panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83337658) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833784cd,ffffffff833da6a5,3b7,ffffffff833b4797) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c977618,ffffffff8332fe3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c977610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002a822548) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c97cf30) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8065b1f110,41,fffffd8007bfb6e8,ffff80002a822548) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd800a66b718,ffff80002a822548) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd800a66b718,ffff80002a822548) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a822548) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a822548,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a822548,ffff80003c97d290,ffff80003c97d1e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003c97d280, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83337658) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833784cd,ffffffff833da6a5,3b7,ffffffff833b4797) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c977618,ffffffff8332fe3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c977610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002a822548) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c97cf30) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8065b1f110,41,fffffd8007bfb6e8,ffff80002a822548) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd800a66b718,ffff80002a822548) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd800a66b718,ffff80002a822548) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a822548) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a822548,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a822548,ffff80003c97d290,ffff80003c97d1e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c97d290) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c97d290) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73c5befc2880, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c97cd10 rbx 0 rdx 0 rcx 0 rax 0xffff80002a822548 r8 0x101010101010101 r9 0x8080808080808080 r10 0x9f366d0257237258 r11 0xca9135fdcef66bf6 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff81a1fec5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c97cd00 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=487414 pid=72974 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=79, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a822548 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a823770,0xffff80003ca3ad40 process=0xffff80003ca18490 user=0xffff80003c978000, vmspace=0xfffffd806ba562f0 estcpu=29, cpticks=4, pctcpu=0.2, user=0, sys=2, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 86589 478081 26843 0 2 0 syz-executor 86589 394966 26843 0 3 0x4000080 fsleep syz-executor 6004 341545 83166 0 2 0 syz-executor 75760 448155 7026 0 2 0 syz-executor 75760 408348 7026 0 3 0x4000080 msgwait syz-executor 29176 335394 98840 0 2 0 syz-executor 29176 502211 98840 0 2 0x4000000 syz-executor 34379 420973 15726 0 2 0xc80 syz-executor 34379 101620 15726 0 3 0x4000080 kqsel syz-executor 34379 229048 15726 0 3 0x4000080 fsleep syz-executor 32705 247587 30624 0 2 0xc80 syz-executor 32705 302623 30624 0 3 0x4000080 fsleep syz-executor 32705 33059 30624 0 3 0x4000080 kqread syz-executor 32705 202959 30624 0 3 0x4000080 fsleep syz-executor 50150 150566 73070 0 2 0xc80 syz-executor 50150 239471 73070 0 3 0x4000080 kqsel syz-executor 50150 197815 73070 0 3 0x4000080 fsleep syz-executor 84373 3985 0 0 3 0x14200 bored sosplice 83166 6705 67271 0 2 0x2 syz-executor 73070 101241 67271 0 2 0xc82 syz-executor 26843 360448 67271 0 2 0xc82 syz-executor 15726 409764 67271 0 2 0xc82 syz-executor 30624 332045 67271 0 2 0xc82 syz-executor 61534 107233 67271 0 2 0xc82 syz-executor 7026 188214 67271 0 2 0xc82 syz-executor 98840 495526 67271 0 2 0xc82 syz-executor 67271 115506 52711 0 3 0x82 kqread syz-executor 52711 154707 94354 0 3 0x10008a sigsusp ksh 94354 269387 88196 0 3 0x98 kqread sshd-session 88196 160069 71925 0 3 0x92 kqread sshd-session 70411 65011 1 0 3 0x100083 ttyin getty 71925 225389 