panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *207929 83198 0 0 0x4000000 0K syz-executor.2 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825760e8) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ea380,ffffffff826331db,131,ffffffff825fdf80) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c71800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002e1e7c30) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80724533a0,80206979,ffff80002e1e7c30,ffff8000212187e8) at soo_ioctl+0x26c sys_ioctl(ffff8000212187e8,ffff80002e1e7d48,ffff80002e1e7da0) at sys_ioctl+0x4a2 syscall(ffff80002e1e7e10) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e1e7e10) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa79b0001c40, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825760e8) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ea380,ffffffff826331db,131,ffffffff825fdf80) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c71800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002e1e7c30) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80724533a0,80206979,ffff80002e1e7c30,ffff8000212187e8) at soo_ioctl+0x26c sys_ioctl(ffff8000212187e8,ffff80002e1e7d48,ffff80002e1e7da0) at sys_ioctl+0x4a2 syscall(ffff80002e1e7e10) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e1e7e10) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa79b0001c40, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002e1e7a40 rbx 0xffffffff82902bff cpu_info_full_primary+0x2bff rdx 0xffff800000d76440 rcx 0 rax 0xffff8000212187e8 r8 0 r9 0x8080808080808080 r10 0x6912c76b0bba63a r11 0xff2f919b4565dd99 r12 0xffffffff82902a00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff81e72788 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002e1e7a30 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.2) pid=207929 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff800021218008,0xffff80002c933cf0 process=0xffff80002e1fdd40 user=0xffff80002e1e2000, vmspace=0xfffffd806121ad18 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 83198 466840 90500 0 2 0 syz-executor.2 *83198 207929 90500 0 7 0x4000000 syz-executor.2 4727 128400 68335 0 2 0 syz-executor.1 4727 106252 68335 0 3 0x4000080 fsleep syz-executor.1 6814 277898 98745 0 2 0 syz-executor.5 6814 55613 98745 0 3 0x4000080 fsleep syz-executor.5 25172 47810 3864 0 2 0 syz-executor.6 86080 404039 83609 0 2 0 syz-executor.7 86080 362671 83609 0 3 0x4000080 fsleep syz-executor.7 11421 319766 16941 0 2 0 syz-executor.4 11421 119503 16941 0 3 0x4000080 fsleep syz-executor.4 22500 504939 84630 0 2 0x480 syz-executor.0 22500 425864 84630 0 2 0x4000480 syz-executor.0 22500 139227 84630 0 2 0x4000480 syz-executor.0 22500 153424 84630 0 3 0x4000080 fsleep syz-executor.0 68335 335790 21875 0 3 0x82 nanoslp syz-executor.1 98745 382764 21875 0 2 0x482 syz-executor.5 8873 90725 0 0 3 0x14200 acct acct 38794 70318 21875 0 2 0x482 syz-executor.3 27198 97888 0 0 3 0x14280 nfsidl nfsio 