panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *242856 63911 0 0 0x4000000 0K syz-executor.0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000bf3800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800028139000) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd805e8a7098,80206979,ffff800028139000,ffff80002bb46d30) at soo_ioctl+0x26c sys_ioctl(ffff80002bb46d30,ffff800028139118,ffff800028139170) at sys_ioctl+0x4a2 syscall(ffff8000281391e0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000281391e0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xbc0c74588f0, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000bf3800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800028139000) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd805e8a7098,80206979,ffff800028139000,ffff80002bb46d30) at soo_ioctl+0x26c sys_ioctl(ffff80002bb46d30,ffff800028139118,ffff800028139170) at sys_ioctl+0x4a2 syscall(ffff8000281391e0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000281391e0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xbc0c74588f0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800028138e10 rbx 0xffffffff82920bff cpu_info_full_primary+0x2bff rdx 0 rcx 0 rax 0xffff80002bb46d30 r8 0 r9 0x8080808080808080 r10 0x365795fd1ec9f76b r11 0xa12539eb5392e247 r12 0xffffffff82920a00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff8147cfe8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800028138e00 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.0) pid=242856 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=83, nice=20 forw=0xffffffffffffffff, list=0xffff80002bb46a90,0xffff80002bb462c0 process=0xffff800029537620 user=0xffff800028134000, vmspace=0xfffffd805f224310 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 298 135754 90166 0 2 0 syz-executor.5 298 262093 90166 0 3 0x4000080 fsleep syz-executor.5 10818 101631 57360 0 2 0 syz-executor.4 10818 39613 57360 0 3 0x4000080 fsleep 
syz-executor.4 35298 50601 90968 0 2 0 syz-executor.2 35298 176113 90968 0 3 0x4000080 fsleep syz-executor.2 65600 83875 73030 0 2 0 syz-executor.3 65600 73278 73030 0 3 0x4000080 fsleep syz-executor.3 63911 521142 68271 0 2 0 syz-executor.0 *63911 242856 68271 0 7 0x4000000 syz-executor.0 63911 523464 68271 0 3 0x4000080 fsleep syz-executor.0 20928 313467 58755 0 2 0 syz-executor.1 20928 240725 58755 0 3 0x4000080 fsleep syz-executor.1 88755 156253 78925 0 2 0 syz-executor.7 88755 415399 78925 0 3 0x4000080 fsleep syz-executor.7 23030 177795 3520 0 2 0 syz-executor.6 23030 224731 3520 0 3 0x4000080 fsleep syz-executor.6 57360 21138 48883 0 3 0x82 nanoslp syz-executor.4 80549 82247 1 0 3 0x100083 ttyin getty 3520 239471 48883 0 3 0x82 nanoslp syz-executor.6 41065 461225 0 0 3 0x14200 acct acct 90968 58009 48883 0 3 0x82 nanoslp syz-executor.2 68271 362253 48883 0 2 0x482 syz-executor.0 78925 105967 48883 0 2 0x482 syz-executor.7 73030 18584 48883 0 3 0x82 nanoslp syz-executor.3 58755 145228 48883 0 2 0x482 syz-executor.1 90166 323398 48883 0 2 0x482 syz-executor.5 27809 401886 0 0 3 0x14200 bored sosplice 48883 15088 98282 0 3 0x82 thrsleep syz-fuzzer 48883 480320 98282 0 3 0x4000082 thrsleep syz-fuzzer 48883 209278 98282 0 3 0x4000082 thrsleep syz-fuzzer 48883 151027 98282 0 3 0x4000082 thrsleep syz-fuzzer 48883 119441 98282 0 3 0x4000082 thrsleep syz-fuzzer 48883 298400 98282 0 3 0x4000082 kqread syz-fuzzer 48883 37048 98282 0 3 0x4000082 thrsleep syz-fuzzer 48883 175744 98282 0 3 0x4000082 thrsleep syz-fuzzer 98282 31156 85735 0 3 0x10008a sigsusp ksh 85735 77811 25225 0 3 0x9a kqread sshd 25225 298510 1 0 3 0x88 kqread sshd 15002 68861 68041 74 3 0x100092 bpf pflogd 68041 260293 1 0 3 0x80 netio pflogd 98338 263448 13779 73 3 0x100090 kqread syslogd 13779 347662 1 0 3 0x100082 netio syslogd 93339 361987 1 0 3 0x100080 kqread resolvd 82558 262836 3641 77 2 0x100092 dhcpleased 30012 232021 3641 77 3 0x100092 kqread dhcpleased 3641 217752 1 0 3 0x80 kqread 
