panic: kernel diagnostic assertion "rt->rt_ifa->ifa_ifp != NULL" failed: file "/syzkaller/managers/multicore/kernel/sys/net/route.c", line 848
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*109742 6761 0 0 0x4000000 1K syz-executor.0
181439 22896 0 0 0 0 syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
__assert(ffffffff8220951b,ffffffff821d1c53,350,ffffffff821a9916) at __assert+0x2b sys/kern/subr_prf.c:154
rtrequest(b,ffff800023b96b78,83,ffff800023b96c18,0) at rtrequest+0xbd2 sys/net/route.c:951
rt_clone(ffff800023b96c88,fffffd806f6cfc88,0) at rt_clone+0x78 sys/net/route.c:266
rtalloc_mpath(fffffd806f6cfc88,fffffd80640566f8,0) at rtalloc_mpath+0xba rt_match sys/net/route.c:244 [inline]
rtalloc_mpath(fffffd806f6cfc88,fffffd80640566f8,0) at rtalloc_mpath+0xba sys/net/route.c:359
ip_output(fffffd8064056600,0,fffffd806f6cfc78,20,0,fffffd806f6cfc08) at ip_output+0x4f2 sys/netinet/ip_output.c:204
rip_output(fffffd8064056600,fffffd806f6d0180,ffff800023b96e98,ffff800023964000) at rip_output+0x252 sys/netinet/raw_ip.c:289
rip_usrreq(fffffd806f6d0180,9,fffffd8064056600,0,0,ffff800020abe9f8) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538
sosend(fffffd806f6d0180,0,ffff800023b970b8,0,0,0) at sosend+0x645 sys/kern/uipc_socket.c:524
dofilewritev(ffff800020abe9f8,3,ffff800023b970b8,0,ffff800023b971a0) at dofilewritev+0x1b7 sys/kern/sys_generic.c:364
sys_write(ffff800020abe9f8,ffff800023b97158,ffff800023b971a0) at sys_write+0x83 sys/kern/sys_generic.c:284
syscall(ffff800023b97220) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800023b97220) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,0,c,0,3,6b7cf43d010) at Xsyscall+0x128
end of kernel
end trace frame: 0x6baac730510, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic kernel diagnostic assertion "rt->rt_ifa->ifa_ifp != NULL" failed: file "/syzkaller/managers/multicore/kernel/sys/net/route.c", line 848 ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic() at panic+0x15c sys/kern/subr_prf.c:207 __assert(ffffffff8220951b,ffffffff821d1c53,350,ffffffff821a9916) at __assert+0x2b sys/kern/subr_prf.c:154 rtrequest(b,ffff800023b96b78,83,ffff800023b96c18,0) at rtrequest+0xbd2 sys/net/route.c:951 rt_clone(ffff800023b96c88,fffffd806f6cfc88,0) at rt_clone+0x78 sys/net/route.c:266 rtalloc_mpath(fffffd806f6cfc88,fffffd80640566f8,0) at rtalloc_mpath+0xba rt_match sys/net/route.c:244 [inline] rtalloc_mpath(fffffd806f6cfc88,fffffd80640566f8,0) at rtalloc_mpath+0xba sys/net/route.c:359 ip_output(fffffd8064056600,0,fffffd806f6cfc78,20,0,fffffd806f6cfc08) at ip_output+0x4f2 sys/netinet/ip_output.c:204 rip_output(fffffd8064056600,fffffd806f6d0180,ffff800023b96e98,ffff800023964000) at rip_output+0x252 sys/netinet/raw_ip.c:289 rip_usrreq(fffffd806f6d0180,9,fffffd8064056600,0,0,ffff800020abe9f8) at rip_usrreq+0x46a sys/netinet/raw_ip.c:538 sosend(fffffd806f6d0180,0,ffff800023b970b8,0,0,0) at sosend+0x645 sys/kern/uipc_socket.c:524 dofilewritev(ffff800020abe9f8,3,ffff800023b970b8,0,ffff800023b971a0) at dofilewritev+0x1b7 sys/kern/sys_generic.c:364 sys_write(ffff800020abe9f8,ffff800023b97158,ffff800023b971a0) at sys_write+0x83 sys/kern/sys_generic.c:284 syscall(ffff800023b97220) at syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] syscall(ffff800023b97220) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 Xsyscall(6,0,c,0,3,6b7cf43d010) at Xsyscall+0x128 end of kernel end trace frame: 0x6baac730510, count: -14 ddb{1}> show registers rdi 0xffffffff8120bfe7 db_enter+0x17 rsi 0x3bd9 __ALIGN_SIZE+0x2bd9 rbp 0xffff800023b96990 rbx 0xffff800023b96a40 rdx 0x3bda __ALIGN_SIZE+0x2bda rcx 0xffff800023964000 rax 0xffff800023964000 r8 
