panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333df58) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337ae08,ffffffff833d46d4,3b7,ffffffff833adced) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800037552078,ffffffff83337c3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(205b9a,ffff800037552070) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003ca002c8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c996e40) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8067913dd8,1,fffffd8007bfb888,ffff80003ca002c8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8066305a68,ffff80003ca002c8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8066305a68,ffff80003ca002c8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003ca002c8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003ca002c8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003ca002c8,ffff80003c9971a0,ffff80003c9970f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 end trace frame: 0xffff80003c997190, count: 0 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333df58) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337ae08,ffffffff833d46d4,3b7,ffffffff833adced) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800037552078,ffffffff83337c3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(205b9a,ffff800037552070) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003ca002c8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c996e40) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8067913dd8,1,fffffd8007bfb888,ffff80003ca002c8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8066305a68,ffff80003ca002c8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8066305a68,ffff80003ca002c8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003ca002c8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003ca002c8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003ca002c8,ffff80003c9971a0,ffff80003c9970f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9971a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9971a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7520ad682960, count: -16 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c996c20 rbx 0 rdx 0 rcx 0 rax 0xffff80003ca002c8 r8 0x101010101010101 r9 0x8080808080808080 r10 0xeeba0ff891697fd8 r11 0xdfda2072379c2941 r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff81a3a5c5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c996c10 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=353930 pid=39978 tcnt=0 stat=onproc flags process=1018 proc=2000 runpri=32, usrpri=83, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0xffff80003ca002c8 scnt=-1 ecnt=1 forw=0xffffffffffffffff, list=0xffff80002a81a020,0xffff80003ca00570 process=0xffff80003393c4b0 user=0xffff80003c992000, vmspace=0xfffffd806ba3b2f0 estcpu=33, cpticks=13, pctcpu=0.11, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 62776 238267 97206 0 2 0 syz-executor 92836 41204 10282 0 2 0 syz-executor 92836 147890 10282 0 3 0x4000080 fsleep syz-executor 18195 101681 99761 0 2 0 syz-executor 18195 390744 99761 0 3 0x4000000 smrbar syz-executor 37139 243053 60049 0 2 0 syz-executor 37139 250758 60049 0 3 0x4000080 fsleep syz-executor 59044 486193 29813 0 2 0 syz-executor 59044 345453 29813 0 3 0x4000080 fsleep syz-executor 90195 297371 67609 0 2 0 syz-executor 90195 69566 67609 0 3 0x4000080 fsleep syz-executor 16905 142467 89386 0 2 0xc80 syz-executor 16905 424015 89386 0 3 0x4000080 kqpoll syz-executor 16905 347659 89386 0 3 0x4000080 fsleep syz-executor 89386 18653 12024 0 2 0xc82 syz-executor 67609 115602 12024 0 2 0xc82 syz-executor 85310 253336 12024 0 2 0xc82 syz-executor 60049 196498 12024 0 2 0xc82 syz-executor 7886 84140 1 0 3 0x100083 ttyin getty 68161 276992 0 0 3 0x14200 bored sosplice 29813 86960 12024 0 2 0xc82 syz-executor 99761 372743 12024 0 2 0xc82 syz-executor 97206 502013 12024 0 3 0x82 nanoslp syz-executor 10282 491117 12024 0 2 0xc82 syz-executor 12024 442052 20035 0 2 0x2 syz-executor 20035 261895 35658 0 3 0x10008a sigsusp ksh 35658 482803 66362 0 3 0x98 kqread sshd-session 66362 496388 2139 0 3 0x92 kqread sshd-session 2139 11306 1 0 3 0x88 kqread sshd 39193 285490 44749 73 3 0x1100090 kqread syslogd 44749 431897 1 0 3 0x100082 sbwait syslogd 27483 