panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *295016 71823 0 0 0x4000000 0K syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000dc8800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800026096a70) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80690c7860,80206979,ffff800026096a70,ffff80002e4c97a0) at soo_ioctl+0x26c sys_ioctl(ffff80002e4c97a0,ffff800026096b88,ffff800026096be0) at sys_ioctl+0x4a2 syscall(ffff800026096c50) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800026096c50) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x15dafed7a40, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000dc8800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800026096a70) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80690c7860,80206979,ffff800026096a70,ffff80002e4c97a0) at soo_ioctl+0x26c sys_ioctl(ffff80002e4c97a0,ffff800026096b88,ffff800026096be0) at sys_ioctl+0x4a2 syscall(ffff800026096c50) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800026096c50) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x15dafed7a40, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800026096880 rbx 0xffffffff82920bff cpu_info_full_primary+0x2bff rdx 0 rcx 0 rax 0xffff80002e4c97a0 r8 0 r9 0x8080808080808080 r10 0x307ddf10f608aa55 r11 0xbac4dfed86283d49 r12 0xffffffff82920a00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff8147cfe8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800026096870 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=295016 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff80002e4c9ce0,0xffff8000ffff4010 process=0xffff80002e50f628 user=0xffff800026091000, vmspace=0xfffffd80683458c0 estcpu=36, cpticks=3, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 14416 407560 26355 0 2 0 syz-executor.4 14416 342806 26355 0 2 0x4000000 syz-executor.4 45404 515736 29629 0 2 0 syz-executor.7 45404 153322 29629 0 3 0x4000080 fsleep syz-executor.7 35820 422620 75753 0 2 0 syz-executor.1 35820 111826 75753 0 3 0x4000080 fsleep syz-executor.1 71823 333128 56590 0 2 0 syz-executor.0 *71823 295016 56590 0 7 0x4000000 syz-executor.0 71823 57389 56590 0 3 0x4000080 fsleep syz-executor.0 91380 474309 41636 0 2 0x480 syz-executor.6 91380 175933 41636 0 3 0x4000080 kqpoll syz-executor.6 91380 276106 41636 0 3 0x4000080 fsleep syz-executor.6 41636 12136 46334 0 3 0x82 nanoslp syz-executor.6 27745 373447 46334 0 3 0x82 piperd syz-executor.5 56590 456498 46334 0 2 0x482 syz-executor.0 57683 252439 46334 0 2 0x2 syz-executor.3 29629 23408 46334 0 3 0x82 nanoslp syz-executor.7 98172 425881 46334 0 2 0x2 syz-executor.2 75753 147188 46334 0 2 0x482 syz-executor.1 26355 219435 46334 0 2 0x482 syz-executor.4 21696 180918 1 0 3 0x100083 ttyin getty 35294 141046 0 0 3 0x14200 bored sosplice 46334 159338 33313 0 3 0x82 thrsleep syz-fuzzer 46334 340362 33313 0 3 0x4000082 nanoslp syz-fuzzer 46334 73399 33313 0 3 0x4000082 thrsleep