1 0 3 0x88 kqread sshd 50490 353630 35767 73 3 0x1100090 kqread syslogd 35767 413673 1 0 3 0x100082 sbwait syslogd 90729 178231 1 0 3 0x100080 kqread resolvd 89012 497388 90303 77 2 0x100012 dhcpleased 61569 499683 90303 77 3 0x100092 kqread dhcpleased 90303 14282 1 0 3 0x80 kqread dhcpleased 24730 424016 0 0 3 0x14200 bored smr 34478 219879 0 0 2 0x14200 zerothread 82397 456682 0 0 3 0x14200 aiodoned aiodoned 57676 511681 0 0 3 0x14200 syncer update 42512 216802 0 0 3 0x14200 cleaner cleaner 31506 423517 0 0 3 0x14200 reaper reaper 79122 191523 0 0 3 0x14200 pgdaemon pagedaemon 12853 334070 0 0 3 0x14200 bored viomb 19657 34208 0 0 3 0x40014200 acpi0 acpi0 21203 334727 0 0 3 0x14200 bored softnet7 57106 176541 0 0 3 0x14200 bored softnet6 96953 9964 0 0 3 0x14200 bored softnet5 70973 330199 0 0 3 0x14200 bored softnet4 11536 505946 0 0 3 0x14200 bored softnet3 10772 149514 0 0 3 0x14200 bored softnet2 85396 464387 0 0 3 0x14200 bored softnet1 58822 220700 0 0 2 0x14200 softnet0 56803 395836 0 0 3 0x14200 smrbar systqmp 34891 34516 0 0 3 0x14200 bored systq 75283 18043 0 0 3 0x40014200 tmoslp softclock 9413 177831 0 0 3 0x40014200 idle0 1 190576 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10213 11048K 12097K 166960K 11901 0 pcb 18 16K 18K 166960K 185 0 rtable 160 7K 9K 166960K 384 0 pf 32 13K 17K 166960K 73 0 ifaddr 34 5K 7K 166960K 68 0 ifgroup 50 2K 2K 166960K 99 0 sysctl 4 1K 9K 166960K 8 0 counters 33 17K 18K 166960K 56 0 ioctlops 0 0K 4K 166960K 153 0 iov 0 0K 16K 166960K 26 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1496 94K 95K 166960K 1854 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 11 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 1K 166960K 24 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 236K 166960K 546 0 sigio 0 0K 0K 166960K 10 0 proc 62 59K 124K 166960K 528 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 42 0 in_multi 69 4K 7K 166960K 130 0 ether_multi 1 0K 0K 166960K 4 0 mrt 0 0K 0K 166960K 2 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 247 1102K 1102K 166960K 247 0 exec 0 0K 1K 166960K 461 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 227 144K 159K 166960K 6249 0 UVM aobj 72 3K 3K 166960K 73 0 pinsyscall 39 78K 96K 166960K 1560 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 26 0 NDP 11 0K 2K 166960K 42 0 temp 49 8637K 8707K 166960K 15303 0 kqueue 16 24K 29K 166960K 119 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 69 0 64 1 0 1 1 0 8 0 rtentry 136 116 0 56 4 0 4 4 0 8 0 unpcb 144 550 0 533 6 5 1 6 0 8 0 syncache 336 4 0 4 1 1 0 1 0 8 0 tcpcb 736 111 0 107 1 0 1 1 0 8 0 arp 88 13 0 5 1 0 1 1 0 8 0 inpcb 328 535 0 525 7 3 4 7 0 8 2 ip6q 72 4 0 2 1 0 1 1 0 8 0 ip6af 40 7 0 5 1 0 1 1 0 8 0 nd6 104 18 0 7 1 0 1 1 0 8 0 pkpcb 40 5 0 5 1 1 0 1 0 8 0 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 16 0 15 2 1 1 1 0 8 0 pppxif 1384 5 0 4 1 0 1 1 0 8 0 pfstscr 40 4 0 4 1 1 0 1 0 8 0 pfosfp 40 2 0 1 1 0 1 1 0 8 0 pfosfpen 112 2 0 1 1 0 1 1 0 8 0 pfrktable 1344 1 0 1 1 1 0 1 0 8 0 pftag 88 2 0 1 1 0 1 1 0 8 0 pfstkey 128 6 0 6 1 1 0 1 0 8 0 pfstate 384 3 0 3 1 1 0 1 0 8 0 pfrule 1344 3 0 3 1 1 0 1 0 8 0 rttmr 136 1 0 1 1 1 0 1 0 8 0 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 541 0 234 29 5 24 29 0 8 1 art_table 40 544 0 234 5 0 5 5 0 8 0 art_node 32 114 0 61 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 4 1 0 1 1 0 8 0 semupl 112 6 0 6 1 1 0 1 0 8 0 semapl 112 21 0 11 1 0 1 1 0 8 0 shmpl 112 70 0 1 2 0 2 2 0 8 0 dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 2468 0 963 95 0 95 95 0 8 0 ffsino 256 2468 0 963 95 0 95 95 0 8 0 nchpl 144 3231 0 1546 63 0 63 63 0 8 0 rtmask 32 1 0 1 1 1 0 1 0 8 0 uvmvnodes 80 2784 0 0 57 0 57 57 0 8 0 vnodes 216 2784 0 0 155 0 155 155 0 8 0 namei 1024 11633 0 11633 3 2 1 2 0 8 1 kstatmem 264 52 0 30 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 4 0 4 1 1 0 1 0 8 0 scxspl 216 12479 0 12479 8 7 1 8 1 8 1 plimitpl 152 259 0 243 1 0 1 1 0 8 0 sigapl 424 837 0 786 9 0 9 9 0 8 2 knotepl 120 20286 0 20237 24 12 12 15 0 8 10 kqueuepl 184 287 0 272 4 3 1 4 0 8 0 pipepl 304 129 0 100 3 0 3 3 0 8 0 fdescpl 448 795 0 765 5 1 4 5 0 8 0 filepl 120 5676 0 5447 15 6 9 14 0 8 1 lockfpl 104 129 0 127 1 0 1 1 0 8 0 