panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 953 Stopped at db_enter+37: addq $8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 207649 71948 0 0 0 0 syz-executor * 43909 57873 0 0 0x4000000 1K syz-executor db_enter() at db_enter+37 panic(ffffffff833959d9) at panic+485 __assert(ffffffff833d5dca,ffffffff833e1a34,3b9,ffffffff8340b62e) at __assert+41 refcnt_finalize(ffff8000337e7560,ffffffff8338931c) at refcnt_finalize+475 pppx_if_destroy(ffff8000313dc000,ffff8000337e7558) at pppx_if_destroy+61 pppxclose(285b9a,41,2000,ffff80002ebd4fb8) at pppxclose+160 spec_close(ffff80003c486ff0) at spec_close+1047 VOP_CLOSE(fffffd8066e338b8,41,fffffd80097fb888,ffff80002ebd4fb8) at VOP_CLOSE+306 vn_closefile(fffffd805fb37af0,ffff80002ebd4fb8) at vn_closefile+299 fdrop(fffffd805fb37af0,ffff80002ebd4fb8) at fdrop+289 closef(fffffd805fb37af0,ffff80002ebd4fb8) at closef+402 syscall(ffff80003c487250) at syscall+3028 Xsyscall() at Xsyscall+296 end of kernel end trace frame: 0xd2c5f83d60, count: 2 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 953 ddb{1}> trace db_enter() at db_enter+37 panic(ffffffff833959d9) at panic+485 __assert(ffffffff833d5dca,ffffffff833e1a34,3b9,ffffffff8340b62e) at __assert+41 refcnt_finalize(ffff8000337e7560,ffffffff8338931c) at refcnt_finalize+475 pppx_if_destroy(ffff8000313dc000,ffff8000337e7558) at pppx_if_destroy+61 pppxclose(285b9a,41,2000,ffff80002ebd4fb8) at pppxclose+160 spec_close(ffff80003c486ff0) at spec_close+1047 VOP_CLOSE(fffffd8066e338b8,41,fffffd80097fb888,ffff80002ebd4fb8) at VOP_CLOSE+306 vn_closefile(fffffd805fb37af0,ffff80002ebd4fb8) at vn_closefile+299 fdrop(fffffd805fb37af0,ffff80002ebd4fb8) at fdrop+289 closef(fffffd805fb37af0,ffff80002ebd4fb8) at closef+402 syscall(ffff80003c487250) at syscall+3028 Xsyscall() at Xsyscall+296 end of kernel end trace frame: 0xd2c5f83d60, count: -13 ddb{1}> show registers rdi 0 rsi 1 rbp 18446603337232575936 rbx 18446603336919477727 rdx 18446603336242877760 rcx 18446603337005354936 rax 18446603336919474160 r8 72340172838076673 r9 9259542123273814144 r10 4396995524808627947 r11 3227357678414702764 r12 18446603336919477216 r13 0 r14 0 r15 1 rip 18446744071600597781 db_enter+37 cs 8 rflags 582 rsp 18446603337232575920 ss 16 db_enter+37: addq $8,%rsp ddb{1}> show proc PROC (syz-executor) tid=43909 pid=57873 tcnt=4 stat=onproc flags process=0 proc=4000000 runpri=84, usrpri=84, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002ebd4a88,0xffff80002ebd4d30 process=0xffff80002a3cf9d8 user=0xffff80003c482000, vmspace=0xfffffd806c1a5200 estcpu=34, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 65661 150531 5637 0 2 0 syz-executor 65661 308101 5637 0 3 0x4000080 fsleep syz-executor 65661 519986 5637 0 2 0x4000000 syz-executor 96041 193199 18661 0 2 0x1 syz-executor 