panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 957 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83414075) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833c4c2c,ffffffff8330ca27,3bd,ffffffff833c5f62) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800038d27618,ffffffff8330c3f3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:958 pppx_if_destroy(0,ffff800038d27610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b9a,1,2000,ffff80002a7c2018) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff800038d33860) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd805d84a110,1,fffffd807f7d7750,ffff80002a7c2018) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd805e504e98,ffff80002a7c2018) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805e504e98,ffff80002a7c2018) at closef+0x18d sys/kern/kern_descrip.c:1249 fdfree(ffff80002a7c2018) at fdfree+0x115 sys/kern/kern_descrip.c:1181 exit1(ffff80002a7c2018,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80002a7c2018,ffff800038d33bd0,ffff800038d33b20) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff800038d33bc0, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 957 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83414075) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833c4c2c,ffffffff8330ca27,3bd,ffffffff833c5f62) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800038d27618,ffffffff8330c3f3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:958 pppx_if_destroy(0,ffff800038d27610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b9a,1,2000,ffff80002a7c2018) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff800038d33860) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd805d84a110,1,fffffd807f7d7750,ffff80002a7c2018) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd805e504e98,ffff80002a7c2018) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805e504e98,ffff80002a7c2018) at closef+0x18d sys/kern/kern_descrip.c:1249 fdfree(ffff80002a7c2018) at fdfree+0x115 sys/kern/kern_descrip.c:1181 exit1(ffff80002a7c2018,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80002a7c2018,ffff800038d33bd0,ffff800038d33b20) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038d33bd0) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038d33bd0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7bcb1b136f10, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff800038d33640 rbx 0xffffffff81339620 pppxclose rdx 0 rcx 0 rax 0xffff80002a7c2018 r8 0 r9 0x8080808080808080 r10 0xf368b6a480600aa8 r11 0xee7fad256627067f r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff817f7625 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff800038d33630 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=366640 pid=1721 tcnt=0 stat=onproc flags process=1008 proc=2000 runpri=32, usrpri=73, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80002a7c2018 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff800038d35738,0xffff800038d35c68 process=0xffff800035d14018 user=0xffff800038d2e000, vmspace=0xfffffd806c07f178 estcpu=23, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 83958 277068 98659 0 2 0 syz-executor 82908 150157 44241 0 2 0 syz-executor 82908 92857 44241 0 2 0x4000000 syz-executor 76577 277542 65195 0 2 0 syz-executor 76577 129640 65195 0 3 0x4000080 fsleep syz-executor 5463 345114 13675 0 3 0x80 nanoslp syz-executor 5463 108349 13675 0 2 0x4000000 syz-executor 44241 387813 84878 0 2 0x2 syz-executor 17955 174987 1 0 3 0x100083 ttyin getty 14569 75169 0 0 3 0x14200 bored sosplice 54778 343230 84878 0 2 0x482 syz-executor 19619 419675 84878 0 2 0x10000082 syz-executor 13675 19727 84878 0 2 0x482 syz-executor 98659 44445 84878 0 2 0x482 syz-executor 65195 497890 84878 0 2 0x482 syz-executor 42745 507906 84878 0 3 0x82 wait syz-executor 84878 10298 19467 0 3 0x82 wait syz-executor 19467 191834 15725 0 3 0x10008a sigsusp ksh 15725 30376 74988 0 3 0x98 kqread sshd-session 74988 178945 97293 0 3 0x92 kqread sshd-session 97293 129580 1 0 3 0x88 kqread sshd 15372 314714 27017 73 3 0x1100090 kqread syslogd 27017 466091 1 0 