panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 303 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *204136 73708 0 0 0x4000000 0K syz-executor.5 389408 1286 0 0x14000 0x200 1 reaper db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825a4dbd) at panic+0x177 sys/kern/subr_prf.c:198 __assert(ffffffff82619844,ffffffff82664e58,12f,ffffffff8262ee38) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d41000) at tun_clone_destroy+0x278 sys/net/if_tun.c:303 if_clone_destroy(ffff8000285399e0) at if_clone_destroy+0x132 sys/net/if.c:1276 soo_ioctl(fffffd8072b76ef8,80206979,ffff8000285399e0,ffff8000ffff57a8) at soo_ioctl+0x24e sys/kern/sys_socket.c:133 sys_ioctl(ffff8000ffff57a8,ffff800028539af8,ffff800028539b40) at sys_ioctl+0x4a2 syscall(ffff800028539bc0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff800028539bc0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x305a4161cf0, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 303 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825a4dbd) at panic+0x177 sys/kern/subr_prf.c:198 __assert(ffffffff82619844,ffffffff82664e58,12f,ffffffff8262ee38) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d41000) at tun_clone_destroy+0x278 sys/net/if_tun.c:303 if_clone_destroy(ffff8000285399e0) at if_clone_destroy+0x132 sys/net/if.c:1276 soo_ioctl(fffffd8072b76ef8,80206979,ffff8000285399e0,ffff8000ffff57a8) at soo_ioctl+0x24e sys/kern/sys_socket.c:133 sys_ioctl(ffff8000ffff57a8,ffff800028539af8,ffff800028539b40) at sys_ioctl+0x4a2 syscall(ffff800028539bc0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff800028539bc0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x305a4161cf0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff8000285397f0 rbx 0xffffffff829aab8f cpu_info_full_primary+0x2b8f rdx 0xffff800000ba6f00 rcx 0 rax 0xffff8000ffff57a8 r8 0 r9 0x8080808080808080 r10 0x489c4da5016897a2 r11 0x1fd68e8c6c19c75e r12 0xffffffff829aa990 cpu_info_full_primary+0x2990 r13 0 r14 0 r15 0x1 rip 0xffffffff81e38978 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000285397e0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.5) pid=204136 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=86, nice=20 forw=0xffffffffffffffff, list=0xffff8000ffff5508,0xffffffff82a5fd18 process=0xffff8000ffff14e0 user=0xffff800028534000, vmspace=0xfffffd806f0e8008 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 73708 230056 73663 0 2 0 syz-executor.5 *73708 204136 73663 0 7 0x4000000 syz-executor.5 22504 298747 52260 0 2 0 syz-executor.7 22504 357136 52260 0 3 0x4000080 fsleep syz-executor.7 22504 81615 52260 0 3 0x4000080 fsleep syz-executor.7 22504 55356 52260 0 2 0x4000000 syz-executor.7 22504 433741 52260 0 3 0x4000080 fsleep syz-executor.7 80637 140207 59631 0 2 0 syz-executor.2 80637 250875 59631 0 3 0x4000080 fsleep syz-executor.2 70842 219743 42506 0 2 0 syz-executor.0 70842 94839 42506 0 2 0x4000000 syz-executor.0 46384 51983 31227 0 2 0 syz-executor.6 46384 471528 31227 0 3 0x4000080 piperd syz-executor.6 11380 356180 42544 60928 2 0x490 syz-executor.4 11380 387924 42544 60928 3 0x4000090 piperd syz-executor.4 11380 255074 42544 60928 3 0x4000090 fsleep syz-executor.4 42506 509118 33038 0 2 0x2 syz-executor.0 42732 455970 33038 0 2 0x2 syz-executor.1 42544 345886 33038 0 3 0x82 nanoslp syz-executor.4 82964 119402 33038 0 3 0x82 nanoslp syz-executor.3 59631 190851 