panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*361163 3233 0 0 0x4000000 0K syz-executor.1
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161
tun_clone_destroy(ffff800000d5a800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305
if_clone_destroy(ffff80002e3a7630) at if_clone_destroy+0x132 sys/net/if.c:1218
soo_ioctl(fffffd8073a35690,80206979,ffff80002e3a7630,ffff80002121e548) at soo_ioctl+0x26c
sys_ioctl(ffff80002121e548,ffff80002e3a7748,ffff80002e3a77a0) at sys_ioctl+0x4a2
syscall(ffff80002e3a7810) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff80002e3a7810) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x589fc0c54f0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000d5a800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002e3a7630) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd8073a35690,80206979,ffff80002e3a7630,ffff80002121e548) at soo_ioctl+0x26c sys_ioctl(ffff80002121e548,ffff80002e3a7748,ffff80002e3a77a0) at sys_ioctl+0x4a2 syscall(ffff80002e3a7810) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e3a7810) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x589fc0c54f0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002e3a7440 rbx 0xffffffff82920bff cpu_info_full_primary+0x2bff rdx 0 rcx 0 rax 0xffff80002121e548 r8 0 r9 0x8080808080808080 r10 0x207bb9f3594de94b r11 0xe7bdfc08257a3397 r12 0xffffffff82920a00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff8147cfe8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002e3a7430 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.1) pid=361163 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=83, nice=20 forw=0xffffffffffffffff, list=0xffff80002121f508,0xffff80002d13b518 process=0xffff80002b92edd0 user=0xffff80002e3a2000, vmspace=0xfffffd80584a7d10 estcpu=33, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 22784 224330 81101 0 2 0 syz-executor.3 22784 286136 81101 0 3 0x4000080 fsleep syz-executor.3 5538 246590 42007 0 2 0 syz-executor.4 5538 489194 42007 0 2 0x4000000 
syz-executor.4 3233 45189 79688 0 2 0 syz-executor.1 * 3233 361163 79688 0 7 0x4000000 syz-executor.1 53755 61886 19830 0 2 0 syz-executor.0 53755 421579 19830 0 3 0x4000080 fsleep syz-executor.0 16745 35792 0 0 3 0x14200 acct acct 79688 133221 76535 0 2 0x482 syz-executor.1 81101 207018 76535 0 3 0x82 nanoslp syz-executor.3 42007 334376 76535 0 3 0x82 nanoslp syz-executor.4 52517 384431 76535 0 3 0x82 piperd syz-executor.7 62236 185745 1 0 3 0x100083 ttyin getty 74626 432700 76535 0 2 0x482 syz-executor.2 8401 369707 76535 0 3 0x82 piperd syz-executor.6 14387 334249 76535 0 3 0x82 piperd syz-executor.5 19830 329166 76535 0 2 0x482 syz-executor.0 95378 387407 0 0 3 0x14200 bored sosplice 76535 378643 99751 0 3 0x82 thrsleep syz-fuzzer 76535 305793 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 65260 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 242313 99751 0 3 0x4000082 kqread syz-fuzzer 76535 163778 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 166608 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 411902 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 119682 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 110380 99751 0 3 0x4000082 thrsleep syz-fuzzer 76535 58424 99751 0 3 0x4000082 thrsleep syz-fuzzer 99751 230409 83504 0 3 0x10008a sigsusp ksh 83504 340479 23647 0 3 0x9a kqread sshd 23647 354159 1 0 3 0x88 kqread sshd 27005 191684 14054 74 3 0x100092 bpf pflogd 14054 168527 1 0 3 0x80 netio pflogd 86595 144534 24169 73 3 0x100090 kqread syslogd 24169 480135 1 0 3 0x100082 netio syslogd 36440 260174 1 0 3 0x100080 kqread resolvd 39422 117410 56456 77 2 0x100092 dhcpleased 11863 281651 56456 77 3 0x100092 kqread dhcpleased 56456 444222 1 0 3 0x80 kqread dhcpleased 76091 443703 0 0 3 0x14200 bored smr 34248 343780 0 0 2 0x14200 zerothread 41129 165447 0 0 3 0x14200 aiodoned aiodoned 53778 57281 0 0 3 0x14200 syncer update 23439 409528 0 0 3 0x14200 cleaner cleaner 64510 238451 0 0 3 0x14200 reaper reaper 9170 223689 0 0 3 0x14200 pgdaemon pagedaemon 25426 518136 0 0 3 
