panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833409fb) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337a9b6,ffffffff833db592,3b9,ffffffff833b56b0) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9615a8,ffffffff8333346e) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(205b9a,ffff80003c9615a0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003c94ba10) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff800031507510) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069d6f518,1,fffffd8007bfb618,ffff80003c94ba10) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806a040628,ffff80003c94ba10) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806a040628,ffff80003c94ba10) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c94ba10) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003c94ba10,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c94ba10,ffff800031507870,ffff8000315077c0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff800031507860, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833409fb) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337a9b6,ffffffff833db592,3b9,ffffffff833b56b0) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9615a8,ffffffff8333346e) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(205b9a,ffff80003c9615a0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003c94ba10) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff800031507510) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069d6f518,1,fffffd8007bfb618,ffff80003c94ba10) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806a040628,ffff80003c94ba10) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806a040628,ffff80003c94ba10) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c94ba10) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003c94ba10,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c94ba10,ffff800031507870,ffff8000315077c0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800031507870) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800031507870) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fffb22dc20, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff8000315072f0 rbx 0 rdx 0 rcx 0 rax 0xffff80003c94ba10 r8 0x101010101010101 r9 0x8080808080808080 r10 0x2bd178119766ba50 r11 0xb1366195a247a9c6 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff821e3365 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff8000315072e0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=37444 pid=7048 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80003c94ba10 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a7c14d8,0xffff80002a7c1250 process=0xffff8000ffffba98 user=0xffff800031502000, vmspace=0xfffffd806bb89b90 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 64883 166852 83310 0 2 0 syz-executor 64883 292491 83310 0 3 0x4000000 smrbar syz-executor 23127 464993 76856 0 2 0 syz-executor 21437 164246 82220 0 2 0 syz-executor 21437 401961 82220 0 3 0x4000080 sbwait syz-executor 21437 517162 82220 0 3 0x4000080 sbwait syz-executor 27901 412877 1391 0 2 0 syz-executor 27901 313256 1391 0 3 0x4000080 fsleep syz-executor 27901 177917 1391 0 3 0x4000080 fsleep syz-executor 97820 41054 63592 0 2 0 syz-executor 97820 280256 63592 0 3 0x4000080 ttyout syz-executor 97820 335796 63592 0 3 0x4000080 fsleep syz-executor 87576 215402 24218 60928 2 0xc90 syz-executor 87576 200046 24218 60928 3 0x4000090 kqsel syz-executor 87576 322390 24218 60928 3 0x4000090 fsleep syz-executor 43255 301180 0 0 3 0x14200 bored sosplice 63592 67649 79364 0 2 0xc82 syz-executor 82220 335731 79364 0 3 0x82 nanoslp syz-executor 83310 365301 79364 0 3 0x82 nanoslp syz-executor 18731 141423 79364 0 2 0xc82 syz-executor 43178 44846 79364 0 2 0xc82 syz-executor 76856 257246 79364 0 3 0x82 nanoslp syz-executor 24218 270027 79364 0 3 0x82 nanoslp syz-executor 1391 93340 79364 0 2 0xc82 syz-executor 79364 215494 65016 0 3 0x82 kqread syz-executor 65016 162360 51668 0 3 0x10008a sigsusp ksh 51668 228832 94837 