panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 955 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8337f0db) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833bbc3a,ffffffff8341eaa3,3bb,ffffffff833f847a) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800035d12b48,ffffffff83377599) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:956 pppx_if_destroy(285b9a,ffff800035d12b40) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(285b9a,41,2000,ffff80002a7bc018) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c944ca0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069171998,41,fffffd8007bfd548,ffff80002a7bc018) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8068a684b0,ffff80002a7bc018) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8068a684b0,ffff80002a7bc018) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7bc018) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7bc018,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7bc018,ffff80003c945000,ffff80003c944f50) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003c944ff0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 955 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8337f0db) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833bbc3a,ffffffff8341eaa3,3bb,ffffffff833f847a) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800035d12b48,ffffffff83377599) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:956 pppx_if_destroy(285b9a,ffff800035d12b40) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(285b9a,41,2000,ffff80002a7bc018) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c944ca0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069171998,41,fffffd8007bfd548,ffff80002a7bc018) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8068a684b0,ffff80002a7bc018) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8068a684b0,ffff80002a7bc018) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7bc018) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7bc018,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7bc018,ffff80003c945000,ffff80003c944f50) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c945000) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c945000) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d11888a8610, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c944a80 rbx 0 rdx 0 rcx 0 rax 0xffff80002a7bc018 r8 0x101010101010101 r9 0x8080808080808080 r10 0x75bff8dff72e7797 r11 0x128a753fe5472b85 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff82018885 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c944a70 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=437495 pid=65366 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a7bc018 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a7bc7e0,0xffff80002a7bd250 process=0xffff8000ffff8498 user=0xffff80003c940000, vmspace=0xfffffd806cb1a748 estcpu=36, cpticks=3, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 1581 499546 4975 0 2 0 syz-executor 1581 223697 4975 0 3 0x4000000 smrbar syz-executor 1581 133567 4975 0 3 0x4000080 fsleep syz-executor 6585 769 68969 0 2 0 syz-executor 6585 43663 68969 0 3 0x4000080 lockf syz-executor 6585 273834 68969 0 3 0x4000080 fsleep syz-executor 56112 445147 68532 0 2 0 syz-executor 26751 522918 16957 0 2 0xc80 syz-executor 26751 515343 16957 0 3 0x4000080 ttyin syz-executor 26751 494200 16957 0 3 0x4000080 fsleep syz-executor 15426 122761 16271 0 2 0 syz-executor 15426 243425 16271 0 3 0x4000080 ttyout syz-executor 15426 75734 16271 0 3 0x4000080 fsleep syz-executor 95247 417038 1 0 3 0x100083 ttyin getty 68969 46493 36789 0 2 0xc82 syz-executor 4975 330763 36789 0 3 0x82 nanoslp syz-executor 68532 484190 36789 0 2 0xc82 syz-executor 72441 220720 36789 0 2 0x2 syz-executor 16957 394123 36789 0 3 0x82 nanoslp syz-executor 66048 43497 36789 0 2 0xc82 syz-executor 16271 363109 36789 0 3 0x82 nanoslp syz-executor 9652 403663 36789 0 3 0x82 wait syz-executor 36789 68847 39704 0 3 0x82 kqread syz-executor 39704 319690 46199 