93266 18843 0 0 3 0x14280 nfsidl nfsio 50141 323387 0 0 3 0x14280 nfsidl nfsio 59153 467225 0 0 3 0x14280 nfsidl nfsio 54463 340627 0 0 3 0x14280 nfsidl nfsio 75079 413133 0 0 3 0x14280 nfsidl nfsio 42553 488299 0 0 3 0x14280 nfsidl nfsio 64572 18809 0 0 3 0x14280 nfsidl nfsio 35355 32493 0 0 3 0x14280 nfsidl nfsio 30750 37120 0 0 3 0x14280 nfsidl nfsio 20585 378364 0 0 3 0x14280 nfsidl nfsio 13446 207003 0 0 3 0x14280 nfsidl nfsio 41606 332416 0 0 3 0x14280 nfsidl nfsio 80358 317396 0 0 3 0x14280 nfsidl nfsio 72423 24485 0 0 3 0x14280 nfsidl nfsio 73974 102171 0 0 3 0x14280 nfsidl nfsio 84726 344200 0 0 3 0x14280 nfsidl nfsio 28334 316883 0 0 3 0x14280 nfsidl nfsio 94754 366252 0 0 3 0x14280 nfsidl nfsio 33855 40929 0 0 3 0x14280 nfsidl nfsio 83609 172471 21875 0 2 0x482 syz-executor.7 90500 272197 21875 0 2 0x482 syz-executor.2 3864 427092 21875 0 2 0x2 syz-executor.6 84630 470155 21875 0 2 0x482 syz-executor.0 16941 384342 21875 0 2 0x482 syz-executor.4 23856 82726 0 0 3 0x14200 bored sosplice 21875 460768 71350 0 3 0x82 thrsleep syz-fuzzer 21875 212010 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 89866 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 204070 71350 0 3 0x4000082 kqread syz-fuzzer 21875 468246 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 263736 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 303770 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 351222 71350 0 3 0x4000082 thrsleep syz-fuzzer 21875 355913 71350 0 3 0x4000082 thrsleep syz-fuzzer 71350 479634 10558 0 3 0x10008a sigsusp ksh 10558 461917 46412 0 3 0x9a kqread sshd 25616 407024 1 0 3 0x100083 ttyopn getty 46412 354295 1 0 3 0x88 kqread sshd 76888 12360 83875 74 3 0x100092 bpf pflogd 83875 459447 1 0 3 0x80 netio pflogd 78108 109982 82528 73 3 0x100090 kqread syslogd 82528 334113 1 0 3 0x100082 netio syslogd 93844 206168 1 0 3 0x100080 kqread resolvd 68185 183737 28845 77 2 0x100092 dhcpleased 23844 130704 28845 77 3 0x100092 kqread dhcpleased 28845 291581 1 0 3 0x80 kqread dhcpleased 28600 472762 0 0 3 0x14200 bored smr 61786 19264 0 0 2 0x14200 zerothread 16527 415945 0 0 3 0x14200 aiodoned aiodoned 58490 205205 0 0 3 0x14200 syncer update 45251 159665 0 0 3 0x14200 cleaner cleaner 89088 10198 0 0 3 0x14200 reaper reaper 51057 349572 0 0 3 0x14200 pgdaemon pagedaemon 27656 362472 0 0 3 0x14200 bored viomb 40280 11449 0 0 3 0x40014200 acpi0 acpi0 34728 439259 0 0 7 0x40014200 idle1 86901 447260 0 0 3 0x14200 bored softnet 83834 289861 0 0 3 0x14200 bored systqmp 68807 46564 0 0 3 0x14200 bored systq 13985 345025 0 0 2 0x40014200 softclock 23581 167062 0 0 3 0x40014200 idle0 1 300293 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 83198 (syz-executor.2) thread 0xffff8000212187e8 (207929) exclusive rwlock clonelk r = 0 (0xffffffff8299a850) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82b5bf28) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10249 6529K 7323K 78643K 76904 0 pcb 16 26K 