panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 68208 24781 0 0 0x4000000 0K syz-executor.5 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff82579a90) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ec6cc,ffffffff82633a76,131,ffffffff825feb3f) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000e11000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800027b59c20) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd8067503a28,80206979,ffff800027b59c20,ffff8000ffff5a40) at soo_ioctl+0x26c sys_ioctl(ffff8000ffff5a40,ffff800027b59d38,ffff800027b59d90) at sys_ioctl+0x4a2 syscall(ffff800027b59e00) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800027b59e00) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd46b72a720, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff82579a90) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ec6cc,ffffffff82633a76,131,ffffffff825feb3f) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000e11000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800027b59c20) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd8067503a28,80206979,ffff800027b59c20,ffff8000ffff5a40) at soo_ioctl+0x26c sys_ioctl(ffff8000ffff5a40,ffff800027b59d38,ffff800027b59d90) at sys_ioctl+0x4a2 syscall(ffff800027b59e00) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800027b59e00) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd46b72a720, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff800027b59a30 rbx 0xffffffff828ecbff cpu_info_full_primary+0x2bff rdx 0 rcx 0 rax 0xffff8000ffff5a40 r8 0 r9 0x8080808080808080 r10 0xd9383543325078e2 r11 0xd110fc8fd7eb1918 r12 0xffffffff828eca00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff82237da8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800027b59a20 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.5) pid=68208 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=84, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff3268,0xffff8000ffff57b0 process=0xffff800027d17200 user=0xffff800027b54000, vmspace=0xfffffd806fc23000 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 93730 103145 64506 0 2 0 syz-executor.7 72251 515876 20313 0 2 0 syz-executor.6 72251 237926 20313 0 3 0x4000080 fsleep syz-executor.6 24781 471877 62530 0 2 0 syz-executor.5 *24781 68208 62530 0 7 0x4000000 syz-executor.5 24781 156485 62530 0 3 0x4000080 fsleep syz-executor.5 17587 234450 6449 0 2 0 syz-executor.3 17587 37521 6449 0 3 0x4000080 fsleep syz-executor.3 63670 489490 51814 0 2 0x482 syz-executor.2 6449 318765 51814 0 3 0x82 nanoslp syz-executor.3 62530 40183 51814 0 2 0x482 syz-executor.5 64506 429497 51814 0 2 0x482 syz-executor.7 20313 362262 51814 0 3 0x82 nanoslp syz-executor.6 37470 20672 1 0 3 0x100083 ttyin getty 47195 97141 51814 0 2 0x2 syz-executor.1 47485 395657 51814 0 2 0x482 syz-executor.0 135 408478 51814 0 2 0x2 syz-executor.4 1684 487242 0 0 3 0x14200 bored sosplice 51814 460901 17121 0 3 0x82 kqread syz-fuzzer 51814 500027 17121 0 3 0x4000082 nanoslp syz-fuzzer 51814 336408 17121 