0 3 0x10008a sigsusp ksh 46199 447805 10620 0 3 0x98 kqread sshd-session 10620 77970 73634 0 3 0x92 kqread sshd-session 73634 514720 1 0 3 0x88 kqread sshd 63946 316446 81644 73 2 0x1100010 syslogd 81644 127093 1 0 3 0x100082 sbwait syslogd 33273 334742 1 0 3 0x100080 kqread resolvd 58963 207507 11112 77 3 0x100092 kqread dhcpleased 72150 55262 11112 77 3 0x100092 kqread dhcpleased 11112 27816 1 0 3 0x80 kqread dhcpleased 37796 465725 0 0 3 0x14200 bored smr 49440 466802 0 0 2 0x14200 zerothread 1713 400605 0 0 3 0x14200 aiodoned aiodoned 29762 399544 0 0 3 0x14200 syncer update 89470 436320 0 0 3 0x14200 cleaner cleaner 80973 39654 0 0 3 0x14200 reaper reaper 31525 468369 0 0 3 0x14200 pgdaemon pagedaemon 89971 496878 0 0 3 0x14200 bored viomb 32397 376861 0 0 3 0x40014200 acpi0 acpi0 85509 365967 0 0 3 0x14200 bored softnet0 82706 362010 0 0 3 0x14200 smrbar systqmp 54116 130523 0 0 3 0x14200 bored systq 26442 100746 0 0 2 0x40014200 softclock 59363 399437 0 0 3 0x40014200 idle0 1 475263 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10186 11056K 11494K 166960K 12064 0 pcb 17 13K 14K 166960K 196 0 rtable 215 9K 10K 166960K 457 0 pf 37 14K 14K 166960K 78 0 ifaddr 43 7K 7K 166960K 72 0 ifgroup 63 2K 2K 166960K 115 0 sysctl 1 1K 9K 166960K 5 0 counters 38 18K 18K 166960K 69 0 ioctlops 0 0K 4K 166960K 125 0 iov 0 0K 12K 166960K 16 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1406 88K 89K 166960K 1725 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 11 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 24 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 93K 166960K 495 0 sigio 0 0K 0K 166960K 14 0 proc 60 59K 100K 166960K 535 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 78 0 in_multi 85 6K 7K 166960K 124 0 ether_multi 1 0K 0K 166960K 3 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 91 413K 413K 166960K 91 0 exec 0 0K 1K 166960K 427 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 229 151K 165K 166960K 5983 0 UVM aobj 15 4K 4K 166960K 18 0 pinsyscall 38 76K 95K 166960K 1577 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 24 0 NDP 14 0K 2K 166960K 48 0 temp 52 8665K 8729K 166960K 25242 0 kqueue 14 22K 28K 166960K 96 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 73 0 70 1 0 1 1 0 8 0 rtentry 136 125 0 40 4 0 4 4 0 8 0 unpcb 144 231 0 216 1 0 1 1 0 8 0 syncache 336 6 0 6 1 0 1 1 0 8 1 tcpqe 32 4 0 4 1 0 1 1 0 8 1 tcpcb 736 145 0 137 4 0 4 4 0 8 3 arp 96 19 0 3 1 0 1 1 0 8 0 ipq 40 3 0 1 1 0 1 1 0 8 0 ipqe 40 4 0 2 1 0 1 1 0 8 0 inpcb 328 581 0 570 7 0 7 7 0 8 5 nd6 112 26 0 6 1 0 1 1 0 8 0 pkpcb 40 5 0 5 1 0 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 27 0 25 1 0 1 1 0 8 0 pppxif 1384 4 0 2 1 0 1 1 0 8 0 pfrktable 1344 2 0 2 1 0 1 1 0 8 1 rttmr 136 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 547 0 154 30 0 30 30 0 8 2 art_table 40 548 0 154 5 0 5 5 0 8 0 art_node 32 123 0 46 1 0 1 1 0 8 0 sysvmsgpl 40 3 0 2 1 0 1 1 0 8 0 semapl 112 21 0 11 1 0 1 1 0 8 0 shmpl 112 14 0 3 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2225 0 720 95 0 95 95 0 8 0 ffsino 256 2225 0 720 95 0 95 95 0 8 0 nchpl 144 2944 0 1247 64 0 64 64 0 8 0 rtmask 32 7 0 7 1 0 1 1 0 8 1 vnodes 216 2541 0 0 142 0 142 142 0 8 0 namei 1024 8962 0 8962 2 0 2 2 0 8 2 vcpupl 3904 1 0 0 1 0 1 1 0 8 0 vmpool 800 1 0 0 1 0 1 1 0 8 0 kstatmem 264 62 0 34 2 0 2 2 0 8 0 scxspl 216 9516 0 9516 8 0 8 8 1 8 8 plimitpl 152 250 0 232 1 0 1 1 0 8 0 sigapl 424 784 0 742 6 0 6 6 0 8 1 knotepl 120 16764 0 16716 10 0 10 10 0 8 7 kqueuepl 184 129 0 118 1 0 1 1 0 8 0 pipepl 304 138 0 111 3 0 3 3 0 8 0 fdescpl 448 771 0 742 5 0 5 5 0 8 1 filepl 120 3740 0 3520 9 0 9 9 0 8 1 lockfpl 104 228 0 224 1 0 1 1 0 8 0 lockfspl 48 105 0 102 1 0 1 1 0 8 0 sessionpl 144 24 0 16 1 0 1 1 0 8 0 pgrppl 48 33 0 17 1 0 1 1 0 8 0 ucredpl 104 496 0 485 1 0 1 1 0 8 0 zombiepl 144 744 0 742 1 0 1 1 0 8 0 processpl 1152 784 0 742 4 0 4 4 0 8 0 procpl 664 1279 0 1229 5 0 5 5 0 8 0 sosppl 176 4 0 4 1 0 1 1 0 8 1 sockpl 552 902 0 873 7 0 7 7 0 8 4 mcl64k 65536 91 0 91 1 0 1 1 