0xffffffff81d00c7f kprintf+0x16f r9 0x1 r10 0x25 r11 0x644477076fb0e066 r12 0x3000000008 r13 0xffff800023b969a0 r14 0x100 r15 0x1 rip 0xffffffff8120bfe8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800023b96980 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor.0) pid=109742 stat=onproc flags process=0 proc=4000000 pri=79, usrpri=79, nice=20 forw=0xffffffffffffffff, list=0xffff800020abf160,0xffffffff8266a260 process=0xffff800020adc380 user=0xffff800023b92000, vmspace=0xfffffd807f00acf0 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 6761 111464 53973 0 2 0 syz-executor.0 * 6761 109742 53973 0 7 0x4000000 syz-executor.0 22896 181439 95645 0 7 0 syz-executor.1 22896 296989 95645 0 2 0x4000000 syz-executor.1 95645 274189 78319 0 3 0x82 nanosleep syz-executor.1 53973 109229 78319 0 3 0x82 nanosleep syz-executor.0 43391 480488 1 0 3 0x100083 ttyin getty 96382 511677 0 0 3 0x14200 bored sosplice 78319 255956 56639 0 3 0x82 thrsleep syz-fuzzer 78319 365995 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 146323 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 340405 56639 0 3 0x4000082 kqread syz-fuzzer 78319 503627 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 318697 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 493110 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 414618 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 141225 56639 0 3 0x4000082 thrsleep syz-fuzzer 78319 143238 56639 0 3 0x4000082 thrsleep syz-fuzzer 56639 504740 26419 0 3 0x10008a pause ksh 26419 462349 67712 0 3 0x92 select sshd 67712 484529 1 0 3 0x80 select sshd 81240 385423 41263 74 3 0x100092 bpf pflogd 41263 259177 1 0 3 0x80 netio pflogd 28507 23361 1565 73 3 0x100090 kqread syslogd 1565 388613 1 0 3 0x100082 netio syslogd 40370 497519 0 0 2 0x14200 zerothread 83736 398469 0 0 3 0x14200 aiodoned aiodoned 25079 152950 0 0 3 0x14200 syncer update 19851 494422 0 0 3 0x14200 cleaner cleaner 88807 409012 0 0 3 0x14200 reaper reaper 
94803 110823 0 0 3 0x14200 pgdaemon pagedaemon 12208 463760 0 0 3 0x14200 bored crynlk 24359 107 0 0 3 0x14200 bored crypto 49997 250773 0 0 3 0x40014200 acpi0 acpi0 48133 140870 0 0 3 0x40014200 idle1 80232 331867 0 0 3 0x14200 bored softnet 27641 450999 0 0 3 0x14200 bored systqmp 82673 167187 0 0 3 0x14200 bored systq 28320 241858 0 0 3 0x40014200 bored softclock 91968 453802 0 0 3 0x40014200 idle0 87200 140729 0 0 3 0x14200 bored smr 1 6311 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{1}> show all locks Process 6761 (syz-executor.0) thread 0xffff800020abe9f8 (109742) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82623a10) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 rt_clone+0x5c sys/net/route.c:266 #2 rtalloc_mpath+0xba rt_match sys/net/route.c:244 [inline] #2 rtalloc_mpath+0xba sys/net/route.c:359 #3 ip_output+0x4f2 sys/netinet/ip_output.c:204 #4 rip_output+0x252 sys/netinet/raw_ip.c:289 #5 rip_usrreq+0x46a sys/netinet/raw_ip.c:538 #6 sosend+0x645 sys/kern/uipc_socket.c:524 #7 dofilewritev+0x1b7 sys/kern/sys_generic.c:364 #8 sys_write+0x83 sys/kern/sys_generic.c:284 #9 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #9 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #10 Xsyscall+0x128 exclusive rwlock netlock r = 0 (0xffffffff824c0f78) #0 witness_lock+0x52e sys/kern/subr_witness.c:1163 #1 solock+0x5a sys/kern/uipc_socket2.c:282 #2 sosend+0x51b sys/kern/uipc_socket.c:512 #3 dofilewritev+0x1b7 sys/kern/sys_generic.c:364 #4 sys_write+0x83 sys/kern/sys_generic.c:284 #5 syscall+0x4a4 mi_syscall sys/sys/syscall_mi.h:92 [inline] #5 syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555 #6 Xsyscall+0x128 ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim devbuf 9647 7070K 8426K 78643K 52329 0 0 pcb 14 12K 14K 78643K 3737 0 0 rtable 216 20K 21K 78643K 7451 0 0 ifaddr 148 40K 45K 78643K 3104 0 0 counters 39 33K 33K 78643K 39 0 0 ioctlops 0 0K 4K 78643K 2336 0 0 iov 0 0K 32K 78643K 3341 0 0 mount 1 1K 1K 78643K 
1 0 0 vnodes 1214 76K 78K 78643K 17324 0 0 UFS quota 1 32K 32K 78643K 1 0 0 UFS mount 5 36K 36K 78643K 5 0 0 shm 2 1K 5K 78643K 196 0 0 VM map 116 58K 58K 78643K 184 0 0 sem 12 0K 0K 78643K 4553 0 0 dirhash 12 2K 2K 78643K 12 0 0 ACPI 1808 196K 290K 78643K 12765 0 0 file desc 6 17K 25K 78643K 16328 0 0 sigio 0 0K 0K 78643K 216 0 0 proc 57 51K 95K 78643K 6357 0 0 subproc 32 2K 2K 78643K 1617 0 0 NFS srvsock 1 0K 0K 78643K 1 0 0 NFS daemon 1 16K 16K 78643K 1 0 0 ip_moptions 0 0K 1K 78643K 1419 0 0 in_multi 48 3K 3K 78643K 2081 0 0 ether_multi 1 0K 0K 78643K 193 0 0 mrt 1 0K 0K 78643K 99 0 0 ISOFS mount 1 32K 32K 78643K 1 0 0 MSDOSFS mount 1 16K 16K 78643K 1 0 0 ttys 126 556K 556K 78643K 126 0 0 exec 0 0K 1K 78643K 2993 0 0 pfkey data 0 0K 0K 78643K 4 0 0 pagedep 1 8K 8K 78643K 1 0 0 inodedep 1 32K 32K 78643K 1 0 0 newblk 1 0K 0K 78643K 1 0 0 VM swap 7 26K 26K 78643K 7 0 0 UVM amap 322 934K 950K 78643K 59922 0 0 UVM aobj 130 7K 7K 78643K 145 0 0 memdesc 1 4K 4K 78643K 1 0 0 crypto data 1 1K 1K 78643K 1 0 0 ip6_options 0 0K 2K 78643K 3891 0 0 NDP 27 0K 1K 78643K 978 0 0 temp 279 3562K 4202K 78643K 476741 0 0 kqueue 0 0K 0K 78643K 176 0 0 SYN cache 2 16K 16K 78643K 2 0 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 238 0 233 1 0 1 1 0 8 0 plcache 128 20 0 0 1 0 1 1 0 8 0 rtpcb 80 1460 0 1460 9 8 1 1 0 8 1 rtentry 112 1588 0 1498 3 0 3 3 0 8 0 unpcb 120 17994 0 17980 22 21 1 2 0 8 0 syncache 264 95 0 95 37 37 0 1 0 8 0 tcpqe 32 50 0 50 26 26 0 1 0 8 0 tcpcb 544 9912 0 9908 98 95 3 13 0 8 2 ipq 40 1 0 1 1 1 0 1 0 8 0 ipqe 40 2 0 2 1 1 0 1 0 8 0 inpcb 280 26546 0 26540 137 134 3 13 0 8 2 rttmr 72 34 0 33 5 4 1 1 0 8 0 ip6q 72 19 0 19 10 10 0 1 0 8 0 ip6af 40 41 0 41 11 11 0 1 0 8 0 nd6 48 267 0 265 9 8 1 1 0 8 0 pkpcb 40 108 0 108 35 34 1 1 0 8 1 swfcl 56 6 0 0 1 0 1 1 0 8 0 ppxss 1128 446 0 446 52 51 1 1 0 8 1 pffrag 232 493 0 493 45 45 0 1 0 482 0 pffrnode 88 488 0 488 45 45 0 1 0 8 0 pffrent 40 16080 0 16080 42 
