panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 985 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 105448 952 0 0 0 1 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8345c52e) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83404b86,ffffffff83407745,3d9,ffffffff8340778d) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c43af08,ffffffff833505cc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:986 pppx_if_destroy(205b92,ffff80003c43af00) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,1,2000,ffff80003b402f88) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c42fa80) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd80655d4a48,1,fffffd807f7d3340,ffff80003b402f88) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156 vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd805de5c880,ffff80003b402f88) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805de5c880,ffff80003b402f88) at closef+0x192 sys/kern/kern_descrip.c:1249 fdfree(ffff80003b402f88) at fdfree+0x116 sys/kern/kern_descrip.c:1181 exit1(ffff80003b402f88,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80003b402f88,ffff80003c42fdf0,ffff80003c42fd40) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003c42fde0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 985 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8345c52e) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83404b86,ffffffff83407745,3d9,ffffffff8340778d) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c43af08,ffffffff833505cc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:986 pppx_if_destroy(205b92,ffff80003c43af00) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,1,2000,ffff80003b402f88) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c42fa80) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd80655d4a48,1,fffffd807f7d3340,ffff80003b402f88) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156 vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd805de5c880,ffff80003b402f88) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805de5c880,ffff80003b402f88) at closef+0x192 sys/kern/kern_descrip.c:1249 fdfree(ffff80003b402f88) at fdfree+0x116 sys/kern/kern_descrip.c:1181 exit1(ffff80003b402f88,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80003b402f88,ffff80003c42fdf0,ffff80003c42fd40) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c42fdf0) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c42fdf0) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x74d965372460, count: -16 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c42f850 rbx 0xffffffff8389edcf cpu_info_full_primary+0x2dcf rdx 0 rcx 0xffff80003b402f88 rax 0xffffffff8389dff0 cpu_info_full_primary+0x1ff0 r8 0 r9 0x8080808080808080 r10 0x4b18a506b965d971 r11 0x101645490f359a24 r12 0xffffffff8389ebd0 cpu_info_full_primary+0x2bd0 r13 0 r14 0 r15 0x1 rip 0xffffffff81a8d175 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c42f840 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=322267 pid=61465 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=81, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80003b402f88 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff8000ffffc008,0xffff80003b402038 process=0xffff80003c414e18 user=0xffff80003c42a000, vmspace=0xfffffd806bd0e020 estcpu=31, cpticks=1, pctcpu=0.4, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 40857 180108 53052 0 2 0 syz-executor 952 105448 44582 0 7 0 syz-executor 952 426376 44582 0 2 0x4000000 syz-executor 67012 31719 60508 0 2 0 syz-executor 67012 130787 60508 0 3 0x4000000 smrbar syz-executor 51333 252101 47150 0 2 0xc80 syz-executor 51333 243764 47150 0 3 0x4000080 dtread syz-executor 51333 185838 47150 0 3 0x4000080 fsleep syz-executor 89436 184537 13564 -1 2 0xc90 syz-executor 89436 445324 13564 -1 3 0x4000090 kqread syz-executor 89436 266683 13564 -1 3 0x4000090 fsleep syz-executor 89436 83016 13564 -1 3 0x4000090 fsleep syz-executor 97351 168752 81599 0 2 0xc80 syz-executor 97351 344208 81599 0 3 0x4000080 msgwait syz-executor 97351 248101 81599 0 3 0x4000080 msgwait syz-executor 