panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 944
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*183062 50802 0 0 0x4000000 0 syz-executor
340632 19231 0 0x2 0 1 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8343c757) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833e8993,ffffffff833f208a,3b0,ffffffff833f20d2) at __assert+0x29
refcnt_finalize(ffff8000394d2850,ffffffff83333bf3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:945
pppx_if_destroy(ffff800034cb7000,ffff8000394d2848) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806
pppxclose(205b9a,1,2000,ffff8000ffff8030) at pppxclose+0xa0 sys/net/if_pppx.c:553
spec_close(ffff8000394ceb70) at spec_close+0x412
VOP_CLOSE(fffffd806a9cc6d0,1,fffffd807f7d37b8,ffff8000ffff8030) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156
vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd806bdd6430,ffff8000ffff8030) at fdrop+0x126 sys/kern/kern_descrip.c:1265
closef(fffffd806bdd6430,ffff8000ffff8030) at closef+0x192 sys/kern/kern_descrip.c:1249
syscall(ffff8000394cedd0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000394cedd0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x865326856c0, count: 2
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 944
ddb{0}> trace
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8343c757) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff833e8993,ffffffff833f208a,3b0,ffffffff833f20d2) at __assert+0x29
refcnt_finalize(ffff8000394d2850,ffffffff83333bf3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:945
pppx_if_destroy(ffff800034cb7000,ffff8000394d2848) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806
pppxclose(205b9a,1,2000,ffff8000ffff8030) at pppxclose+0xa0 sys/net/if_pppx.c:553
spec_close(ffff8000394ceb70) at spec_close+0x412
VOP_CLOSE(fffffd806a9cc6d0,1,fffffd807f7d37b8,ffff8000ffff8030) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156
vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline]
vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615
fdrop(fffffd806bdd6430,ffff8000ffff8030) at fdrop+0x126 sys/kern/kern_descrip.c:1265
closef(fffffd806bdd6430,ffff8000ffff8030) at closef+0x192 sys/kern/kern_descrip.c:1249
syscall(ffff8000394cedd0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff8000394cedd0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x865326856c0, count: -13
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff8000394ce940
rbx 0xffffffff83865dc7 cpu_info_full_primary+0x2dc7
rdx 0xffff800001455900
rcx 0xffff8000ffff8030
rax 0xffffffff83864ff0 cpu_info_full_primary+0x1ff0
r8 0
r9 0x8080808080808080
r10 0x3e16c80755be1fec
r11 0xa9f6a77af9b199f0
r12 0xffffffff83865bc8 cpu_info_full_primary+0x2bc8
r13 0
r14 0
r15 0x1
rip 0xffffffff82601ee5 db_enter+0x25
cs 0x8
rflags 0x246
rsp 0xffff8000394ce930
ss 0x10
db_enter+0x25: addq $0x8,%rsp
ddb{0}> show proc
PROC
