[ 325.8051749] panic: kernel diagnostic assertion "sn->sn_opencnt" failed: file "/syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/miscfs/specfs/spec_vnops.c", line 1665 
[ 325.8251590] cpu1: Begin traceback...
[ 325.8451596] vpanic() at netbsd:vpanic+0x2f2 sys/kern/subr_prf.c:293
[ 325.9151633] kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074
[ 325.9751615] spec_close() at netbsd:spec_close+0x8a0 sys/miscfs/specfs/spec_vnops.c:1665
[ 326.0251592] VOP_CLOSE() at netbsd:VOP_CLOSE+0x132 sys/kern/vnode_if.c:605
[ 326.0651590] cnclose() at netbsd:cnclose+0x10a sys/dev/cons.c:159
[ 326.1151589] cdev_close() at netbsd:cdev_close+0x181 sys/kern/subr_devsw.c:1200
[ 326.1651595] spec_close() at netbsd:spec_close+0x5c1 sys/miscfs/specfs/spec_vnops.c:1710
[ 326.2151590] VOP_CLOSE() at netbsd:VOP_CLOSE+0x132 sys/kern/vnode_if.c:605
[ 326.2651593] vn_close() at netbsd:vn_close+0x4c sys/kern/vfs_vnops.c:480
[ 326.3051590] closef() at netbsd:closef+0x1cd sys/kern/kern_descrip.c:832
[ 326.3551601] fd_free() at netbsd:fd_free+0x4dc sys/kern/kern_descrip.c:1571
[ 326.4051610] exit1() at netbsd:exit1+0x3a7 sys/kern/kern_exit.c:301
[ 326.4551578] sys_exit() at netbsd:sys_exit+0xd4 sys/kern/kern_exit.c:180
[ 326.5051592] syscall() at netbsd:syscall+0x2da sy_call sys/sys/syscallvar.h:65 [inline]
[ 326.5051592] syscall() at netbsd:syscall+0x2da sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 326.5051592] syscall() at netbsd:syscall+0x2da sys/arch/x86/x86/syscall.c:138
[ 326.5151583] --- syscall (number 1) ---
[ 326.5351590] netbsd:syscall+0x2da:
[ 326.5351590] cpu1: End traceback...
[ 326.5351590] fatal breakpoint trap in supervisor mode
[ 326.5451575] trap type 1 code 0 rip 0xffffffff80221ab5 cs 0x8 rflags 0x246 cr2 0x413eb0 ilevel 0 rsp 0xffffd980c80b4a30
[ 326.5551575] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
[ 326.5651574] Skipping crash dump on recursive panic
[ 326.5651574] panic: UBSan: Undefined Behavior in /syzkaller/managers/ci2-netbsd-kubsan/kernel/sys/dev/wsfb/genfb.c:988:28, member access within null pointer of type 'struct genfb_private'

[ 326.5651574] cpu1: Begin traceback...
[ 326.5651574] vpanic() at netbsd:vpanic+0x2f2 sys/kern/subr_prf.c:293
[ 326.5651574] Report() at netbsd:Report+0x3b sys/../common/lib/libc/misc/ubsan.c:1352
[ 326.5651574] HandleTypeMismatch() at netbsd:HandleTypeMismatch+0x1fb sys/../common/lib/libc/misc/ubsan.c:429
[ 326.5651574] genfb_enable_polling() at netbsd:genfb_enable_polling+0x17e sys/dev/wsfb/genfb.c:988
[ 326.5651574] x86_genfb_ddb_trap_callback() at netbsd:x86_genfb_ddb_trap_callback+0x39 sys/arch/x86/x86/genfb_machdep.c:97
[ 326.5651574] db_trap() at netbsd:db_trap+0x68 sys/ddb/db_trap.c:73
[ 326.5651574] kdb_trap() at netbsd:kdb_trap+0x1aa sys/arch/amd64/amd64/db_interface.c:251
[ 326.5651574] trap() at netbsd:trap+0x5b2 sys/arch/amd64/amd64/trap.c:315
[ 326.5651574] --- trap (number 1) ---
[ 326.5651574] breakpoint() at netbsd:breakpoint+0x5
[ 326.5651574] db_panic() at netbsd:db_panic+0xec sys/ddb/db_panic.c:69
[ 326.5651574] vpanic() at netbsd:vpanic+0x2f2 sys/kern/subr_prf.c:293
[ 326.5651574] kern_assert() at netbsd:kern_assert+0x65 sys/arch/amd64/amd64/db_disasm.c:1074
[ 326.5651574] spec_close() at netbsd:spec_close+0x8a0 sys/miscfs/specfs/spec_vnops.c:1665
[ 326.5651574] VOP_CLOSE() at netbsd:VOP_CLOSE+0x132 sys/kern/vnode_if.c:605
[ 326.5651574] cnclose() at netbsd:cnclose+0x10a sys/dev/cons.c:159
[ 326.5651574] cdev_close() at netbsd:cdev_close+0x181 sys/kern/subr_devsw.c:1200
[ 326.5651574] spec_close() at netbsd:spec_close+0x5c1 sys/miscfs/specfs/spec_vnops.c:1710
[ 326.5651574] VOP_CLOSE() at netbsd:VOP_CLOSE+0x132 sys/kern/vnode_if.c:605
[ 326.5651574] vn_close() at netbsd:vn_close+0x4c sys/kern/vfs_vnops.c:480
[ 326.5651574] closef() at netbsd:closef+0x1cd sys/kern/kern_descrip.c:832
[ 326.5651574] fd_free() at netbsd:fd_free+0x4dc sys/kern/kern_descrip.c:1571
[ 326.5651574] exit1() at netbsd:exit1+0x3a7 sys/kern/kern_exit.c:301
[ 326.5651574] sys_exit() at netbsd:sys_exit+0xd4 sys/kern/kern_exit.c:180
[ 326.5651574] syscall() at netbsd:syscall+0x2da sy_call sys/sys/syscallvar.h:65 [inline]
[ 326.5651574] syscall() at netbsd:syscall+0x2da sy_invoke sys/sys/syscallvar.h:94 [inline]
[ 326.5651574] syscall() at netbsd:syscall+0x2da sys/arch/x86/x86/syscall.c:138
[ 326.5651574] --- syscall (number 1) ---
[ 326.5651574] netbsd:syscall+0x2da:
[ 326.5651574] cpu1: End traceback...
[ 326.5651574] fatal breakpoint trap in supervisor mode
[ 326.5651574] trap type 1 code 0 rip 0xffffffff80221ab5 cs 0x8 rflags 0x246 cr2 0x413eb0 ilevel 0x8 rsp 0xffffd980c80b4100
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b3d30
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b3960
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b3590
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b31c0
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b2df0
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e
[ 326.5651574] fatal page fault in supervisor mode
[ 326.5651574] trap type 6 code 0 rip 0xffffffff830b6b5b cs 0x8 rflags 0x10217 cr2 0x1e8 ilevel 0x8 rsp 0xffffd980c80b2a20
[ 326.5651574] curlwp 0xfffffb684f402080 pid 9096.9096 lowest kstack 0xffffd980c80b02c0
kernel: page fault trap, code=0
[ 326.5651574] uvm_fault(0xfffffb684be0e758, 0x0, 1) -> e