panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 315 Stopped at db_enter+0x1c: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *438258 9196 0 0x8000000 0x4000000 0K syz-executor.5 273577 99025 77 0x18100012 0 1 dhcpleased db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315 if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384 ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9 syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline] syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb164cefe1a0, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 315 ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315 if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384 ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9 syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline] syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb164cefe1a0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002f8eec00 rbx 0xffffffff82d50cbf cpu_info_full_primary+0x2cbf rdx 0xffff800000ecbe40 rcx 0xffff8000ffffcce0 rax 0xffffffff82d4fff0 cpu_info_full_primary+0x1ff0 r8 0 r9 0x8080808080808080 r10 0xc8623fe200e2713a r11 0x718ff9b3deffe2fd r12 0xffffffff82d50ac0 cpu_info_full_primary+0x2ac0 r13 0 r14 0 r15 0x1 rip 0xffffffff826964fc db_enter+0x1c cs 0x8 rflags 0x246 rsp 0xffff80002f8eebf0 ss 0x10 db_enter+0x1c: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.5) tid=438258 pid=9196 tcnt=2 stat=onproc flags process=8000000 proc=4000000 runpri=32, usrpri=82, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 forw=0xffffffffffffffff, list=0xffff80002f114d10,0xffff80002a1aed00 process=0xffff80002f2c6818 user=0xffff80002f8ea000, vmspace=0xfffffd806b5b9dd8 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 94984 186617 4377 0 2 0x8000000 syz-executor.1 9196 212731 68487 0 2 0x8000000 syz-executor.5 * 9196 438258 68487 0 7 0xc000000 syz-executor.5 34378 252525 82550 0 2 0x8000480 syz-executor.3 34378 278969 82550 0 3 0xc000080 kqread syz-executor.3 34378 241289 82550 0 3 0xc000080 fsleep syz-executor.3 45295 179891 1 0 3 0x18000082 nanoslp getty 815 304311 50936 0 2 0x8000480 syz-executor.4 815 427985 50936 0 3 0xc000080 kqsel syz-executor.4 815 177219 50936 0 3 0xc000080 kqsel syz-executor.4 815 296543 50936 0 3 0xc000080 fsleep syz-executor.4 99858 239040 70701 0 2 0x8000480 syz-executor.7 99858 273022 70701 0 3 0xc000080 kqsel syz-executor.7 99858 148111 70701 0 3 0xc000080 kqsel syz-executor.7 99858 5489 70701 0 3 0xc000080 fsleep syz-executor.7 50936 381008 13881 0 2 0x8000482 syz-executor.4 82550 381473 13881 0 2 0x8000482 syz-executor.3 68487 47516 13881 0 2 0x8000482 syz-executor.5 70701 497557 13881 0 2 0x8000482 syz-executor.7 4377 429049 13881 0 2 0x8000482 syz-executor.1 81292 278284 13881 0 2 0x8000482 syz-executor.2 3989 215934 0 0 3 0x14200 acct acct 66259 112264 13881 0 2 0x8000482 syz-executor.0 46462 217362 0 0 3 0x14280 nfsidl nfsio 94962 157707 0 0 3 0x14280 nfsidl nfsio 49077 246840 0 0 3 0x14280 nfsidl nfsio 73918 520353 0 0 3 0x14280 nfsidl nfsio 36254 80377 0 0 3 0x14280 nfsidl nfsio 93660 206199 0 0 3 0x14280 nfsidl nfsio 85771 154016 0 0 3 0x14280 nfsidl nfsio 21583 232095 0 0 3 0x14280 nfsidl nfsio 26102 308196 0 0 3 0x14280 nfsidl nfsio 60177 77544 0 0 3 0x14280 