0 8 1 mcl16k 16384 1 0 1 1 0 1 1 0 8 1 mcl9k 9216 1 0 1 1 0 1 1 0 8 1 mcl8k 8192 7 0 7 1 0 1 1 0 8 1 mcl4k 4096 2935 0 2878 16 0 16 16 0 8 8 mcl2k 2048 722 0 718 3 0 3 3 0 8 2 mtagpl 96 20 0 10 1 0 1 1 0 8 0 mbufpl 256 8773 0 8596 17 0 17 17 0 8 4 bufpl 280 3224 0 119 222 0 222 222 0 8 0 anonpl 24 127944 0 124806 44 0 44 44 0 187 19 amapchunkpl 152 18883 0 18404 28 0 28 28 0 158 7 amappl16 200 2042 0 2009 14 3 11 14 0 8 8 amappl15 192 33 0 33 1 0 1 1 0 8 1 amappl14 184 6 0 6 1 0 1 1 0 8 1 amappl13 176 407 0 405 1 0 1 1 0 8 0 amappl12 168 1154 0 1116 2 0 2 2 0 8 0 amappl11 160 3 0 3 1 0 1 1 0 8 1 amappl10 152 40 0 30 1 0 1 1 0 8 0 amappl9 144 258 0 258 1 0 1 1 0 8 1 amappl8 136 19 0 18 1 0 1 1 0 8 0 amappl7 128 82 0 81 1 0 1 1 0 8 0 amappl6 120 293 0 281 1 0 1 1 0 8 0 amappl5 112 73 0 64 1 0 1 1 0 8 0 amappl4 104 384 0 359 1 0 1 1 0 8 0 amappl3 96 3637 0 3531 3 0 3 3 0 8 0 amappl2 88 528 0 472 2 0 2 2 0 8 0 amappl1 80 10783 0 10253 13 0 13 13 0 8 1 amappl 88 5209 0 5049 5 0 5 5 0 92 0 uvmvnodes 80 105 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 7 0 7 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 17 0 3 1 0 1 1 0 8 0 uaddrrnd 24 771 0 742 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 771 0 742 1 0 1 1 0 8 0 vmmpekpl 168 7565 0 7537 2 0 2 2 0 8 0 vmmpepl 168 55437 0 53660 90 0 90 90 0 357 8 vmsppl 368 770 0 742 4 0 4 4 0 8 1 rwobjpl 40 17135 0 16173 12 0 12 12 0 8 1 pdppl 4096 1550 0 1485 98 29 69 80 0 8 4 pvpl 32 346829 0 338039 114 0 114 114 0 265 28 pmappl 216 771 0 742 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 380 0 29 11 0 11 11 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8337f0db) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833bbc3a,ffffffff8341eaa3,3bb,ffffffff833f847a) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800035d12b48,ffffffff83377599) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:956 pppx_if_destroy(285b9a,ffff800035d12b40) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(285b9a,41,2000,ffff80002a7bc018) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c944ca0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069171998,41,fffffd8007bfd548,ffff80002a7bc018) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8068a684b0,ffff80002a7bc018) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8068a684b0,ffff80002a7bc018) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7bc018) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7bc018,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7bc018,ffff80003c945000,ffff80003c944f50) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c945000) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c945000) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d11888a8610, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8337f0db) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833bbc3a,ffffffff8341eaa3,3bb,ffffffff833f847a) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800035d12b48,ffffffff83377599) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:956 pppx_if_destroy(285b9a,ffff800035d12b40) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(285b9a,41,2000,ffff80002a7bc018) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c944ca0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069171998,41,fffffd8007bfd548,ffff80002a7bc018) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8068a684b0,ffff80002a7bc018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8068a684b0,ffff80002a7bc018) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8068a684b0,ffff80002a7bc018) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a7bc018) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a7bc018,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a7bc018,ffff80003c945000,ffff80003c944f50) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c945000) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c945000) at syscall+0x962 sys/arch/amd64/amd64/trap.c:775 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d11888a8610, count: -16