panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 303 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *340181 20164 0 0 0x4000000 0 syz-executor.6 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722fa9) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c27,ffffffff827d0fab,12f,ffffffff827b1468) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000cf7000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002cc01ad0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff80002170b5f0,ffff80002cc01be8,ffff80002cc01c30) at sys_ioctl+0x49e syscall(ffff80002cc01cb0) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73122091de0, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 303 ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722fa9) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c27,ffffffff827d0fab,12f,ffffffff827b1468) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000cf7000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002cc01ad0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff80002170b5f0,ffff80002cc01be8,ffff80002cc01c30) at sys_ioctl+0x49e syscall(ffff80002cc01cb0) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73122091de0, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002cc01960 rbx 0x80206979 __kernel_virt_to_phys+0x206979 rdx 0xffff800000e6b9c0 rcx 0 rax 0xffff80002170b5f0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xea24c98447b83385 r11 0x6f18c70f2f38a1f4 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff82521338 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002cc01950 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.6) pid=340181 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=82, nice=20 forw=0xffffffffffffffff, list=0xffff80002170adc8,0xffff80002170b8b8 process=0xffff80002171afc8 user=0xffff80002cbfc000, vmspace=0xfffffd807f014000 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 20164 11336 58773 0 2 0 syz-executor.6 *20164 340181 58773 0 7 0x4000000 syz-executor.6 53530 484428 88623 0 2 0 syz-executor.3 53530 135847 88623 0 3 0x4000080 fsleep syz-executor.3 91291 295558 6765 0 2 0 syz-executor.7 91291 321091 6765 0 3 0x4000080 fsleep syz-executor.7 42608 260230 6578 0 2 0x10 syz-executor.4 42608 355310 6578 0 3 0x4000090 fsleep syz-executor.4 18479 522459 41580 0 2 0 syz-executor.1 18479 48144 41580 0 3 0x4000080 fsleep syz-executor.1 96681 464417 19745 0 2 0 syz-executor.0 96681 457265 19745 0 3 0x4000080 fsleep syz-executor.0 96681 219757 19745 0 3 0x4000080 fsleep syz-executor.0 27658 9896 78019 0 2 0x10 syz-executor.2 27658 120165 78019 0 3 0x4000090 fsleep syz-executor.2 78914 482353 59297 0 2 0x10 syz-executor.5 78914 385324 59297 0 3 0x4000090 fsleep syz-executor.5 78019 419879 36032 0 3 0x82 nanoslp syz-executor.2 6765 427343 36032 0 3 0x82 nanoslp syz-executor.7 88623 261029 36032 0 3 0x82 nanoslp syz-executor.3 19745 175071 36032 