326778 1 0 3 0x100080 kqread resolvd 12323 38642 10325 77 3 0x100092 kqread dhcpleased 25304 378615 10325 77 3 0x100092 kqread dhcpleased 10325 450349 1 0 3 0x80 kqread dhcpleased 37250 245381 0 0 3 0x14200 bored smr 73170 9632 0 0 2 0x14200 zerothread 16603 2727 0 0 3 0x14200 aiodoned aiodoned 90628 523795 0 0 3 0x14200 syncer update 21246 183692 0 0 3 0x14200 cleaner cleaner 74190 240007 0 0 3 0x14200 reaper reaper 4378 464257 0 0 3 0x14200 pgdaemon pagedaemon 5034 25026 0 0 3 0x14200 bored viomb 81338 73838 0 0 3 0x40014200 acpi0 acpi0 54780 483514 0 0 3 0x14200 bored softnet7 66355 315210 0 0 3 0x14200 bored softnet6 17556 401979 0 0 3 0x14200 bored softnet5 75432 478544 0 0 3 0x14200 bored softnet4 72436 117555 0 0 3 0x14200 bored softnet3 94903 320983 0 0 3 0x14200 bored softnet2 44539 312024 0 0 3 0x14200 bored softnet1 63123 239496 0 0 3 0x14200 bored softnet0 52326 463627 0 0 3 0x14200 bored systqmp 15975 178865 0 0 3 0x14200 bored systq 89773 219452 0 0 3 0x40014200 tmoslp softclock 63007 15703 0 0 3 0x40014200 idle0 1 267187 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10218 11120K 12134K 166960K 13452 0 pcb 17 17K 19K 166960K 253 0 rtable 180 9K 9K 166960K 992 0 pf 38 14K 17K 166960K 167 0 ifaddr 38 6K 8K 166960K 122 0 ifgroup 59 2K 2K 166960K 205 0 sysctl 3 1K 9K 166960K 14 0 counters 36 18K 18K 166960K 101 0 ioctlops 0 0K 4K 166960K 326 0 iov 0 0K 28K 166960K 158 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1528 96K 96K 166960K 2864 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 21 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 43 0 dirhash 12 2K 3K 166960K 33 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 18 65K 240K 166960K 1217 0 sigio 0 0K 0K 166960K 94 0 proc 60 59K 100K 166960K 692 0 subproc 72 4K 4K 166960K 108 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 126 0 in_multi 75 5K 6K 166960K 183 0 ether_multi 1 0K 0K 166960K 3 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 223 996K 996K 166960K 223 0 exec 0 0K 1K 166960K 528 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 229 152K 174K 166960K 11550 0 UVM aobj 100 6K 7K 166960K 106 0 pinsyscall 39 78K 93K 166960K 2308 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 75 0 NDP 13 0K 1K 166960K 82 0 temp 74 8643K 8899K 166960K 63316 0 kqueue 16 26K 32K 166960K 249 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 153 0 150 2 0 2 2 0 8 1 rtentry 136 355 0 287 4 0 4 4 0 8 0 unpcb 144 803 0 783 5 0 5 5 0 8 4 syncache 336 4 0 4 1 0 1 1 0 8 1 tcpqe 32 1 0 1 1 0 1 1 0 8 1 tcpcb 736 361 0 353 7 0 7 7 0 8 6 arp 88 86 0 75 1 0 1 1 0 8 0 ipq 40 4 0 0 1 0 1 1 0 8 0 ipqe 40 4 0 0 1 0 1 1 0 8 0 inpcb 328 1409 0 1396 12 3 9 12 0 8 7 ip6q 72 7 0 3 1 0 1 1 0 8 0 ip6af 40 11 0 7 1 0 1 1 0 8 0 nd6 104 26 0 14 1 0 1 1 0 8 0 pkpcb 40 2 0 2 1 0 1 1 0 8 1 kcovpl 48 12 0 4 1 0 1 1 0 8 0 ppxss 1072 46 0 44 1 0 1 1 0 8 0 pppxif 1384 12 0 10 1 0 1 1 0 8 0 pfstscr 40 1 0 1 1 0 1 1 0 8 1 pfosfp 40 1 0 0 1 0 1 1 0 8 0 pfosfpen 112 1 0 0 1 0 1 1 0 8 0 pfrktable 1344 2 0 2 1 0 1 1 0 8 1 pfstkey 128 4 0 4 1 0 1 1 0 8 1 pfstate 384 2 0 2 1 0 1 1 0 8 1 pfrule 1344 3 0 3 1 0 1 1 0 8 1 rttmr 136 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 3 0 0 3 0 3 3 0 8 0 art_heap4 256 1036 0 732 45 17 28 45 0 8 8 art_table 40 1039 0 732 8 0 8 8 0 8 3 art_node 32 354 0 295 3 0 3 3 0 8 2 sysvmsgpl 40 15 0 9 1 0 1 1 0 8 0 semupl 112 1 0 1 1 0 1 1 0 8 1 semapl 112 40 0 30 1 0 1 1 0 8 0 shmpl 112 103 0 6 3 0 3 3 0 8 0 dirhash 1024 31 0 14 3 0 3 3 0 8 0 dino2pl 256 3877 0 2376 95 0 95 95 0 8 0 ffsino 256 3877 0 2376 95 0 95 95 0 8 0 nchpl 144 5435 0 3736 64 0 64 64 0 8 0 rtmask 32 7 0 7 1 0 1 1 0 8 1 uvmvnodes 80 4689 0 0 96 0 96 96 0 8 0 vnodes 216 4689 0 0 261 0 261 261 0 8 0 namei 1024 19637 0 19637 2 0 2 2 0 8 2 kstatmem 264 116 0 90 2 0 2 2 0 8 0 scsiplug 72 5 0 5 1 0 1 1 0 8 1 scxspl 216 19942 0 19942 8 0 8 8 1 8 8 plimitpl 152 246 0 230 1 0 1 1 0 8 0 sigapl 424 1468 0 1417 9 0 9 9 0 8 3 knotepl 120 174477 0 174177 59 49 10 32 0 8 0 kqueuepl 184 517 0 503 4 0 4 4 0 8 2 pipepl 304 225 0 198 5 0 5 5 0 8 2 fdescpl 448 1426 0 1396 5 0 5 5 0 8 1 filepl 120 10438 0 10220 14 0 14 14 0 8 5 lockfpl 104 406 0 404 1 0 1 1 0 8 0 lockfspl 48 174 0 172 1 0 1 1 0 8 0 sessionpl 144 27 0 19 1 0 1 1 0 8 0 pgrppl 48 50 0 34 1 0 1 1 0 8 0 