panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*517873 14927 0 0x1000 0x4080000 0 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8335bced) at panic+0x1cf sys/kern/subr_prf.c:198
__assert(ffffffff8339c727,ffffffff833f7eff,3b9,ffffffff833d10bb) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c96b620,ffffffff83353664) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954
pppx_if_destroy(0,ffff80003c96b618) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(205b9a,1,2000,ffff800035d13788) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff80003c9550c0) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd8062267368,1,fffffd8007bfb820,ffff800035d13788) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156
vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615
fdrop(fffffd806c032900,ffff800035d13788) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd806c032900,ffff800035d13788) at closef+0x190 sys/kern/kern_descrip.c:1264
syscall(ffff80003c955310) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c955310) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xf69784e9170, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb>
ddb> set $lines = 0
ddb> set $maxwidth = 0
ddb> show panic
*cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953
ddb> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8335bced) at panic+0x1cf sys/kern/subr_prf.c:198
__assert(ffffffff8339c727,ffffffff833f7eff,3b9,ffffffff833d10bb) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c96b620,ffffffff83353664) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954
pppx_if_destroy(0,ffff80003c96b618) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(205b9a,1,2000,ffff800035d13788) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff80003c9550c0) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffd8062267368,1,fffffd8007bfb820,ffff800035d13788) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156
vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615
fdrop(fffffd806c032900,ffff800035d13788) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd806c032900,ffff800035d13788) at closef+0x190 sys/kern/kern_descrip.c:1264
syscall(ffff80003c955310) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline]
syscall(ffff80003c955310) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xf69784e9170, count: -13
ddb> show registers
rdi 0
rsi 0x1
rbp 0xffff80003c954ea0
rbx 0
rdx 0
rcx 0
rax 0xffff800035d13788
r8 0x101010101010101
r9 0x8080808080808080
r10 0x4878efcb7995654f
r11 0x9eda3a3ad8ccd612
r12 0
r13 0
r14 0
r15 0x1
rip 0xffffffff832540c5 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff80003c954e90
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb> show proc
PROC (syz-executor) tid=517873 pid=14927 tcnt=2 stat=onproc
flags process=1000 proc=4080000
runpri=32, usrpri=78, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0xffff800035d0fa10 scnt=1 ecnt=0 forw=0xffffffffffffffff, list=0xffff800035d12030,0xffff800035d12aa0 process=0xffff80003c9c04a0 user=0xffff80003c950000, vmspace=0xfffffd806c1302f8 estcpu=28, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 53743 222010 64728 0 2 0 syz-executor 53743 510139 64728 0 2 0x4000000 syz-executor 14927 492743 94600 0 3 0x3000 suspend syz-executor *14927 517873 94600 0 7 0x4081000 syz-executor 28777 347048 54438 0 2 0xc80 syz-executor 28777 332619 