panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 303 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND * 31382 58389 0 0 0x4000000 0 syz-executor.7 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82574758) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ea5f6,ffffffff82617445,12f,ffffffff825f9455) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000bf3000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002e9b90a0) at if_clone_destroy+0x132 sys/net/if.c:1276 sys_ioctl(ffff80002170afc0,ffff80002e9b91b8,ffff80002e9b9210) at sys_ioctl+0x49e syscall(ffff80002e9b9280) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1dee52e6140, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 303 ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82574758) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ea5f6,ffffffff82617445,12f,ffffffff825f9455) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000bf3000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002e9b90a0) at if_clone_destroy+0x132 sys/net/if.c:1276 sys_ioctl(ffff80002170afc0,ffff80002e9b91b8,ffff80002e9b9210) at sys_ioctl+0x49e syscall(ffff80002e9b9280) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1dee52e6140, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002e9b8f30 rbx 0x80206979 __kernel_virt_to_phys+0x206979 rdx 0 rcx 0 rax 0xffff80002170afc0 r8 0 r9 0x8080808080808080 r10 0xa2c4a43c8f35f8df r11 0xa6e9a536534073dd r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff824ed858 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002e9b8f20 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.7) pid=31382 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=84, nice=20 forw=0xffffffffffffffff, list=0xffff80002170b500,0xffff80002170aa90 process=0xffff80002170cbd0 user=0xffff80002e9b4000, vmspace=0xfffffd8069943118 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 50540 75447 93047 0 2 0 syz-executor.5 83087 213402 86807 0 2 0 syz-executor.4 83087 128684 86807 0 2 0x4000000 syz-executor.4 83087 344960 86807 0 3 0x4000080 fsleep syz-executor.4 58389 286890 23818 0 2 0 syz-executor.7 *58389 31382 23818 0 7 0x4000000 syz-executor.7 21928 469004 21574 0 3 0x80 nanoslp syz-executor.2 21928 223804 21574 0 3 0x4000080 kqpoll syz-executor.2 21928 432060 21574 0 3 0x4000080 fsleep syz-executor.2 23818 391790 48209 0 2 0x482 syz-executor.7 86807 48620 48209 0 2 0x482 syz-executor.4 21574 30692 48209 0 3 0x82 nanoslp syz-executor.2 13737 234795 48209 0 2 0x2 syz-executor.6 549 406513 48209 0 2 0x2 syz-executor.3 93047 282755 48209 0 3 0x82 nanoslp syz-executor.5 91578 318793 48209 0 2 0x2 syz-executor.1 75662 365116 48209 0 3 0x82 piperd syz-executor.0 61706 220573 1 0 3 0x100083 ttyin getty 52104 376420 0 0 3 0x14280 nfsidl nfsio 31973 47905 0 0 3 0x14280 nfsidl nfsio 64766 185877 0 0 3 0x14280 nfsidl nfsio 14426 161608 0 0 3 0x14280 nfsidl nfsio 37048 212810 0 0 3 0x14280 nfsidl nfsio 89286 127298 0 0 3 