dhcpleased 33661 118568 0 0 3 0x14200 bored smr 76320 303602 0 0 2 0x14200 zerothread 70093 24506 0 0 3 0x14200 aiodoned aiodoned 35132 520350 0 0 3 0x14200 syncer update 76333 464024 0 0 3 0x14200 cleaner cleaner 92409 29054 0 0 3 0x14200 reaper reaper 69394 159198 0 0 3 0x14200 pgdaemon pagedaemon 17181 95872 0 0 3 0x14200 bored viomb 79298 210949 0 0 3 0x40014200 acpi0 acpi0 40625 49693 0 0 7 0x40014200 idle1 80484 272515 0 0 3 0x14200 bored softnet 4083 127506 0 0 3 0x14200 bored systqmp 12396 5876 0 0 3 0x14200 bored systq 19381 167878 0 0 2 0x40014200 softclock 1265 337791 0 0 3 0x40014200 idle0 1 225052 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 63911 (syz-executor.0) thread 0xffff80002bb46d30 (242856) exclusive rwlock clonelk r = 0 (0xffffffff828e4a20) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a3d4a8) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10249 6713K 7558K 78643K 92106 0 pcb 47 23K 26K 78643K 3075 0 rtable 272 26K 30K 78643K 4860 0 ifaddr 107 25K 27K 78643K 2147 0 sysctl 3 1K 1K 78643K 3 0 counters 58 35K 36K 78643K 508 0 ioctlops 0 0K 6K 78643K 6634 0 iov 0 0K 20K 78643K 2003 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1427 89K 90K 78643K 24379 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 189 0 VM map 2 1K 1K 78643K 2 0 sem 18 2K 3K 78643K 155 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 18 65K 89K 78643K 21115 0 sigio 0 0K 0K 78643K 205 0 proc 72 87K 111K 
78643K 3162 0 subproc 104 6K 6K 78643K 910 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 3449 0 in_multi 86 5K 7K 78643K 1507 0 ether_multi 1 0K 0K 78643K 202 0 mrt 1 0K 0K 78643K 104 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 313 1394K 1394K 78643K 313 0 exec 0 0K 2K 78643K 4117 0 pfkey data 0 0K 0K 78643K 3 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 684 1355K 1355K 78643K 267665 0 UVM aobj 131 9K 9K 78643K 142 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 1296 0 NDP 13 0K 1K 78643K 441 0 temp 162 4753K 8811K 78643K 260553 0 kqueue 13 20K 28K 78643K 1244 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 1179 0 1176 10 8 2 3 0 8 1 rtentry 112 1152 0 1054 4 1 3 4 0 8 0 unpcb 136 14066 0 14049 161 159 2 9 0 8 1 syncache 296 28 0 28 8 8 0 1 0 8 0 sackhl 24 1 0 1 1 1 0 1 0 8 0 tcpcb 736 11010 0 11001 283 275 8 19 0 8 6 arp 120 174 0 155 1 0 1 1 0 8 0 inpcb 304 22629 0 22583 252 245 7 16 0 8 3 rttmr 72 35 0 34 12 11 1 1 0 8 0 nd6 48 309 0 285 1 0 1 1 0 8 0 pkpcb 40 49 0 49 9 9 0 1 0 8 0 kcovpl 48 70 0 62 1 0 1 1 0 8 0 ppxss 1248 81 0 81 20 20 0 1 0 8 0 pfstscr 40 54 0 54 11 11 0 1 0 8 0 pffrag 232 113 0 110 3 2 1 1 0 482 0 pffrnode 88 113 0 110 3 2 1 1 0 8 0 pffrent 40 412 0 409 4 3 1 1 0 8 0 pfosfp 40 1434 0 1009 5 0 5 5 0 8 0 pfosfpen 112 1434 0 718 21 0 21 21 0 8 0 pfrke_plain 168 6 0 6 1 1 0 1 0 8 0 pfrktable 1344 504 0 484 13 10 3 3 0 8 1 pftag 88 23 0 12 3 2 1 1 0 8 0 pfstitem 24 77 0 75 1 0 1 1 0 8 0 pfstkey 112 231 0 229 1 0 1 1 0 8 0 pfstate 320 147 0 145 3 2 1 3 0 8 0 pfrule 1360 803 0 666 14 2 12 12 0 8 0 art_heap8 4096 2 0 1 2 1 1 2 0 8 0 art_heap4 256 4880 0 4441 54 26 28 32 0 8 0 art_table 32 4882 0 4442 6 2 4 5 0 8 0 