syz-fuzzer 46334 516588 33313 0 3 0x4000082 thrsleep syz-fuzzer 46334 36254 33313 0 2 0x4000482 syz-fuzzer 46334 494842 33313 0 3 0x4000082 kqread syz-fuzzer 46334 419755 33313 0 3 0x4000082 thrsleep syz-fuzzer 46334 357219 33313 0 3 0x4000082 thrsleep syz-fuzzer 46334 58273 33313 0 3 0x4000082 thrsleep syz-fuzzer 33313 269507 10754 0 3 0x10008a sigsusp ksh 10754 323433 46544 0 3 0x9a kqread sshd 46544 506461 1 0 3 0x88 kqread sshd 73468 363778 22067 74 3 0x100092 bpf pflogd 22067 367562 1 0 3 0x80 netio pflogd 35615 488397 95217 73 3 0x100090 kqread syslogd 95217 464852 1 0 3 0x100082 netio syslogd 53860 444398 1 0 3 0x100080 kqread resolvd 81848 203954 39362 77 2 0x100092 dhcpleased 89230 474641 39362 77 3 0x100092 kqread dhcpleased 39362 498980 1 0 3 0x80 kqread dhcpleased 41082 137427 0 0 3 0x14200 bored smr 9168 273901 0 0 2 0x14200 zerothread 30862 221759 0 0 3 0x14200 aiodoned aiodoned 67464 228492 0 0 3 0x14200 syncer update 87994 228818 0 0 3 0x14200 cleaner cleaner 6076 464259 0 0 3 0x14200 reaper reaper 54293 174949 0 0 3 0x14200 pgdaemon pagedaemon 5027 268334 0 0 3 0x14200 bored viomb 4460 488460 0 0 3 0x40014200 acpi0 acpi0 47765 283118 0 0 7 0x40014200 idle1 9246 22387 0 0 3 0x14200 bored softnet 92397 91312 0 0 3 0x14200 bored systqmp 3197 344423 0 0 3 0x14200 bored systq 23763 450140 0 0 3 0x40014200 bored softclock 643 399334 0 0 3 0x40014200 idle0 1 15993 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 71823 (syz-executor.0) thread 0xffff80002e4c97a0 (295016) exclusive rwlock clonelk r = 0 (0xffffffff828e4a20) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a3d4a8) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 Process 57683 (syz-executor.3) thread 0xffff80002e513a48 (252439) exclusive rrwlock inode r = 0 (0xfffffd8074411808) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:579 #5 vget+0x1d3 sys/kern/vfs_subr.c:677 #6 ufs_ihashget+0x121 sys/ufs/ufs/ufs_ihash.c:119 #7 ffs_vget+0x7c sys/ufs/ffs/ffs_vfsops.c:1318 #8 ufs_lookup+0x13ba sys/ufs/ufs/ufs_lookup.c:487 #9 VOP_LOOKUP+0x58 sys/kern/vfs_vops.c:85 #10 vfs_lookup+0x6e5 sys/kern/vfs_lookup.c:561 #11 namei+0x36a sys/kern/vfs_lookup.c:245 #12 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849 #13 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #13 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #14 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd80665c51b8) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:579 #5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413 #6 namei+0x36a sys/kern/vfs_lookup.c:245 #7 dounlinkat+0x99 sys/kern/vfs_syscalls.c:1849 #8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #9 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10224 6521K 6912K 78643K 41479 0 pcb 17 20K 23K 78643K 2715 0 rtable 307 35K 36K 78643K 3880 0 ifaddr 115 27K 29K 78643K 2294 0 sysctl 2 0K 0K 78643K 2 0 counters 58 35K 36K 78643K 442 