nfsidl nfsio 66015 1145 0 0 3 0x14280 nfsidl nfsio 28805 237982 0 0 3 0x14280 nfsidl nfsio 54162 355210 0 0 3 0x14280 nfsidl nfsio 31855 237603 0 0 3 0x14280 nfsidl nfsio 72933 187027 0 0 3 0x14280 nfsidl nfsio 79358 512121 0 0 3 0x14280 nfsidl nfsio 77709 363917 0 0 3 0x14280 nfsidl nfsio 28283 344742 0 0 3 0x14280 nfsidl nfsio 19678 99629 0 0 3 0x14280 nfsidl nfsio 5948 35123 0 0 3 0x14280 nfsidl nfsio 24134 287614 0 0 3 0x14200 bored sosplice 13881 317782 51761 0 3 0x1a000082 thrsleep syz-fuzzer 13881 296711 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 344763 51761 0 3 0x1e000082 wait syz-fuzzer 13881 443467 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 390931 51761 0 3 0x1e000082 wait syz-fuzzer 13881 460699 51761 0 3 0x1e000082 wait syz-fuzzer 13881 301206 51761 0 3 0x1e000082 kqread syz-fuzzer 13881 155634 51761 0 3 0x1e000082 wait syz-fuzzer 13881 514178 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 45938 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 453123 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 448780 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 359497 51761 0 3 0x1e000082 wait syz-fuzzer 13881 123646 51761 0 3 0x1e000082 wait syz-fuzzer 13881 328136 51761 0 3 0x1e000082 wait syz-fuzzer 13881 167872 51761 0 3 0x1e000082 thrsleep syz-fuzzer 13881 98699 51761 0 3 0x1e000082 thrsleep syz-fuzzer 51761 211629 25406 0 3 0x810008a sigsusp ksh 25406 25175 13579 0 3 0x1800009a kqread sshd 13579 49624 1 0 3 0x18000088 kqread sshd 36168 324780 18293 73 3 0x19100090 kqread syslogd 18293 402692 1 0 3 0x18100082 sbwait syslogd 37117 521369 1 0 3 0x18100080 kqread resolvd 99025 273577 7960 77 7 0x18100012 dhcpleased 26381 254842 7960 77 3 0x18100092 kqread dhcpleased 7960 47865 1 0 3 0x18000080 kqread dhcpleased 60984 206745 0 0 3 0x14200 bored smr 49923 420030 0 0 2 0x14200 zerothread 1738 61566 0 0 3 0x14200 aiodoned aiodoned 47223 284111 0 0 3 0x14200 syncer update 55638 49689 0 0 3 0x14200 cleaner cleaner 96592 440893 0 0 3 0x14200 reaper reaper 47351 65984 0 0 3 0x14200 pgdaemon pagedaemon 84483 366243 0 0 3 0x14200 bored viomb 6043 253830 0 0 3 0x40014200 acpi0 acpi0 9996 330863 0 0 3 0x40014200 idle1 71061 130425 0 0 3 0x14200 bored softnet3 87913 460908 0 0 3 0x14200 bored softnet2 4653 102558 0 0 3 0x14200 bored softnet1 35505 509258 0 0 3 0x14200 bored softnet0 38690 448378 0 0 3 0x14200 bored systqmp 70620 387873 0 0 3 0x14200 bored systq 30456 75337 0 0 3 0x14200 tmoslp softclockmp 57584 275891 0 0 2 0x40014200 softclock 69634 391599 0 0 3 0x40014200 idle0 1 142270 0 0 3 0x8080082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 9196 (syz-executor.5) thread 0xffff8000ffffcce0 (438258) ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10197 6642K 6896K 166960K 16621 0 pcb 15 11K 12K 166960K 622 0 rtable 176 6K 8K 166960K 2585 0 pf 29 9K 10K 166960K 291 0 ifaddr 36 14K 16K 166960K 344 0 ifgroup 49 2K 3K 166960K 495 0 sysctl 4 1K 2K 166960K 17 0 counters 62 36K 37K 166960K 282 0 ioctlops 0 0K 4K 166960K 1731 0 iov 0 0K 24K 166960K 393 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1446 91K 91K 166960K 4840 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 9K 166960K 103 0 VM map 2 1K 1K 166960K 2 0 sem 17 1K 1K 166960K 242 0 dirhash 12 