art_node 16 1146 0 1059 1 0 1 1 0 8 0 sysvmsgpl 40 30 0 9 1 0 1 1 0 8 0 semapl 112 149 0 133 1 0 1 1 0 8 0 shmpl 112 139 0 11 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 28507 0 26989 96 0 96 96 0 8 0 ffsino 272 28507 0 26989 102 0 102 102 0 8 0 nchpl 144 55094 0 53457 63 0 63 63 0 8 0 rtmask 32 10 0 10 1 1 0 1 0 8 0 uvmvnodes 80 6169 0 0 126 0 126 126 0 8 0 vnodes 224 6169 0 0 363 0 363 363 0 8 0 namei 1024 202805 0 202805 8 7 1 2 0 8 1 percpumem 16 266 0 225 1 0 1 1 0 8 0 vcpupl 2048 260 0 0 33 0 33 33 0 8 0 vmpool 560 295 0 35 19 0 19 19 0 8 0 pfiaddrpl 120 161 0 135 3 2 1 1 0 8 0 scsiplug 72 14 0 14 5 5 0 1 0 8 0 scxspl 216 161553 0 161553 52 51 1 8 0 8 1 plimitpl 152 2560 0 2545 1 0 1 1 0 8 0 sigapl 424 21344 0 21297 10 3 7 8 0 8 0 futexpl 64 194386 0 194378 4 3 1 1 0 8 0 knotepl 120 890 0 0 13 2 11 11 0 8 0 kqueuepl 216 5014 0 5003 112 111 1 8 0 8 0 pipepl 336 6431 0 6401 157 153 4 13 0 8 1 fdescpl 496 21279 0 21248 6 2 4 5 0 8 0 filepl 152 150383 0 150094 254 241 13 23 0 8 1 lockfpl 104 6368 0 6366 15 14 1 4 0 8 0 lockfspl 48 1930 0 1928 1 0 1 1 0 8 0 sessionpl 144 89 0 72 1 0 1 1 0 8 0 pgrppl 48 226 0 209 1 0 1 1 0 8 0 ucredpl 96 15823 0 15807 1 0 1 1 0 8 0 zombiepl 144 21297 0 21297 5 4 1 1 0 8 1 processpl 1064 21344 0 21297 5 0 5 5 0 8 0 procpl 672 60565 0 60502 35 28 7 9 0 8 0 srpgc 96 66 0 66 12 12 0 1 0 8 0 sosppl 168 143 0 143 28 28 0 1 0 8 0 sockpl 480 37939 0 37876 779 767 12 36 0 8 4 mcl64k 65536 42 0 0 3 0 3 3 0 8 0 mcl16k 16384 42 0 0 6 4 2 3 0 8 0 mcl12k 12288 33 0 0 2 0 2 2 0 8 0 mcl9k 9216 22 0 0 2 0 2 2 0 8 0 mcl8k 8192 25 0 0 4 1 3 3 0 8 0 mcl4k 4096 49 0 0 6 3 3 3 0 8 0 mcl2k2 2112 21 0 0 2 0 2 2 0 8 0 mcl2k 2048 481 0 0 28 2 26 28 0 8 0 mtagpl 96 2562 0 0 46 0 46 46 0 8 0 mbufpl 256 6621 0 0 366 0 366 366 0 8 0 bufpl 288 36999 0 30681 453 0 453 453 0 8 0 anonpl 24 6085543 0 6060572 464 303 161 194 0 186 7 amapchunkpl 152 645632 0 644688 119 80 39 49 0 158 2 amappl16 200 60864 0 59883 223 164 59 77 0 8 3 amappl15 192 4513 0 
4505 1 0 1 1 0 8 0 amappl14 184 646 0 641 1 0 1 1 0 8 0 amappl13 176 4038 0 4035 1 0 1 1 0 8 0 amappl12 168 910 0 907 1 0 1 1 0 8 0 amappl11 160 709 0 693 1 0 1 1 0 8 0 amappl10 152 3652 0 3641 1 0 1 1 0 8 0 amappl9 144 3598 0 3594 1 0 1 1 0 8 0 amappl8 136 6191 0 6023 6 0 6 6 0 8 0 amappl7 128 4291 0 4275 1 0 1 1 0 8 0 amappl6 120 3554 0 3522 5 3 2 2 0 8 0 amappl5 112 22512 0 22486 1 0 1 1 0 8 0 amappl4 104 3514 0 3475 7 5 2 2 0 8 0 amappl3 96 4083 0 4071 1 0 1 1 0 8 0 amappl2 88 6324 0 6254 3 1 2 3 0 8 0 amappl1 80 380976 0 380353 19 5 14 19 0 8 0 amappl 88 265641 0 265264 14 5 9 9 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 141 0 11 3 0 3 3 0 8 0 uaddrrnd 24 21574 0 21283 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 21574 0 21283 2 0 2 2 0 8 0 vmmpekpl 168 162178 0 162086 5 0 5 5 0 8 0 vmmpepl 168 1946019 0 1942210 463 286 177 183 0 357 4 vmsppl 368 21573 0 21283 28 1 27 27 0 8 0 rwobjpl 56 471914 0 463403 158 36 122 124 0 8 0 pdppl 4096 43155 0 42826 983 654 329 329 0 8 0 pvpl 32 10197071 0 10171204 642 423 219 273 0 265 0 pmappl 248 21573 0 21283 20 1 19 19 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 2632 0 1131 43 0 43 43 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000bf3800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800028139000) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd805e8a7098,80206979,ffff800028139000,ffff80002bb46d30) at soo_ioctl+0x26c sys_ioctl(ffff80002bb46d30,ffff800028139118,ffff800028139170) at sys_ioctl+0x4a2 
syscall(ffff8000281391e0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000281391e0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xbc0c74588f0, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5