panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 955
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 40775 70503 0 0 0x4000000 0 syz-executor
150517 64496 0 0x2 0 1 syz-executor
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff834b9c76) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff834f9bf9,ffffffff83509c6d,3bb,ffffffff83532eb1) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_finalize(ffff80003c3eb148,ffffffff834afea3) at refcnt_finalize+0x1db sys/kern/kern_synch.c:956
pppx_if_destroy(ffff80003379e000,ffff80003c3eb140) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794
pppxclose(205b9a,1,2000,ffff8000353a42b8) at pppxclose+0xa0 sys/net/if_pppx.c:541
spec_close(ffff80003c3d5960) at spec_close+0x417 sys/kern/spec_vnops.c:-1
VOP_CLOSE(fffffb007e16d480,1,fffffb00097fd270,ffff8000353a42b8) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156
vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:298 [inline]
vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b sys/kern/vfs_vnops.c:621
fdrop(fffffb0068b8d7d8,ffff8000353a42b8) at fdrop+0x121 sys/kern/kern_descrip.c:1281
closef(fffffb0068b8d7d8,ffff8000353a42b8) at closef+0x192 sys/kern/kern_descrip.c:1265
sys_closefrom(ffff8000353a42b8,ffff80003c3d5c30,ffff80003c3d5b80) at sys_closefrom+0x13c sys/kern/kern_descrip.c:1471
syscall(ffff80003c3d5c30) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c3d5c30) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0xe9acb189680, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 955 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834b9c76) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff834f9bf9,ffffffff83509c6d,3bb,ffffffff83532eb1) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c3eb148,ffffffff834afea3) at refcnt_finalize+0x1db sys/kern/kern_synch.c:956 pppx_if_destroy(ffff80003379e000,ffff80003c3eb140) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff8000353a42b8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c3d5960) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffb007e16d480,1,fffffb00097fd270,ffff8000353a42b8) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:298 [inline] vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b sys/kern/vfs_vnops.c:621 fdrop(fffffb0068b8d7d8,ffff8000353a42b8) at fdrop+0x121 sys/kern/kern_descrip.c:1281 closef(fffffb0068b8d7d8,ffff8000353a42b8) at closef+0x192 sys/kern/kern_descrip.c:1265 sys_closefrom(ffff8000353a42b8,ffff80003c3d5c30,ffff80003c3d5b80) at sys_closefrom+0x13c sys/kern/kern_descrip.c:1471 syscall(ffff80003c3d5c30) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c3d5c30) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xe9acb189680, count: -14 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c3d5730 rbx 0xffffffff8393ee07 cpu_info_full_primary+0x2e07 rdx 0xffff8000015fd140 rcx 0xffff8000353a42b8 rax 0xffffffff8393dff0 cpu_info_full_primary+0x1ff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0x11287f81cae20d5b r11 0x34f9a4ea8d27fc17 r12 0xffffffff8393ec08 