2K 3K 166960K 159 0 ACPI 1697 195K 286K 166960K 12548 0 file desc 15 53K 89K 166960K 5777 0 sigio 1 0K 0K 166960K 195 0 proc 59 79K 128K 166960K 2712 0 subproc 91 5K 7K 166960K 875 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 4 0K 0K 166960K 965 0 in_multi 69 5K 7K 166960K 926 0 ether_multi 2 0K 0K 166960K 55 0 mrt 1 0K 0K 166960K 32 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 79 360K 360K 166960K 79 0 exec 0 0K 1K 166960K 1736 0 pfkey data 0 0K 0K 166960K 15 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 343 205K 215K 166960K 51963 0 UVM aobj 131 7K 9K 166960K 146 0 pinsyscall 35 70K 108K 166960K 8605 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 1K 166960K 424 0 NDP 10 0K 1K 166960K 253 0 temp 76 6815K 7311K 166960K 141667 0 kqueue 13 20K 29K 166960K 691 0 SYN cache 2 16K 16K 166960K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 24 0 0 1 0 1 1 0 8 0 rtpcb 120 716 0 713 3 2 1 3 0 8 0 rtentry 112 872 0 796 6 3 3 4 0 8 0 unpcb 144 4351 0 4335 22 20 2 6 0 8 1 syncache 336 5 0 5 2 2 0 1 0 8 0 tcpqe 32 40 0 40 1 1 0 1 0 8 0 tcpcb 808 1896 0 1890 25 23 2 8 0 8 0 arp 120 174 0 158 1 0 1 1 0 8 0 inpcb 392 5852 0 5839 38 35 3 9 0 8 1 nd6 136 217 0 198 1 0 1 1 0 8 0 pkpcb 40 30 0 30 12 11 1 1 0 8 1 kcovpl 48 67 0 60 1 0 1 1 0 8 0 ppxss 1168 19 0 19 7 7 0 1 0 8 0 pffrag 232 25 0 20 3 2 1 1 0 482 0 pffrnode 88 25 0 20 3 2 1 1 0 8 0 pffrent 40 324 0 319 5 4 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfstitem 24 378 0 295 1 0 1 1 0 8 0 pfstkey 128 379 0 296 3 0 3 3 0 8 0 pfstate 376 379 0 296 9 0 9 9 0 8 0 pfrule 1344 21 0 16 2 1 1 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 3181 0 2881 57 38 19 30 0 8 0 art_table 32 3182 0 2881 7 3 4 4 0 8 0 art_node 16 861 0 798 1 0 1 1 0 8 0 sysvmsgpl 40 35 0 22 1 0 1 1 0 8 0 semupl 112 5 0 5 4 4 0 1 0 8 0 semapl 112 235 0 220 1 0 1 1 0 8 0 shmpl 112 143 0 15 4 0 4 4 0 8 0 dirhash 1024 115 0 98 3 0 3 3 0 8 0 dino2pl 256 9913 0 8384 97 0 97 97 0 8 0 ffsino 272 9913 0 8384 103 0 103 103 0 8 0 nchpl 144 17872 0 16145 67 0 67 67 0 8 0 uvmvnodes 80 6914 0 0 142 0 142 142 0 8 0 vnodes 216 6914 0 0 385 0 385 385 0 8 0 namei 1024 61788 0 61788 7 6 1 2 0 8 1 percpumem 16 155 0 110 1 0 1 1 0 8 0 vcpupl 2048 25 0 0 4 0 4 4 0 8 0 vmpool 696 40 0 15 3 0 3 3 0 8 0 kstatmem 264 242 0 222 3 1 2 3 0 8 0 scsiplug 72 15 0 15 5 4 1 1 0 8 1 scxspl 216 66756 0 66756 18 17 1 8 1 8 1 plimitpl 152 726 0 712 1 0 1 1 0 8 0 sigapl 424 6021 0 5954 11 2 9 9 0 8 0 futexpl 64 72022 0 72019 2 1 1 1 0 8 0 knotepl 120 555 0 0 11 0 11 11 0 8 0 kqueuepl 216 1335 0 1322 1 0 1 1 0 8 0 pipepl 320 879 0 854 3 0 3 3 0 8 0 fdescpl 496 5980 0 5954 5 0 5 5 0 8 0 filepl 152 34727 0 34501 37 24 13 16 0 8 2 lockfpl 104 1593 0 1589 1 0 1 1 0 8 0 lockfspl 48 653 0 649 1 0 1 1 0 8 0 sessionpl 144 94 0 80 1 0 1 1 0 8 0 pgrppl 48 238 0 224 1 0 1 1 0 8 0 ucredpl 104 5235 0 5224 1 0 1 1 0 8 0 zombiepl 144 5956 0 5954 4 3 1 1 0 8 0 processpl 1136 6021 0 5954 6 0 6 6 0 8 0 procpl 656 12511 0 12419 9 0 9 9 0 8 0 srpgc 96 101 0 101 13 13 0 1 0 8 0 sosppl 168 118 0 118 8 7 1 1 0 8 1 sockpl 568 11002 0 10971 45 41 4 13 0 8 1 mcl64k 65536 16 0 0 2 0 2 2 0 8 0 mcl16k 16384 8 0 0 1 0 1 1 0 8 0 mcl12k 12288 12 0 0 2 0 2 2 0 8 0 mcl9k 9216 7 0 0 1 0 1 1 0 8 0 mcl8k 8192 25 0 0 3 0 3 3 0 8 0 mcl4k 