(syz-executor) tid=183062 pid=50802 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=50, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000ffff67e8,0xffff80002a364a78 process=0xffff80003bce1490 user=0xffff8000394c9000, vmspace=0xfffffd806bec2018 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 3682 230423 88431 0 2 0 syz-executor 3682 278874 88431 0 2 0x4000000 syz-executor 50802 437432 19231 0 2 0 syz-executor *50802 183062 19231 0 7 0x4000000 syz-executor 65228 311297 27723 0 2 0 syz-executor 65228 67902 27723 0 3 0x4000080 sbwait syz-executor 63605 186999 7481 0 3 0x80 nanoslp syz-executor 63605 394380 7481 0 3 0x4000000 smrbar syz-executor 63605 521664 7481 0 3 0x4000080 fsleep syz-executor 43935 188618 39338 0 2 0 syz-executor 43935 128872 39338 0 3 0x4000080 fsleep syz-executor 43935 333050 39338 0 3 0x4000080 fsleep syz-executor 43935 71324 39338 0 3 0x4000080 fsleep syz-executor 98175 49481 36494 0 2 0 syz-executor 98175 46411 36494 0 3 0x4000080 fsleep syz-executor 98175 433819 36494 0 3 0x4000080 fsleep syz-executor 50459 22682 1 0 3 0x100083 ttyin getty 56617 498466 49851 0 2 0x2 syz-executor 99242 391436 0 0 3 0x14200 bored sosplice 33423 296865 0 0 3 0x14280 nfsidl nfsio 9520 290344 0 0 3 0x14280 nfsidl nfsio 89600 267625 0 0 3 0x14280 nfsidl nfsio 98753 276683 0 0 3 0x14280 nfsidl nfsio 2486 492197 0 0 3 0x14280 nfsidl nfsio 54295 448556 0 0 3 0x14280 nfsidl nfsio 98199 515149 0 0 3 0x14280 nfsidl nfsio 63096 434896 0 0 3 0x14280 nfsidl nfsio 49199 130407 0 0 3 0x14280 nfsidl nfsio 22658 434919 0 0 3 0x14280 nfsidl nfsio 69443 273936 0 0 3 0x14280 nfsidl nfsio 72151 268748 0 0 3 0x14280 nfsidl nfsio 57193 305242 0 0 3 0x14280 nfsidl nfsio 85347 444678 0 0 3 0x14280 nfsidl nfsio 33876 281497 0 0 3 0x14280 nfsidl nfsio 52932 69240 0 0 3 0x14280 nfsidl nfsio 64052 396883 0 0 3 0x14280 nfsidl nfsio 22353 284044 0 0 3 0x14280 
nfsidl nfsio 50228 515922 0 0 3 0x14280 nfsidl nfsio 99857 17903 0 0 3 0x14280 nfsidl nfsio 92228 164818 94776 0 3 0x100082 sbwait arp 94776 484247 76144 0 3 0x10008a sigsusp sh 88431 414226 49851 0 3 0x82 nanoslp syz-executor 39338 415972 49851 0 2 0x482 syz-executor 19231 340632 49851 0 7 0x2 syz-executor 36494 436468 49851 0 3 0x82 nanoslp syz-executor 76144 40583 49851 0 3 0x82 wait syz-executor 7481 44629 49851 0 2 0x482 syz-executor 27723 446764 49851 0 2 0x482 syz-executor 49851 248333 99831 0 2 0x482 syz-executor 99831 314661 95419 0 3 0x10008a sigsusp ksh 95419 39984 65029 0 3 0x98 kqread sshd-session 65029 345245 20960 0 3 0x92 kqread sshd-session 20960 23740 1 0 3 0x88 kqread sshd 49767 340052 3297 74 3 0x1100092 bpf pflogd 3297 448575 1 0 3 0x80 sbwait pflogd 41186 187041 46511 73 3 0x1100090 kqread syslogd 46511 149444 1 0 3 0x100082 sbwait syslogd 60908 115612 1 0 3 0x100080 kqread resolvd 42902 358777 65790 77 3 0x100092 kqread dhcpleased 24377 172270 65790 77 3 0x100092 kqread dhcpleased 65790 251482 1 0 3 0x80 kqread dhcpleased 45656 443394 0 0 3 0x14200 bored smr 13101 518248 0 0 2 0x14200 zerothread 1111 236612 0 0 3 0x14200 aiodoned aiodoned 58543 344645 0 0 3 0x14200 syncer update 2747 77428 0 0 3 0x14200 cleaner cleaner 81403 363342 0 0 3 0x14200 reaper reaper 98631 43147 0 0 3 0x14200 pgdaemon pagedaemon 8343 101464 0 0 3 0x14200 bored viomb 4507 104356 0 0 3 0x40014200 acpi0 acpi0 85463 220860 0 0 3 0x40014200 idle1 59375 206588 0 0 3 0x14200 bored softnet3 46945 193772 0 0 3 0x14200 bored softnet2 48457 493657 0 0 3 0x14200 bored softnet1 90692 340879 0 0 2 0x14200 softnet0 2607 344267 0 0 3 0x14200 bored systqmp 59505 457902 0 0 3 0x14200 bored systq 74992 516399 0 0 3 0x14200 tmoslp softclockmp 43549 191269 0 0 3 0x40014200 tmoslp softclock 18531 377342 0 0 3 0x40014200 idle0 1 16348 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 50802 (syz-executor) thread 0xffff8000ffff8030 (183062) Process 