ucredpl 104 2485 0 2473 1 0 1 1 0 8 0 zombiepl 144 1418 0 1417 1 0 1 1 0 8 0 processpl 1168 1468 0 1417 6 0 6 6 0 8 1 procpl 664 2987 0 2929 8 0 8 8 0 8 1 sosppl 168 6 0 5 1 0 1 1 0 8 0 sockpl 552 2398 0 2362 22 11 11 20 0 8 7 mcl64k 65536 176 0 176 1 0 1 1 0 8 1 mcl16k 16384 3 0 3 1 0 1 1 0 8 1 mcl12k 12288 2 0 2 1 0 1 1 0 8 1 mcl8k 8192 12 0 12 1 0 1 1 0 8 1 mcl4k 4096 3797 0 3743 15 0 15 15 0 8 7 mcl2k 2048 2424 0 2418 5 0 5 5 0 8 3 mtagpl 96 24 0 10 1 0 1 1 0 8 0 mbufpl 256 16125 0 15948 29 4 25 29 0 8 8 bufpl 280 8596 0 2368 445 0 445 445 0 8 0 anonpl 24 253412 0 245250 84 0 84 84 0 187 18 amapchunkpl 152 40511 0 39945 35 0 35 35 0 158 10 amappl16 200 5005 0 4765 45 19 26 28 0 8 5 amappl15 192 9 0 9 1 0 1 1 0 8 1 amappl14 184 111 0 101 1 0 1 1 0 8 0 amappl13 176 26 0 26 1 0 1 1 0 8 1 amappl12 168 2115 0 2086 3 0 3 3 0 8 1 amappl11 160 45 0 35 1 0 1 1 0 8 0 amappl10 152 12 0 12 1 0 1 1 0 8 1 amappl9 144 246 0 246 1 0 1 1 0 8 1 amappl8 136 29 0 26 1 0 1 1 0 8 0 amappl7 128 121 0 111 1 0 1 1 0 8 0 amappl6 120 235 0 232 1 0 1 1 0 8 0 amappl5 112 129 0 122 1 0 1 1 0 8 0 amappl4 104 285 0 268 1 0 1 1 0 8 0 amappl3 96 7735 0 7630 4 0 4 4 0 8 0 amappl2 88 689 0 633 2 0 2 2 0 8 0 amappl1 80 12481 0 11934 13 0 13 13 0 8 0 amappl 88 10630 0 10466 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 8 0 8 1 0 1 1 0 8 1 dma128 128 254 0 254 1 0 1 1 0 8 1 dma64 64 7 0 7 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 105 0 6 2 0 2 2 0 8 0 uaddrrnd 24 1426 0 1396 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 1426 0 1396 1 0 1 1 0 8 0 vmmpekpl 168 11324 0 11276 3 0 3 3 0 8 0 vmmpepl 168 94190 0 92084 104 0 104 104 0 357 1 vmsppl 368 1425 0 1396 4 0 4 4 0 8 1 rwobjpl 40 30417 0 24571 62 0 62 62 0 8 0 pdppl 4096 2858 0 2792 112 46 66 80 0 8 0 pvpl 32 661723 0 646671 174 0 174 174 0 265 26 pmappl 216 1425 0 1396 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 433 0 67 11 0 11 11 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333df58) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337ae08,ffffffff833d46d4,3b7,ffffffff833adced) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800037552078,ffffffff83337c3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(205b9a,ffff800037552070) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003ca002c8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c996e40) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8067913dd8,1,fffffd8007bfb888,ffff80003ca002c8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8066305a68,ffff80003ca002c8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8066305a68,ffff80003ca002c8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003ca002c8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003ca002c8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003ca002c8,ffff80003c9971a0,ffff80003c9970f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9971a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9971a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7520ad682960, count: -16 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333df58) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff8337ae08,ffffffff833d46d4,3b7,ffffffff833adced) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff800037552078,ffffffff83337c3b) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(205b9a,ffff800037552070) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff80003ca002c8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c996e40) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd8067913dd8,1,fffffd8007bfb888,ffff80003ca002c8) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd8066305a68,ffff80003ca002c8) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd8066305a68,ffff80003ca002c8) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd8066305a68,ffff80003ca002c8) at closef+0x190 sys/kern/kern_descrip.c:1264 fdfree(ffff80003ca002c8) at fdfree+0x115 sys/kern/kern_descrip.c:1195 exit1(ffff80003ca002c8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215 sys_exit(ffff80003ca002c8,ffff80003c9971a0,ffff80003c9970f0) at sys_exit+0x1a sys/kern/kern_exit.c:-1 syscall(ffff80003c9971a0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9971a0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7520ad682960, count: -16