0x14280 nfsidl nfsio 1882 288290 0 0 3 0x14280 nfsidl nfsio 79950 36084 0 0 3 0x14280 nfsidl nfsio 21919 147213 0 0 3 0x14280 nfsidl nfsio 60870 292802 0 0 3 0x14280 nfsidl nfsio 8979 47069 0 0 3 0x14280 nfsidl nfsio 53581 87100 0 0 3 0x14280 nfsidl nfsio 34748 423073 0 0 3 0x14280 nfsidl nfsio 17073 272445 0 0 3 0x14280 nfsidl nfsio 51860 177229 0 0 3 0x14280 nfsidl nfsio 48183 277090 0 0 3 0x14280 nfsidl nfsio 4156 348027 0 0 3 0x14280 nfsidl nfsio 96635 1425 0 0 3 0x14280 nfsidl nfsio 65019 72812 0 0 3 0x14280 nfsidl nfsio 93740 93331 0 0 3 0x14280 nfsidl nfsio 29964 186686 0 0 3 0x14200 acct acct 22856 322863 0 0 3 0x14200 bored sosplice 48209 10283 3348 0 3 0x82 thrsleep syz-fuzzer 48209 272025 3348 0 3 0x4000082 nanoslp syz-fuzzer 48209 17999 3348 0 3 0x4000082 wait syz-fuzzer 48209 268547 3348 0 3 0x4000082 wait syz-fuzzer 48209 494672 3348 0 3 0x4000082 wait syz-fuzzer 48209 210709 3348 0 3 0x4000082 thrsleep syz-fuzzer 48209 515624 3348 0 3 0x4000082 wait syz-fuzzer 48209 440503 3348 0 3 0x4000082 thrsleep syz-fuzzer 48209 371267 3348 0 3 0x4000082 thrsleep syz-fuzzer 48209 37375 3348 0 3 0x4000082 wait syz-fuzzer 48209 324785 3348 0 3 0x4000082 wait syz-fuzzer 48209 191267 3348 0 3 0x4000082 wait syz-fuzzer 48209 418360 3348 0 3 0x4000082 wait syz-fuzzer 48209 53035 3348 0 3 0x4000082 kqread syz-fuzzer 3348 118284 23529 0 3 0x10008a sigsusp ksh 23529 415922 42009 0 3 0x9a kqread sshd 42009 76226 1 0 3 0x88 kqread sshd 33763 471576 84232 73 3 0x1100090 kqread syslogd 84232 413300 1 0 3 0x100082 netio syslogd 99144 411869 1 0 3 0x100080 kqread resolvd 54514 20234 13118 77 2 0x100092 dhcpleased 61325 142513 13118 77 3 0x100092 kqread dhcpleased 13118 99609 1 0 3 0x80 kqread dhcpleased 33868 456295 0 0 3 0x14200 bored smr 12055 372082 0 0 2 0x14200 zerothread 89928 56666 0 0 3 0x14200 aiodoned aiodoned 9392 150508 0 0 3 0x14200 syncer update 94186 112339 0 0 3 0x14200 cleaner cleaner 27651 128365 0 0 3 0x14200 reaper reaper 74249 278956 0 0 3 0x14200 pgdaemon pagedaemon 23491 318827 0 0 3 0x14200 bored viomb 34949 445447 0 0 3 0x40014200 acpi0 acpi0 6914 144241 0 0 3 0x14200 bored softnet 37829 416967 0 0 3 0x14200 bored softnet 9552 350713 0 0 3 0x14200 bored softnet 9720 231968 0 0 3 0x14200 bored softnet 58755 263184 0 0 3 0x14200 bored systqmp 36416 146256 0 0 3 0x14200 bored systq 46755 230569 0 0 2 0x40014200 softclock 74403 325499 0 0 3 0x40014200 idle0 1 349116 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10194 6422K 7218K 78643K 28377 0 pcb 14 18K 21K 78643K 1819 0 rtable 185 15K 17K 78643K 4314 0 ifaddr 119 30K 34K 78643K 1299 0 sysctl 3 1K 1K 78643K 3 0 counters 25 17K 17K 78643K 225 0 ioctlops 0 0K 4K 78643K 2313 0 iov 0 0K 28K 78643K 1586 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1484 93K 94K 78643K 9170 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 130 0 VM map 2 0K 0K 78643K 2 0 sem 12 1K 1K 78643K 18 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 14 49K 