0x14200 bored viomb 69611 144266 0 0 3 0x40014200 acpi0 acpi0 6454 82660 0 0 7 0x40014200 idle1 62366 513359 0 0 3 0x14200 bored softnet 49775 23494 0 0 3 0x14200 bored systqmp 78575 441473 0 0 3 0x14200 bored systq 69158 81344 0 0 2 0x40014200 softclock 99919 427100 0 0 3 0x40014200 idle0 1 71366 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 3233 (syz-executor.1) thread 0xffff80002121e548 (361163) exclusive rwlock clonelk r = 0 (0xffffffff828e4a20) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82a3d4a8) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10231 6523K 6974K 78643K 68405 0 pcb 15 28K 32K 78643K 5029 0 rtable 282 27K 29K 78643K 7940 0 ifaddr 109 30K 33K 78643K 3122 0 sysctl 3 1K 1K 78643K 7 0 counters 58 35K 36K 78643K 900 0 ioctlops 0 0K 4K 78643K 8270 0 iov 0 0K 32K 78643K 3375 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1405 88K 88K 78643K 21285 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 17K 78643K 365 0 VM map 2 1K 1K 78643K 2 0 sem 22 6K 10K 78643K 738 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 15 53K 85K 78643K 36456 0 sigio 0 0K 0K 78643K 567 0 proc 70 87K 124K 78643K 5313 0 subproc 104 6K 6K 78643K 1598 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1526 0 in_multi 82 5K 6K 78643K 2418 0 ether_multi 1 0K 0K 78643K 320 0 mrt 2 0K 0K 78643K 208 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 253 1129K 1129K 
78643K 253 0 exec 0 0K 2K 78643K 8305 0 pfkey data 0 0K 0K 78643K 20 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 983 3090K 3090K 78643K 443916 0 UVM aobj 131 4K 4K 78643K 165 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 2 0K 0K 78643K 1688 0 NDP 13 0K 2K 78643K 759 0 temp 146 4715K 4795K 78643K 313075 0 kqueue 12 18K 30K 78643K 2575 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 2404 0 2401 30 29 1 5 0 8 0 rtentry 112 2134 0 2033 6 2 4 4 0 8 0 unpcb 136 24692 0 24677 190 188 2 9 0 8 1 syncache 296 84 0 84 22 22 0 1 0 8 0 tcpqe 32 154 0 154 16 16 0 1 0 8 0 tcpcb 736 13167 0 13158 412 411 1 32 0 8 0 arp 120 296 0 276 1 0 1 1 0 8 0 inpcb 304 35268 0 35253 414 412 2 19 0 8 0 rttmr 72 122 0 122 8 8 0 1 0 8 0 nd6 48 498 0 476 1 0 1 1 0 8 0 pkpcb 40 345 0 345 25 25 0 2 0 8 0 kcovpl 48 122 0 114 1 0 1 1 0 8 0 ppxss 1248 195 0 195 33 33 0 1 0 8 0 pfstscr 40 16 0 16 4 4 0 1 0 8 0 pffrag 232 294 0 294 7 7 0 1 0 482 0 pffrnode 88 294 0 294 7 7 0 1 0 8 0 pffrent 40 1111 0 1111 7 7 0 1 0 8 0 pfosfp 40 1436 0 1435 6 5 1 5 0 8 0 pfosfpen 112 1436 0 1434 22 21 1 21 0 8 0 pfrke_plain 168 29 0 23 5 4 1 1 0 8 0 pfrktable 1344 517 0 494 18 16 2 3 0 8 0 pftag 88 35 0 27 1 0 1 1 0 8 0 pfqueue 264 4 0 0 1 0 1 1 0 8 0 pfstitem 24 88 0 86 1 0 1 1 0 8 0 pfstkey 112 110 0 108 2 1 1 2 0 8 0 pfstate 320 97 0 95 4 3 1 4 0 8 0 pfrule 1360 666 0 609 7 2 5 6 0 8 0 art_heap8 4096 5 0 3 5 3 2 2 0 8 0 art_heap4 256 8872 0 8476 71 44 27 33 0 8 0 art_table 32 8877 0 8479 5 1 4 5 0 8 0 art_node 16 2023 0 1936 1 0 1 1 0 8 0 sysvmsgpl 40 20 0 5 1 0 1 1 0 8 0 semapl 112 732 0 712 1 0 1 1 0 8 0 shmpl 112 162 0 34 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 49326 0 47759 99 0 99 99 0 8 0 ffsino 272 49326 0 47759 105 0 105 105 0 8 0 nchpl 144 