0 ioctlops 0 0K 4K 78643K 24446 0 iov 0 0K 24K 78643K 1751 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1445 90K 91K 78643K 11623 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 194 0 VM map 2 1K 1K 78643K 2 0 sem 14 3K 5K 78643K 437 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 15 53K 85K 78643K 18264 0 sigio 0 0K 0K 78643K 272 0 proc 71 87K 123K 78643K 2610 0 subproc 104 6K 6K 78643K 720 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 1 0K 0K 78643K 1083 0 in_multi 92 6K 7K 78643K 1561 0 ether_multi 2 0K 0K 78643K 210 0 mrt 1 0K 0K 78643K 114 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 265 1182K 1182K 78643K 265 0 exec 0 0K 2K 78643K 4595 0 pfkey data 0 0K 1K 78643K 67 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 623 1146K 1148K 78643K 224646 0 UVM aobj 131 4K 4K 78643K 131 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 1044 0 NDP 13 0K 2K 78643K 423 0 temp 158 4743K 8797K 78643K 213436 0 kqueue 12 18K 26K 78643K 1078 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 1274 0 1271 15 14 1 3 0 8 0 rtentry 112 1045 0 946 5 2 3 4 0 8 0 unpcb 136 13827 0 13812 131 128 3 12 0 8 2 syncache 296 90 0 90 24 24 0 1 0 8 0 tcpqe 32 140 0 140 11 11 0 1 0 8 0 tcpcb 736 7663 0 7653 227 220 7 21 0 8 5 arp 120 123 0 105 1 0 1 1 0 8 0 inpcb 304 19825 0 19812 220 214 6 17 0 8 5 rttmr 72 79 0 79 10 10 0 1 0 8 0 nd6 48 295 0 271 1 0 1 1 0 8 0 pkpcb 40 133 0 133 8 8 0 1 0 8 0 kcovpl 48 55 0 47 1 0 1 1 0 8 0 ppxss 1248 48 0 48 11 10 1 1 0 8 1 pfstscr 40 179 0 179 9 9 0 1 0 8 0 pffrag 232 122 0 122 4 4 0 1 0 482 0 pffrnode 88 122 0 122 4 4 0 1 0 8 0 pffrent 40 425 0 425 4 4 0 1 0 8 0 pfosfp 40 1441 0 1017 5 0 5 5 0 8 0 pfosfpen 112 1441 0 719 21 0 21 21 0 8 0 pfrke_plain 168 4 0 4 1 1 0 1 0 8 0 pfrktable 1344 242 0 205 8 4 4 4 0 8 0 pftag 88 73 0 64 1 0 1 1 0 8 0 pfstitem 24 89 0 87 1 0 1 1 0 8 0 pfstkey 112 289 0 287 2 1 1 2 0 8 0 pfstate 320 183 0 181 5 4 1 5 0 8 0 pfrule 1360 700 0 575 13 2 11 11 0 8 0 art_heap8 4096 9 0 8 8 7 1 3 0 8 0 art_heap4 256 4557 0 4161 54 25 29 32 0 8 0 art_table 32 4566 0 4169 5 1 4 5 0 8 0 art_node 16 1006 0 920 1 0 1 1 0 8 0 sysvmsgpl 40 39 0 14 1 0 1 1 0 8 0 semupl 112 2 0 2 1 1 0 1 0 8 0 semapl 112 431 0 419 1 0 1 1 0 8 0 shmpl 112 128 0 0 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 26050 0 24526 96 0 96 96 0 8 0 ffsino 272 26050 0 24526 103 0 103 103 0 8 0 nchpl 144 49968 0 48347 63 0 63 63 0 8 0 rtmask 32 4 0 4 1 1 0 1 0 8 0 uvmvnodes 80 6258 0 0 128 0 128 128 0 8 0 vnodes 224 6258 0 0 369 0 369 369 0 8 0 namei 1024 195632 0 195632 7 6 1 2 0 8 1 percpumem 16 233 0 192 1 0 1 1 0 8 0 vcpupl 2048 164 0 1 21 0 21 21 0 8 0 vmpool 560 254 0 91 12 0 12 12 0 8 0 pfiaddrpl 120 171 0 107 2 0 2 2 0 8 0 scsiplug 72 16 0 16 6 6 0 1 0 8 0 scxspl 216 139345 0 139345 25 23 2 8 0 8 2 plimitpl 152 1872 0 1857 1 0 1 1 0 8 0 sigapl 424 18495 0 18452 8 1 7 8 0 8 0 futexpl 64 181005 0 181001 7 6 1 1 0 8 