4096 32 0 0 3 0 3 3 0 8 0 mcl2k2 2112 11 0 0 1 0 1 1 0 8 0 mcl2k 2048 475 0 0 50 1 49 50 0 8 0 mtagpl 96 80 0 0 2 0 2 2 0 8 0 mbufpl 256 1268 0 0 62 0 62 62 0 8 0 bufpl 280 16332 0 9419 495 0 495 495 0 8 0 anonpl 24 758268 0 752036 154 87 67 93 0 186 0 amapchunkpl 152 163431 0 162754 82 50 32 40 0 158 1 amappl16 200 17038 0 16914 107 87 20 33 0 8 7 amappl15 192 15 0 15 3 3 0 1 0 8 0 amappl14 184 404 0 393 2 1 1 2 0 8 0 amappl13 176 17 0 17 3 2 1 1 0 8 1 amappl12 168 7626 0 7595 4 1 3 3 0 8 0 amappl11 160 64 0 53 1 0 1 1 0 8 0 amappl10 152 125 0 117 2 1 1 1 0 8 0 amappl9 144 396 0 396 7 7 0 1 0 8 0 amappl8 136 934 0 810 6 0 6 6 0 8 0 amappl7 128 180 0 161 1 0 1 1 0 8 0 amappl6 120 1186 0 1160 3 1 2 2 0 8 0 amappl5 112 482 0 470 1 0 1 1 0 8 0 amappl4 104 1264 0 1210 3 1 2 3 0 8 0 amappl3 96 31082 0 30999 3 0 3 3 0 8 0 amappl2 88 6919 0 6831 5 2 3 4 0 8 0 amappl1 80 34091 0 33604 23 10 13 23 0 8 0 amappl 88 50416 0 50208 6 0 6 6 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 145 0 15 3 0 3 3 0 8 0 uaddrrnd 24 6020 0 5969 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 6020 0 5969 1 0 1 1 0 8 0 vmmpekpl 168 43985 0 43910 4 0 4 4 0 8 0 vmmpepl 168 389068 0 387086 216 102 114 128 0 357 2 vmsppl 440 6019 0 5969 8 1 7 7 0 8 0 rwobjpl 56 100725 0 92464 132 10 122 122 0 8 3 pdppl 4096 12047 0 11963 376 286 90 95 0 8 6 pvpl 32 49258 0 0 399 1 398 398 0 265 0 pmappl 248 6019 0 5969 4 0 4 4 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 806 0 365 13 0 13 13 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x1c sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff8294fdae) at panic+0x17b sys/kern/subr_prf.c:198 __assert(ffffffff82909147,ffffffff828df3ea,13b,ffffffff828e89be) at __assert+0x29 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000e02800) at tun_clone_destroy+0x278 sys/net/if_tun.c:315 if_clone_destroy(ffff80002f8eee50) at if_clone_destroy+0x132 sys/net/if.c:1384 ifioctl(ffff800000e62b30,80206979,ffff80002f8eee50,ffff8000ffffcce0) at ifioctl+0x44b sys_ioctl(ffff8000ffffcce0,ffff80002f8ef030,ffff80002f8eef80) at sys_ioctl+0x4a9 syscall(ffff80002f8ef030) at syscall+0x8cf mi_syscall sys/sys/syscall_mi.h:180 [inline] syscall(ffff80002f8ef030) at syscall+0x8cf sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xb164cefe1a0, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1e: addq $0x8,%rsp x86_ipi_db(ffff800029cebff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82e627e0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82e627e0) at __mp_lock+0x122 sys/kern/kern_lock.c:147 syscall(ffff80002a1b8aa0) at syscall+0x83b mi_syscall sys/sys/syscall_mi.h:180 [inline] syscall(ffff80002a1b8aa0) at syscall+0x83b sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d5815299cc0, count: 9 ddb{1}> trace x86_ipi_db(ffff800029cebff0) at x86_ipi_db+0x1e sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff82e627e0) at __mp_lock+0x122 __mp_lock_spin sys/kern/kern_lock.c:116 [inline] __mp_lock(ffffffff82e627e0) at __mp_lock+0x122 sys/kern/kern_lock.c:147 syscall(ffff80002a1b8aa0) at syscall+0x83b mi_syscall sys/sys/syscall_mi.h:180 [inline] syscall(ffff80002a1b8aa0) at syscall+0x83b sys/arch/amd64/amd64/trap.c:577 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x7d5815299cc0, count: -6