107787 0 106154 63 0 63 63 0 8 0 rtmask 32 26 0 23 5 4 1 1 0 8 0 uvmvnodes 80 8621 0 0 176 0 176 176 0 8 0 vnodes 224 8621 0 0 508 0 508 508 0 8 0 namei 1024 371922 0 371922 15 14 1 2 0 8 1 percpumem 16 462 0 421 1 0 1 1 0 8 0 vcpupl 2048 361 0 0 46 0 46 46 0 8 0 vmpool 560 482 0 121 26 0 26 26 0 8 0 pfiaddrpl 120 266 0 236 2 1 1 1 0 8 0 scsiplug 72 22 0 22 7 7 0 1 0 8 0 scxspl 216 297245 0 297245 46 45 1 8 0 8 1 plimitpl 152 4527 0 4512 1 0 1 1 0 8 0 sigapl 424 36631 0 36587 13 6 7 8 0 8 0 futexpl 64 351381 0 351379 10 9 1 1 0 8 0 knotepl 120 982 0 0 12 4 8 11 0 8 0 kqueuepl 216 22184 0 22175 268 267 1 12 0 8 0 pipepl 336 8981 0 8920 195 189 6 14 0 8 0 fdescpl 496 36517 0 36489 7 3 4 5 0 8 0 filepl 152 282216 0 281901 422 408 14 30 0 8 0 lockfpl 104 12025 0 12023 24 23 1 2 0 8 0 lockfspl 48 3119 0 3117 1 0 1 1 0 8 0 sessionpl 144 143 0 126 1 0 1 1 0 8 0 pgrppl 48 218 0 201 1 0 1 1 0 8 0 ucredpl 96 33052 0 33030 1 0 1 1 0 8 0 zombiepl 144 36588 0 36587 4 3 1 1 0 8 0 processpl 1064 36631 0 36587 7 3 4 5 0 8 0 procpl 672 90891 0 90834 53 46 7 10 0 8 0 srpgc 96 128 0 128 33 33 0 1 0 8 0 sosppl 168 360 0 360 50 50 0 1 0 8 0 sockpl 480 62966 0 62936 1285 1277 8 44 0 8 4 mcl64k 65536 18 0 0 3 0 3 3 0 8 0 mcl16k 16384 13 0 0 2 0 2 2 0 8 0 mcl12k 12288 8 0 0 1 0 1 1 0 8 0 mcl9k 9216 7 0 0 1 0 1 1 0 8 0 mcl8k 8192 15 0 0 2 0 2 2 0 8 0 mcl4k 4096 9 0 0 2 0 2 2 0 8 0 mcl2k2 2112 3 0 0 1 0 1 1 0 8 0 mcl2k 2048 689 0 0 32 7 25 28 0 8 0 mtagpl 96 1840 0 0 26 0 26 26 0 8 0 mbufpl 256 14057 0 0 852 0 852 852 0 8 0 bufpl 288 64002 0 55381 616 0 616 616 0 8 0 anonpl 24 10284196 0 10259574 647 498 149 166 0 186 0 amapchunkpl 152 1101442 0 1100509 197 158 39 52 0 158 0 amappl16 200 112901 0 111892 541 487 54 58 0 8 0 amappl15 192 6176 0 6168 1 0 1 1 0 8 0 amappl14 184 7281 0 7273 1 0 1 1 0 8 0 amappl13 176 6806 0 6803 1 0 1 1 0 8 0 amappl12 168 4985 0 4977 1 0 1 1 0 8 0 amappl11 160 3075 0 3059 1 0 1 1 0 8 0 amappl10 152 4850 0 4838 1 0 1 1 0 8 0 amappl9 144 4015 0 4009 1 0 1 1 0 8 0 
amappl8 136 6402 0 6199 9 1 8 8 0 8 0 amappl7 128 3529 0 3513 1 0 1 1 0 8 0 amappl6 120 4130 0 4092 3 1 2 2 0 8 0 amappl5 112 33732 0 33704 2 1 1 2 0 8 0 amappl4 104 11555 0 11513 13 11 2 2 0 8 0 amappl3 96 8577 0 8555 1 0 1 1 0 8 0 amappl2 88 11800 0 11691 12 9 3 3 0 8 0 amappl1 80 638837 0 638261 32 19 13 19 0 8 0 amappl 88 440476 0 440001 13 1 12 12 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 164 0 34 3 0 3 3 0 8 0 uaddrrnd 24 36999 0 36610 3 0 3 3 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 36999 0 36610 3 0 3 3 0 8 0 vmmpekpl 168 245291 0 245188 7 1 6 6 0 8 0 vmmpepl 168 3319633 0 3315736 755 572 183 233 0 357 0 vmsppl 368 36998 0 36610 39 3 36 36 0 8 0 rwobjpl 56 780866 0 769673 238 80 158 159 0 8 0 pdppl 4096 74005 0 73581 1386 956 430 430 0 8 6 pvpl 32 17160396 0 17130623 1062 821 241 282 0 265 0 pmappl 248 36998 0 36610 26 1 25 25 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 3895 0 1631 65 0 65 65 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff825739a5) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825e91ae,ffffffff82632dac,131,ffffffff825fdeb9) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000d5a800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002e3a7630) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd8073a35690,80206979,ffff80002e3a7630,ffff80002121e548) at soo_ioctl+0x26c sys_ioctl(ffff80002121e548,ffff80002e3a7748,ffff80002e3a77a0) at sys_ioctl+0x4a2 syscall(ffff80002e3a7810) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002e3a7810) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x589fc0c54f0, count: 
-9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: 10
ddb{1}> trace
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: -5