panic: kernel diagnostic assertion "ifp != NULL" failed: file "/syzkaller/managers/setuid/kernel/sys/netinet/if_ether.c", line 759
Stopped at db_enter+0x1c: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*259636 42155 0 0x14000 0x200 1 softclockmp
377353 9927 0 0x14000 0x40000200 0 softclock
db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff827ae56f) at panic+0x17b sys/kern/subr_prf.c:198
__assert(ffffffff828297c0,ffffffff82875394,2f7,ffffffff8277525c) at __assert+0x29 sys/kern/subr_prf.c:157
arptfree(fffffd80694d7ef8) at arptfree+0x132 sys/netinet/if_ether.c:759
arptimer(ffffffff82cc04f8) at arptimer+0x88 sys/netinet/if_ether.c:135
timeout_run(ffffffff82cc04f8) at timeout_run+0xd0 sys/kern/kern_timeout.c:665
softclock_thread_mp(ffff800021158000) at softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833
end trace frame: 0x0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: kernel diagnostic assertion "ifp != NULL" failed: file "/syzkaller/managers/setuid/kernel/sys/netinet/if_ether.c", line 759 ddb{1}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff827ae56f) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff828297c0,ffffffff82875394,2f7,ffffffff8277525c) at __assert+0x29 sys/kern/subr_prf.c:157 arptfree(fffffd80694d7ef8) at arptfree+0x132 sys/netinet/if_ether.c:759 arptimer(ffffffff82cc04f8) at arptimer+0x88 sys/netinet/if_ether.c:135 timeout_run(ffffffff82cc04f8) at timeout_run+0xd0 sys/kern/kern_timeout.c:665 softclock_thread_mp(ffff800021158000) at softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833 end trace frame: 0x0, count: -7 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff80002116b960 rbx 0xffff800020d49ba7 rdx 0 rcx 0xffff800021158000 rax 0xffff800020d48ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x238db212708e4e6a r11 0x793240ee8ce97c08 r12 0xffff800020d499a8 r13 0 r14 0 r15 0x1 rip 0xffffffff8272b5ec db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002116b950 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb{1}> show proc PROC (softclockmp) tid=259636 pid=42155 tcnt=1 stat=onproc flags process=14000 proc=200 runpri=0, usrpri=50, slppri=0, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff8000211582a8,0xffff800021158808 process=0xffff8000ffffc860 user=0xffff800021166000, vmspace=0xffffffff82d366b8 estcpu=0, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 24399 332272 18524 32767 3 0x90 piperd syz-executor.4 18524 441574 69848 0 3 0x82 wait syz-executor.4 43167 280344 75214 32767 3 0x90 piperd syz-executor.7 75214 8822 69848 0 3 0x82 wait syz-executor.7 15770 1088 33085 32767 3 0x90 piperd syz-executor.5 33085 146524 69848 0 3 0x82 wait syz-executor.5 63280 190747 69848 0 3 0x82 wait syz-executor.0 92473 168462 5557 32767 3 0x90 
piperd syz-executor.1 5557 16510 69848 0 3 0x82 wait syz-executor.1 6666 217490 10899 32767 3 0x90 piperd syz-executor.2 10899 444882 69848 0 3 0x82 wait syz-executor.2 62836 369269 44419 32767 3 0x90 piperd syz-executor.6 44419 43425 69848 0 3 0x82 wait syz-executor.6 13907 329757 55261 32767 3 0x90 piperd syz-executor.3 55261 9424 69848 0 3 0x82 wait syz-executor.3 88420 64877 0 0 3 0x14200 bored sosplice 69848 427953 88298 0 3 0x2000082 wait syz-fuzzer 69848 451876 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 