96041 235975 18661 0 3 0x4000080 fsleep syz-executor 96041 377896 18661 0 3 0x4000080 fsleep syz-executor 71948 207649 50173 0 7 0 syz-executor 71948 442608 50173 0 2 0x4000000 syz-executor 71948 151426 50173 0 3 0x4000080 fsleep syz-executor 72398 315573 67604 0 2 0x1 syz-executor 72398 19277 67604 0 3 0x4000080 fsleep syz-executor 87483 278387 64682 0 4 0x82004 syz-executor 87483 304160 64682 0 2 0x4002004 syz-executor 87483 225033 64682 0 4 0x4082004 syz-executor 57873 426727 7156 0 2 0x1 syz-executor 57873 150415 7156 0 3 0x4000080 kqsel syz-executor 57873 498840 7156 0 3 0x4000000 smrbar syz-executor *57873 43909 7156 0 7 0x4000000 syz-executor 21857 428492 32912 0 3 0x3000 suspend syz-executor 21857 480193 32912 0 3 0x4081000 biowait syz-executor 21857 505299 32912 0 3 0x4081000 inode syz-executor 21857 1812 32912 0 3 0x4081000 inode syz-executor 73287 112546 0 0 3 0x14200 acct acct 24388 362284 0 0 3 0x14280 nfsidl nfsio 8595 380428 0 0 3 0x14280 nfsidl nfsio 34572 523235 0 0 3 0x14280 nfsidl nfsio 53435 185115 0 0 3 0x14280 nfsidl nfsio 41657 466415 54276 0 2 0x3 syz-executor 64682 14673 54276 0 2 0x3 syz-executor 7156 489804 54276 0 2 0x3 syz-executor 74337 110724 97992 0 3 0x82 sbwait sshd-session 67604 476351 54276 0 2 0x3 syz-executor 5637 302505 54276 0 2 0x3 syz-executor 32912 171409 54276 0 2 0x3 syz-executor 18661 420635 54276 0 2 0x3 syz-executor 50173 323600 54276 0 2 0x3 syz-executor 54276 234139 92637 0 3 0x82 kqread syz-executor 92637 23724 53144 0 3 0x10008a sigsusp ksh 53144 216575 69700 0 3 0x98 kqread sshd-session 69700 328327 97992 0 3 0x92 kqread sshd-session 35565 361582 1 0 3 0x100083 ttyopn getty 97992 474276 1 0 3 0x88 kqread sshd 2797 123065 97709 74 3 0x1100092 bpf pflogd 97709 40227 1 0 3 0x80 sbwait pflogd 76088 370637 17357 73 3 0x1100090 kqread syslogd 17357 126606 1 0 3 0x100082 sbwait syslogd 23718 396267 1 0 3 0x100080 kqread resolvd 17977 59785 32396 77 3 0x100092 kqread dhcpleased 27977 426572 32396 77 3 0x100092 kqread dhcpleased 32396 231177 1 0 3 0x80 kqread dhcpleased 44403 519729 0 0 3 0x14200 bored smr 90858 114560 0 0 2 0x14200 zerothread 21987 84640 0 0 3 0x14200 aiodoned aiodoned 33444 448661 0 0 3 0x14200 syncer update 28567 43999 0 0 3 0x14200 cleaner cleaner 32048 140842 0 0 3 0x14200 reaper reaper 26677 77974 0 0 3 0x14200 pgdaemon pagedaemon 65030 135707 0 0 3 0x14200 bored viomb 79512 61330 0 0 3 0x40014200 acpi0 acpi0 1827 279325 0 0 3 0x40014200 idle1 21229 207957 0 0 3 0x14200 bored softnet1 1731 311090 0 0 3 0x14200 bored softnet0 43140 495696 0 0 3 0x14200 bored systqmp 53428 119933 0 0 3 0x14200 bored systq 67464 43741 0 0 3 0x14200 tmoslp softclockmp 66008 270554 0 0 3 0x40014200 tmoslp softclock 87848 484274 0 0 3 0x40014200 idle0 1 503780 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{1}> show