cpu_info_full_primary+0x2c08 r13 0 r14 0 r15 0x1 rip 0xffffffff81ccf9d5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c3d5720 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor) tid=40775 pid=70503 tcnt=3 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=56, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff8000353a5778,0xffff8000fffee2c0 process=0xffff80002a37e698 user=0xffff80003c3d0000, vmspace=0xfffffb000f8ffd78 estcpu=6, cpticks=3, pctcpu=0.1, user=0, sys=3, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 76016 357101 45825 0 2 0x100002 sh 70503 485226 20131 0 2 0 syz-executor *70503 40775 20131 0 7 0x4000000 syz-executor 70503 357722 20131 0 3 0x4000080 fsleep syz-executor 57796 136167 39443 0 2 0xc80 syz-executor 57796 274277 39443 0 3 0x4000080 kqsel syz-executor 57796 489614 39443 0 3 0x4000000 smrbar syz-executor 57796 136904 39443 0 3 0x4000080 fsleep syz-executor 67865 96333 50004 0 2 0 syz-executor 67865 500886 50004 0 3 0x4000080 msgwait syz-executor 83639 266592 66637 0 4 0x82000 syz-executor 83639 73678 66637 0 3 0x4082000 smrbar syz-executor 83639 51784 66637 0 3 0x4002000 suspend syz-executor 45825 248262 16707 0 3 0x82 wait syz-executor 66637 343724 16707 0 3 0x82 nanoslp syz-executor 20131 226249 16707 0 2 0x2 syz-executor 39443 194805 16707 0 3 0x82 nanoslp syz-executor 15983 442170 16707 0 3 0x82 piperd syz-executor 50004 392889 16707 0 2 0x2 syz-executor 64496 150517 16707 0 7 0x2 syz-executor 16707 278180 30157 0 3 0x82 wait syz-executor 30157 340968 73 0 3 0x10008a sigsusp ksh 73 479628 11547 0 3 0x98 kqread sshd-session 11547 319374 30253 0 3 0x92 kqread sshd-session 32055 285904 1 0 3 0x100083 ttyin getty 30253 485748 1 0 3 0x88 kqread sshd 64668 374978 69925 74 3 0x1100092 bpf pflogd 69925 81653 1 0 3 0x80 sbwait pflogd 35832 286291 87481 73 3 0x1100090 kqread syslogd 87481 341502 1 0 3 0x100082 sbwait syslogd 76945 39275 1 0 3 0x100080 kqread 
resolvd 79145 297708 89892 77 3 0x100092 kqread dhcpleased 82918 258424 89892 77 3 0x100092 kqread dhcpleased 89892 514814 1 0 3 0x80 kqread dhcpleased 85634 421603 0 0 2 0x14a00 smr 98752 101618 0 0 2 0x14200 zerothread 1657 159225 0 0 3 0x14200 aiodoned aiodoned 84922 201435 0 0 3 0x14200 syncer update 56037 348891 0 0 3 0x14200 cleaner cleaner 80718 148565 0 0 3 0x14200 reaper reaper 26041 85074 0 0 3 0x14200 pgdaemon pagedaemon 94189 456473 0 0 3 0x14200 bored viomb 5705 498519 0 0 3 0x40014200 acpi0 acpi0 32034 107861 0 0 3 0x40014200 idle1 14137 304388 0 0 3 0x14200 bored softnet1 16252 55438 0 0 3 0x14200 bored softnet0 14763 196858 0 0 3 0x14200 smrbar systqmp 22133 129395 0 0 3 0x14200 bored systq 91399 275111 0 0 3 0x14200 tmoslp softclockmp 58956 227200 0 0 3 0x40014200 tmoslp softclock 40439 216713 0 0 3 0x40014200 idle0 1 194549 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 70503 (syz-executor) thread 0xffff8000353a42b8 (40775) exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83a8ac40) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 vn_closefile+0x41 sys/kern/vfs_vnops.c:614 #2 fdrop+0x121 sys/kern/kern_descrip.c:1281 #3 closef+0x192 sys/kern/kern_descrip.c:1265 #4 sys_closefrom+0x13c sys/kern/kern_descrip.c:1471 #5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783 #6 Xsyscall+0x128 Process 83639 (syz-executor) thread 0xffff8000353a4d18 (73678) exclusive rwlock clonelk r = 0 (0xffffffff83970fd8) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320 #2 if_clone_destroy+0x93 sys/net/if.c:-1 #3 ifioctl+0x59d sys/net/if.c:2160 #4 sys_ioctl+0x674 sys/kern/sys_generic.c:-1 #5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] #5 syscall+0xbd4 