0 3 0x4000082 thrsleep syz-fuzzer 51814 323437 17121 0 3 0x4000082 nanoslp syz-fuzzer 51814 109964 17121 0 3 0x4000082 thrsleep syz-fuzzer 51814 247654 17121 0 3 0x4000082 thrsleep syz-fuzzer 51814 187793 17121 0 3 0x4000082 thrsleep syz-fuzzer 51814 150684 17121 0 3 0x4000082 thrsleep syz-fuzzer 51814 258267 17121 0 3 0x4000082 thrsleep syz-fuzzer 17121 276702 14450 0 3 0x10008a sigsusp ksh 14450 142962 294 0 3 0x9a kqread sshd 294 103709 1 0 3 0x88 kqread sshd 97935 510727 16462 74 3 0x100092 bpf pflogd 16462 127449 1 0 3 0x80 netio pflogd 97161 395659 98417 73 3 0x100090 kqread syslogd 98417 470583 1 0 3 0x100082 netio syslogd 38958 147755 1 0 3 0x100080 kqread resolvd 85159 26839 43240 77 2 0x100092 dhcpleased 29527 277203 43240 77 3 0x100092 kqread dhcpleased 43240 486717 1 0 3 0x80 kqread dhcpleased 30725 408252 0 0 3 0x14200 bored smr 9944 409186 0 0 2 0x14200 zerothread 17551 514386 0 0 3 0x14200 aiodoned aiodoned 48740 334685 0 0 3 0x14200 syncer update 82958 462662 0 0 3 0x14200 cleaner cleaner 52057 60828 0 0 3 0x14200 reaper reaper 59252 171615 0 0 3 0x14200 pgdaemon pagedaemon 64883 88007 0 0 3 0x14200 bored viomb 52477 204714 0 0 3 0x40014200 acpi0 acpi0 87967 500019 0 0 7 0x40014200 idle1 50955 238561 0 0 3 0x14200 bored softnet 97741 101869 0 0 3 0x14200 bored systqmp 47352 316278 0 0 3 0x14200 bored systq 34303 205058 0 0 2 0x40014200 softclock 49841 361807 0 0 3 0x40014200 idle0 1 19712 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 24781 (syz-executor.5) thread 0xffff8000ffff5a40 (68208) exclusive rwlock clonelk r = 0 (0xffffffff8298b730) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82ac44c8) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 Process 47195 (syz-executor.1) thread 0xffff8000ffff6fd0 (97141) exclusive rrwlock inode r = 0 (0xfffffd806c360f78) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 ufs_ihashins+0x42 sys/ufs/ufs/ufs_ihash.c:140 #5 ffs_vget+0x141 sys/ufs/ffs/ffs_vfsops.c:1347 #6 ffs_inode_alloc+0x1be sys/ufs/ffs/ffs_alloc.c:394 #7 ufs_mkdir+0xf4 sys/ufs/ufs/ufs_vnops.c:1162 #8 VOP_MKDIR+0xbf sys/kern/vfs_vops.c:404 #9 domkdirat+0x121 sys/kern/vfs_syscalls.c:3100 #10 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #10 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #11 Xsyscall+0x128 exclusive rrwlock inode r = 0 (0xfffffd806701c0a0) #0 witness_lock+0x44d #1 rw_enter+0x3e1 sys/kern/kern_rwlock.c:310 #2 rrw_enter+0x8b sys/kern/kern_rwlock.c:461 #3 VOP_LOCK+0x87 sys/kern/vfs_vops.c:534 #4 vn_lock+0x84 sys/kern/vfs_vnops.c:579 #5 vfs_lookup+0xd1 sys/kern/vfs_lookup.c:413 #6 namei+0x36a sys/kern/vfs_lookup.c:245 #7 domkdirat+0x75 sys/kern/vfs_syscalls.c:3085 #8 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #8 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #9 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10249 6656K 14947K 78643K 123704 0 pcb 15 24K 26K 78643K 4965 0 rtable 261 24K 25K 78643K 8890 0 ifaddr 151 40K 41K 78643K 4615 0 sysctl 3 1K 1K 78643K 7 0 counters 58 35K 36K 78643K 786 0 ioctlops 0 0K 4K 