panic: kernel diagnostic assertion "rn != NULL" failed: file "/syzkaller/managers/main/kernel/sys/net/pipex.c", line 501 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80003c995d58) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8d18) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003815b560) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a807db0,41,fffffd8007bfb618,ffff80002a7f8d18) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd80683269e0,ffff80002a7f8d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd80683269e0,ffff80002a7f8d18) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7f8d18) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7f8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7f8d18,ffff80003815b8c0,ffff80003815b810) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003815b8b0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "rn != NULL" failed: file "/syzkaller/managers/main/kernel/sys/net/pipex.c", line 501 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80003c995d58) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8d18) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003815b560) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a807db0,41,fffffd8007bfb618,ffff80002a7f8d18) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd80683269e0,ffff80002a7f8d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd80683269e0,ffff80002a7f8d18) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7f8d18) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7f8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7f8d18,ffff80003815b8c0,ffff80003815b810) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003815b8c0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003815b8c0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x707a0c0191c0, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003815b340 rbx 0x1 rdx 0 rcx 0 rax 0xffff80002a7f8d18 r8 0x101010101010101 r9 0x8080808080808080 r10 0xc3d53c18d79cd756 r11 0x9417469ab3ebdd37 r12 0 r13 0xffff80003c9965b8 r14 0 r15 0x1 rip 0xffffffff83188ce5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003815b330 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=458781 pid=75451 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a7f8d18 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a7f9778,0xffff80002a7f8560 process=0xffff80003a56b6e0 user=0xffff800038156000, vmspace=0xfffffd806c3e2b90 estcpu=1, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 79558 140180 92319 0 2 0 syz-executor 79558 430893 92319 0 3 0x4000080 fsleep syz-executor 68985 168282 45936 0 2 0x10 syz-executor 68985 34658 45936 0 3 0x4000090 ttyin syz-executor 19472 26935 60781 0 3 0x80 nanoslp syz-executor 19472 181647 60781 0 3 0x4000080 bell syz-executor 19472 352799 60781 0 3 0x4000080 fsleep syz-executor 43806 192261 88975 0 3 0x80 nanoslp syz-executor 43806 231610 88975 0 3 0x4000080 kqsel syz-executor 43806 401678 88975 0 3 0x4000080 kqsel syz-executor 43806 427645 88975 0 3 0x4000080 fsleep syz-executor 59238 461503 67869 0 3 0x80 nanoslp syz-executor 59238 508195 67869 0 2 0x4000000 syz-executor 59238 392899 67869 0 3 0x4000000 fltagain2 syz-executor 69642 141120 0 0 3 0x14200 bored sosplice 97194 214953 37721 0 3 0x82 nanoslp syz-executor 92319 9499 37721 0 3 0x82 nanoslp syz-executor 16453 420778 37721 0 3 0x82 wait syz-executor 60781 182780 37721 0 3 0x82 nanoslp syz-executor 88975 511429 37721 0 3 0x82 nanoslp syz-executor 67869 110585 37721 0 3 0x82 nanoslp syz-executor 34272 307001 37721 0 3 0x82 nanoslp syz-executor 45936 394342 37721 0 3 0x82 nanoslp syz-executor 37721 115101 92600 0 3 0x82 kqread syz-executor 92600 263911 63264 0 3 0x10008a sigsusp ksh 63264 153536 33890 0 3 0x98 kqread sshd-session 33890 466820 84904 0 3 0x92 