0 3 0x82 nanoslp syz-executor.0 58773 361396 36032 0 3 0x82 nanoslp syz-executor.6 41580 338102 36032 0 3 0x82 nanoslp syz-executor.1 61346 60212 0 0 3 0x14200 acct acct 59297 25398 36032 0 3 0x82 nanoslp syz-executor.5 6578 492580 36032 0 3 0x82 nanoslp syz-executor.4 52829 115909 0 0 3 0x14280 nfsidl nfsio 84992 302855 0 0 3 0x14200 bored sosplice 36032 140688 47825 0 3 0x82 thrsleep syz-fuzzer 36032 438088 47825 0 3 0x4000082 thrsleep syz-fuzzer 36032 462913 47825 0 3 0x4000082 thrsleep syz-fuzzer 36032 170952 47825 0 3 0x4000082 wait syz-fuzzer 36032 51139 47825 0 3 0x4000082 thrsleep syz-fuzzer 36032 66018 47825 0 3 0x4000082 thrsleep syz-fuzzer 36032 208618 47825 0 3 0x4000082 wait syz-fuzzer 36032 405197 47825 0 3 0x4000082 wait syz-fuzzer 36032 398365 47825 0 3 0x4000082 thrsleep syz-fuzzer 36032 378481 47825 0 3 0x4000082 wait syz-fuzzer 36032 7383 47825 0 3 0x4000082 wait syz-fuzzer 36032 310395 47825 0 3 0x4000082 wait syz-fuzzer 36032 37403 47825 0 3 0x4000082 wait syz-fuzzer 36032 28007 47825 0 3 0x4000082 kqread syz-fuzzer 36032 132545 47825 0 3 0x4000082 wait syz-fuzzer 47825 127228 70168 0 3 0x10008a sigsusp ksh 70168 331066 88645 0 3 0x9a kqread sshd 80817 228921 1 0 3 0x100083 ttyin getty 88645 82909 1 0 3 0x88 kqread sshd 93295 116496 30794 73 3 0x1100090 kqread syslogd 30794 369581 1 0 3 0x100082 netio syslogd 6943 296181 1 0 3 0x100080 kqread resolvd 3770 513340 5932 77 2 0x100092 dhcpleased 87931 207130 5932 77 3 0x100092 kqread dhcpleased 5932 64573 1 0 3 0x80 kqread dhcpleased 45428 265421 0 0 3 0x14200 bored smr 50472 81346 0 0 2 0x14200 zerothread 23042 197509 0 0 3 0x14200 aiodoned aiodoned 44634 164118 0 0 3 0x14200 syncer update 35175 511126 0 0 3 0x14200 cleaner cleaner 91185 272957 0 0 3 0x14200 reaper reaper 69714 19065 0 0 3 0x14200 pgdaemon pagedaemon 97986 405486 0 0 3 0x14200 bored viomb 56002 316914 0 0 3 0x40014200 acpi0 acpi0 42335 210517 0 0 3 0x14200 bored softnet 48652 479342 0 0 3 0x14200 bored softnet 7140 342313 0 0 3 0x14200 bored softnet 88340 394361 0 0 3 0x14200 bored softnet 7864 287859 0 0 3 0x14200 bored systqmp 95787 161460 0 0 3 0x14200 bored systq 37766 205516 0 0 3 0x40014200 bored softclock 47840 519594 0 0 3 0x40014200 idle0 1 186053 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10242 6448K 7325K 78643K 33090 0 pcb 13 28K 34K 78643K 6370 0 rtable 168 16K 19K 78643K 3672 0 ifaddr 90 27K 30K 78643K 1504 0 sysctl 2 0K 2K 78643K 879 0 counters 27 17K 17K 78643K 593 0 ioctlops 0 0K 4K 78643K 2604 0 iov 0 0K 32K 78643K 2572 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1595 100K 100K 78643K 18142 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 210 0 VM map 2 0K 0K 78643K 2 0 sem 19 10K 20K 78643K 1569 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 18 65K 69K 78643K 25577 0 sigio 0 0K 0K 78643K 242 0 proc 67 59K 83K 78643K 2540 0 subproc 104 6K 6K 78643K 814 