42 0 1 0 8 0 pfosfp 40 846 0 423 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 1803 0 1715 1 0 1 1 0 8 0 pfstkey 112 1808 0 1720 9 5 4 5 0 8 0 pfstate 328 1808 0 1720 32 23 9 13 0 8 1 pfrule 1360 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 16 0 10 14 8 6 8 0 8 0 art_heap4 256 7358 0 7015 74 51 23 27 0 8 0 art_table 32 7374 0 7025 7 3 4 4 0 8 0 art_node 16 1577 0 1512 1 0 1 1 0 8 0 sysvmsgpl 40 50 0 36 1 0 1 1 0 8 0 semapl 112 4551 0 4541 1 0 1 1 0 8 0 shmpl 112 143 0 15 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino1pl 128 27285 0 25802 49 1 48 48 0 8 0 ffsino 272 27285 0 25802 100 1 99 99 0 8 0 nchpl 144 55314 0 54839 61 41 20 61 0 8 0 uvmvnodes 72 8591 0 0 157 0 157 157 0 8 0 vnodes 208 8591 0 0 453 0 453 453 0 8 0 namei 1024 193832 0 193832 10 9 1 1 0 8 1 percpumem 16 30 0 0 1 0 1 1 0 8 0 vcpupl 1984 114 0 0 15 0 15 15 0 8 0 vmpool 552 182 0 68 11 2 9 9 0 8 0 scsiplug 64 22 0 22 13 13 0 1 0 8 0 scxspl 192 165750 0 165750 114 113 1 7 0 8 1 plimitpl 152 1372 0 1365 1 0 1 1 0 8 0 sigapl 432 16253 0 16239 3 1 2 3 0 8 0 futexpl 56 410057 0 410057 6 5 1 1 0 8 1 knotepl 112 3666 0 3647 17 16 1 3 0 8 0 kqueuepl 104 5014 0 5012 20 19 1 4 0 8 0 pipepl 112 10198 0 10179 22 21 1 2 0 8 0 fdescpl 488 16254 0 16239 3 0 3 3 0 8 0 filepl 152 163187 0 163096 138 131 7 14 0 8 3 lockfpl 104 9342 0 9342 4 3 1 1 0 8 1 lockfspl 48 3071 0 3071 4 3 1 1 0 8 1 sessionpl 112 117 0 108 1 0 1 1 0 8 0 pgrppl 48 332 0 323 1 0 1 1 0 8 0 ucredpl 96 20851 0 20841 1 0 1 1 0 8 0 zombiepl 144 16243 0 16243 5 4 1 1 0 8 1 processpl 896 16274 0 16243 4 0 4 4 0 8 0 procpl 632 53979 0 53937 5 0 5 5 0 8 0 srpgc 64 147 0 147 44 44 0 1 0 8 0 sosppl 128 640 0 640 58 57 1 1 0 8 1 sockpl 384 46355 0 46332 213 205 8 22 0 8 4 mcl64k 65536 1367 0 0 149 85 64 65 0 8 0 mcl16k 16384 41 0 0 5 2 3 3 0 8 0 mcl12k 12288 65 0 0 2 0 2 2 0 8 0 mcl9k 9216 57 0 0 4 2 2 2 0 8 0 mcl8k 8192 41 0 0 4 1 3 3 0 8 0 mcl4k 4096 33 0 0 3 0 3 3 0 8 0 mcl2k2 2112 19 0 0 2 0 2 2 0 8 0 mcl2k 2048 266 0 0 19 10 9 19 0 8 
0 mtagpl 80 249 0 0 2 1 1 2 0 8 0 mbufpl 256 1784 0 0 45 1 44 44 0 8 0 bufpl 256 63935 0 55340 538 0 538 538 0 8 0 anonpl 16 1921837 0 1899516 480 380 100 109 0 124 4 amapchunkpl 152 121391 0 121188 193 182 11 22 0 158 0 amappl16 192 87960 0 86646 534 465 69 78 0 8 2 amappl15 184 2650 0 2649 1 0 1 1 0 8 0 amappl14 176 3461 0 3452 1 0 1 1 0 8 0 amappl13 168 1489 0 1489 12 12 0 1 0 8 0 amappl12 160 1300 0 1296 1 0 1 1 0 8 0 amappl11 152 3275 0 3266 1 0 1 1 0 8 0 amappl10 144 1785 0 1778 1 0 1 1 0 8 0 amappl9 136 4131 0 4128 1 0 1 1 0 8 0 amappl8 128 3781 0 3701 4 1 3 3 0 8 0 amappl7 120 2180 0 2171 1 0 1 1 0 8 0 amappl6 112 3095 0 3079 1 0 1 1 0 8 0 amappl5 104 2293 0 2282 1 0 1 1 0 8 0 amappl4 96 18637 0 18601 14 13 1 2 0 8 0 amappl3 88 4495 0 4478 1 0 1 1 0 8 0 amappl2 80 125695 0 125614 3 1 2 3 0 8 0 amappl1 72 376214 0 375791 25 15 10 20 0 8 0 amappl 80 56071 0 55968 4 1 3 3 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 17 0 17 1 1 0 1 0 8 0 aobjpl 64 144 0 15 3 0 3 3 0 8 0 uaddrrnd 24 16436 0 16239 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 16436 0 16239 2 0 2 2 0 8 0 vmmpekpl 168 126802 0 126744 3 0 3 3 0 8 0 vmmpepl 168 2091300 0 2088511 827 666 161 168 0 357 34 vmsppl 368 16253 0 16239 2 0 2 2 0 8 0 pdppl 4096 32879 0 32728 31 12 19 20 0 8 0 pvpl 32 4956350 0 4933239 908 691 217 232 0 265 19 pmappl 232 16435 0 16307 8 0 8 8 0 8 0 extentpl 40 41 0 26 1 0 1 1 0 8 0 phpool 112 1099 0 278 24 0 24 24 0 8 0