54438 0 3 0x4000080 ttyin syz-executor 28777 78379 54438 0 3 0x4000080 fsleep syz-executor 14032 109390 38247 -1 2 0xc90 syz-executor 14032 404402 38247 -1 2 0x4000c90 syz-executor 14032 130020 38247 -1 3 0x4000090 fsleep syz-executor 14032 283237 38247 -1 3 0x4000090 fsleep syz-executor 96794 19313 43205 0 2 0xc80 syz-executor 96794 95096 43205 0 3 0x4000080 sbwait syz-executor 96794 119705 43205 0 3 0x4000080 fsleep syz-executor 69552 126038 95796 0 2 0xc80 syz-executor 69552 138726 95796 0 3 0x4000080 nanoslp syz-executor 69552 191012 95796 0 3 0x4000080 fsleep syz-executor 69552 258796 95796 0 3 0x4000080 fsleep syz-executor 10509 136689 29330 0 2 0xc80 syz-executor 10509 149865 29330 0 3 0x4000080 fifor syz-executor 10509 451105 29330 0 3 0x4000080 fifor syz-executor 10509 477369 29330 0 3 0x4000080 fsleep syz-executor 61891 332161 0 0 3 0x14280 nfsidl nfsio 56765 331125 0 0 3 0x14280 nfsidl nfsio 87907 199392 0 0 3 0x14280 nfsidl nfsio 12587 382248 0 0 3 0x14280 nfsidl nfsio 54155 188498 0 0 3 0x14280 nfsidl nfsio 81612 344542 0 0 3 0x14280 nfsidl nfsio 91658 59456 0 0 3 0x14280 nfsidl nfsio 50794 63146 0 0 3 0x14280 nfsidl nfsio 86524 482096 0 0 3 0x14280 nfsidl nfsio 62713 411983 0 0 3 0x14280 nfsidl nfsio 99727 214749 0 0 3 0x14280 nfsidl nfsio 91481 336262 0 0 3 0x14280 nfsidl nfsio 84832 458240 0 0 3 0x14280 nfsidl nfsio 5502 181784 0 0 3 0x14280 nfsidl nfsio 20300 239331 0 0 3 0x14280 nfsidl nfsio 42612 140213 0 0 3 
0x14280 nfsidl nfsio 21825 130 0 0 3 0x14280 nfsidl nfsio 25798 148720 0 0 3 0x14280 nfsidl nfsio 28413 62687 0 0 3 0x14280 nfsidl nfsio 34994 18423 0 0 3 0x14280 nfsidl nfsio 45719 163536 12163 0 2 0x10000c82 syz-executor 43205 432772 12163 0 2 0xc82 syz-executor 29330 273664 12163 0 2 0xc82 syz-executor 95796 216067 12163 0 2 0xc82 syz-executor 54438 232920 12163 0 2 0xc82 syz-executor 64728 370185 12163 0 3 0x82 nanoslp syz-executor 38247 342790 12163 0 2 0xc82 syz-executor 94600 221440 12163 0 3 0x82 nanoslp syz-executor 12163 357248 19721 0 2 0x2 syz-executor 19721 354207 14090 0 3 0x10008a sigsusp ksh 14090 393083 84681 0 3 0x98 kqread sshd-session 84681 424540 85296 0 3 0x92 kqread sshd-session 64605 503649 1 0 3 0x100083 ttyin getty 85296 380622 1 0 3 0x88 kqread sshd 52260 192442 45159 73 3 0x1100090 kqread syslogd 45159 77888 1 0 3 0x100082 sbwait syslogd 17330 70260 1 0 3 0x100080 kqread resolvd 24116 61621 33356 77 2 0x100012 dhcpleased 61151 188593 33356 77 3 0x100092 kqread dhcpleased 33356 485650 1 0 3 0x80 kqread dhcpleased 66129 487448 0 0 3 0x14200 bored smr 85661 490825 0 0 2 0x14200 zerothread 87951 202561 0 0 3 0x14200 aiodoned aiodoned 33053 89966 0 0 3 0x14200 syncer update 25626 61318 0 0 3 0x14200 cleaner cleaner 41310 81348 0 0 3 0x14200 reaper reaper 90753 454195 0 0 3 0x14200 pgdaemon pagedaemon 1867 203571 0 0 3 0x14200 bored viomb 91798 508316 0 0 3 0x40014200 acpi0 acpi0 43621 506589 0 0 2 0x14200 softnet0 57830 358872 0 0 3 0x14200 smrbar systqmp 93869 86779 0 0 3 0x14200 bored systq 92798 426078 0 0 3 0x40014200 tmoslp softclock 70275 289712 0 0 3 0x40014200 idle0 1 274038 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10184 11069K 11577K 166960K 12225 0 pcb 19 14K 15K 166960K 147 0 rtable 230 8K 9K 166960K 442 0 pf 33 13K 67480K 166960K 87 0 ifaddr 42 7K 8K 166960K 77 0 ifgroup 52 2K 2K 166960K 114 0 sysctl 3 