all locks Process 65661 (syz-executor) thread 0xffff8000fffef240 (519986) Process 71948 (syz-executor) thread 0xffff800036fedcf0 (442608) Process 57873 (syz-executor) thread 0xffff80002ebd4fb8 (43909) Process 21857 (syz-executor) thread 0xffff8000fffeea78 (480193) Process 21857 (syz-executor) thread 0xffff800036fec598 (505299) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10240 11059K 13658K 166960K 15288 0 pcb 17 22K 28K 166960K 1298 0 rtable 272 17K 18K 166960K 1629 0 pf 37 18K 67486K 166960K 556 0 ifaddr 42 9K 11K 166960K 338 0 ifgroup 56 2K 3K 166960K 659 0 sysctl 4 1K 9K 166960K 52 0 counters 70 37K 38K 166960K 860 0 ioctlops 0 0K 4K 166960K 3185 0 iov 0 0K 40K 166960K 739 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1521 96K 97K 166960K 5744 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 6K 14K 166960K 71 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 334 0 dirhash 12 2K 2K 166960K 132 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 5997 0 sigio 0 0K 0K 166960K 137 0 proc 74 115K 180K 166960K 1443 0 subproc 72 4K 4K 166960K 185 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 2 0K 0K 166960K 989 0 in_multi 68 5K 7K 166960K 422 0 ether_multi 1 0K 0K 166960K 74 0 mrt 1 0K 0K 166960K 76 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 253 1129K 1129K 166960K 253 0 exec 0 0K 1K 166960K 1475 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 284 177K 196K 166960K 55987 0 UVM aobj 58 4K 6K 166960K 70 0 pinsyscall 45 90K 104K 166960K 7405 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 375 0 NDP 12 0K 2K 166960K 260 0 temp 188 8661K 8917K 166960K 299030 0 kqueue 14 22K 34K 166960K 1244 0 SYN cache 2 8K 16K 166960K 3 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 830 0 827 8 7 1 3 0 8 0 rtentry 176 477 0 379 8 2 6 6 0 8 0 unpcb 144 4316 0 4295 33 31 2 6 0 8 1 syncache 336 22 0 22 7 7 0 1 0 8 0 tcpqe 32 7 25 7 3 3 0 1 0 8 0 tcpcb 736 2306 0 2296 43 38 5 10 0 8 3 arp 136 57 0 37 1 0 1 1 0 8 0 inpcb 328 7108 0 7093 75 71 4 16 0 8 2 nd6 152 81 0 59 3 1 2 2 0 8 0 pkpcb 40 52 0 52 16 16 0 1 0 8 0 kcovpl 48 20 0 12 1 0 1 1 0 8 0 mppekey 1024 4 0 4 4 4 0 1 0 8 0 ppxss 1192 326 0 325 8 7 1 1 0 8 0 pppxif 1504 30 0 29 16 15 1 1 0 8 0 pffrag 232 87 0 80 1 0 1 1 0 482 0 pffrnode 88 82 0 77 1 0 1 1 0 8 0 pffrent 40 221 0 213 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 3 0 3 3 3 0 1 0 8 0 pfanchor 1288 1 0 1 1 1 0 1 0 8 0 pftag 88 1 0 1 1 1 0 1 0 8 0 pfstitem 24 311 0 251 1 0 1 1 0 8 0 pfstkey 128 311 0 252 3 0 3 3 0 8 0 pfstate 384 310 0 251 9 2 7 7 0 8 0 pfrule 1344 25 0 19 2 1 1 2 0 8 0 rttmr 136 9 0 9 4 4 0 1 0 8 0 art_heap8 4096 8 0 2 8 2 6 7 0 8 0 art_heap4 256 1904 0 1542 51 25 26 34 0 8 0 art_table 40 1912 0 1544 7 2 5 6 0 8 0 art_node 32 402 0 321 1 0 1 1 0 8 