33038 0 2 0x2 syz-executor.2 73663 211678 33038 0 2 0x482 syz-executor.5 25886 459111 1 0 3 0x100083 ttyin getty 31227 321919 33038 0 3 0x82 nanoslp syz-executor.6 11550 42414 0 0 3 0x14280 nfsidl nfsio 10643 233090 0 0 3 0x14280 nfsidl nfsio 31863 67913 0 0 3 0x14280 nfsidl nfsio 69066 337269 0 0 3 0x14280 nfsidl nfsio 7232 124038 0 0 3 0x14280 nfsidl nfsio 65091 5425 0 0 3 0x14280 nfsidl nfsio 57427 158263 0 0 3 0x14280 nfsidl nfsio 18719 156254 0 0 3 0x14280 nfsidl nfsio 21043 314126 0 0 3 0x14280 nfsidl nfsio 48877 61616 0 0 3 0x14280 nfsidl nfsio 3940 479553 0 0 3 0x14280 nfsidl nfsio 15383 82276 0 0 3 0x14280 nfsidl nfsio 30318 103311 0 0 3 0x14280 nfsidl nfsio 85116 203123 0 0 3 0x14280 nfsidl nfsio 18038 478903 0 0 3 0x14280 nfsidl nfsio 16132 21576 0 0 3 0x14280 nfsidl nfsio 25943 33771 0 0 3 0x14280 nfsidl nfsio 50513 316586 0 0 3 0x14280 nfsidl nfsio 77854 169449 0 0 3 0x14280 nfsidl nfsio 99158 404122 0 0 3 0x14280 nfsidl nfsio 52260 338881 33038 0 2 0x482 syz-executor.7 48743 252024 0 0 3 0x14200 acct acct 89212 171010 0 0 3 0x14200 bored sosplice 33038 86808 5158 0 3 0x82 wait syz-fuzzer 33038 120390 5158 0 2 0x4000482 syz-fuzzer 33038 26588 5158 0 3 0x4000082 wait syz-fuzzer 33038 213418 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 449814 5158 0 3 0x4000082 kqread syz-fuzzer 33038 437537 5158 0 3 0x4000082 wait syz-fuzzer 33038 303104 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 42234 5158 0 3 0x4000082 wait syz-fuzzer 33038 337711 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 323538 5158 0 3 0x4000082 wait syz-fuzzer 33038 435477 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 66188 5158 0 3 0x4000082 wait syz-fuzzer 33038 243809 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 64047 5158 0 3 0x4000082 wait syz-fuzzer 33038 97925 5158 0 3 0x4000082 thrsleep syz-fuzzer 33038 235015 5158 0 3 0x4000082 wait syz-fuzzer 5158 499923 29192 0 3 0x10008a sigsusp ksh 29192 506194 51653 0 3 0x9a kqread sshd 51653 7873 1 0 3 0x88 kqread sshd 1253 262369 89943 74 3 0x1100092 bpf pflogd 89943 222340 1 0 3 0x80 netio pflogd 17391 385922 38429 73 3 0x1100090 kqread syslogd 38429 235564 1 0 3 0x100082 netio syslogd 77478 496993 1 0 3 0x100080 kqread resolvd 98272 306286 4528 77 2 0x100092 dhcpleased 67424 492649 4528 77 3 0x100092 kqread dhcpleased 4528 243790 1 0 3 0x80 kqread dhcpleased 94369 102295 0 0 3 0x14200 bored smr 19789 89433 0 0 2 0x14200 zerothread 52783 510813 0 0 3 0x14200 aiodoned aiodoned 30153 150500 0 0 3 0x14200 syncer update 70548 286947 0 0 3 0x14200 cleaner cleaner 1286 389408 0 0 7 0x14200 reaper 33914 283124 0 0 3 0x14200 pgdaemon pagedaemon 44696 494633 0 0 3 0x14200 bored viomb 23730 349376 0 0 3 0x40014200 acpi0 acpi0 40339 103345 0 0 3 0x40014200 idle1 63436 131028 0 0 3 0x14200 bored softnet 88549 169969 0 0 3 0x14200 bored softnet 5765 263908 0 0 3 0x14200 bored softnet 18280 410090 0 0 3 0x14200 bored softnet 14947 473237 0 0 3 0x14200 bored systqmp 7295 221416 0 0 3 0x14200 bored systq 21228 273210 0 0 2 0x40014200 softclock 32335 112594 0 0 3 0x40014200 idle0 1 469783 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10251 6662K 10812K 78643K 92705 0 pcb 14 18K 23K 78643K 4432 0 rtable 259 24K 26K 78643K 6615 0 ifaddr 192 51K 55K 78643K 2690 0 sysctl 3 1K 2K 78643K 7 0 counters 54 35K 36K 78643K 728 0 ioctlops 0 0K 8K 78643K 9942 0 iov 0 0K 32K 78643K 4421 