73K 78643K 13305 0 sigio 0 0K 0K 78643K 124 0 proc 60 59K 83K 78643K 2524 0 subproc 104 6K 6K 78643K 910 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 673 0 in_multi 53 3K 6K 78643K 1355 0 ether_multi 1 0K 0K 78643K 47 0 mrt 1 0K 0K 78643K 31 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 169 758K 758K 78643K 169 0 exec 0 0K 2K 78643K 4035 0 pfkey data 0 0K 0K 78643K 12 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 316 122K 135K 78643K 71303 0 UVM aobj 130 4K 4K 78643K 137 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 315 0 NDP 10 0K 1K 78643K 430 0 temp 122 4726K 5750K 78643K 136376 0 kqueue 12 18K 26K 78643K 884 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 1154 0 1151 16 15 1 5 0 8 0 rtentry 112 1391 0 1324 5 2 3 4 0 8 0 unpcb 144 7255 0 7240 86 85 1 8 0 8 0 syncache 296 18 0 18 4 4 0 1 0 8 0 sackhl 24 1 0 1 1 1 0 1 0 8 0 tcpqe 32 326 0 326 3 3 0 1 0 8 0 tcpcb 768 6864 0 6844 212 203 9 19 0 8 6 arp 88 149 0 136 1 0 1 1 0 8 0 ipq 40 10 0 10 3 3 0 1 0 8 0 ipqe 40 18 0 18 3 3 0 1 0 8 0 inpcb 336 17699 0 17690 197 188 9 20 0 8 8 nd6 48 297 0 283 1 0 1 1 0 8 0 pkpcb 40 122 0 122 6 6 0 1 0 8 0 kcovpl 48 70 0 62 1 0 1 1 0 8 0 ppxss 1160 66 0 66 13 13 0 1 0 8 0 pfstscr 40 12 0 2 1 0 1 1 0 8 0 pfosfp 40 71 0 68 1 0 1 1 0 8 0 pfosfpen 112 71 0 68 1 0 1 1 0 8 0 pfrke_plain 168 2 0 2 1 1 0 1 0 8 0 pfrktable 1344 71 0 63 1 0 1 1 0 8 0 pfanchor 1280 239 0 43 17 0 17 17 0 8 0 pftag 88 7 0 3 1 0 1 1 0 8 0 pfstitem 24 13 0 0 1 0 1 1 0 8 0 pfstkey 120 15 0 11 1 0 1 1 0 8 0 pfstate 336 9 0 2 1 0 1 1 0 8 0 pfrule 1360 53 0 37 3 1 2 2 0 8 0 rttmr 136 6 0 6 1 1 0 1 0 8 0 art_heap8 4096 3 0 2 3 2 1 2 0 8 0 art_heap4 256 5692 0 5430 55 38 17 29 0 8 0 art_table 32 5695 0 5432 4 1 3 4 0 8 0 art_node 16 1251 0 1194 1 0 1 1 0 8 0 semapl 112 10 0 0 1 0 1 1 0 8 0 shmpl 112 134 0 7 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 17858 0 16373 94 0 94 94 0 8 0 ffsino 240 17858 0 16373 88 0 88 88 0 8 0 nchpl 144 34891 0 34365 63 41 22 63 0 8 0 rtmask 32 2 0 2 1 1 0 1 0 8 0 uvmvnodes 80 6521 0 0 134 0 134 134 0 8 0 vnodes 216 6521 0 0 363 0 363 363 0 8 0 namei 1024 127773 0 127771 17 16 1 2 0 8 0 vcpupl 2048 7 0 0 1 0 1 1 0 8 0 vmpool 536 10 0 3 1 0 1 1 0 8 0 pfiaddrpl 120 33 0 17 1 0 1 1 0 8 0 kstatmem 264 414 0 394 11 9 2 3 0 8 0 scsiplug 72 15 0 15 4 4 0 1 0 8 0 scxspl 216 123450 0 123450 23 22 1 8 0 8 1 plimitpl 152 1726 0 1711 1 0 1 1 0 8 0 sigapl 424 13509 0 13446 9 1 8 8 0 8 0 futexpl 64 131341 0 131339 10 9 1 1 0 8 0 knotepl 120 200656 0 200576 119 115 4 15 0 8 1 kqueuepl 184 1762 0 1753 12 11 1 4 0 8 0 pipepl 288 7809 0 7781 123 116 7 14 0 8 4 fdescpl 432 13441 0 13416 8 4 4 4 0 8 0 filepl 120 101766 0 101527 168 155 13 18 0 8 5 lockfpl 104 3180 0 3178 7 6 1 2 0 8 0 lockfspl 48 823 0 821 1 0 1 1 0 8 0 sessionpl 144 86 0 70 1 0 1 1 0 8 0 pgrppl 48 89 0 73 1 0 1 1 0 8 0 ucredpl 104 10617 0 10607 1 0 1 1 0 8 0 zombiepl 144 13446 0 13446 3 2 1 1 0 8 1 processpl 1000 13509 0 13446 15 6 