0 3 0x98 kqread sshd-session 94837 485518 27300 0 3 0x92 kqread sshd-session 26815 163812 1 0 3 0x100083 ttyin getty 27300 368264 1 0 3 0x88 kqread sshd 2116 287312 2773 73 3 0x1100090 kqread syslogd 2773 405736 1 0 3 0x100082 sbwait syslogd 16891 127816 1 0 3 0x100080 kqread resolvd 71347 240990 40949 77 3 0x100092 kqread dhcpleased 67873 289239 40949 77 3 0x100092 kqread dhcpleased 40949 459120 1 0 3 0x80 kqread dhcpleased 99061 471670 0 0 3 0x14200 bored smr 80791 126611 0 0 2 0x14200 zerothread 76658 205702 0 0 3 0x14200 aiodoned aiodoned 78838 358140 0 0 3 0x14200 syncer update 6298 166710 0 0 3 0x14200 cleaner cleaner 77961 177541 0 0 3 0x14200 reaper reaper 23485 194067 0 0 3 0x14200 pgdaemon pagedaemon 45649 364640 0 0 3 0x14200 bored viomb 9848 3617 0 0 3 0x40014200 acpi0 acpi0 96326 437263 0 0 3 0x14200 bored softnet0 23760 444645 0 0 3 0x14200 smrbar systqmp 6608 235871 0 0 3 0x14200 bored systq 4807 270706 0 0 3 0x40014200 tmoslp softclock 21158 267568 0 0 3 0x40014200 idle0 1 92774 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10177 11044K 11430K 166960K 11585 0 pcb 17 12K 12K 166960K 83 0 rtable 208 8K 8K 166960K 327 0 pf 35 13K 14K 166960K 121 0 ifaddr 44 7K 8K 166960K 60 0 ifgroup 59 2K 2K 166960K 78 0 sysctl 3 1K 9K 166960K 7 0 counters 36 18K 18K 166960K 53 0 ioctlops 0 0K 4K 166960K 65 0 iov 1 12K 18K 166960K 59 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1404 88K 89K 166960K 1773 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 6 0 VM map 2 1K 1K 166960K 2 0 sem 9 0K 0K 166960K 13 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 385 0 sigio 1 0K 0K 166960K 8 0 proc 60 59K 124K 166960K 521 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 64 0 in_multi 97 7K 7K 166960K 121 0 ether_multi 1 0K 0K 166960K 5 0 mrt 1 0K 0K 166960K 10 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 67 307K 307K 166960K 67 0 exec 0 0K 1K 166960K 362 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 233 159K 177K 166960K 4700 0 UVM aobj 6 2K 2K 166960K 6 0 pinsyscall 39 78K 96K 166960K 1394 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 17 0 NDP 13 0K 2K 166960K 38 0 temp 44 8636K 8700K 166960K 15753 0 kqueue 14 22K 28K 166960K 71 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 119 0 116 3 0 3 3 0 8 2 rtentry 136 109 0 23 4 0 4 4 0 8 0 unpcb 144 240 0 223 4 0 4 4 0 8 3 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 736 66 0 62 1 0 1 1 0 8 0 arp 96 11 0 0 1 0 1 1 0 8 0 ipq 40 2 0 1 1 0 1 1 0 8 0 ipqe 40 3 0 2 1 0 1 1 0 8 0 inpcb 328 236 0 228 2 0 2 2 0 8 1 ip6q 72 1 0 1 1 0 1 1 0 8 1 ip6af 40 2 0 2 1 0 1 1 0 8 1 nd6 112 20 0 4 1 0 1 1 0 8 0 pkpcb 40 3 0 3 1 0 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 18 0 16 1 0 1 1 0 8 0 pppxif 1384 4 0 2 1 0 1 1 0 8 0 pftag 88 1 0 0 1 0 1 1 0 8 0 pfrule 1344 2 0 2 1 0 1 1 0 8 1 rttmr 136 2 0 2 1 0 1 1 0 8 1 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 530 0 126 30 0 30 30 0 8 3 art_table 40 533 0 126 5 0 5 5 0 8 0 art_node 32 108 0 32 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 2 1 0 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 11 0 4 1 0 1 1 0 8 0 shmpl 112 3 0 0 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2161 0 657 95 0 95 95 0 8 0 ffsino 256 2161 0 657 95 0 95 95 0 8 0 nchpl 144 2726 0 1043 63 0 63 63 0 8 0 rtmask 32 4 0 4 1 0 1 1 0 8 1 uvmvnodes 80 2391 0 0 49 0 49 49 0 8 0 vnodes 216 2391 0 0 133 0 133 133 0 8 0 namei 1024 8150 0 8150 2 0 2 2 0 8 2 kstatmem 264 42 0 16 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 1 0 1 1 0 1 1 0 8 1 scxspl 216 8724 0 8724 8 0 8 8 1 8 8 plimitpl 152 187 0 171 1 0 1 1 0 8 0 sigapl 424 648 0 604 6 0 6 6 0 8 0 knotepl 120 12955 0 12906 13 0 13 13 0 8 11 kqueuepl 184 116 0 104 1 0 1 1 0 8 0 pipepl 304 118 0 89 3 0 3 3 0 8 0 fdescpl 448 633 0 603 5 0 5 5 0 8 1 filepl 120 3421 0 3204 12 0 12 12 0 8 4 lockfpl 104 238 0 235 2 0 2 2 0 8 1 lockfspl 48 114 0 111 1 0 1 1 0 8 0 sessionpl 144 21 0 13 1 0 1 1 0 8 0 pgrppl 48 36 0 19 1 0 1 1 0 8 0 ucredpl 104 901 0 887 1 0 1 1 0 8 0 