kqread sshd-session 83650 222555 1 0 3 0x100083 ttyin getty 84904 296899 1 0 3 0x88 kqread sshd 94126 485454 45937 73 3 0x1100090 kqread syslogd 45937 167385 1 0 3 0x100082 sbwait syslogd 34483 203970 1 0 3 0x100080 kqread resolvd 67650 234327 21660 77 2 0x100012 dhcpleased 82638 291454 21660 77 3 0x100092 kqread dhcpleased 21660 419814 1 0 3 0x80 kqread dhcpleased 82713 477597 0 0 3 0x14200 bored smr 5131 370280 0 0 2 0x14200 zerothread 44915 173466 0 0 3 0x14200 aiodoned aiodoned 70891 91729 0 0 3 0x14200 syncer update 15842 338446 0 0 3 0x14200 cleaner cleaner 86148 443090 0 0 3 0x14200 reaper reaper 65044 311032 0 0 3 0x14200 pgdaemon pagedaemon 32066 33607 0 0 3 0x14200 bored viomb 41099 201933 0 0 3 0x40014200 acpi0 acpi0 94900 133706 0 0 3 0x14200 bored softnet7 47665 276581 0 0 3 0x14200 bored softnet6 89176 139000 0 0 3 0x14200 bored softnet5 39923 422986 0 0 3 0x14200 bored softnet4 53149 296796 0 0 3 0x14200 bored softnet3 70466 338050 0 0 3 0x14200 bored softnet2 34163 80698 0 0 3 0x14200 bored softnet1 86252 186821 0 0 2 0x14200 softnet0 87029 435926 0 0 3 0x14200 bored systqmp 53181 26253 0 0 3 0x14200 bored systq 6788 76436 0 0 3 0x40014200 tmoslp softclock 98341 204681 0 0 3 0x40014200 idle0 1 75273 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10181 11041K 11300K 166960K 11445 0 pcb 18 14K 16K 166960K 139 0 rtable 158 6K 6K 166960K 282 0 pf 29 12K 131084K 166960K 50 0 ifaddr 36 6K 7K 166960K 58 0 ifgroup 44 1K 2K 166960K 70 0 sysctl 1 1K 9K 166960K 5 0 counters 34 17K 18K 166960K 115 0 ioctlops 0 0K 4K 166960K 153 0 iov 0 0K 16K 166960K 10 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1344 85K 85K 166960K 1472 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 4 0 VM map 2 1K 1K 166960K 2 0 sem 8 0K 0K 166960K 9 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 89K 166960K 305 0 sigio 0 0K 0K 166960K 3 0 proc 63 67K 100K 166960K 493 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 152 0 in_multi 81 5K 7K 166960K 113 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 3 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 67 307K 307K 166960K 67 0 exec 0 0K 1K 166960K 355 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 238 155K 159K 166960K 4183 0 UVM aobj 70 3K 3K 166960K 71 0 pinsyscall 39 78K 92K 166960K 1332 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 2 0K 0K 166960K 9 0 NDP 10 0K 2K 166960K 36 0 temp 40 8634K 8707K 166960K 8804 0 kqueue 15 24K 32K 166960K 68 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 45 0 42 1 0 1 1 0 8 0 rtentry 136 102 0 36 4 0 4 4 0 8 0 unpcb 144 213 0 194 3 0 3 3 0 8 2 syncache 336 4 0 4 2 1 1 1 0 8 1 tcpcb 736 60 0 56 2 0 2 2 0 8 1 arp 88 11 0 3 1 0 1 1 0 8 0 ipq 40 1 0 0 1 0 1 1 0 8 0 ipqe 40 1 0 0 1 0 1 1 0 8 0 inpcb 328 314 0 305 7 0 7 7 0 8 5 ip6q 72 3 0 1 1 0 1 1 0 8 0 ip6af 40 3 0 2 1 0 1 1 0 8 0 nd6 104 18 0 5 1 0 1 1 0 8 0 pkpcb 40 1 0 1 1 1 0 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 82 0 77 2 1 1 1 0 8 0 pfrule 1344 33 0 33 1 1 0 1 0 8 0 rttmr 136 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 517 0 204 29 0 29 29 0 8 7 art_table 40 518 0 204 5 0 5 5 0 8 0 art_node 32 102 0 44 1 0 1 1 0 8 0 sysvmsgpl 40 1 0 0 1 0 1 1 0 8 0 semupl 112 2 0 2 1 0 1 1 0 8 1 semapl 112 6 0 0 1 0 1 1 0 8 0 shmpl 112 68 0 1 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1863 0 357 95 0 95 95 0 8 0 ffsino 256 1863 0 357 95 0 95 95 0 8 0 nchpl 144 2296 0 606 63 0 63 63 0 8 0 rtmask 32 6 0 3 1 0 1 1 0 8 0 uvmvnodes 80 2007 0 0 41 0 41 41 0 8 0 vnodes 216 2007 0 0 112 0 112 112 0 8 0 namei 1024 7072 0 7072 3 2 1 2 0 8 1 kstatmem 264 40 0 20 2 0 2 2 0 8 0 scsiplug 72 2 0 2 1 0 1 1 0 8 1 scxspl 216 8159 0 8159 8 7 1 8 1 8 1 plimitpl 152 55 0 38 1 0 1 1 0 8 0 sigapl 424 588 0 537 7 1 6 7 0 8 0 knotepl 120 11904 0 11605 34 18 