login: panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333a905) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833791b8,ffffffff833d60a9,3b9,ffffffff833afa84) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003ca170b0,ffffffff833337a7) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003ca170a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002cd28fb8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9aace0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806f8da798,41,fffffd8007bfb820,ffff80002cd28fb8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8072e29d30,ffff80002cd28fb8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8072e29d30,ffff80002cd28fb8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002cd28fb8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002cd28fb8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002cd28fb8,ffff80003c9ab040,ffff80003c9aaf90) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003c9ab030, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 953 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333a905) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833791b8,ffffffff833d60a9,3b9,ffffffff833afa84) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003ca170b0,ffffffff833337a7) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003ca170a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002cd28fb8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9aace0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806f8da798,41,fffffd8007bfb820,ffff80002cd28fb8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8072e29d30,ffff80002cd28fb8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8072e29d30,ffff80002cd28fb8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002cd28fb8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002cd28fb8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002cd28fb8,ffff80003c9ab040,ffff80003c9aaf90) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9ab040) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9ab040) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b4079f92310, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c9aaac0 rbx 0 rdx 0 rcx 0 rax 0xffff80002cd28fb8 r8 0x101010101010101 r9 0x8080808080808080 r10 0xde3429c00ec450e5 r11 0x5c69e925111d2eb4 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff81963515 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c9aaab0 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=113277 pid=3141 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=80, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002cd28fb8 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a80c548,0xffff80002cd28d30 process=0xffff80003c988030 user=0xffff80003c9a6000, vmspace=0xfffffd800b36ce78 estcpu=30, cpticks=3, pctcpu=0.2, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 12994 236355 69306 0 2 0 syz-executor 94713 517942 40628 0 3 0x80 nanoslp syz-executor 94713 92653 40628 0 2 0x4000000 syz-executor 51484 238885 6459 0 3 0x80 nanoslp syz-executor 51484 149097 6459 0 3 0x4000080 kqsel syz-executor 51484 268925 6459 0 3 0x4000080 fsleep syz-executor 48775 84957 3640 0 3 0x80 nanoslp syz-executor 48775 289669 3640 0 3 0x4000080 sbwait syz-executor 48775 23766 3640 0 3 0x4000080 fsleep syz-executor 36907 223088 20822 0 3 0x80 nanoslp syz-executor 36907 56081 20822 0 3 0x4000080 kqsel syz-executor 36907 476108 20822 0 3 0x4000080 fsleep syz-executor 60596 392584 0 0 3 0x14200 acct acct 38908 478874 1 0 3 0x100083 ttyin getty 85425 20858 0 0 3 0x14200 bored sosplice 82452 64022 37811 0 3 0x82 wait syz-executor 6459 349647 37811 0 3 0x82 nanoslp syz-executor 3640 450410 37811 0 3 0x82 nanoslp syz-executor 40628 222428 37811 0 3 0x82 nanoslp syz-executor 29690 309567 37811 0 3 0x82 nanoslp syz-executor 20822 360526 37811 0 3 0x82 nanoslp syz-executor 99083 153338 37811 0 3 0x82 nanoslp syz-executor 69306 218040 37811 0 3 0x82 nanoslp syz-executor 37811 256030 18000 0 3 0x82 kqread syz-executor 18000 45551 27771 0 3 0x10008a sigsusp ksh 27771 153953 45513 0 3 0x98 kqread sshd-session 45513 147309 13244 0 3 0x92 kqread sshd-session 