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1647 103K 103K 78643K 35562 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 273 0 VM map 2 1K 1K 78643K 2 0 sem 16 5K 10K 78643K 598 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 16 57K 87K 78643K 29035 0 sigio 1 0K 0K 78643K 472 0 proc 74 91K 116K 78643K 5000 0 subproc 104 6K 7K 78643K 1567 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1469 0 in_multi 68 4K 6K 78643K 2520 0 ether_multi 1 0K 0K 78643K 134 0 mrt 2 0K 0K 78643K 74 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 247 1102K 1102K 78643K 247 0 exec 0 0K 2K 78643K 6759 0 pfkey data 0 0K 0K 78643K 6 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 565 712K 1350K 78643K 175977 0 UVM aobj 131 4K 4K 78643K 174 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 635 0 NDP 15 0K 2K 78643K 741 0 temp 134 4734K 5759K 78643K 253059 0 kqueue 12 18K 28K 78643K 2597 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 1613 0 1610 21 20 1 3 0 8 0 rtentry 112 1934 0 1852 5 2 3 4 0 8 0 unpcb 144 25620 0 25604 216 215 1 10 0 8 0 syncache 296 97 0 97 21 21 0 1 0 8 0 tcpqe 32 187 0 187 9 9 0 1 0 8 0 tcpcb 768 8503 0 8497 267 254 13 22 0 8 12 arp 120 270 0 256 1 0 1 1 0 8 0 inpcb 368 23137 0 23127 316 307 9 17 0 8 8 nd6 48 458 0 438 1 0 1 1 0 8 0 pkpcb 40 41 0 41 8 8 0 1 0 8 0 kcovpl 48 120 0 112 1 0 1 1 0 8 0 ppxss 1256 157 0 157 27 27 0 1 0 8 0 pfstscr 40 141 0 134 1 0 1 1 0 8 0 pffrag 232 123 0 122 10 9 1 1 0 482 0 pffrnode 88 123 0 122 10 9 1 1 0 8 0 pffrent 40 837 0 836 14 13 1 1 0 8 0 pfosfp 40 1485 0 1060 5 0 5 5 0 8 0 pfosfpen 112 1485 0 767 21 0 21 21 0 8 0 pfrktable 1344 257 0 231 4 1 3 3 0 8 0 pfanchor 1280 874 71 362 45 2 43 43 0 8 0 pfpktdelay 88 11 0 11 8 8 0 1 0 8 0 pftag 88 10 0 3 1 0 1 1 0 8 0 pfqueue 264 10 0 10 3 3 0 1 0 8 0 pfstitem 24 104 0 94 1 0 1 1 0 8 0 pfstkey 120 352 0 347 2 0 2 2 0 8 0 pfstate 336 223 0 217 3 2 1 3 0 8 0 pfsrctr 152 15 0 15 1 1 0 1 0 8 0 pfrule 1360 1378 0 903 46 6 40 40 0 8 0 rttmr 136 16 0 16 5 5 0 1 0 8 0 art_heap8 4096 14 0 13 9 8 1 3 0 8 0 art_heap4 256 10514 0 10190 45 21 24 30 0 8 0 art_table 32 10528 0 10203 4 0 4 4 0 8 0 art_node 16 1891 0 1820 1 0 1 1 0 8 0 sysvmsgpl 40 8 0 3 1 0 1 1 0 8 0 semupl 112 9 0 9 2 2 0 1 0 8 0 semapl 112 585 0 571 1 0 1 1 0 8 0 shmpl 112 171 0 43 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 39466 0 37913 98 0 98 98 0 8 0 ffsino 272 39466 0 37913 104 0 104 104 0 8 0 nchpl 144 78457 0 77894 63 38 25 63 0 8 0 rtmask 32 11 0 11 4 4 0 1 0 8 0 uvmvnodes 80 8197 0 0 168 0 168 168 0 8 0 vnodes 216 8197 0 0 456 0 456 456 0 8 0 namei 1024 298557 0 298556 11 10 1 2 0 8 0 percpumem 16 376 0 337 1 0 1 1 0 8 0 vcpupl 2048 90 0 0 12 0 12 12 0 8 0 vmpool 568 93 0 3 7 0 7 7 0 8 0 pfiaddrpl 120 280 0 44 8 0 8 8 0 8 0 kstatmem 264 640 0 614 8 5 3 3 0 8 0 scsiplug 72 22 0 22 8 8 0 1 0 8 0 scxspl 216 226896 0 226896 59 56 3 8 0 8 3 plimitpl 152 3266 0 3250 1 0 1 1 0 8 0 sigapl 424 29189 0 29120 11 3 8 8 0 8 0 futexpl 64 245848 0 245843 10 9 1 1 0 8 0 knotepl 120 1621 0 0 19 0 19 19 0 8 0 kqueuepl 216 6731 0 6723 106 105 1 7 0 8 0 pipepl 320 10927 0 10896 188 185 3 13 0 8 0 fdescpl 496 29108 0 29079 8 4 4 5 0 8 0 filepl 152 218593 0 218341 286 271 15 23 0 8 5 lockfpl 104 8005 0 8003 20 19 1 2 0 8 0 lockfspl 48 2515 0 2513 1 0 1 1 0 8 0 sessionpl 144 137 0 120 1 0 1 1 0 8 0 pgrppl 48 581 0 564 1 0 1 1 0 8 0 ucredpl 104 22016 0 22001 1 