0 sysvmsgpl 40 11 0 6 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 329 0 319 1 0 1 1 0 8 0 shmpl 112 67 0 12 2 0 2 2 0 8 0 dirhash 1024 98 0 81 3 0 3 3 0 8 0 dino2pl 256 12854 0 11312 97 0 97 97 0 8 0 ffsino 296 12854 0 11312 120 0 120 120 0 8 0 nchpl 144 20925 0 19183 65 0 65 65 0 8 0 rtmask 32 66 0 66 18 17 1 1 0 8 1 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 76698 0 76694 6 5 1 2 0 8 0 percpumem 16 445 0 395 1 0 1 1 0 8 0 kstatmem 264 438 0 410 3 0 3 3 0 8 0 scsiplug 72 30 0 30 10 10 0 1 0 8 0 scxspl 216 140603 0 140602 23 22 1 8 1 8 0 plimitpl 152 1938 0 1920 1 0 1 1 0 8 0 sigapl 424 6217 0 6163 9 2 7 8 0 8 0 knotepl 120 828 0 0 18 0 18 18 0 8 0 kqueuepl 224 2478 0 2466 22 20 2 5 0 8 1 pipepl 344 1035 0 1008 33 30 3 9 0 8 0 fdescpl 528 6148 0 6115 3 0 3 3 0 8 0 filepl 160 45921 0 45692 86 73 13 23 0 8 1 lockfpl 104 2864 0 2856 5 4 1 2 0 8 0 lockfspl 48 1003 0 995 1 0 1 1 0 8 0 sessionpl 144 51 0 41 1 0 1 1 0 8 0 pgrppl 48 235 0 217 1 0 1 1 0 8 0 ucredpl 104 8178 0 8164 1 0 1 1 0 8 0 zombiepl 144 8623 0 8621 3 2 1 1 0 8 0 processpl 1232 6217 0 6163 8 3 5 6 0 8 0 procpl 664 16341 0 16272 14 7 7 8 0 8 0 sosppl 176 45 0 44 10 9 1 1 0 8 0 sockpl 752 12689 0 12650 116 109 7 28 0 8 2 mcl64k 65536 31 0 0 4 0 4 4 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 4 0 0 1 0 1 1 0 8 0 mcl4k 4096 139 0 0 17 1 16 17 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 81 0 0 5 0 5 5 0 8 0 mtagpl 96 3 0 0 1 0 1 1 0 8 0 mbufpl 256 1817 0 0 98 0 98 98 0 8 0 bufpl 280 55890 0 49753 439 0 439 439 0 8 0 anonpl 32 16225 0 0 130 1 129 129 0 246 0 amapchunkpl 152 216048 0 215426 123 92 31 42 0 158 4 amappl16 200 19156 0 19080 144 130 14 39 0 8 0 amappl15 192 31 0 31 1 1 0 1 0 8 0 amappl14 184 4 0 4 3 3 0 1 0 8 0 amappl13 176 593 0 592 1 0 1 1 0 8 0 amappl12 168 6638 0 6593 3 0 3 3 0 8 0 amappl11 160 35 0 35 3 3 0 1 0 8 0 amappl10 152 52 0 38 1 0 1 1 0 8 0 amappl9 144 278 0 277 2 1 1 1 0 8 0 amappl8 136 33 0 30 1 0 1 1 0 8 0 amappl7 128 134 0 133 1 0 1 1 0 8 0 amappl6 120 435 0 420 1 0 1 1 0 8 0 amappl5 112 89 0 77 1 0 1 1 0 8 0 amappl4 104 579 0 546 1 0 1 1 0 8 0 amappl3 96 35245 0 35134 4 1 3 3 0 8 0 amappl2 88 6367 0 6282 3 0 3 3 0 8 0 amappl1 80 37709 0 37028 17 1 16 16 0 8 0 amappl 88 53930 0 53732 5 0 5 5 0 92 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 dma65536 65536 3 0 3 3 3 0 1 0 8 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma16384 16384 2 0 2 2 2 0 1 0 8 0 dma8192 8192 1 0 1 1 1 0 1 0 8 0 dma4096 4096 3 0 3 3 3 0 1 0 8 0 dma1024 1024 2 0 1 1 0 1 1 0 8 0 dma256 256 8 0 8 3 3 0 1 0 8 0 dma128 128 258 0 258 4 4 0 1 0 8 0 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 69 0 12 2 0 2 2 0 8 0 uaddrrnd 24 6148 0 6115 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 6148 0 6115 1 0 1 1 0 8 0 vmmpekpl 168 