30K 78643K 9938 0 rtable 203 15K 16K 78643K 45000 0 ifaddr 115 32K 38K 78643K 3759 0 sysctl 2 0K 4K 78643K 5 0 counters 62 36K 36K 78643K 1560 0 ioctlops 0 0K 4K 78643K 27856 0 iov 0 0K 28K 78643K 6183 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1461 91K 91K 78643K 23105 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 17K 78643K 415 0 VM map 2 1K 1K 78643K 2 0 sem 16 36K 72K 78643K 350 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 17 61K 93K 78643K 71330 0 sigio 0 0K 0K 78643K 1176 0 proc 81 88K 124K 78643K 5144 0 subproc 104 6K 8K 78643K 1306 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 1K 78643K 5609 0 in_multi 69 4K 6K 78643K 3510 0 ether_multi 1 0K 0K 78643K 764 0 mrt 2 0K 0K 78643K 159 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 265 1182K 1182K 78643K 265 0 exec 0 0K 2K 78643K 8545 0 pfkey data 0 0K 0K 78643K 16 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 1034 1623K 1624K 78643K 867043 0 UVM aobj 54 5K 5K 78643K 59 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 3887 0 NDP 19 0K 2K 78643K 1016 0 temp 158 4706K 8802K 78643K 371233 0 kqueue 12 18K 40K 78643K 4515 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 45422 0 45418 256 255 1 7 0 8 0 rtentry 112 2215 0 2131 7 3 4 4 0 8 0 unpcb 136 42865 0 42850 378 377 1 11 0 8 0 syncache 296 93 0 93 21 21 0 1 0 8 0 tcpqe 32 56 0 56 12 12 0 1 0 8 0 tcpcb 736 37696 0 37691 818 810 8 31 0 8 7 arp 120 255 0 243 1 0 1 1 0 8 0 inpcb 304 75675 0 75664 647 642 5 16 0 8 4 rttmr 72 38 0 38 7 7 0 1 0 8 0 nd6 48 372 0 351 1 0 1 1 0 8 0 pkpcb 40 742 0 742 24 24 0 1 0 8 0 kcovpl 48 97 0 89 1 0 1 1 0 8 0 ppxss 1248 103 0 102 18 17 1 1 0 8 0 pffrag 232 255 0 253 18 17 1 2 0 482 0 pffrnode 88 246 0 244 17 16 1 1 0 8 0 pffrent 40 4855 0 4853 19 18 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 2123 0 2111 2 1 1 2 0 8 0 pfstkey 112 2131 0 2119 17 16 1 8 0 8 0 pfstate 320 2127 0 2115 62 60 2 22 0 8 0 pfrule 1360 43 0 38 2 1 1 2 0 8 0 art_heap8 4096 83 0 81 12 10 2 4 0 8 0 art_heap4 256 8114 0 7771 77 53 24 32 0 8 0 art_table 32 8197 0 7852 8 4 4 5 0 8 0 art_node 16 2095 0 2025 1 0 1 1 0 8 0 semupl 112 11 0 11 2 2 0 1 0 8 0 semapl 112 328 0 314 1 0 1 1 0 8 0 shmpl 112 56 0 5 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 90634 0 89091 98 1 97 97 0 8 0 ffsino 272 90634 0 89091 106 2 104 104 0 8 0 nchpl 144 184056 0 182422 63 0 63 63 0 8 0 uvmvnodes 80 8091 0 0 166 0 166 166 0 8 0 vnodes 224 8091 0 0 476 0 476 476 0 8 0 namei 1024 566558 0 566558 22 21 1 2 0 8 1 percpumem 16 792 0 749 1 0 1 1 0 8 0 vcpupl 2048 237 0 0 30 0 30 30 0 8 0 vmpool 560 332 0 95 22 5 17 17 0 8 0 scsiplug 72 21 0 21 4 4 0 1 0 8 0 scxspl 216 508328 0 508328 55 54 1 8 0 8 1 plimitpl 152 4794 0 4778 1 0 1 1 0 8 0 sigapl 424 71529 0 71463 9 1 8 8 0 8 0 futexpl 64 671768 0 671763 15 14 1 1 0 8 0 knotepl 120 1752 0 0 18 8 10 11 0 8 0 kqueuepl 216 12798 0 12790 194 193 1 6 0 8 0 pipepl 336 9069 0 9041 251 247 4 13 0 8 1 fdescpl 496 71436 0 71406 5 1 