97351 465505 81599 0 3 0x4000080 fsleep syz-executor 72136 493119 0 0 3 0x14200 acct acct 35254 165579 0 0 3 0x14200 bored sosplice 60508 444779 61849 0 3 0x82 nanoslp syz-executor 92464 306556 61849 0 2 0xc82 syz-executor 98441 68594 61849 0 2 0xc82 syz-executor 81599 35187 61849 0 2 0xc82 syz-executor 13564 166078 61849 0 3 0x82 nanoslp syz-executor 44582 523872 61849 0 2 0xc82 syz-executor 53052 465755 61849 0 3 0x82 nanoslp syz-executor 47150 445026 61849 0 3 0x82 nanoslp syz-executor 61849 80007 44197 0 3 0x82 kqread syz-executor 44197 265293 84575 0 3 0x10008a sigsusp ksh 84575 275422 40219 0 3 0x98 kqread sshd-session 40219 288707 4877 0 3 0x92 kqread sshd-session 7923 486782 1 0 3 0x100083 ttyin getty 4877 126632 1 0 3 0x88 kqread sshd 54842 269191 34256 74 3 0x1100092 bpf pflogd 34256 29952 1 0 3 0x80 sbwait pflogd 34643 64863 91057 73 3 0x1100090 kqread syslogd 91057 191061 1 0 3 0x100082 sbwait syslogd 36930 136950 1 0 3 0x100080 kqread resolvd 72920 139665 53531 77 3 0x100092 kqread dhcpleased 17248 158886 53531 77 3 0x100092 kqread dhcpleased 53531 164877 1 0 3 0x80 kqread dhcpleased 68439 127736 0 0 3 0x14200 bored smr 94757 356405 0 0 2 0x14200 zerothread 32050 75051 0 0 3 0x14200 aiodoned aiodoned 834 99924 0 0 3 0x14200 syncer update 36125 330715 0 0 3 0x14200 cleaner cleaner 65558 14881 0 0 3 0x14200 reaper reaper 48213 318447 0 0 3 0x14200 pgdaemon pagedaemon 40872 425516 0 0 3 0x14200 bored viomb 67071 143303 0 0 3 0x40014200 acpi0 acpi0 75295 1599 0 0 3 0x40014200 idle1 82708 69844 0 0 3 0x14200 bored softnet3 97692 209308 0 0 3 0x14200 bored softnet2 46990 48192 0 0 3 0x14200 bored softnet1 4868 377676 0 0 3 0x14200 bored softnet0 87732 509049 0 0 3 0x14200 bored systqmp 66938 53802 0 0 3 0x14200 bored systq 2832 39912 0 0 3 0x14200 tmoslp softclockmp 65665 424894 0 0 2 0x40014200 softclock 84774 297189 0 0 3 0x40014200 idle0 1 302148 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10213 11145K 11371K 166960K 11733 0 pcb 18 12K 12K 166960K 45 0 rtable 208 8K 9K 166960K 392 0 pf 38 18K 21K 166960K 76 0 ifaddr 41 7K 7K 166960K 57 0 ifgroup 60 2K 2K 166960K 79 0 sysctl 3 1K 1K 166960K 3 0 counters 68 36K 37K 166960K 224 0 ioctlops 0 0K 4K 166960K 1599 0 iov 0 0K 32K 166960K 17 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1381 87K 87K 166960K 1608 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 7 0 VM map 2 1K 1K 166960K 2 0 sem 10 0K 0K 166960K 12 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 97K 166960K 401 0 sigio 0 0K 0K 166960K 6 0 proc 72 91K 152K 166960K 572 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 21 0 in_multi 91 6K 7K 166960K 104 0 ether_multi 1 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 85 387K 387K 166960K 85 0 exec 0 0K 1K 166960K 391 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 253 168K 170K 166960K 5402 0 UVM aobj 11 2K 4K 166960K 12 0 pinsyscall 43 86K 104K 166960K 1479 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 17 0 NDP 13 0K 2K 166960K 36 0 temp 46 8684K 8759K 166960K 15369 0 kqueue 15 24K 30K 166960K 75 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 121 0 118 2 0 2 2 0 8 1 rtentry 176 117 0 26 5 0 5 5 0 8 0 unpcb 144 158 0 141 1 0 1 1 0 8 0 syncache 336 4 0 4 2 1 1 1 0 8 1 tcpcb 808 66 0 61 2 0 2 2 0 8 1 arp 128 20 0 4 1 0 1 1 0 8 0 inpcb 384 295 0 282 9 7 2 8 0 8 0 nd6 144 26 0 2 1 0 1 1 0 8 0 pkpcb 40 3 0 3 1 1 0 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 mppekey 1024 65 0 65 1 0 1 1 0 8 1 ppxss 1192 77 0 76 2 1 1 1 0 8 0 pppxif 1504 67 0 66 1 0 1 1 0 8 0 pffrag 232 2 0 1 2 1 1 1 0 482 0 pffrnode 88 2 0 1 2 1 1 1 0 8 0 pffrent 40 6 0 5 2 1 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pfqueue 320 1 0 1 1 1 0 1 0 8 0 pfstitem 24 33 0 1 1 0 1 1 0 8 0 pfstkey 128 43 0 11 2 0 2 2 0 8 0 pfstate 384 37 0 6 4 0 4 4 0 8 0 pfrule 1344 24 0 18 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 463 0 65 28 0 28 28 0 8 1 art_table 32 464 0 65 4 0 4 4 0 8 0 art_node 16 115 0 34 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 1 2 1 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 10 0 2 1 0 1 1 0 