78643K 12617 0 iov 0 0K 32K 78643K 3348 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1693 106K 106K 78643K 33821 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 341 0 VM map 2 1K 1K 78643K 2 0 sem 30 20K 40K 78643K 2138 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 14 49K 89K 78643K 34034 0 sigio 1 0K 0K 78643K 743 0 proc 70 87K 136K 78643K 4163 0 subproc 104 6K 7K 78643K 1186 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1905 0 in_multi 72 5K 6K 78643K 2003 0 ether_multi 1 0K 0K 78643K 351 0 mrt 1 0K 0K 78643K 152 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 259 1155K 1155K 78643K 259 0 exec 0 0K 2K 78643K 7045 0 pfkey data 0 0K 0K 78643K 39 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 832 2117K 2128K 78643K 417685 0 UVM aobj 70 8K 8K 78643K 79 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 2109 0 NDP 14 0K 2K 78643K 598 0 temp 181 4781K 8813K 78643K 366309 0 kqueue 12 18K 26K 78643K 1732 0 SYN cache 2 8K 16K 78643K 3 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 2137 0 2134 33 32 1 5 0 8 0 rtentry 112 2204 0 2109 4 0 4 4 0 8 0 unpcb 136 19879 0 19864 217 214 3 8 0 8 2 syncache 296 103 0 103 30 30 0 1 0 8 0 tcpqe 32 143 12 143 13 13 0 1 0 8 0 tcpcb 736 13838 0 13793 444 436 8 32 0 8 3 arp 120 250 0 235 1 0 1 1 0 8 0 inpcb 304 32349 0 32302 448 442 6 20 0 8 2 rttmr 72 36 0 36 11 11 0 1 0 8 0 nd6 48 353 0 328 1 0 1 1 0 8 0 pkpcb 40 215 0 215 12 11 1 1 0 8 1 kcovpl 48 91 0 83 1 0 1 1 0 8 0 ppxss 1248 116 0 116 24 23 1 1 0 8 1 pfstscr 40 232 0 232 17 17 0 1 0 8 0 pffrag 232 415 0 415 10 10 0 1 0 482 0 pffrnode 88 413 0 413 10 10 0 1 0 8 0 pffrent 40 1474 0 1474 13 12 1 1 0 8 1 pfosfp 40 1445 0 1019 5 0 5 5 0 8 0 pfosfpen 112 1445 0 722 21 0 21 21 0 8 0 pfrke_plain 168 274 0 272 4 3 1 1 0 8 0 pfrktable 1344 1214 0 1197 16 14 2 2 0 8 0 pftag 88 107 0 88 2 1 1 1 0 8 0 pfqueue 264 4 0 4 1 1 0 1 0 8 0 pfstitem 24 83 0 81 1 0 1 1 0 8 0 pfstkey 112 639 0 637 1 0 1 1 0 8 0 pfstate 320 353 0 351 3 2 1 3 0 8 0 pfrule 1360 2651 0 2148 53 10 43 43 0 8 1 art_heap8 4096 10 0 7 6 3 3 4 0 8 0 art_heap4 256 7158 0 6741 62 32 30 32 0 8 0 art_table 32 7168 0 6748 5 1 4 5 0 8 0 art_node 16 1803 0 1719 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 3 1 0 1 1 0 8 0 semapl 112 2128 0 2100 1 0 1 1 0 8 0 shmpl 112 76 0 9 2 0 2 2 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 46543 0 44977 99 0 99 99 0 8 0 ffsino 272 46543 0 44977 105 0 105 105 0 8 0 nchpl 144 90629 0 89008 63 0 63 63 0 8 0 rtmask 32 548 0 546 4 3 1 1 0 8 0 uvmvnodes 80 8483 0 0 174 0 174 174 0 8 0 vnodes 224 8483 0 0 499 0 499 499 0 8 0 namei 1024 360291 0 360290 12 11 1 2 0 8 0 percpumem 16 405 0 364 1 0 1 1 0 8 0 vcpupl 2048 388 0 0 49 0 49 49 0 8 0 vmpool 560 512 0 124 28 0 28 28 0 8 0 pfiaddrpl 120 481 0 425 7 5 2 2 0 8 0 scsiplug 72 6 0 6 2 2 0 1 0 8 0 scxspl 216 273550 0 273550 38 37 1 8 0 8 1 plimitpl 152 3520 0 3505 1 0 1 1 0 8 0 sigapl 424 34208 0 34166 9 2 7 8 0 8 0 futexpl 64 346276 0 346273 8 7 1 1 0 8 0 knotepl 120 583 0 0 9 4 5 6 0 8 0 kqueuepl 216 7054 0 7045 