sys/arch/amd64/amd64/trap.c:783 #6 Xsyscall+0x128 Process 14763 (systqmp) thread 0xffff8000ffffe298 (196858) shared rwlock systqmp r = 0 (0xffffffff83984028) #0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline] #0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160 #1 taskq_thread+0x12a sys/kern/kern_task.c:442 #2 proc_trampoline+0x10 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 11083 12287K 12415K 166960K 12411 0 pcb 17 12K 12K 166960K 42 0 rtable 221 6K 8K 166960K 368 0 pf 49 20K 21K 166960K 79 0 ifaddr 48 7K 7K 166960K 61 0 ifgroup 74 3K 3K 166960K 87 0 sysctl 3 1K 9K 166960K 7 0 counters 88 38K 39K 166960K 106 0 ioctlops 0 0K 4K 166960K 1539 0 iov 0 0K 0K 166960K 1 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1297 82K 82K 166960K 1438 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 5K 166960K 3 0 VM map 2 1K 1K 166960K 2 0 sem 4 0K 0K 166960K 5 0 dirhash 12 2K 2K 166960K 12 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 16 57K 93K 166960K 207 0 sigio 0 0K 0K 166960K 1 0 proc 71 115K 163K 166960K 567 0 subproc 72 4K 4K 166960K 81 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 8 0 in_multi 90 6K 7K 166960K 107 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 4 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 61 281K 281K 166960K 61 0 exec 0 0K 1K 166960K 393 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 228 160K 169K 166960K 3562 0 UVM aobj 3 2K 2K 166960K 3 0 pinsyscall 41 82K 104K 166960K 1373 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 1 0 NDP 18 0K 2K 166960K 38 0 temp 37 9114K 9120K 166960K 4113 0 kqueue 17 26K 26K 166960K 41 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 
120 34 0 31 1 0 1 1 0 8 0 rtentry 176 115 0 14 6 0 6 6 0 8 0 unpcb 144 67 0 50 1 0 1 1 0 8 0 syncache 336 6 0 6 1 0 1 1 0 8 1 tcpcb 736 56 0 51 4 0 4 4 0 8 3 arp 136 18 0 2 1 0 1 1 0 8 0 inpcb 328 167 0 155 4 0 4 4 0 8 2 nd6 152 24 0 3 1 0 1 1 0 8 0 kcovpl 48 9 0 1 1 0 1 1 0 8 0 ppxss 1192 13 0 7 1 0 1 1 0 8 0 pppxif 1576 4 0 1 1 0 1 1 0 8 0 pfstscr 40 2 0 2 1 0 1 1 0 8 1 pffrag 232 1 0 0 1 0 1 1 0 482 0 pffrnode 88 1 0 0 1 0 1 1 0 8 0 pffrent 40 2 0 0 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 3 0 3 1 0 1 1 0 8 1 pfsrclim 320 1 0 1 1 0 1 1 0 8 1 pfanchor 1288 1 0 1 1 0 1 1 0 8 1 pftag 88 2 0 2 1 0 1 1 0 8 1 pfstitem 24 20 0 0 1 0 1 1 0 8 0 pfstkey 128 22 0 2 1 0 1 1 0 8 0 pfstate 448 21 0 1 3 0 3 3 0 8 0 pfrule 1360 25 0 18 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 471 0 50 29 0 29 29 0 8 1 art_table 40 472 0 50 5 0 5 5 0 8 0 art_node 32 115 0 22 1 0 1 1 0 8 0 sysvmsgpl 40 1 0 1 1 0 1 1 0 8 1 semapl 72 3 0 1 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 1685 0 211 93 0 93 93 0 8 0 ffsino 296 1685 0 211 114 0 114 114 0 8 0 nchpl 144 1965 0 256 64 0 64 64 0 8 0 vnodes 216 1824 0 0 102 0 102 102 0 8 0 namei 1024 6240 0 6240 2 0 2 2 0 8 2 percpumem 16 68 0 9 1 0 1 1 0 8 0 pfiaddrpl 120 1 0 1 1 0 1 1 0 8 1 kstatmem 264 47 0 8 3 0 3 3 0 8 0 scxspl 216 6635 0 6635 3 2 1 2 1 8 1 plimitpl 152 39 0 21 1 0 1 1 0 8 0 sigapl 424 522 0 476 7 0 7 7 0 8 1 knotepl 120 267 0 0 9 0 9 9 0 8 0 kqueuepl 224 41 0 27 1 0 1 1 0 8 0 pipepl 344 134 0 107 3 0 3 3 0 8 0 fdescpl 528 506 0 476 3 0 3 3 0 8 0 filepl 160 2111 0 1888 12 0 12 12 0 8 2 lockfpl 104 68 0 64 1 0 1 1 0 8 0 lockfspl 48 34 0 30 1 0 1 1 0 8 0 sessionpl 144 31 0 22 1 0 1 1 0 8 0 pgrppl 48 40 0 23 1 0 1 1 0 8 0 ucredpl 104 164 0 150 1 0 1 1 0 8 0 zombiepl 144 478 0 476 1 0 1 1 0 8 0 processpl 1232 522 0 476 5 0 5 5 0 8 1 procpl 664 635 0 581 6 0 6 6 0 8 1 sockpl 752 272 0 240 7 0 7 7 0 8 3 mcl64k 65536 2 0 0 1 0 1 1 0 8 0 mcl8k 
