6007 0 5991 1 0 1 1 0 8 0 sigapl 424 53593 0 53548 12 6 6 8 0 8 0 futexpl 64 544317 0 544310 13 12 1 1 0 8 0 knotepl 120 1632 0 0 18 11 7 11 0 8 0 kqueuepl 216 12502 0 12492 273 272 1 8 0 8 0 pipepl 336 13904 0 13875 351 343 8 14 0 8 5 fdescpl 496 53472 0 53443 7 3 4 5 0 8 0 filepl 152 467103 0 466839 827 812 15 28 0 8 4 lockfpl 104 13661 0 13659 33 32 1 4 0 8 0 lockfspl 48 3862 0 3860 1 0 1 1 0 8 0 sessionpl 144 140 0 123 1 0 1 1 0 8 0 pgrppl 48 361 0 344 1 0 1 1 0 8 0 ucredpl 96 62525 0 62512 1 0 1 1 0 8 0 zombiepl 144 53548 0 53546 8 7 1 1 0 8 0 processpl 1064 53593 0 53546 5 0 5 5 0 8 0 procpl 672 143503 0 143436 80 72 8 9 0 8 0 srpgc 96 120 0 120 32 32 0 1 0 8 0 sosppl 168 418 0 418 76 76 0 1 0 8 0 sockpl 480 181163 0 181122 4703 4695 8 54 0 8 2 mcl64k 65536 9 0 0 2 0 2 2 0 8 0 mcl16k 16384 2 0 0 1 0 1 1 0 8 0 mcl12k 12288 3 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 6 0 0 1 0 1 1 0 8 0 mcl4k 4096 5 0 0 1 0 1 1 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 792 0 0 25 6 19 20 0 8 0 mtagpl 96 2890 0 0 25 0 25 25 0 8 0 mbufpl 256 12034 0 0 664 0 664 664 0 8 0 bufpl 288 112640 0 106454 453 3 450 453 0 8 0 anonpl 24 15011162 0 14988600 844 673 171 187 0 186 11 amapchunkpl 152 1626446 0 1625536 370 331 39 53 0 158 0 amappl16 200 145826 0 144822 431 371 60 67 0 8 1 amappl15 192 10363 0 10359 1 0 1 1 0 8 0 amappl14 184 5894 0 5883 2 1 1 1 0 8 0 amappl13 176 5535 0 5530 1 0 1 1 0 8 0 amappl12 168 5761 0 5751 1 0 1 1 0 8 0 amappl11 160 9222 0 9204 1 0 1 1 0 8 0 amappl10 152 10641 0 10628 1 0 1 1 0 8 0 amappl9 144 6619 0 6615 1 0 1 1 0 8 0 amappl8 136 8443 0 8194 10 0 10 10 0 8 0 amappl7 128 4788 0 4776 1 0 1 1 0 8 0 amappl6 120 6770 0 6727 6 4 2 2 0 8 0 amappl5 112 49645 0 49616 1 0 1 1 0 8 0 amappl4 104 21524 0 21478 2 0 2 2 0 8 0 amappl3 96 14004 0 13982 1 0 1 1 0 8 0 amappl2 88 11448 0 11340 5 2 3 3 0 8 0 amappl1 80 948748 0 948156 35 21 14 19 0 8 0 amappl 88 661258 0 660796 16 4 12 12 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 141 0 11 3 0 3 3 0 8 0 uaddrrnd 24 53985 0 53539 3 0 3 3 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 53985 0 53539 3 0 3 3 0 8 0 vmmpekpl 168 361564 0 361449 6 0 6 6 0 8 0 vmmpepl 168 4835654 0 4831670 1357 1158 199 218 0 357 2 vmsppl 368 53984 0 53539 44 3 41 41 0 8 0 rwobjpl 56 1142543 0 1133767 185 58 127 128 0 8 0 pdppl 4096 107977 0 107495 2325 1839 486 486 0 8 4 pvpl 32 25293989 0 25271166 1385 1145 240 278 0 265 20 pmappl 248 53984 0 53539 30 2 28 28 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 4967 0 2991 58 1 57 57 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+030 panic(ffffffff825739a5) at panic+0567 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+045 tun_clone_destroy(ffff800000be9000) at tun_clone_destroy+01170 if_clone_destroy(ffff80002e42b460) at if_clone_destroy+0462 soo_ioctl(fffffd80639e4390,80206979,ffff80002e42b460,ffff8000211422a8) at soo_ioctl+01154 sys_ioctl(ffff8000211422a8,ffff80002e42b578,ffff80002e42b5d0) at sys_ioctl+02242 syscall(ffff80002e42b640) at syscall+02211 Xsyscall() at Xsyscall+0450 end of kernel end trace frame: 0x4d7c7503b80, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+032: addq $010,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+032 x86_ipi_handler() at x86_ipi_handler+0267 Xresume_lapic_ipi() at Xresume_lapic_ipi+043 acpicpu_idle() at acpicpu_idle+01422 sched_idle(ffff800020ce8ff0) at sched_idle+02027 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+032 x86_ipi_handler() at x86_ipi_handler+0267 Xresume_lapic_ipi() at Xresume_lapic_ipi+043 acpicpu_idle() at acpicpu_idle+01422 sched_idle(ffff800020ce8ff0) at sched_idle+02027 end trace frame: 0x0, count: -5