4 5 0 8 0 filepl 152 445501 0 445187 623 609 14 24 0 8 1 lockfpl 104 13685 0 13683 25 24 1 2 0 8 0 lockfspl 48 4242 0 4240 1 0 1 1 0 8 0 sessionpl 144 113 0 96 1 0 1 1 0 8 0 pgrppl 48 521 0 504 1 0 1 1 0 8 0 ucredpl 96 42935 0 42923 1 0 1 1 0 8 0 zombiepl 144 71463 0 71462 8 7 1 1 0 8 0 processpl 1064 71529 0 71462 6 1 5 5 0 8 0 procpl 672 172249 0 172166 44 36 8 9 0 8 1 srpgc 96 130 0 130 32 32 0 1 0 8 0 sosppl 168 371 0 371 53 53 0 1 0 8 0 sockpl 480 164820 0 164790 2847 2836 11 44 0 8 7 mcl64k 65536 8 0 0 1 0 1 1 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 7 0 0 1 0 1 1 0 8 0 mcl9k 9216 6 0 0 1 0 1 1 0 8 0 mcl8k 8192 17 0 0 3 0 3 3 0 8 0 mcl4k 4096 25 0 0 4 1 3 3 0 8 0 mcl2k2 2112 8 0 0 1 0 1 1 0 8 0 mcl2k 2048 2152 0 0 56 19 37 37 0 8 0 mtagpl 96 2679 0 0 22 0 22 22 0 8 0 mbufpl 256 19193 0 0 1127 0 1127 1127 0 8 0 bufpl 288 94749 0 86657 579 0 579 579 0 8 0 anonpl 24 15065694 0 15044585 709 571 138 153 0 186 0 amapchunkpl 152 2095484 0 2094643 337 301 36 46 0 158 1 amappl16 200 179608 0 178892 556 513 43 54 0 8 0 amappl15 192 11368 0 11362 1 0 1 1 0 8 0 amappl14 184 10599 0 10589 1 0 1 1 0 8 0 amappl13 176 10105 0 10099 1 0 1 1 0 8 0 amappl12 168 9198 0 9187 1 0 1 1 0 8 0 amappl11 160 9795 0 9776 1 0 1 1 0 8 0 amappl10 152 6089 0 6072 1 0 1 1 0 8 0 amappl9 144 14793 0 14788 1 0 1 1 0 8 0 amappl8 136 9311 0 8777 19 0 19 19 0 8 0 amappl7 128 5232 0 5217 1 0 1 1 0 8 0 amappl6 120 14858 0 14813 7 5 2 2 0 8 0 amappl5 112 59094 0 59077 1 0 1 1 0 8 0 amappl4 104 21331 0 21263 3 1 2 2 0 8 0 amappl3 96 20804 0 20789 1 0 1 1 0 8 0 amappl2 88 17023 0 16944 3 1 2 3 0 8 0 amappl1 80 1235680 0 1235088 34 20 14 19 0 8 0 amappl 88 863365 0 862966 12 2 10 10 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 58 0 5 1 0 1 1 0 8 0 uaddrrnd 24 71768 0 71501 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 71768 0 71501 2 0 2 2 0 8 0 vmmpekpl 168 414564 0 414467 6 1 5 5 0 8 0 vmmpepl 168 6308187 0 6304473 953 783 170 201 0 357 0 vmsppl 368 71767 0 71501 27 2 25 25 0 8 0 rwobjpl 56 1448496 0 1438016 220 71 149 150 0 8 0 pdppl 4096 143543 0 143239 1903 1597 306 306 0 8 2 pvpl 32 26747095 0 26722547 1437 1229 208 262 0 265 5 pmappl 248 71767 0 71501 17 0 17 17 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 5123 0 2766 68 0 68 68 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825760e8) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ea380,ffffffff826331db,131,ffffffff825fdf80) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c71800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002e1e7c30) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80724533a0,80206979,ffff80002e1e7c30,ffff8000212187e8) at soo_ioctl+0x26c sys_ioctl(ffff8000212187e8,ffff80002e1e7d48,ffff80002e1e7da0) at sys_ioctl+0x4a2 syscall(ffff80002e1e7e10) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e1e7e10) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa79b0001c40, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5