9 9 0 8 0 procpl 672 32607 0 32526 33 24 9 10 0 8 1 sosppl 168 86 0 86 17 17 0 1 0 8 0 sockpl 456 26246 0 26219 515 502 13 32 0 8 9 mcl64k 65536 450 0 450 32 31 1 1 0 8 1 mcl16k 16384 106 0 106 29 29 0 1 0 8 0 mcl12k 12288 376 0 376 31 30 1 1 0 8 1 mcl9k 9216 176 0 176 31 31 0 1 0 8 0 mcl8k 8192 482 0 482 38 37 1 1 0 8 1 mcl4k 4096 1171 0 1171 27 26 1 1 0 8 1 mcl2k2 2112 83 0 83 34 33 1 1 0 8 1 mcl2k 2048 96021 0 95951 33 23 10 20 0 8 0 mtagpl 96 818 0 818 12 12 0 5 0 8 0 mbufpl 256 245906 0 245252 265 221 44 70 0 8 0 bufpl 288 23751 0 17229 467 0 467 467 0 8 0 anonpl 24 2524168 0 2507095 282 164 118 136 0 188 1 amapchunkpl 152 209424 0 208796 112 84 28 40 0 158 1 amappl16 200 38710 0 38037 200 163 37 59 0 8 0 amappl15 192 1956 0 1954 2 1 1 1 0 8 0 amappl14 184 1698 0 1697 1 0 1 1 0 8 0 amappl13 176 2033 0 2027 1 0 1 1 0 8 0 amappl12 168 1495 0 1489 1 0 1 1 0 8 0 amappl11 160 2083 0 2065 1 0 1 1 0 8 0 amappl10 152 1550 0 1543 1 0 1 1 0 8 0 amappl9 144 1921 0 1919 1 0 1 1 0 8 0 amappl8 136 3589 0 3469 5 0 5 5 0 8 0 amappl7 128 2120 0 2096 1 0 1 1 0 8 0 amappl6 120 2029 0 2008 2 1 1 2 0 8 0 amappl5 112 11805 0 11789 1 0 1 1 0 8 0 amappl4 104 5248 0 5219 2 1 1 2 0 8 0 amappl3 96 38970 0 38926 2 0 2 2 0 8 0 amappl2 88 3477 0 3426 3 1 2 2 0 8 0 amappl1 80 323426 0 322749 41 24 17 21 0 8 0 amappl 88 69657 0 69493 6 1 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 136 0 7 3 0 3 3 0 8 0 uaddrrnd 24 13451 0 13419 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 13451 0 13419 1 0 1 1 0 8 0 vmmpekpl 168 120122 0 120066 4 0 4 4 0 8 0 vmmpepl 168 1313065 0 1310398 347 209 138 150 0 357 0 vmsppl 272 13450 0 13419 5 2 3 3 0 8 0 rwobjpl 24 310203 0 301782 56 4 52 53 0 8 0 pdppl 4096 26908 0 26845 738 667 71 73 0 8 8 pvpl 32 5082081 0 5060114 619 422 197 259 0 265 0 pmappl 216 13450 0 13419 3 1 2 3 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2222 0 1399 25 1 24 24 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82574758) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ea5f6,ffffffff82617445,12f,ffffffff825f9455) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000bf3000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002e9b90a0) at if_clone_destroy+0x132 sys/net/if.c:1276 sys_ioctl(ffff80002170afc0,ffff80002e9b91b8,ffff80002e9b9210) at sys_ioctl+0x49e syscall(ffff80002e9b9280) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1dee52e6140, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82574758) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff825ea5f6,ffffffff82617445,12f,ffffffff825f9455) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000bf3000) at tun_clone_destroy+0x234 sys/net/if_tun.c:303 if_clone_destroy(ffff80002e9b90a0) at if_clone_destroy+0x132 sys/net/if.c:1276 sys_ioctl(ffff80002170afc0,ffff80002e9b91b8,ffff80002e9b9210) at sys_ioctl+0x49e syscall(ffff80002e9b9280) at syscall+0x447 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x1dee52e6140, count: -8