485124 88298 0 3 0x6000082 kqread syz-fuzzer 69848 219852 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 512176 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 480287 88298 0 3 0x6000082 wait syz-fuzzer 69848 252983 88298 0 3 0x6000082 wait syz-fuzzer 69848 188639 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 397778 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 502159 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 48961 88298 0 3 0x6000082 wait syz-fuzzer 69848 247067 88298 0 3 0x6000082 wait syz-fuzzer 69848 129615 88298 0 3 0x6000082 wait syz-fuzzer 69848 44984 88298 0 3 0x6000082 thrsleep syz-fuzzer 69848 5485 88298 0 3 0x6000082 wait syz-fuzzer 69848 220597 88298 0 3 0x6000082 wait syz-fuzzer 88298 28556 6126 0 3 0x10008a sigsusp ksh 6126 261387 23619 0 3 0x9a kqread sshd 43511 434017 1 0 3 0x100083 ttyin getty 23619 216808 1 0 3 0x88 kqread sshd 90753 114230 15428 73 3 0x1100090 kqread syslogd 15428 452038 1 0 3 0x100082 netio syslogd 96577 350903 1 0 3 0x100080 kqread resolvd 9318 428177 79578 77 3 0x100092 kqread dhcpleased 15491 88380 79578 77 3 0x100092 kqread dhcpleased 79578 184314 1 0 3 0x80 kqread dhcpleased 5963 261347 0 0 2 0x14200 smr 60645 215024 0 0 3 0x14200 pgzero zerothread 72291 390200 0 0 3 0x14200 aiodoned aiodoned 67652 463167 0 0 3 0x14200 syncer update 85668 518395 0 0 3 0x14200 cleaner cleaner 52980 353404 0 0 3 0x14200 reaper reaper 50555 120955 0 0 3 0x14200 pgdaemon pagedaemon 80652 220412 0 0 3 0x14200 bored viomb 16576 69578 0 
0 3 0x40014200 acpi0 acpi0 55814 427693 0 0 3 0x40014200 idle1 5 292925 0 0 3 0x14200 bored softnet3 84550 120604 0 0 3 0x14200 bored softnet2 47100 31346 0 0 3 0x14200 bored softnet1 65436 104227 0 0 3 0x14200 bored softnet0 59888 426590 0 0 3 0x14200 bored systqmp 77160 459595 0 0 3 0x14200 bored systq *42155 259636 0 0 7 0x14200 softclockmp 9927 377353 0 0 7 0x40014200 softclock 54748 491144 0 0 3 0x40014200 idle0 1 313932 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 42155 (softclockmp) thread 0xffff800021158000 (259636) exclusive rwlock netlock r = 0 (0xffffffff82b92af0) #0 witness_lock+0x447 #1 rw_enter+0x3c8 sys/kern/kern_rwlock.c:309 #2 arptimer+0x26 sys/netinet/if_ether.c:132 #3 timeout_run+0xd0 sys/kern/kern_timeout.c:665 #4 softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833 #5 proc_trampoline+0x10 shared rwlock timeout r = 0 (0xffffffff82c13190) #0 witness_lock+0x447 #1 timeout_run+0xbb sys/kern/kern_timeout.c:661 #2 softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833 #3 proc_trampoline+0x10 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10218 6413K 6420K 78643K 11415 0 pcb 13 16K 20K 78643K 19 0 rtable 242 6K 7K 78643K 1914 0 pf 29 8K 8K 78643K 107 0 ifaddr 44 15K 16K 78643K 206 0 ifgroup 50 2K 2K 78643K 206 0 sysctl 4 1K 1K 78643K 4 0 counters 60 35K 35K 78643K 138 0 ioctlops 0 0K 2K 78643K 163 0 iov 0 0K 32K 78643K 1082 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1279 80K 80K 78643K 3574 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 137 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 1K 78643K 1625 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 18 65K 121K 78643K 10041 0 sigio 0 0K 0K 78643K 211 0 proc 56 78K 103K 78643K 2278 0 subproc 104 6K 6K 78643K 611 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 780 0 in_multi 99 7K 7K 78643K 645 0 ether_multi 1 0K 0K 78643K 