13244 193279 1 0 3 0x88 kqread sshd 19502 51049 68763 73 3 0x1100090 kqread syslogd 68763 339289 1 0 3 0x100082 sbwait syslogd 41683 139410 1 0 3 0x100080 kqread resolvd 32950 398611 26773 77 2 0x100012 dhcpleased 84844 56765 26773 77 3 0x100092 kqread dhcpleased 26773 479386 1 0 3 0x80 kqread dhcpleased 24182 516362 0 0 3 0x14200 bored smr 85140 461591 0 0 3 0x14200 pgzero zerothread 79238 102823 0 0 3 0x14200 aiodoned aiodoned 67503 69546 0 0 3 0x14200 syncer update 61769 479165 0 0 3 0x14200 cleaner cleaner 15375 96513 0 0 3 0x14200 reaper reaper 12732 158265 0 0 3 0x14200 pgdaemon pagedaemon 51089 407459 0 0 3 0x14200 bored viomb 56033 245918 0 0 3 0x40014200 acpi0 acpi0 21654 488505 0 0 3 0x14200 bored softnet7 71618 476491 0 0 3 0x14200 bored softnet6 73214 80549 0 0 3 0x14200 bored softnet5 26908 37815 0 0 3 0x14200 bored softnet4 98830 348579 0 0 3 0x14200 bored softnet3 80120 236626 0 0 3 0x14200 bored softnet2 42781 446195 0 0 3 0x14200 bored softnet1 67931 432229 0 0 2 0x14200 softnet0 48078 383650 0 0 3 0x14200 smrbar systqmp 29844 51109 0 0 3 0x14200 bored systq 57651 339972 0 0 3 0x40014200 tmoslp softclock 32586 455274 0 0 3 0x40014200 idle0 1 299301 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10192 11049K 11614K 166960K 11809 0 pcb 18 12K 12K 166960K 154 0 rtable 192 10K 11K 166960K 557 0 pf 31 13K 15K 166960K 82 0 ifaddr 37 6K 7K 166960K 82 0 ifgroup 53 2K 2K 166960K 122 0 sysctl 4 1K 9K 166960K 14 0 counters 33 17K 18K 166960K 74 0 ioctlops 0 0K 4K 166960K 155 0 iov 0 0K 16K 166960K 50 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1430 90K 91K 166960K 1877 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 17 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 85 0 dirhash 12 2K 2K 166960K 27 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 122K 166960K 756 0 sigio 0 0K 0K 166960K 17 0 proc 61 59K 108K 166960K 568 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 1 0K 0K 166960K 96 0 in_multi 80 5K 7K 166960K 128 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 115 519K 519K 166960K 115 0 exec 0 0K 1K 166960K 556 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 232 143K 157K 166960K 8301 0 UVM aobj 29 2K 2K 166960K 36 0 pinsyscall 39 78K 94K 166960K 1809 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 53 0 NDP 11 0K 2K 166960K 51 0 temp 78 8640K 8712K 166960K 24481 0 kqueue 15 24K 30K 166960K 168 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 107 0 104 2 0 2 2 0 8 1 rtentry 136 136 0 66 4 0 4 4 0 8 0 unpcb 144 569 0 549 4 0 4 4 0 8 3 syncache 336 9 0 9 2 1 1 1 0 8 1 tcpqe 32 3 0 3 1 0 1 1 0 8 1 tcpcb 736 252 0 245 4 0 4 4 0 8 3 arp 88 20 0 10 1 0 1 1 0 8 0 ipq 40 4 0 1 1 0 1 1 0 8 0 ipqe 40 9 0 5 1 0 1 1 0 8 0 inpcb 328 609 0 596 5 0 5 5 0 8 3 ip6q 72 4 0 2 1 0 1 1 0 8 0 ip6af 40 9 0 8 1 0 1 1 0 8 0 nd6 104 22 0 9 1 0 1 1 0 8 0 pkpcb 40 9 0 9 1 0 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 33 0 32 1 0 1 1 0 8 0 pppxif 1384 5 0 4 1 0 1 1 0 8 0 pfrule 1344 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 596 0 239 31 0 31 31 0 8 6 art_table 40 599 0 239 5 0 5 5 0 8 0 art_node 32 136 0 74 1 0 1 1 0 8 0 sysvmsgpl 40 2 0 2 1 0 1 1 0 8 1 semapl 112 82 0 72 1 0 1 1 0 8 0 shmpl 112 33 0 7 1 0 1 1 0 8 0 dirhash 1024 27 0 10 3 0 3 3 0 8 0 dino2pl 256 2866 0 1366 95 0 95 95 0 8 0 ffsino 256 2866 0 1366 95 0 95 95 0 8 0 nchpl 144 3971 0 2283 63 0 63 63 0 8 0 rtmask 32 8 0 8 1 0 1 1 0 8 1 uvmvnodes 80 3127 0 0 64 0 64 64 0 8 0 vnodes 216 3127 0 0 174 0 174 174 0 8 0 namei 1024 13966 0 13966 2 1 1 2 0 8 1 kstatmem 264 70 0 48 3 0 3 3 0 8 1 scsiplug 72 3 0 3 1 0 1 1 0 8 1 scxspl 216 16704 0 16704 12 4 8 8 1 8 8 plimitpl 152 267 0 251 1 0 1 1 0 8 0 sigapl 424 1065 0 1013 9 1 8 8 0 8 2 knotepl 120 29897 0 29634 25 14 11 17 0 8 2 kqueuepl 184 271 0 255 1 0 1 1 0 8 0 pipepl 304 257 0 230 8 0 8 8 0 8 5 fdescpl 448 1019 0 989 5 1 4 5 0 8 0 filepl 120 6619 0 6394 15 0 15 15 0 8 7 lockfpl 104 189 0 186 1 0 1 1 0 8 0 lockfspl 48 88 0 85 1 0 1 1 0 8 0 sessionpl 144 27 0 19 1 0 1 1 0 8 0 pgrppl 48 46 0 30 1 0 1 1 0 8 0 ucredpl 104 1091 0 1080 1 0 1 1 0 8 0 zombiepl 144 1016 0 1013 1 0 1 1 0 8 0 processpl 1152 1065 0 1013 