0 knotepl 120 372 0 0 7 2 5 6 0 8 0 kqueuepl 216 4321 0 4312 85 79 6 8 0 8 5 pipepl 336 4498 0 4470 124 121 3 13 0 8 0 fdescpl 496 18459 0 18431 5 1 4 5 0 8 0 filepl 152 146254 0 146006 254 236 18 24 0 8 8 lockfpl 104 6457 0 6455 13 11 2 2 0 8 1 lockfspl 48 1783 0 1781 1 0 1 1 0 8 0 sessionpl 144 72 0 55 1 0 1 1 0 8 0 pgrppl 48 180 0 163 1 0 1 1 0 8 0 ucredpl 96 17835 0 17819 1 0 1 1 0 8 0 zombiepl 144 18452 0 18452 3 2 1 1 0 8 1 processpl 1064 18495 0 18452 5 0 5 5 0 8 0 procpl 672 46313 0 46255 17 10 7 9 0 8 0 srpgc 96 40 0 40 11 11 0 1 0 8 0 sosppl 168 170 0 170 24 24 0 1 0 8 0 sockpl 480 35079 0 35048 735 722 13 44 0 8 9 mcl64k 65536 11 0 0 2 0 2 2 0 8 0 mcl16k 16384 6 0 0 1 0 1 1 0 8 0 mcl12k 12288 4 0 0 1 0 1 1 0 8 0 mcl9k 9216 4 0 0 1 0 1 1 0 8 0 mcl8k 8192 12 0 0 2 0 2 2 0 8 0 mcl4k 4096 8 0 0 1 0 1 1 0 8 0 mcl2k2 2112 4 0 0 1 0 1 1 0 8 0 mcl2k 2048 393 0 0 26 3 23 24 0 8 0 mtagpl 96 1356 0 0 19 0 19 19 0 8 0 mbufpl 256 4834 0 0 270 2 268 268 0 8 0 bufpl 288 31397 0 25061 453 0 453 453 0 8 0 anonpl 24 5160427 0 5138748 428 266 162 170 0 186 13 amapchunkpl 152 553990 0 553149 159 113 46 50 0 158 10 amappl16 200 53863 0 53022 265 218 47 70 0 8 0 amappl15 192 2366 0 2360 1 0 1 1 0 8 0 amappl14 184 738 0 730 1 0 1 1 0 8 0 amappl13 176 3168 0 3164 1 0 1 1 0 8 0 amappl12 168 1445 0 1439 1 0 1 1 0 8 0 amappl11 160 3793 0 3777 1 0 1 1 0 8 0 amappl10 152 3354 0 3344 1 0 1 1 0 8 0 amappl9 144 2498 0 2494 1 0 1 1 0 8 0 amappl8 136 3911 0 3733 7 0 7 7 0 8 0 amappl7 128 2071 0 2058 1 0 1 1 0 8 0 amappl6 120 2415 0 2384 2 1 1 2 0 8 0 amappl5 112 17062 0 17044 1 0 1 1 0 8 0 amappl4 104 8947 0 8905 7 5 2 2 0 8 0 amappl3 96 3848 0 3833 1 0 1 1 0 8 0 amappl2 88 5174 0 5094 3 1 2 3 0 8 0 amappl1 80 325857 0 325274 19 5 14 19 0 8 0 amappl 88 222902 0 222567 10 1 9 9 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 130 0 0 3 0 3 3 0 8 0 uaddrrnd 24 18713 0 18522 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 18713 0 18522 2 0 2 2 0 8 0 vmmpekpl 168 126192 0 126109 6 1 5 5 0 8 0 vmmpepl 168 1670695 0 1667398 429 272 157 179 0 357 0 vmsppl 368 18712 0 18522 19 1 18 18 0 8 0 rwobjpl 56 395846 0 387395 152 32 120 121 0 8 0 pdppl 4096 37433 0 37207 756 524 232 232 0 8 6 pvpl 32 8504159 0 8479704 670 410 260 272 0 265 36 pmappl 248 18712 0 18522 15 2 13 13 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 2189 0 913 38 1 37 37 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000dc8800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800026096a70) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80690c7860,80206979,ffff800026096a70,ffff80002e4c97a0) at soo_ioctl+0x26c sys_ioctl(ffff80002e4c97a0,ffff800026096b88,ffff800026096be0) at sys_ioctl+0x4a2 syscall(ffff800026096c50) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800026096c50) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x15dafed7a40, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5