lockfspl 48 56 0 54 1 0 1 1 0 8 0 sessionpl 144 22 0 14 1 0 1 1 0 8 0 pgrppl 48 34 0 18 1 0 1 1 0 8 0 ucredpl 104 926 0 915 1 0 1 1 0 8 0 zombiepl 144 787 0 786 1 0 1 1 0 8 0 processpl 1168 837 0 786 6 0 6 6 0 8 1 procpl 664 1476 0 1415 9 1 8 8 0 8 1 sosppl 168 5 0 5 1 1 0 1 0 8 0 sockpl 552 1170 0 1137 12 7 5 12 0 8 2 mcl64k 65536 34 0 34 3 2 1 2 0 8 1 mcl16k 16384 3 0 3 2 1 1 1 0 8 1 mcl9k 9216 3 0 3 2 1 1 1 0 8 1 mcl8k 8192 8 0 8 2 1 1 1 0 8 1 mcl4k 4096 2938 0 2885 14 6 8 14 0 8 1 mcl2k 2048 825 0 815 3 1 2 2 0 8 0 mtagpl 96 4 0 4 1 1 0 1 0 8 0 mbufpl 256 8387 0 8196 13 0 13 13 0 8 0 bufpl 280 4870 0 118 340 0 340 340 0 8 0 anonpl 24 151804 0 148592 96 26 70 70 0 187 27 amapchunkpl 152 20198 0 19717 32 7 25 29 0 158 3 amappl16 200 3142 0 3112 37 10 27 27 0 8 18 amappl15 192 6 0 5 1 0 1 1 0 8 0 amappl14 184 106 0 95 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 1 0 1 0 8 0 amappl12 168 1403 0 1374 3 1 2 3 0 8 0 amappl11 160 63 0 53 1 0 1 1 0 8 0 amappl10 152 2 0 2 1 1 0 1 0 8 0 amappl9 144 278 0 278 1 1 0 1 0 8 0 amappl8 136 92 0 91 1 0 1 1 0 8 0 amappl7 128 119 0 109 1 0 1 1 0 8 0 amappl6 120 174 0 171 1 0 1 1 0 8 0 amappl5 112 111 0 105 1 0 1 1 0 8 0 amappl4 104 275 0 260 1 0 1 1 0 8 0 amappl3 96 3809 0 3700 4 0 4 4 0 8 1 amappl2 88 623 0 565 2 0 2 2 0 8 0 amappl1 80 9666 0 9127 13 1 12 13 0 8 0 amappl 88 5546 0 5383 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 8 0 8 2 1 1 1 0 8 1 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 72 0 1 2 0 2 2 0 8 0 uaddrrnd 24 795 0 765 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 795 0 765 1 0 1 1 0 8 0 vmmpekpl 168 7729 0 7694 2 0 2 2 0 8 0 vmmpepl 168 56059 0 54163 113 8 105 105 0 357 12 vmsppl 368 794 0 765 4 1 3 4 0 8 0 rwobjpl 40 20180 0 16480 43 0 43 43 0 8 1 pdppl 4096 1597 0 1530 99 32 67 83 0 8 0 pvpl 32 376577 0 367811 198 48 150 150 0 265 49 pmappl 216 794 0 765 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 385 0 55 11 0 11 11 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83337658) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833784cd,ffffffff833da6a5,3b7,ffffffff833b4797) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c977618,ffffffff8332fe3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c977610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002a822548) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c97cf30) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8065b1f110,41,fffffd8007bfb6e8,ffff80002a822548) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd800a66b718,ffff80002a822548) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd800a66b718,ffff80002a822548) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a822548) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a822548,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a822548,ffff80003c97d290,ffff80003c97d1e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c97d290) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c97d290) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73c5befc2880, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83337658) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833784cd,ffffffff833da6a5,3b7,ffffffff833b4797) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c977618,ffffffff8332fe3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c977610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002a822548) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c97cf30) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8065b1f110,41,fffffd8007bfb6e8,ffff80002a822548) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd800a66b718,ffff80002a822548) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd800a66b718,ffff80002a822548) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd800a66b718,ffff80002a822548) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002a822548) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002a822548,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002a822548,ffff80003c97d290,ffff80003c97d1e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c97d290) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c97d290) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73c5befc2880, count: -16