56617 (syz-executor) thread 0xffff8000ffff8550 (498466) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10227 11096K 11429K 166960K 12006 0 pcb 18 16K 18K 166960K 150 0 rtable 187 6K 7K 166960K 421 0 pf 43 19K 25K 166960K 86 0 ifaddr 40 6K 7K 166960K 67 0 ifgroup 64 2K 2K 166960K 96 0 sysctl 2 1K 2K 166960K 3 0 counters 70 37K 37K 166960K 104 0 ioctlops 0 0K 4K 166960K 1527 0 iov 0 0K 16K 166960K 24 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1401 88K 89K 166960K 1794 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 13K 166960K 12 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 16 0 dirhash 12 2K 2K 166960K 18 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 89K 166960K 484 0 sigio 0 0K 0K 166960K 10 0 proc 72 91K 115K 166960K 588 0 subproc 72 4K 4K 166960K 81 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 2 0K 0K 166960K 37 0 in_multi 76 5K 6K 166960K 121 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 223 996K 996K 166960K 223 0 exec 0 0K 1K 166960K 420 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 226 72K 77K 166960K 6157 0 UVM aobj 49 2K 2K 166960K 49 0 pinsyscall 44 88K 104K 166960K 1623 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 20 0 NDP 14 0K 2K 166960K 44 0 temp 40 8635K 8707K 166960K 31699 0 kqueue 15 24K 28K 166960K 100 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 53 0 49 1 0 1 1 0 8 0 rtentry 168 128 0 47 5 0 5 5 0 8 0 unpcb 144 559 0 540 10 4 6 6 0 8 5 syncache 336 5 0 5 1 1 0 1 0 8 0 tcpcb 808 184 0 180 11 0 11 11 0 8 10 arp 120 22 0 6 1 0 1 1 0 8 0 inpcb 376 532 0 521 11 1 10 11 0 8 8 nd6 136 25 0 7 1 0 1 1 0 8 0 kcovpl 48 9 0 1 1 0 
1 1 0 8 0 ppxss 1168 14 0 13 1 0 1 1 0 8 0 pppxif 1472 3 0 2 2 1 1 1 0 8 0 pfstscr 40 2 0 2 1 1 0 1 0 8 0 pffrag 232 4 0 1 1 0 1 1 0 482 0 pffrnode 88 4 0 1 1 0 1 1 0 8 0 pffrent 40 9 0 6 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfanchor 1288 1 0 0 1 0 1 1 0 8 0 pfstitem 24 36 0 10 1 0 1 1 0 8 0 pfstkey 128 40 0 14 2 0 2 2 0 8 0 pfstate 376 37 0 12 4 0 4 4 0 8 0 pfrule 1344 25 0 18 2 0 2 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 569 0 194 27 1 26 27 0 8 1 art_table 32 570 0 194 4 0 4 4 0 8 0 art_node 16 126 0 54 1 0 1 1 0 8 0 sysvmsgpl 40 4 0 3 2 1 1 1 0 8 0 semapl 112 14 0 4 1 0 1 1 0 8 0 shmpl 112 46 0 0 2 0 2 2 0 8 0 dirhash 1024 21 0 4 3 0 3 3 0 8 0 dino2pl 256 2224 0 721 95 0 95 95 0 8 0 ffsino 280 2224 0 721 109 0 109 109 0 8 0 nchpl 144 2911 0 1221 64 0 64 64 0 8 0 rtmask 32 3 0 3 2 1 1 1 0 8 1 uvmvnodes 80 2622 0 0 54 0 54 54 0 8 0 vnodes 216 2622 0 0 146 0 146 146 0 8 0 namei 1024 10140 0 10140 1 0 1 1 0 8 1 percpumem 16 66 0 17 1 0 1 1 0 8 0 kstatmem 264 50 0 22 2 0 2 2 0 8 0 scsiplug 72 1 0 1 1 1 0 1 0 8 0 scxspl 216 9457 0 9457 10 2 8 8 1 8 8 plimitpl 152 106 0 88 1 0 1 1 0 8 0 sigapl 424 814 0 743 9 0 9 9 0 8 0 futexpl 64 5745 0 5739 1 0 1 1 0 8 0 knotepl 120 537 0 0 17 0 17 17 0 8 0 kqueuepl 216 246 0 233 7 4 3 5 0 8 2 pipepl 