19 0 mrt 1 0K 0K 78643K 2 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 247 1102K 1102K 78643K 247 0 exec 0 0K 1K 78643K 1776 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 392 91K 110K 78643K 99121 0 UVM aobj 131 4K 4K 78643K 155 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 290 0 NDP 11 0K 2K 78643K 144 0 temp 74 5920K 5986K 78643K 30049 0 kqueue 12 18K 27K 78643K 952 0 SYN cache 2 16K 16K 78643K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 933 0 930 10 9 1 3 0 8 0 rtentry 112 568 0 454 4 0 4 4 0 8 0 unpcb 144 11350 0 11337 96 92 4 11 0 8 3 syncache 312 173 0 173 21 20 1 1 0 8 1 tcpqe 32 216 0 216 24 23 1 1 0 8 1 tcpcb 808 13382 0 13328 198 186 12 21 0 8 3 arp 120 101 0 82 1 0 1 1 0 8 0 ipq 40 25 0 25 6 5 1 1 0 8 1 ipqe 40 71 0 71 6 5 1 1 0 8 1 inpcb 368 18440 0 18383 229 218 11 24 0 8 2 nd6 136 164 0 137 2 1 1 2 0 8 0 kcovpl 48 47 0 39 1 0 1 1 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 2276 0 1808 37 7 30 30 0 8 0 art_table 32 2277 0 1808 4 0 4 4 0 8 0 art_node 16 567 0 463 1 0 1 1 0 8 0 sysvmsgpl 40 15 0 4 1 0 1 1 0 8 0 semupl 112 4 0 4 2 2 0 1 0 8 0 semapl 112 1623 0 1613 1 0 1 1 0 8 0 shmpl 112 152 0 24 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 14055 0 12610 91 0 91 91 0 8 0 ffsino 272 14055 0 12610 97 0 97 97 0 8 0 nchpl 144 26721 0 25085 63 0 63 63 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 92986 0 92986 5 4 1 2 0 8 1 percpumem 16 82 0 39 1 0 1 1 0 8 0 kstatmem 264 100 0 78 2 0 2 2 0 8 0 scxspl 216 78649 0 78649 26 25 1 8 1 8 1 plimitpl 152 1810 0 1787 16 15 1 2 0 8 0 sigapl 424 10258 0 10210 7 0 7 7 0 8 0 futexpl 64 80170 0 80170 2 1 1 1 0 8 1 knotepl 120 766 0 0 11 0 11 11 0 8 0 kqueuepl 216 2389 0 2381 40 
39 1 8 0 8 0 pipepl 320 4142 0 4114 99 93 6 13 0 8 3 fdescpl 496 10239 0 10210 8 3 5 6 0 8 0 filepl 152 78584 0 78351 149 134 15 21 0 8 5 lockfpl 104 1116 0 1114 1 0 1 1 0 8 0 lockfspl 48 350 0 348 1 0 1 1 0 8 0 sessionpl 144 62 0 46 1 0 1 1 0 8 0 pgrppl 48 1153 0 1137 1 0 1 1 0 8 0 ucredpl 104 9813 0 9795 1 0 1 1 0 8 0 zombiepl 144 10211 0 10210 1 0 1 1 0 8 0 processpl 1072 10258 0 10210 5 1 4 5 0 8 0 procpl 680 27523 0 27460 27 19 8 8 0 8 1 sosppl 168 176 0 173 10 9 1 1 0 8 0 sockpl 488 31288 0 31215 618 600 18 39 0 8 2 mcl64k 65536 33 0 0 4 1 3 3 0 8 0 mcl16k 16384 17 0 0 3 0 3 3 0 8 0 mcl12k 12288 24 0 0 2 0 2 2 0 8 0 mcl9k 9216 25 0 0 2 0 2 2 0 8 0 mcl8k 8192 25 0 0 4 1 3 3 0 8 0 mcl4k 4096 42 0 0 4 1 3 3 0 8 0 mcl2k2 2112 12 0 0 1 0 1 1 0 8 0 mcl2k 2048 360 0 0 33 15 18 33 0 8 0 mtagpl 96 4 0 0 1 0 1 1 0 8 0 mbufpl 256 1429 0 0 65 0 65 65 0 8 0 bufpl 288 18003 0 11680 452 0 452 452 0 8 0 anonpl 24 1019646 0 1008044 173 84 89 96 0 186 0 amapchunkpl 152 324050 0 323292 117 74 43 51 0 158 5 amappl16 200 19392 0 19091 98 81 17 29 0 8 0 amappl15 192 8 0 7 1 0 1 1 0 8 0 amappl14 184 277 0 263 2 1 1 2 0 8 0 amappl13 176 24 0 23 1 0 1 1 0 8 0 amappl12 168 11489 0 11455 2 0 2 2 0 8 0 amappl11 160 51 0 41 1 0 1 1 0 8 0 amappl10 152 104 0 90 1 0 1 1 0 8 0 amappl9 144 266 0 266 21 21 0 1 0 8 0 amappl8 136 738 0 592 7 1 6 6 0 8 0 amappl7 128 301 0 276 2 0 2 2 0 8 0 amappl6 120 947 0 937 1 0 1 1 0 8 0 amappl5 112 331 0 322 1 0 1 1 0 8 0 amappl4 104 937 0 906 2 1 1 2 0 8 0 amappl3 96 60838 0 60768 6 3 3 4 0 8 0 amappl2 88 11247 0 11172 3 1 2 3 0 8 0 amappl1 80 46317 0 45800 22 9 13 22 0 8 0 amappl 88 97983 0 97764 7 0 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 154 0 24 4 1 3 3 0 8 0 uaddrrnd 24 10239 0 10210 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 10239 0 10210 1 