1K 9K 166960K 8 0 counters 34 17K 18K 166960K 67 0 ioctlops 0 0K 4K 166960K 147 0 iov 0 0K 24K 166960K 30 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1473 93K 93K 166960K 2021 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 12 0 VM map 2 1K 1K 166960K 2 0 sem 11 0K 0K 166960K 19 0 dirhash 15 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 85K 166960K 638 0 sigio 0 0K 0K 166960K 9 0 proc 60 59K 83K 166960K 538 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 63 0 in_multi 96 7K 7K 166960K 121 0 ether_multi 1 0K 0K 166960K 7 0 mrt 2 0K 0K 166960K 11 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 79 360K 360K 166960K 79 0 exec 0 0K 1K 166960K 440 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 252 164K 182K 166960K 7289 0 UVM aobj 18 4K 4K 166960K 20 0 pinsyscall 38 76K 90K 166960K 1721 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 42 0 NDP 12 0K 2K 166960K 48 0 temp 51 8645K 8721K 166960K 50227 0 kqueue 18 30K 33K 166960K 138 0 SYN cache 2 8K 16K 166960K 3 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 69 0 65 1 0 1 1 0 8 0 rtentry 136 126 0 29 4 0 4 4 0 8 0 unpcb 144 357 0 338 3 0 3 3 0 8 2 syncache 336 5 0 5 2 1 1 1 0 8 1 tcpqe 32 2 0 2 1 0 1 1 0 8 1 tcpcb 736 317 0 306 10 6 4 7 0 8 2 arp 96 19 0 1 1 0 1 1 0 8 0 ipq 40 4 0 1 1 0 1 1 0 8 0 ipqe 40 7 0 3 1 0 1 1 0 8 0 inpcb 328 692 0 676 12 5 7 7 0 8 5 ip6q 72 1 0 0 1 0 1 1 0 8 0 ip6af 40 2 0 0 1 0 1 1 0 8 0 nd6 112 25 0 1 1 0 1 1 0 8 0 pkpcb 40 6 0 6 2 1 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 27 0 25 2 1 1 1 0 8 0 pppxif 1384 6 0 5 2 1 1 1 0 8 0 pfrktable 1344 1 0 1 1 0 1 1 0 8 1 pfstitem 24 2 0 0 1 0 1 1 0 8 0 pfstkey 128 4 0 2 1 0 1 1 0 8 
0 pfstate 384 2 0 1 1 0 1 1 0 8 0 pfrule 1344 1 0 1 1 0 1 1 0 8 1 rttmr 136 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 557 0 124 31 0 31 31 0 8 3 art_table 40 560 0 124 5 0 5 5 0 8 0 art_node 32 126 0 38 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 1 1 0 1 1 0 8 0 semupl 112 2 0 2 1 0 1 1 0 8 1 semapl 112 14 0 5 1 0 1 1 0 8 0 shmpl 112 17 0 2 1 0 1 1 0 8 0 dirhash 1024 19 0 0 3 0 3 3 0 8 0 dino2pl 256 2608 0 1104 95 0 95 95 0 8 0 ffsino 256 2608 0 1104 95 0 95 95 0 8 0 nchpl 144 3546 0 1846 64 0 64 64 0 8 0 rtmask 32 5 0 5 2 1 1 1 0 8 1 vnodes 216 3071 0 0 171 0 171 171 0 8 0 namei 1024 12645 0 12645 2 1 1 2 0 8 1 kstatmem 264 64 0 40 2 0 2 2 0 8 0 scsiplug 72 2 0 2 2 1 1 1 0 8 1 scxspl 216 11166 0 11166 9 7 2 8 1 8 2 plimitpl 152 209 0 190 1 0 1 1 0 8 0 sigapl 424 953 0 890 8 0 8 8 0 8 0 knotepl 120 300511 0 300447 24 14 10 16 0 8 8 kqueuepl 184 296 0 279 4 0 4 4 0 8 3 pipepl 304 162 0 135 3 0 3 3 0 8 0 fdescpl 448 915 0 886 4 0 4 4 0 8 0 filepl 120 5889 0 5655 14 1 13 13 0 8 5 lockfpl 104 411 0 408 2 0 2 2 0 8 1 lockfspl 48 92 0 89 1 0 1 1 0 8 0 sessionpl 144 22 0 14 1 0 1 1 0 8 0 pgrppl 48 36 0 20 1 0 1 1 0 8 0 ucredpl 104 882 0 869 1 0 1 1 0 8 0 zombiepl 144 892 0 890 1 0 1 1 0 8 0 processpl 1152 953 0 890 5 0 5 5 0 8 0 procpl 664 1744 0 1666 7 0 7 7 0 8 0 sosppl 176 3 0 3 2 1 1 1 0 8 1 sockpl 552 1203 0 1164 11 4 7 7 0 8 4 mcl64k 65536 112 0 111 2 1 1 1 0 8 0 mcl12k 12288 1 0 1 1 0 1 1 0 8 1 mcl8k 8192 10 0 10 2 1 1 1 0 8 1 mcl4k 4096 3105 0 3049 13 5 8 13 0 8 0 mcl2k2 2112 2 0 2 1 1 0 1 0 8 0 mcl2k 2048 924 0 921 3 1 2 2 0 8 1 mtagpl 96 9 0 9 2 1 1 1 0 8 1 mbufpl 256 10280 0 10065 23 4 19 19 0 8 5 bufpl 280 3668 0 119 254 0 254 254 0 8 0 anonpl 24 167134 0 158848 97 22 75 75 0 187 0 amapchunkpl 152 24421 0 23810 41 11 30 33 0 158 4 amappl16 200 3754 0 3493 46 19 27 27 0 8 0 amappl15 192 9 0 9 1 1 0 1 0 8 0 amappl14 184 21 0 21 2 1 1 1 0 8 1 amappl13 176 410 0 409 1 0 1 1 0 8 0 amappl12 168 1261 0 1223 2 0 2 2 0 8 0 amappl11 160 4 0 4 1 1 0 1 0 8 0 