zombiepl 144 606 0 604 1 0 1 1 0 8 0 processpl 1152 648 0 604 4 0 4 4 0 8 0 procpl 664 1005 0 952 5 0 5 5 0 8 0 sosppl 168 5 0 5 1 0 1 1 0 8 1 sockpl 552 608 0 580 8 0 8 8 0 8 5 mcl64k 65536 81 0 80 1 0 1 1 0 8 0 mcl16k 16384 2 0 2 1 0 1 1 0 8 1 mcl8k 8192 5 0 5 1 0 1 1 0 8 1 mcl4k 4096 2753 0 2701 14 0 14 14 0 8 6 mcl2k 2048 483 0 481 2 0 2 2 0 8 1 mtagpl 96 4 0 4 1 0 1 1 0 8 1 mbufpl 256 7052 0 6858 18 0 18 18 0 8 5 bufpl 280 3392 0 117 234 0 234 234 0 8 0 anonpl 24 101610 0 98421 46 0 46 46 0 187 24 amapchunkpl 152 15252 0 14756 35 0 35 35 0 158 14 amappl16 200 1461 0 1434 18 7 11 15 0 8 8 amappl15 192 1 0 1 1 0 1 1 0 8 1 amappl14 184 101 0 90 1 0 1 1 0 8 0 amappl12 168 1257 0 1228 3 0 3 3 0 8 1 amappl11 160 40 0 30 1 0 1 1 0 8 0 amappl10 152 18 0 18 1 0 1 1 0 8 1 amappl9 144 257 0 257 1 0 1 1 0 8 1 amappl8 136 28 0 27 1 0 1 1 0 8 0 amappl7 128 92 0 82 1 0 1 1 0 8 0 amappl6 120 165 0 162 1 0 1 1 0 8 0 amappl5 112 108 0 102 1 0 1 1 0 8 0 amappl4 104 266 0 251 1 0 1 1 0 8 0 amappl3 96 2472 0 2376 3 0 3 3 0 8 0 amappl2 88 848 0 778 2 0 2 2 0 8 0 amappl1 80 8861 0 8316 13 0 13 13 0 8 1 amappl 88 4027 0 3859 4 0 4 4 0 92 0 dma4096 4096 3 0 3 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 5 0 0 1 0 1 1 0 8 0 uaddrrnd 24 633 0 603 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 633 0 603 1 0 1 1 0 8 0 vmmpekpl 168 6323 0 6286 2 0 2 2 0 8 0 vmmpepl 168 44795 0 42928 93 0 93 93 0 357 10 vmsppl 368 632 0 603 4 0 4 4 0 8 1 rwobjpl 40 16119 0 12877 33 0 33 33 0 8 0 pdppl 4096 1272 0 1206 96 30 66 82 0 8 0 pvpl 32 281817 0 272931 125 0 125 125 0 265 44 pmappl 216 632 0 603 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 375 0 30 11 0 11 11 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833409fb) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337a9b6,ffffffff833db592,3b9,ffffffff833b56b0) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9615a8,ffffffff8333346e) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(205b9a,ffff80003c9615a0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003c94ba10) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff800031507510) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069d6f518,1,fffffd8007bfb618,ffff80003c94ba10) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806a040628,ffff80003c94ba10) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806a040628,ffff80003c94ba10) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c94ba10) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003c94ba10,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c94ba10,ffff800031507870,ffff8000315077c0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800031507870) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800031507870) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fffb22dc20, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff833409fb) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337a9b6,ffffffff833db592,3b9,ffffffff833b56b0) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9615a8,ffffffff8333346e) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(205b9a,ffff80003c9615a0) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003c94ba10) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff800031507510) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8069d6f518,1,fffffd8007bfb618,ffff80003c94ba10) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806a040628,ffff80003c94ba10) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806a040628,ffff80003c94ba10) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806a040628,ffff80003c94ba10) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003c94ba10) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003c94ba10,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003c94ba10,ffff800031507870,ffff8000315077c0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800031507870) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800031507870) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fffb22dc20, count: -16