16 16 0 8 6 kqueuepl 184 157 0 141 4 3 1 4 0 8 0 pipepl 304 112 0 83 3 0 3 3 0 8 0 fdescpl 448 567 0 537 5 1 4 5 0 8 0 filepl 120 2502 0 2272 11 1 10 10 0 8 1 lockfpl 104 158 0 155 2 0 2 2 0 8 1 lockfspl 48 37 0 34 1 0 1 1 0 8 0 sessionpl 144 22 0 14 1 0 1 1 0 8 0 pgrppl 48 33 0 17 1 0 1 1 0 8 0 ucredpl 104 259 0 247 1 0 1 1 0 8 0 zombiepl 144 540 0 537 2 1 1 1 0 8 0 processpl 1168 588 0 537 5 1 4 5 0 8 0 procpl 664 853 0 793 6 0 6 6 0 8 0 sockpl 552 583 0 552 7 0 7 7 0 8 3 mcl64k 65536 9 0 9 1 0 1 1 0 8 1 mcl8k 8192 7 0 7 2 1 1 1 0 8 1 mcl4k 4096 2639 0 2589 14 7 7 14 0 8 0 mcl2k 2048 441 0 437 4 0 4 4 0 8 3 mtagpl 96 8 0 6 1 0 1 1 0 8 0 mbufpl 256 5773 0 5637 15 0 15 15 0 8 2 bufpl 280 3380 0 117 234 0 234 234 0 8 0 anonpl 24 100292 0 95748 66 34 32 56 0 187 4 amapchunkpl 152 12690 0 12111 30 5 25 25 0 158 2 amappl16 200 1549 0 1506 15 12 3 14 0 8 0 amappl15 192 1 0 1 1 1 0 1 0 8 0 amappl14 184 103 0 93 1 0 1 1 0 8 0 amappl13 176 6 0 6 1 1 0 1 0 8 0 amappl12 168 1170 0 1140 3 1 2 3 0 8 0 amappl11 160 42 0 32 1 0 1 1 0 8 0 amappl10 152 3 0 3 1 1 0 1 0 8 0 amappl9 144 249 0 249 1 1 0 1 0 8 0 amappl8 136 27 0 26 1 0 1 1 0 8 0 amappl7 128 92 0 82 1 0 1 1 0 8 0 amappl6 120 167 0 163 1 0 1 1 0 8 0 amappl5 112 112 0 106 1 0 1 1 0 8 0 amappl4 104 272 0 255 1 0 1 1 0 8 0 amappl3 96 2277 0 2161 3 0 3 3 0 8 0 amappl2 88 609 0 555 2 0 2 2 0 8 0 amappl1 80 8840 0 8292 15 1 14 14 0 8 0 amappl 88 3528 0 3355 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 70 0 1 2 0 2 2 0 8 0 uaddrrnd 24 567 0 537 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 567 0 537 1 0 1 1 0 8 0 vmmpekpl 168 5998 0 5964 2 0 2 2 0 8 0 vmmpepl 168 41045 0 39139 97 10 87 92 0 357 4 vmsppl 368 566 0 537 4 1 3 4 0 8 0 rwobjpl 40 15528 0 12581 31 1 30 30 0 8 0 pdppl 4096 1141 0 1074 97 30 67 79 0 8 0 pvpl 32 258647 0 248184 153 52 101 127 0 265 13 pmappl 216 566 0 537 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 380 0 46 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80003c995d58) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8d18) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003815b560) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a807db0,41,fffffd8007bfb618,ffff80002a7f8d18) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd80683269e0,ffff80002a7f8d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd80683269e0,ffff80002a7f8d18) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7f8d18) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7f8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7f8d18,ffff80003815b8c0,ffff80003815b810) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003815b8c0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003815b8c0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x707a0c0191c0, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80003c995d58) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff800001471800) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8d18) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003815b560) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a807db0,41,fffffd8007bfb618,ffff80002a7f8d18) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd80683269e0,ffff80002a7f8d18) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd80683269e0,ffff80002a7f8d18) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd80683269e0,ffff80002a7f8d18) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7f8d18) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7f8d18,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7f8d18,ffff80003815b8c0,ffff80003815b810) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003815b8c0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003815b8c0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x707a0c0191c0, count: -16