0 1 1 0 8 0 vmmpekpl 168 90405 0 90358 3 0 3 3 0 8 0 vmmpepl 168 617385 0 615215 282 149 133 139 0 357 12 vmsppl 464 10238 0 10210 7 2 5 6 0 8 0 rwobjpl 56 155168 0 147754 114 6 108 109 0 8 0 pdppl 4096 20486 0 20420 510 428 82 94 0 8 16 pvpl 32 2933010 0 2915731 466 300 166 334 0 265 0 pmappl 248 10238 0 10210 4 1 3 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 1787 0 902 27 0 27 27 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffffffff82be8ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82c5e6f8) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82c5e6f8) at __mp_lock+0x122 sys/kern/kern_lock.c:147 __mp_acquire_count(ffffffff82c5e6f8,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227 mi_switch() at mi_switch+0x46d sys/kern/sched_bsd.c:470 sleep_finish(0,1) at sleep_finish+0x19b sys/kern/kern_synch.c:414 msleep(ffffffff82d4d3c0,ffffffff82c13160,0,ffffffff8278a4ee,0) at msleep+0xea sys/kern/kern_synch.c:249 softclock_thread(ffff8000211582a8) at softclock_thread+0xd0 sys/kern/kern_timeout.c:805 end trace frame: 0x0, count: 6 ddb{0}> trace x86_ipi_db(ffffffff82be8ff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82c5e6f8) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82c5e6f8) at __mp_lock+0x122 sys/kern/kern_lock.c:147 __mp_acquire_count(ffffffff82c5e6f8,1) at __mp_acquire_count+0x48 sys/kern/kern_lock.c:227 mi_switch() at mi_switch+0x46d sys/kern/sched_bsd.c:470 sleep_finish(0,1) at sleep_finish+0x19b sys/kern/kern_synch.c:414 msleep(ffffffff82d4d3c0,ffffffff82c13160,0,ffffffff8278a4ee,0) at msleep+0xea sys/kern/kern_synch.c:249 
softclock_thread(ffff8000211582a8) at softclock_thread+0xd0 sys/kern/kern_timeout.c:805 end trace frame: 0x0, count: -9 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x1c: addq $0x8,%rsp db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff827ae56f) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff828297c0,ffffffff82875394,2f7,ffffffff8277525c) at __assert+0x29 sys/kern/subr_prf.c:157 arptfree(fffffd80694d7ef8) at arptfree+0x132 sys/netinet/if_ether.c:759 arptimer(ffffffff82cc04f8) at arptimer+0x88 sys/netinet/if_ether.c:135 timeout_run(ffffffff82cc04f8) at timeout_run+0xd0 sys/kern/kern_timeout.c:665 softclock_thread_mp(ffff800021158000) at softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833 end trace frame: 0x0, count: 8 ddb{1}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff827ae56f) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff828297c0,ffffffff82875394,2f7,ffffffff8277525c) at __assert+0x29 sys/kern/subr_prf.c:157 arptfree(fffffd80694d7ef8) at arptfree+0x132 sys/netinet/if_ether.c:759 arptimer(ffffffff82cc04f8) at arptimer+0x88 sys/netinet/if_ether.c:135 timeout_run(ffffffff82cc04f8) at timeout_run+0xd0 sys/kern/kern_timeout.c:665 softclock_thread_mp(ffff800021158000) at softclock_thread_mp+0xc4 sys/kern/kern_timeout.c:833 end trace frame: 0x0, count: -7