8192 2 0 0 1 0 1 1 0 8 0 mcl4k 4096 126 0 0 16 0 16 16 0 8 0 mcl2k2 2112 1 0 0 1 0 1 1 0 8 0 mcl2k 2048 18 0 0 3 0 3 3 0 8 0 mtagpl 96 5 0 0 1 0 1 1 0 8 0 mbufpl 256 127 0 0 8 0 8 8 0 8 0 bufpl 280 2360 0 105 162 0 162 162 0 8 0 anonpl 32 5553 0 0 45 0 45 45 0 246 0 amapchunkpl 152 10213 0 9759 29 1 28 28 0 158 9 amappl16 200 1558 0 1538 5 1 4 5 0 8 2 amappl15 192 2 0 2 1 1 0 1 0 8 0 amappl14 184 456 0 454 1 0 1 1 0 8 0 amappl13 176 139 0 127 1 0 1 1 0 8 0 amappl12 168 763 0 734 2 0 2 2 0 8 0 amappl11 160 8 0 8 1 1 0 1 0 8 0 amappl10 152 65 0 51 1 0 1 1 0 8 0 amappl9 144 272 0 272 1 1 0 1 0 8 0 amappl8 136 116 0 114 1 0 1 1 0 8 0 amappl7 128 162 0 149 1 0 1 1 0 8 0 amappl6 120 175 0 173 1 0 1 1 0 8 0 amappl5 112 94 0 84 1 0 1 1 0 8 0 amappl4 104 292 0 273 1 0 1 1 0 8 0 amappl3 96 1889 0 1782 4 0 4 4 0 8 1 amappl2 88 548 0 485 2 0 2 2 0 8 0 amappl1 80 10834 0 10227 14 0 14 14 0 8 1 amappl 88 2830 0 2674 5 0 5 5 0 92 0 uvmvnodes 80 101 0 0 3 0 3 3 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 2 0 0 1 0 1 1 0 8 0 uaddrrnd 24 506 0 476 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 506 0 476 1 0 1 1 0 8 0 vmmpekpl 168 6165 0 6123 2 0 2 2 0 8 0 vmmpepl 168 41270 0 39438 88 0 88 88 0 357 3 vmsppl 488 505 0 476 5 0 5 5 0 8 0 rwobjpl 80 14998 0 13965 24 0 24 24 0 8 1 pdppl 4096 1019 0 952 97 24 73 85 0 8 6 pvpl 32 11603 0 0 94 0 94 94 0 265 0 pmappl 256 505 0 476 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 270 0 27 8 0 8 8 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff834b9c76) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff834f9bf9,ffffffff83509c6d,3bb,ffffffff83532eb1) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c3eb148,ffffffff834afea3) 
at refcnt_finalize+0x1db sys/kern/kern_synch.c:956 pppx_if_destroy(ffff80003379e000,ffff80003c3eb140) at pppx_if_destroy+0x3d sys/net/if_pppx.c:794 pppxclose(205b9a,1,2000,ffff8000353a42b8) at pppxclose+0xa0 sys/net/if_pppx.c:541 spec_close(ffff80003c3d5960) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffb007e16d480,1,fffffb00097fd270,ffff8000353a42b8) at VOP_CLOSE+0x132 sys/kern/vfs_vops.c:156 vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b vn_close sys/kern/vfs_vnops.c:298 [inline] vn_closefile(fffffb0068b8d7d8,ffff8000353a42b8) at vn_closefile+0x12b sys/kern/vfs_vnops.c:621 fdrop(fffffb0068b8d7d8,ffff8000353a42b8) at fdrop+0x121 sys/kern/kern_descrip.c:1281 closef(fffffb0068b8d7d8,ffff8000353a42b8) at closef+0x192 sys/kern/kern_descrip.c:1265 sys_closefrom(ffff8000353a42b8,ffff80003c3d5c30,ffff80003c3d5b80) at sys_closefrom+0x13c sys/kern/kern_descrip.c:1471 syscall(ffff80003c3d5c30) at syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c3d5c30) at syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xe9acb189680, count: -14 ddb{0}> machine ddbcpu 1