142 137 5 8 0 8 4 pipepl 336 7773 0 7745 237 234 3 13 0 8 0 fdescpl 496 34158 0 34131 9 5 4 5 0 8 0 filepl 152 257761 0 257483 470 455 15 27 0 8 4 lockfpl 104 10333 0 10329 22 21 1 3 0 8 0 lockfspl 48 3060 0 3056 2 1 1 2 0 8 0 sessionpl 144 111 0 94 1 0 1 1 0 8 0 pgrppl 48 217 0 200 1 0 1 1 0 8 0 ucredpl 96 29193 0 29179 1 0 1 1 0 8 0 zombiepl 144 34166 0 34164 5 4 1 1 0 8 0 processpl 1064 34208 0 34164 5 0 5 5 0 8 0 procpl 672 86214 0 86158 24 16 8 9 0 8 0 srpgc 96 108 0 108 29 29 0 1 0 8 0 sosppl 168 381 0 381 53 53 0 1 0 8 0 sockpl 480 54711 0 54648 1152 1140 12 34 0 8 3 mcl64k 65536 10 0 0 2 0 2 2 0 8 0 mcl16k 16384 3 0 0 1 0 1 1 0 8 0 mcl12k 12288 2 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 8 0 0 1 0 1 1 0 8 0 mcl4k 4096 6 0 0 1 0 1 1 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 529 0 0 32 3 29 32 0 8 2 mtagpl 96 2349 0 0 33 1 32 32 0 8 0 mbufpl 256 6533 0 0 329 0 329 329 0 8 0 bufpl 288 56387 0 47904 607 0 607 607 0 8 0 anonpl 24 9515298 0 9493159 609 451 158 170 0 186 13 amapchunkpl 152 1022579 0 1021744 218 172 46 51 0 158 6 amappl16 200 94078 0 93220 334 284 50 63 0 8 0 amappl15 192 9987 0 9983 1 0 1 1 0 8 0 amappl14 184 6964 0 6957 1 0 1 1 0 8 0 amappl13 176 2780 0 2774 1 0 1 1 0 8 0 amappl12 168 3660 0 3651 2 1 1 1 0 8 0 amappl11 160 2866 0 2848 1 0 1 1 0 8 0 amappl10 152 6653 0 6643 1 0 1 1 0 8 0 amappl9 144 4308 0 4304 1 0 1 1 0 8 0 amappl8 136 4532 0 4325 9 1 8 8 0 8 0 amappl7 128 1913 0 1900 1 0 1 1 0 8 0 amappl6 120 4301 0 4274 2 1 1 2 0 8 0 amappl5 112 32788 0 32773 1 0 1 1 0 8 0 amappl4 104 10779 0 10730 4 2 2 2 0 8 0 amappl3 96 7409 0 7393 1 0 1 1 0 8 0 amappl2 88 6950 0 6864 3 1 2 3 0 8 0 amappl1 80 604956 0 604397 19 5 14 19 0 8 0 amappl 88 414928 0 414534 12 1 11 11 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 78 0 9 2 0 2 2 0 8 0 uaddrrnd 24 34670 0 34255 4 1 3 3 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 34670 0 34255 4 1 3 3 0 8 0 vmmpekpl 168 220607 0 220492 7 1 6 6 0 8 0 vmmpepl 168 3087257 0 3083501 812 632 180 213 0 357 3 vmsppl 368 34669 0 34255 43 4 39 39 0 8 0 rwobjpl 56 727697 0 716967 203 49 154 156 0 8 0 pdppl 4096 69347 0 68898 1715 1258 457 457 0 8 8 pvpl 32 16008243 0 15983115 966 725 241 270 0 265 18 pmappl 248 34669 0 34255 28 1 27 27 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 3804 0 1993 55 2 53 53 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff82579a90) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825ec6cc,ffffffff82633a76,131,ffffffff825feb3f) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000e11000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff800027b59c20) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd8067503a28,80206979,ffff800027b59c20,ffff8000ffff5a40) at soo_ioctl+0x26c sys_ioctl(ffff8000ffff5a40,ffff800027b59d38,ffff800027b59d90) at sys_ioctl+0x4a2 syscall(ffff800027b59e00) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff800027b59e00) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xd46b72a720, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5