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1485 0 in_multi 61 4K 7K 78643K 1122 0 ether_multi 1 0K 0K 78643K 103 0 mrt 1 0K 0K 78643K 68 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 259 1155K 1155K 78643K 259 0 exec 0 0K 1K 78643K 3586 0 pfkey data 0 0K 0K 78643K 8 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 438 96K 105K 78643K 168467 0 UVM aobj 131 4K 4K 78643K 134 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 852 0 NDP 14 0K 2K 78643K 488 0 temp 139 5766K 6790K 78643K 298518 0 kqueue 12 18K 30K 78643K 1944 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 1782 0 1779 26 25 1 5 0 8 0 rtentry 112 986 0 924 6 3 3 4 0 8 0 unpcb 144 45916 0 45895 282 277 5 11 0 8 4 syncache 296 128 0 128 34 34 0 1 0 8 0 tcpqe 32 143 0 143 20 20 0 1 0 8 0 tcpcb 776 49927 0 49915 685 676 9 28 0 8 7 arp 88 136 0 126 1 0 1 1 0 8 0 ipq 40 5 0 5 3 3 0 1 0 8 0 ipqe 40 8 0 8 3 3 0 1 0 8 0 inpcb 336 69513 0 69498 641 632 9 24 0 8 7 ip6q 72 3 0 3 1 1 0 1 0 8 0 ip6af 40 6 0 6 1 1 0 1 0 8 0 nd6 48 216 0 200 1 0 1 1 0 8 0 pkpcb 40 21 0 21 6 6 0 1 0 8 0 kcovpl 48 61 0 53 1 0 1 1 0 8 0 mppekey 1024 44 0 44 5 5 0 1 0 8 0 ppxss 1160 372 0 372 40 40 0 1 0 8 0 pppxif 1360 222 0 222 22 22 0 1 0 8 0 pfstscr 40 43 0 31 5 4 1 1 0 8 0 pfosfp 40 83 0 79 1 0 1 1 0 8 0 pfosfpen 112 83 0 78 1 0 1 1 0 8 0 pfanchor 1280 1099 104 587 47 4 43 43 0 8 0 pfqueue 264 4 0 4 2 2 0 1 0 8 0 pfstitem 24 16 0 8 1 0 1 1 0 8 0 pfstkey 128 53 0 47 6 5 1 1 0 8 0 pfstate 352 30 0 22 6 5 1 1 0 8 0 rttmr 136 13 0 13 4 4 0 1 0 8 0 art_heap8 4096 2 0 1 2 1 1 2 0 8 0 art_heap4 256 4663 0 4361 68 48 20 30 0 8 0 art_table 32 4665 0 4362 5 1 4 4 0 8 0 art_node 16 973 0 920 1 0 1 1 0 8 0 sysvmsgpl 40 55 0 15 1 0 1 1 0 8 0 semupl 112 3 0 3 2 2 0 1 0 8 0 semapl 112 1558 0 1541 1 0 1 1 0 8 0 shmpl 112 131 0 3 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 34382 0 32898 93 0 93 93 0 8 0 ffsino 240 34382 0 32898 88 0 88 88 0 8 0 nchpl 144 65596 0 63965 63 1 62 63 0 8 0 rtmask 32 6 0 6 3 3 0 1 0 8 0 uvmvnodes 80 6908 0 0 141 0 141 141 0 8 0 vnodes 216 6908 0 0 384 0 384 384 0 8 0 namei 1024 221297 0 221297 9 8 1 2 0 8 1 vmpool 664 80 0 80 12 12 0 1 0 8 0 kstatmem 264 684 0 656 11 8 3 3 0 8 0 scsiplug 72 13 0 13 4 4 0 1 0 8 0 scxspl 216 193517 0 193517 28 27 1 8 0 8 1 plimitpl 152 2128 0 2113 1 0 1 1 0 8 0 sigapl 424 25922 0 25874 9 1 8 8 0 8 0 futexpl 64 343797 0 343789 1 0 1 1 0 8 0 knotepl 120 499019 0 498938 128 124 4 14 0 8 0 kqueuepl 184 6919 0 6911 49 48 1 7 0 8 0 pipepl 288 6016 0 5988 101 98 3 12 0 8 0 fdescpl 432 25741 0 25712 4 0 4 4 0 8 0 filepl 120 235176 0 234926 332 319 13 20 0 8 4 lockfpl 104 4488 0 4486 11 10 1 2 0 8 0 lockfspl 48 1500 0 1498 1 0 1 1 0 8 0 sessionpl 144 76 0 60 1 0 1 1 0 8 0 pgrppl 48 260 0 244 1 0 1 1 0 8 0 ucredpl 104 20746 0 20733 1 0 1 1 0 8 0 zombiepl 144 25874 0 25874 3 2 1 1 0 8 1 processpl 1008 25922 0 25874 12 4 8 9 0 8 0 procpl 696 68129 0 68058 