3 0x100082 sbwait syslogd 2217 147172 1 0 3 0x100080 kqread resolvd 26359 174170 72680 77 2 0x100012 dhcpleased 88515 496333 72680 77 3 0x100092 kqread dhcpleased 72680 513796 1 0 3 0x80 kqread dhcpleased 12188 394999 0 0 3 0x14200 bored smr 16680 443224 0 0 2 0x14200 zerothread 18151 143246 0 0 3 0x14200 aiodoned aiodoned 56909 313801 0 0 3 0x14200 syncer update 38808 231321 0 0 3 0x14200 cleaner cleaner 12516 91320 0 0 3 0x14200 reaper reaper 12693 510919 0 0 3 0x14200 pgdaemon pagedaemon 33888 208753 0 0 3 0x14200 bored viomb 43861 126789 0 0 3 0x40014200 acpi0 acpi0 61769 95506 0 0 3 0x14200 bored softnet3 60822 40038 0 0 3 0x14200 bored softnet2 8912 43073 0 0 3 0x14200 bored softnet1 76712 134951 0 0 3 0x14200 bored softnet0 35461 105313 0 0 3 0x14200 bored systqmp 44622 458528 0 0 3 0x14200 bored systq 42594 278629 0 0 2 0x40014200 softclock 86889 242641 0 0 3 0x40014200 idle0 1 247960 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10181 11047K 11373K 166960K 12083 0 pcb 17 14K 15K 166960K 125 0 rtable 244 7K 7K 166960K 849 0 pf 32 13K 14K 166960K 104 0 ifaddr 43 7K 8K 166960K 134 0 ifgroup 54 2K 2K 166960K 172 0 sysctl 3 1K 1K 166960K 3 0 counters 32 17K 18K 166960K 75 0 ioctlops 0 0K 4K 166960K 168 0 iov 0 0K 16K 166960K 36 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1434 90K 90K 166960K 1978 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 5K 166960K 22 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 21 0 dirhash 12 2K 2K 166960K 21 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 16 57K 97K 166960K 971 0 sigio 0 0K 0K 166960K 16 0 proc 60 59K 116K 166960K 938 0 subproc 72 4K 4K 166960K 207 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 66 0 in_multi 99 7K 7K 166960K 293 0 ether_multi 1 0K 0K 166960K 7 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 73 334K 334K 166960K 73 0 exec 0 0K 1K 166960K 688 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 2 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 201 151K 161K 166960K 9097 0 UVM aobj 28 2K 2K 166960K 32 0 pinsyscall 37 74K 96K 166960K 2387 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 41 0 NDP 14 0K 2K 166960K 90 0 temp 54 8679K 9030K 166960K 10100 0 kqueue 14 22K 28K 166960K 128 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 99 0 96 1 0 1 1 0 8 0 rtentry 136 294 0 181 4 0 4 4 0 8 0 unpcb 144 426 0 411 3 0 3 3 0 8 2 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 808 204 0 200 7 0 7 7 0 8 6 arp 88 51 0 32 1 0 1 1 0 8 0 ipq 40 1 0 0 1 0 1 1 0 8 0 ipqe 40 1 0 0 1 0 1 1 0 8 0 inpcb 344 936 0 928 8 0 8 8 0 8 6 nd6 104 72 0 46 1 0 1 1 0 8 0 pkpcb 40 7 0 7 1 0 1 1 0 8 1 kcovpl 48 23 0 15 1 0 1 1 0 8 0 ppxss 1072 20 0 19 1 0 1 1 0 8 0 pppxif 1384 10 0 9 1 0 1 1 0 8 0 pfrktable 1344 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 1188 0 714 31 0 31 31 0 8 1 art_table 32 1189 0 714 4 0 4 4 0 8 0 art_node 16 290 0 187 1 0 1 1 0 8 0 sysvmsgpl 40 11 0 8 1 0 1 1 0 8 0 semapl 112 18 0 8 1 0 1 1 0 8 0 shmpl 112 29 0 4 1 0 1 1 0 8 0 dirhash 1024 23 0 6 3 0 3 3 0 8 0 dino2pl 256 2677 0 1144 96 0 96 96 0 8 0 ffsino 248 2677 0 1144 96 0 96 96 0 8 0 nchpl 144 3756 0 2028 65 0 65 65 0 8 0 rtmask 32 1 0 1 1 0 1 1 0 8 1 uvmvnodes 80 3201 0 0 66 0 66 66 0 8 0 vnodes 216 3201 0 0 178 0 178 178 0 8 0 namei 1024 13549 0 13549 2 0 2 2 0 8 2 kstatmem 264 88 0 64 2 0 2 2 0 8 0 scsiplug 72 5 0 5 1 0 1 1 0 8 1 scxspl 216 11705 0 11705 8 0 8 8 1 8 8 plimitpl 152 226 0 210 1 0 1 1 0 8 0 sigapl 424 1221 0 1175 7 0 7 7 0 8 1 futexpl 64 9662 0 9661 1 0 1 1 0 8 0 knotepl 120 23046 0 22997 10 0 10 10 0 8 8 kqueuepl 184 307 0 295 4 0 4 4 0 8 3 pipepl 296 230 0 203 5 0 5 5 0 8 2 fdescpl 440 1203 0 1175 5 0 5 5 0 8 1 filepl 120 6294 0 6079 11 0 11 11 0 8 1 lockfpl 104 229 0 227 1 0 1 1 0 8 0 lockfspl 48 78 0 76 1 0 1 1 0 8 0 sessionpl 144 37 0 29 1 0 1 1 0 8 0 pgrppl 48 69 0 53 1 0 1 1 0 8 0 ucredpl 104 852 0 840 1 0 1 1 0 8 0 zombiepl 144 1179 0 1175 1 0 1 1 0 8 0 processpl 1112 1221 0 1175 4 0 4 4 0 8 0 procpl 656 2138 0 2089 6 0 6 6 0 8 0 sosppl 168 3 0 3 1 0 1 1 0 8 1 sockpl 528 1477 0 1452 7 0 7 7 0 8 5 mcl64k 65536 23 0 23 