7 1 6 6 0 8 1 procpl 664 2003 0 1944 8 0 8 8 0 8 1 sosppl 168 6 0 6 1 0 1 1 0 8 1 sockpl 552 1380 0 1344 10 0 10 10 0 8 6 mcl64k 65536 29 0 29 2 1 1 1 0 8 1 mcl16k 16384 1 0 1 1 0 1 1 0 8 1 mcl9k 9216 2 0 2 1 0 1 1 0 8 1 mcl8k 8192 12 0 12 2 1 1 1 0 8 1 mcl4k 4096 3287 0 3235 15 7 8 14 0 8 1 mcl2k 2048 1313 0 1310 6 1 5 5 0 8 4 mtagpl 96 14 0 14 1 0 1 1 0 8 1 mbufpl 256 11251 0 11095 49 28 21 49 0 8 8 bufpl 280 7218 0 990 445 0 445 445 0 8 0 anonpl 24 175388 0 172120 58 0 58 58 0 187 24 amapchunkpl 152 27261 0 26754 26 0 26 26 0 158 4 amappl16 200 3153 0 3117 25 12 13 22 0 8 8 amappl15 192 4 0 4 1 1 0 1 0 8 0 amappl14 184 114 0 104 1 0 1 1 0 8 0 amappl13 176 6 0 6 1 1 0 1 0 8 0 amappl12 168 1637 0 1608 3 1 2 3 0 8 0 amappl11 160 78 0 68 1 0 1 1 0 8 0 amappl10 152 16 0 16 1 1 0 1 0 8 0 amappl9 144 260 0 260 1 1 0 1 0 8 0 amappl8 136 26 0 25 1 0 1 1 0 8 0 amappl7 128 118 0 108 1 0 1 1 0 8 0 amappl6 120 194 0 189 1 0 1 1 0 8 0 amappl5 112 129 0 122 1 0 1 1 0 8 0 amappl4 104 298 0 280 1 0 1 1 0 8 0 amappl3 96 4620 0 4520 3 0 3 3 0 8 0 amappl2 88 1285 0 1212 2 0 2 2 0 8 0 amappl1 80 11406 0 10861 14 1 13 13 0 8 0 amappl 88 7489 0 7318 5 0 5 5 0 92 0 dma4096 4096 2 0 2 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 254 0 254 2 1 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 35 0 7 1 0 1 1 0 8 0 uaddrrnd 24 1019 0 989 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1019 0 989 1 0 1 1 0 8 0 vmmpekpl 168 9871 0 9835 3 0 3 3 0 8 0 vmmpepl 168 70104 0 68196 100 0 100 100 0 357 14 vmsppl 368 1018 0 989 4 1 3 4 0 8 0 rwobjpl 40 23348 0 19325 42 0 42 42 0 8 1 pdppl 4096 2044 0 1978 106 38 68 80 0 8 2 pvpl 32 461773 0 452664 136 0 136 136 0 265 46 pmappl 216 1018 0 989 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 428 0 82 11 0 11 11 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333a905) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833791b8,ffffffff833d60a9,3b9,ffffffff833afa84) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003ca170b0,ffffffff833337a7) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003ca170a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002cd28fb8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9aace0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806f8da798,41,fffffd8007bfb820,ffff80002cd28fb8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8072e29d30,ffff80002cd28fb8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8072e29d30,ffff80002cd28fb8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002cd28fb8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002cd28fb8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002cd28fb8,ffff80003c9ab040,ffff80003c9aaf90) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9ab040) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9ab040) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b4079f92310, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333a905) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833791b8,ffffffff833d60a9,3b9,ffffffff833afa84) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003ca170b0,ffffffff833337a7) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:954 pppx_if_destroy(0,ffff80003ca170a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b92,41,2000,ffff80002cd28fb8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c9aace0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806f8da798,41,fffffd8007bfb820,ffff80002cd28fb8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8072e29d30,ffff80002cd28fb8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8072e29d30,ffff80002cd28fb8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8072e29d30,ffff80002cd28fb8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80002cd28fb8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80002cd28fb8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80002cd28fb8,ffff80003c9ab040,ffff80003c9aaf90) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9ab040) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9ab040) at syscall+0x962 sys/arch/amd64/amd64/trap.c:746 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7b4079f92310, count: -16