amappl10 152 44 0 34 1 0 1 1 0 8 0 amappl9 144 251 0 251 1 1 0 1 0 8 0 amappl8 136 21 0 19 1 0 1 1 0 8 0 amappl7 128 98 0 97 1 0 1 1 0 8 0 amappl6 120 265 0 253 1 0 1 1 0 8 0 amappl5 112 76 0 68 1 0 1 1 0 8 0 amappl4 104 383 0 359 1 0 1 1 0 8 0 amappl3 96 4091 0 3993 3 0 3 3 0 8 0 amappl2 88 1049 0 977 2 0 2 2 0 8 0 amappl1 80 11253 0 10711 14 1 13 13 0 8 1 amappl 88 6487 0 6305 5 0 5 5 0 92 0 uvmvnodes 80 3071 0 0 63 0 63 63 0 8 0 dma32768 32768 2 0 2 1 0 1 1 0 8 1 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 2 0 1 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 255 0 255 2 1 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 19 0 2 1 0 1 1 0 8 0 uaddrrnd 24 915 0 886 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 915 0 886 1 0 1 1 0 8 0 vmmpekpl 168 8612 0 8581 2 0 2 2 0 8 0 vmmpepl 168 65472 0 63409 110 8 102 102 0 357 1 vmsppl 368 914 0 886 4 1 3 4 0 8 0 rwobjpl 40 23163 0 18967 44 0 44 44 0 8 0 pdppl 4096 1836 0 1772 96 30 66 76 0 8 2 pvpl 32 424965 0 411324 179 26 153 153 0 265 10 pmappl 216 914 0 886 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 392 0 53 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8335bced) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8339c727,ffffffff833f7eff,3b9,ffffffff833d10bb) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c96b620,ffffffff83353664) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003c96b618) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff800035d13788) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9550c0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8062267368,1,fffffd8007bfb820,ffff800035d13788) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d vn_close 
sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c032900,ffff800035d13788) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806c032900,ffff800035d13788) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003c955310) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c955310) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf69784e9170, count: -13 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8335bced) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8339c727,ffffffff833f7eff,3b9,ffffffff833d10bb) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c96b620,ffffffff83353664) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003c96b618) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff800035d13788) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9550c0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8062267368,1,fffffd8007bfb820,ffff800035d13788) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c032900,ffff800035d13788) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c032900,ffff800035d13788) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806c032900,ffff800035d13788) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003c955310) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c955310) at syscall+0x962 sys/arch/amd64/amd64/trap.c:765 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xf69784e9170, count: -13