328 195 0 168 5 2 3 5 0 8 0 fdescpl 504 774 0 742 5 0 5 5 0 8 0 filepl 152 4689 0 4469 20 3 17 17 0 8 8 lockfpl 104 168 0 166 1 0 1 1 0 8 0 lockfspl 48 60 0 58 1 0 1 1 0 8 0 sessionpl 144 26 0 17 1 0 1 1 0 8 0 pgrppl 48 104 0 87 1 0 1 1 0 8 0 ucredpl 104 490 0 477 1 0 1 1 0 8 0 zombiepl 144 743 0 743 1 0 1 1 0 8 1 processpl 1168 814 0 743 6 0 6 6 0 8 0 procpl 656 1430 0 1349 8 0 8 8 0 8 0 srpgc 96 4 0 4 2 1 1 1 0 8 1 sosppl 168 3 0 3 1 0 1 1 0 8 1 sockpl 688 1147 0 1113 24 12 12 16 0 8 8 mcl64k 65536 2 0 0 1 0 1 1 0 8 0 mcl16k 16384 2 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 1 0 0 1 0 1 1 0 8 0 mcl8k 8192 7 0 0 1 0 1 1 0 8 0 mcl4k 4096 114 0 0 
15 0 15 15 0 8 0 mcl2k 2048 45 0 0 5 0 5 5 0 8 0 mtagpl 96 140 0 0 4 0 4 4 0 8 0 mbufpl 256 269 0 0 17 0 17 17 0 8 0 bufpl 280 3159 0 133 217 0 217 217 0 8 0 anonpl 24 140889 0 137452 46 11 35 46 0 184 10 amapchunkpl 152 19243 0 18765 25 0 25 25 0 158 5 amappl16 200 2924 0 2893 15 9 6 14 0 8 3 amappl15 192 3 0 3 1 1 0 1 0 8 0 amappl14 184 122 0 109 1 0 1 1 0 8 0 amappl13 176 75 0 75 1 1 0 1 0 8 0 amappl12 168 1442 0 1409 3 1 2 2 0 8 0 amappl11 160 53 0 38 1 0 1 1 0 8 0 amappl10 152 5 0 5 1 1 0 1 0 8 0 amappl9 144 245 0 245 1 1 0 1 0 8 0 amappl8 136 23 0 21 1 0 1 1 0 8 0 amappl7 128 118 0 104 1 0 1 1 0 8 0 amappl6 120 190 0 185 1 0 1 1 0 8 0 amappl5 112 144 0 135 1 0 1 1 0 8 0 amappl4 104 331 0 311 1 0 1 1 0 8 0 amappl3 96 3625 0 3513 4 0 4 4 0 8 0 amappl2 88 680 0 614 2 0 2 2 0 8 0 amappl1 80 9500 0 8901 15 0 15 15 0 8 0 amappl 88 5736 0 5570 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 254 0 254 2 2 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 21 0 20 1 0 1 1 0 8 0 aobjpl 72 48 0 0 1 0 1 1 0 8 0 uaddrrnd 24 774 0 742 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 774 0 742 1 0 1 1 0 8 0 vmmpekpl 168 8283 0 8239 3 0 3 3 0 8 0 vmmpepl 168 54229 0 52338 94 4 90 94 0 357 3 vmsppl 456 773 0 742 5 0 5 5 0 8 0 rwobjpl 64 20601 0 16960 59 0 59 59 0 8 0 pdppl 4096 1555 0 1484 101 28 73 83 0 8 2 pvpl 32 15811 0 0 128 0 128 128 0 265 0 pmappl 248 773 0 742 3 0 3 3 0 8 0 extentpl 40 55 0 38 1 0 1 1 0 8 0 phpool 112 295 0 32 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8343c757) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff833e8993,ffffffff833f208a,3b0,ffffffff833f20d2) at __assert+0x29 refcnt_finalize(ffff8000394d2850,ffffffff83333bf3) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:945 pppx_if_destroy(ffff800034cb7000,ffff8000394d2848) at 
pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b9a,1,2000,ffff8000ffff8030) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff8000394ceb70) at spec_close+0x412 VOP_CLOSE(fffffd806a9cc6d0,1,fffffd807f7d37b8,ffff8000ffff8030) at VOP_CLOSE+0x133 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806bdd6430,ffff8000ffff8030) at vn_closefile+0x12b sys/kern/vfs_vnops.c:615 fdrop(fffffd806bdd6430,ffff8000ffff8030) at fdrop+0x126 sys/kern/kern_descrip.c:1265 closef(fffffd806bdd6430,ffff8000ffff8030) at closef+0x192 sys/kern/kern_descrip.c:1249 syscall(ffff8000394cedd0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff8000394cedd0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x865326856c0, count: -13 ddb{0}> machine ddbcpu 1