28 19 9 10 0 8 0 sosppl 168 165 0 165 32 32 0 1 0 8 0 sockpl 456 117263 0 117224 2729 2718 11 47 0 8 6 mcl64k 65536 705 0 705 66 66 0 1 0 8 0 mcl16k 16384 567 0 567 70 70 0 1 0 8 0 mcl12k 12288 1567 0 1567 39 39 0 1 0 8 0 mcl9k 9216 232 0 232 66 66 0 1 0 8 0 mcl8k 8192 1719 0 1719 46 45 1 1 0 8 1 mcl4k 4096 3302 0 3302 22 21 1 2 0 8 1 mcl2k2 2112 179 0 179 59 58 1 1 0 8 1 mcl2k 2048 128642 0 128569 75 65 10 32 0 8 0 mtagpl 96 2041 0 1763 30 22 8 9 0 8 0 mbufpl 256 473327 0 472808 1110 1070 40 89 0 8 0 bufpl 288 41295 0 34387 494 0 494 494 0 8 0 anonpl 24 4842551 0 4823840 264 142 122 134 0 188 0 amapchunkpl 152 468037 0 467280 102 71 31 39 0 158 0 amappl16 200 39183 0 38560 188 155 33 45 0 8 0 amappl15 192 8 0 7 1 0 1 1 0 8 0 amappl14 184 343 0 328 2 0 2 2 0 8 0 amappl13 176 7 0 7 1 1 0 1 0 8 0 amappl12 168 1042 0 1038 1 0 1 1 0 8 0 amappl11 160 50 0 40 1 0 1 1 0 8 0 amappl10 152 95 0 85 1 0 1 1 0 8 0 amappl9 144 1007 0 1005 1 0 1 1 0 8 0 amappl8 136 914 0 742 7 1 6 6 0 8 0 amappl7 128 292 0 267 2 0 2 2 0 8 0 amappl6 120 511 0 489 1 0 1 1 0 8 0 amappl5 112 554 0 548 1 0 1 1 0 8 0 amappl4 104 1683 0 1648 2 1 1 2 0 8 0 amappl3 96 75908 0 75848 2 0 2 2 0 8 0 amappl2 88 27624 0 27547 3 1 2 3 0 8 0 amappl1 80 579076 0 578313 22 5 17 22 0 8 0 amappl 88 167101 0 166901 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 133 0 3 3 0 3 3 0 8 0 uaddrrnd 24 25821 0 25792 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 25821 0 25792 1 0 1 1 0 8 0 vmmpekpl 168 195315 0 195264 4 0 4 4 0 8 0 vmmpepl 168 2315549 0 2312463 598 457 141 166 0 357 0 vmsppl 272 25820 0 25792 3 1 2 2 0 8 0 rwobjpl 24 596751 0 587831 58 4 54 54 0 8 0 pdppl 4096 51648 0 51584 866 802 64 66 0 8 0 pvpl 32 9460789 0 9436124 590 385 205 266 0 265 0 pmappl 216 25820 0 25792 2 0 2 2 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 3787 0 2956 25 0 25 25 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722fa9) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c27,ffffffff827d0fab,12f,ffffffff827b1468) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000cf7000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002cc01ad0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff80002170b5f0,ffff80002cc01be8,ffff80002cc01c30) at sys_ioctl+0x49e syscall(ffff80002cc01cb0) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73122091de0, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722fa9) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c27,ffffffff827d0fab,12f,ffffffff827b1468) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000cf7000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002cc01ad0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff80002170b5f0,ffff80002cc01be8,ffff80002cc01c30) at sys_ioctl+0x49e syscall(ffff80002cc01cb0) at syscall+0x446 sys/arch/amd64/amd64/trap.c:599 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x73122091de0, count: -8