1 0 1 1 0 8 1 mcl9k 9216 1 0 1 1 0 1 1 0 8 1 mcl8k 8192 7 0 7 1 0 1 1 0 8 1 mcl4k 4096 3219 0 3168 15 0 15 15 0 8 8 mcl2k 2048 967 0 961 2 0 2 2 0 8 1 mtagpl 96 43 0 14 1 0 1 1 0 8 0 mbufpl 256 11699 0 11527 18 0 18 18 0 8 5 bufpl 280 3434 0 122 237 0 237 237 0 8 0 anonpl 24 134223 0 131262 34 0 34 34 0 187 8 amapchunkpl 152 28557 0 28155 30 0 30 30 0 158 10 amappl16 200 1163 0 1135 3 0 3 3 0 8 0 amappl15 192 4 0 4 1 0 1 1 0 8 1 amappl14 184 131 0 121 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 0 1 1 0 8 1 amappl12 168 2047 0 2020 3 0 3 3 0 8 1 amappl11 160 49 0 38 1 0 1 1 0 8 0 amappl10 152 14 0 14 1 0 1 1 0 8 1 amappl9 144 269 0 269 1 0 1 1 0 8 1 amappl8 136 18 0 17 1 0 1 1 0 8 0 amappl7 128 123 0 113 1 0 1 1 0 8 0 amappl6 120 316 0 313 1 0 1 1 0 8 0 amappl5 112 181 0 175 1 0 1 1 0 8 0 amappl4 104 321 0 306 1 0 1 1 0 8 0 amappl3 96 5692 0 5599 4 0 4 4 0 8 0 amappl2 88 813 0 758 2 0 2 2 0 8 0 amappl1 80 12184 0 11643 13 0 13 13 0 8 1 amappl 88 8086 0 7949 5 0 5 5 0 92 0 dma16384 16384 1 0 1 1 0 1 1 0 8 1 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 255 0 255 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 31 0 4 1 0 1 1 0 8 0 uaddrrnd 24 1203 0 1175 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1203 0 1175 1 0 1 1 0 8 0 vmmpekpl 168 10427 0 10390 3 0 3 3 0 8 0 vmmpepl 168 77615 0 75836 85 0 85 85 0 357 1 vmsppl 360 1202 0 1175 4 0 4 4 0 8 1 rwobjpl 32 23432 0 19389 34 0 34 34 0 8 1 pdppl 4096 2412 0 2350 116 48 68 82 0 8 6 pvpl 32 450576 0 442734 116 0 116 116 0 265 40 pmappl 216 1202 0 1175 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 298 0 48 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83414075) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833c4c2c,ffffffff8330ca27,3bd,ffffffff833c5f62) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800038d27618,ffffffff8330c3f3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:958 pppx_if_destroy(0,ffff800038d27610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b9a,1,2000,ffff80002a7c2018) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff800038d33860) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd805d84a110,1,fffffd807f7d7750,ffff80002a7c2018) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd805e504e98,ffff80002a7c2018) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805e504e98,ffff80002a7c2018) at closef+0x18d sys/kern/kern_descrip.c:1249 fdfree(ffff80002a7c2018) at fdfree+0x115 sys/kern/kern_descrip.c:1181 exit1(ffff80002a7c2018,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80002a7c2018,ffff800038d33bd0,ffff800038d33b20) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038d33bd0) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038d33bd0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7bcb1b136f10, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83414075) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833c4c2c,ffffffff8330ca27,3bd,ffffffff833c5f62) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800038d27618,ffffffff8330c3f3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:958 pppx_if_destroy(0,ffff800038d27610) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b9a,1,2000,ffff80002a7c2018) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff800038d33860) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd805d84a110,1,fffffd807f7d7750,ffff80002a7c2018) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd805e504e98,ffff80002a7c2018) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd805e504e98,ffff80002a7c2018) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd805e504e98,ffff80002a7c2018) at closef+0x18d sys/kern/kern_descrip.c:1249 fdfree(ffff80002a7c2018) at fdfree+0x115 sys/kern/kern_descrip.c:1181 exit1(ffff80002a7c2018,0,0,1) at exit1+0x58f sys/kern/kern_exit.c:214 sys_exit(ffff80002a7c2018,ffff800038d33bd0,ffff800038d33b20) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff800038d33bd0) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff800038d33bd0) at syscall+0x97e sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7bcb1b136f10, count: -16