8 0 shmpl 112 9 0 1 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2024 0 512 95 0 95 95 0 8 0 ffsino 288 2024 0 512 109 0 109 109 0 8 0 nchpl 144 2587 0 896 63 0 63 63 0 8 0 rtmask 32 2 0 2 1 0 1 1 0 8 1 uvmvnodes 80 2272 0 0 47 0 47 47 0 8 0 vnodes 216 2272 0 0 127 0 127 127 0 8 0 namei 1024 8227 0 8227 3 2 1 2 0 8 1 percpumem 16 127 0 78 1 0 1 1 0 8 0 kstatmem 264 40 0 14 2 0 2 2 0 8 0 scxspl 216 8696 0 8696 11 9 2 8 1 8 2 plimitpl 152 128 0 110 1 0 1 1 0 8 0 sigapl 424 701 0 649 7 1 6 7 0 8 0 futexpl 64 4184 0 4180 1 0 1 1 0 8 0 knotepl 120 523 0 0 16 0 16 16 0 8 0 kqueuepl 224 114 0 101 2 0 2 2 0 8 0 pipepl 336 127 0 100 3 0 3 3 0 8 0 fdescpl 520 681 0 649 3 0 3 3 0 8 0 filepl 160 3242 0 3016 13 2 11 12 0 8 1 lockfpl 104 144 0 142 1 0 1 1 0 8 0 lockfspl 48 34 0 32 1 0 1 1 0 8 0 sessionpl 144 22 0 13 1 0 1 1 0 8 0 pgrppl 48 34 0 16 1 0 1 1 0 8 0 ucredpl 104 387 0 373 1 0 1 1 0 8 0 zombiepl 144 651 0 649 2 1 1 1 0 8 0 processpl 1192 701 0 649 5 0 5 5 0 8 0 procpl 656 1172 0 1110 6 0 6 6 0 8 0 sockpl 728 582 0 549 12 6 6 9 0 8 2 mcl64k 65536 4 0 0 1 0 1 1 0 8 0 mcl16k 16384 5 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 115 0 0 15 0 15 15 0 8 0 mcl2k 2048 27 0 0 4 0 4 4 0 8 0 mtagpl 96 10 0 0 1 0 1 1 0 8 0 mbufpl 256 1164 0 0 73 0 73 73 0 8 0 bufpl 280 2919 0 126 200 0 200 200 0 8 0 anonpl 32 10937 0 0 89 0 89 89 0 246 0 amapchunkpl 152 16627 0 16030 36 5 31 31 0 158 2 amappl16 200 2841 0 2776 20 4 16 17 0 8 7 amappl15 192 5 0 5 2 2 0 1 0 8 0 amappl14 184 109 0 97 1 0 1 1 0 8 0 amappl13 176 8 0 7 1 0 1 1 0 8 0 amappl12 168 1317 0 1286 4 1 3 3 0 8 0 amappl11 160 56 0 41 1 0 1 1 0 8 0 amappl10 152 29 0 29 1 1 0 1 0 8 0 amappl9 144 241 0 241 1 1 0 1 0 8 0 amappl8 136 28 0 25 1 0 1 1 0 8 0 amappl7 128 116 0 104 1 0 1 1 0 8 0 amappl6 120 180 0 177 1 0 1 1 0 8 0 amappl5 112 129 0 119 1 0 1 1 0 8 0 amappl4 104 327 0 307 1 0 1 1 0 8 0 amappl3 96 3040 0 2925 6 2 4 4 0 8 0 amappl2 88 624 0 562 2 0 2 2 0 8 0 amappl1 80 9165 0 8553 14 1 13 14 0 8 0 amappl 88 4674 0 4495 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 11 0 1 1 0 1 1 0 8 0 uaddrrnd 24 682 0 650 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 682 0 650 1 0 1 1 0 8 0 vmmpekpl 168 6974 0 6933 3 0 3 3 0 8 0 vmmpepl 168 49658 0 47580 103 0 103 103 0 357 5 vmsppl 480 681 0 650 5 1 4 5 0 8 0 rwobjpl 72 18257 0 14988 63 0 63 63 0 8 0 pdppl 4096 1372 0 1300 104 32 72 88 0 8 0 pvpl 32 19997 0 0 163 1 162 163 0 265 0 pmappl 256 681 0 650 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 452 0 37 12 0 12 12 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8345c52e) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83404b86,ffffffff83407745,3d9,ffffffff8340778d) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c43af08,ffffffff833505cc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:986 pppx_if_destroy(205b92,ffff80003c43af00) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,1,2000,ffff80003b402f88) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c42fa80) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd80655d4a48,1,fffffd807f7d3340,ffff80003b402f88) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156 vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805de5c880,ffff80003b402f88) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd805de5c880,ffff80003b402f88) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805de5c880,ffff80003b402f88) at closef+0x192 sys/kern/kern_descrip.c:1249 fdfree(ffff80003b402f88) at fdfree+0x116 sys/kern/kern_descrip.c:1181 exit1(ffff80003b402f88,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80003b402f88,ffff80003c42fdf0,ffff80003c42fd40) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c42fdf0) at syscall+0xb08 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c42fdf0) at syscall+0xb08 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x74d965372460, count: -16 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x71443a1d48f0, count: 12 ddb{1}> trace x86_ipi_db(ffff8000299ddff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 end of kernel end trace frame: 0x71443a1d48f0, count: -3