0 1 1 0 8 0 zombiepl 144 29121 0 29120 1 0 1 1 0 8 0 processpl 1064 29189 0 29120 6 1 5 5 0 8 0 procpl 672 85799 0 85705 40 30 10 11 0 8 2 srpgc 96 224 0 224 36 35 1 1 0 8 1 sosppl 168 167 0 167 39 38 1 1 0 8 1 sockpl 488 50472 0 50440 1023 1011 12 35 0 8 7 mcl64k 65536 25 0 0 3 0 3 3 0 8 0 mcl16k 16384 33 0 0 3 0 3 3 0 8 0 mcl12k 12288 41 0 0 2 0 2 2 0 8 0 mcl9k 9216 41 0 0 3 1 2 2 0 8 0 mcl8k 8192 49 0 0 6 3 3 5 0 8 0 mcl4k 4096 75 0 0 5 2 3 3 0 8 0 mcl2k2 2112 21 0 0 2 0 2 2 0 8 0 mcl2k 2048 585 0 0 46 24 22 46 0 8 0 mtagpl 96 1124 0 0 13 1 12 13 0 8 0 mbufpl 256 4114 0 0 216 0 216 216 0 8 0 bufpl 288 46158 0 37961 586 0 586 586 0 8 0 anonpl 24 5942889 0 5923771 457 297 160 163 0 186 12 amapchunkpl 152 571461 0 570687 785 748 37 659 0 158 0 amappl16 200 90338 0 89536 254 198 56 57 0 8 6 amappl15 192 3929 0 3928 4 3 1 1 0 8 0 amappl14 184 4199 0 4188 2 1 1 1 0 8 0 amappl13 176 4404 0 4400 1 0 1 1 0 8 0 amappl12 168 3862 0 3856 1 0 1 1 0 8 0 amappl11 160 3444 0 3421 2 0 2 2 0 8 0 amappl10 152 5162 0 5142 1 0 1 1 0 8 0 amappl9 144 3116 0 3115 1 0 1 1 0 8 0 amappl8 136 6878 0 6647 9 0 9 9 0 8 0 amappl7 128 4198 0 4171 3 2 1 2 0 8 0 amappl6 120 3672 0 3636 4 2 2 2 0 8 0 amappl5 112 25500 0 25479 1 0 1 1 0 8 0 amappl4 104 10795 0 10744 2 0 2 2 0 8 0 amappl3 96 93918 0 93852 3 1 2 3 0 8 0 amappl2 88 7333 0 7263 3 1 2 3 0 8 0 amappl1 80 724893 0 724080 34 16 18 23 0 8 0 amappl 88 172908 0 172659 8 1 7 7 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 173 0 43 3 0 3 3 0 8 0 uaddrrnd 24 29201 0 29082 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 29201 0 29082 1 0 1 1 0 8 0 vmmpekpl 168 238541 0 238446 5 0 5 5 0 8 0 vmmpepl 168 2895011 0 2891411 514 336 178 198 0 357 1 vmsppl 368 29200 0 29081 14 3 11 12 0 8 0 rwobjpl 56 720253 0 709640 208 54 154 155 0 8 3 pdppl 4096 58409 0 58252 1313 1154 159 161 0 8 2 pvpl 32 11733302 0 11712115 741 504 237 266 0 265 24 pmappl 248 29200 0 29081 8 0 8 8 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2869 0 1569 38 0 38 38 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff825a4dbd) at panic+0x177 sys/kern/subr_prf.c:198 __assert(ffffffff82619844,ffffffff82664e58,12f,ffffffff8262ee38) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d41000) at tun_clone_destroy+0x278 sys/net/if_tun.c:303 if_clone_destroy(ffff8000285399e0) at if_clone_destroy+0x132 sys/net/if.c:1276 soo_ioctl(fffffd8072b76ef8,80206979,ffff8000285399e0,ffff8000ffff57a8) at soo_ioctl+0x24e sys/kern/sys_socket.c:133 sys_ioctl(ffff8000ffff57a8,ffff800028539af8,ffff800028539b40) at sys_ioctl+0x4a2 syscall(ffff800028539bc0) at syscall+0x4c3 mi_syscall sys/sys/syscall_mi.h:101 [inline] syscall(ffff800028539bc0) at syscall+0x4c3 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x305a4161cf0, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020dd8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 __mp_lock(ffffffff82b495c8) at __mp_lock+0x129 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82b495c8) at __mp_lock+0x129 sys/kern/kern_lock.c:147 uvm_unmap_detach(ffff800021239a20,1) at uvm_unmap_detach+0x113 sys/uvm/uvm_map.c:1367 uvm_map_teardown(fffffd8069455478) at uvm_map_teardown+0x262 sys/uvm/uvm_map.c:2541 uvmspace_free(fffffd8069455478) at uvmspace_free+0xa6 sys/uvm/uvm_map.c:3436 reaper(ffff800021233268) at reaper+0x19a sys/kern/kern_exit.c:448 end trace frame: 0x0, count: 7 ddb{1}> tc No such command