47234 0 47173 4 0 4 4 0 8 0 vmmpepl 168 391591 0 389381 199 95 104 125 0 357 1 vmsppl 488 6147 0 6115 5 0 5 5 0 8 0 rwobjpl 80 104247 0 97146 182 32 150 159 0 8 0 pdppl 4096 12303 0 12230 165 92 73 83 0 8 0 pvpl 32 23001 0 0 185 2 183 183 0 265 0 pmappl 256 6147 0 6115 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 527 0 187 10 0 10 10 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+39: addq $8,%rsp x86_ipi_db(ffffffff83893ff0) at x86_ipi_db+39 x86_ipi_handler() at x86_ipi_handler+217 Xresume_lapic_ipi() at Xresume_lapic_ipi+39 __mp_lock(ffffffff838dfec0) at __mp_lock+402 intr_handler(ffff80002a2f7fc0,ffff80000007aa80) at intr_handler+233 Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+399 end of kernel end trace frame: 0x70fee350f9e0, count: 9 ddb{0}> trace x86_ipi_db(ffffffff83893ff0) at x86_ipi_db+39 x86_ipi_handler() at x86_ipi_handler+217 Xresume_lapic_ipi() at Xresume_lapic_ipi+39 __mp_lock(ffffffff838dfec0) at __mp_lock+402 intr_handler(ffff80002a2f7fc0,ffff80000007aa80) at intr_handler+233 Xintr_ioapic_edge23_untramp() at Xintr_ioapic_edge23_untramp+399 end of kernel end trace frame: 0x70fee350f9e0, count: -6 ddb{0}> machine ddbcpu 1 Stopped at db_enter+37: addq $8,%rsp db_enter() at db_enter+37 panic(ffffffff833959d9) at panic+485 __assert(ffffffff833d5dca,ffffffff833e1a34,3b9,ffffffff8340b62e) at __assert+41 refcnt_finalize(ffff8000337e7560,ffffffff8338931c) at refcnt_finalize+475 pppx_if_destroy(ffff8000313dc000,ffff8000337e7558) at pppx_if_destroy+61 pppxclose(285b9a,41,2000,ffff80002ebd4fb8) at pppxclose+160 spec_close(ffff80003c486ff0) at spec_close+1047 VOP_CLOSE(fffffd8066e338b8,41,fffffd80097fb888,ffff80002ebd4fb8) at VOP_CLOSE+306 vn_closefile(fffffd805fb37af0,ffff80002ebd4fb8) at vn_closefile+299 fdrop(fffffd805fb37af0,ffff80002ebd4fb8) at fdrop+289 closef(fffffd805fb37af0,ffff80002ebd4fb8) at closef+402 syscall(ffff80003c487250) at syscall+3028 Xsyscall() at Xsyscall+296 end of kernel end trace frame: 0xd2c5f83d60, count: 2 ddb{1}> trace db_enter() at db_enter+37 panic(ffffffff833959d9) at panic+485 __assert(ffffffff833d5dca,ffffffff833e1a34,3b9,ffffffff8340b62e) at __assert+41 refcnt_finalize(ffff8000337e7560,ffffffff8338931c) at refcnt_finalize+475 pppx_if_destroy(ffff8000313dc000,ffff8000337e7558) at pppx_if_destroy+61 pppxclose(285b9a,41,2000,ffff80002ebd4fb8) at pppxclose+160 spec_close(ffff80003c486ff0) at spec_close+1047 VOP_CLOSE(fffffd8066e338b8,41,fffffd80097fb888,ffff80002ebd4fb8) at VOP_CLOSE+306 vn_closefile(fffffd805fb37af0,ffff80002ebd4fb8) at vn_closefile+299 fdrop(fffffd805fb37af0,ffff80002ebd4fb8) at fdrop+289 closef(fffffd805fb37af0,ffff80002ebd4fb8) at closef+402 syscall(ffff80003c487250) at syscall+3028 Xsyscall() at Xsyscall+296 end of kernel end trace frame: 0xd2c5f83d60, count: -13