panic: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *171350 52618 -1 0x10 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83430e1e) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df0e4,ffffffff8332f2db,3b7,ffffffff833e7e38) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9930b0,ffffffff8332c7dc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c9930a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,41,2000,ffff80003c95e038) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c9cdcc0) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a9981f8,41,fffffd8007bfb478,ffff80003c95e038) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c27ee18,ffff80003c95e038) at fdrop+0x126 sys/kern/kern_descrip.c:1267 closef(fffffd806c27ee18,ffff80003c95e038) at closef+0x18d sys/kern/kern_descrip.c:1251 syscall(ffff80003c9cdf20) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9cdf20) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x101b8006450, count: 2 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "refs != ~0" failed: file "/syzkaller/managers/main/kernel/sys/kern/kern_synch.c", line 951 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83430e1e) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df0e4,ffffffff8332f2db,3b7,ffffffff833e7e38) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9930b0,ffffffff8332c7dc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c9930a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,41,2000,ffff80003c95e038) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c9cdcc0) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a9981f8,41,fffffd8007bfb478,ffff80003c95e038) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c27ee18,ffff80003c95e038) at fdrop+0x126 sys/kern/kern_descrip.c:1267 closef(fffffd806c27ee18,ffff80003c95e038) at closef+0x18d sys/kern/kern_descrip.c:1251 syscall(ffff80003c9cdf20) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9cdf20) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x101b8006450, count: -13 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003c9cdaa0 rbx 0xffffffff82388620 pppxclose rdx 0 rcx 0 rax 0xffff80003c95e038 r8 0 r9 0x8080808080808080 r10 0x5fef4832c328c2e9 r11 0x8a7303dc96edaedc r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff82d07ac5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c9cda90 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=171350 pid=52618 tcnt=4 stat=onproc flags process=10 proc=4000000 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80003c95ed08,0xffff80003c95f9e8 process=0xffff8000ffff4db0 user=0xffff80003c9c8000, vmspace=0xfffffd806c42f178 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 71603 402126 34681 0 2 0 syz-executor 71603 39286 34681 0 3 0x4000080 kqpoll syz-executor 58486 376354 70940 0 2 0 syz-executor 58486 255179 70940 0 2 0x4000000 syz-executor 58486 412439 70940 0 3 0x4000080 fsleep syz-executor 52618 354697 62524 -1 2 0xc90 syz-executor 52618 393435 62524 -1 3 0x4000090 fsleep syz-executor *52618 171350 62524 -1 7 0x4000010 syz-executor 52618 204730 62524 -1 3 0x4000090 fsleep syz-executor 8182 442772 74163 -1 2 0x400c90 syz-executor 8182 148122 74163 -1 3 0x4400090 kqsel syz-executor 8182 173795 74163 -1 3 0x4400090 fsleep syz-executor 62372 514943 70266 0 2 0xc80 syz-executor 62372 163465 70266 0 3 0x4000080 kqpoll syz-executor 62372 433921 70266 0 3 0x4000080 fsleep syz-executor 37196 378032 42295 -1 2 0xc90 syz-executor 37196 12811 42295 -1 3 0x4000090 kqsel syz-executor 37196 226213 42295 -1 3 0x4000090 fsleep syz-executor 37196 135572 42295 -1 3 0x4000090 fsleep syz-executor 41810 127949 0 0 3 0x14200 acct acct 66107 371165 0 0 3 0x14280 nfsidl nfsio 30086 79911 0 0 3 0x14280 nfsidl nfsio 2844 165560 0 0 3 0x14280 nfsidl nfsio 53300 478256 0 0 3 0x14280 nfsidl nfsio 71983 383021 0 0 3 0x14280 nfsidl nfsio 88662 137849 0 0 3 0x14280 nfsidl nfsio 82332 15492 0 0 3 0x14280 nfsidl nfsio 30021 330141 0 0 3 0x14280 nfsidl nfsio 11401 366899 0 0 3 0x14280 nfsidl nfsio 75191 495312 0 0 3 0x14280 nfsidl nfsio 75027 345087 0 0 3 0x14280 nfsidl nfsio 25531 400554 0 0 3 0x14280 nfsidl nfsio 22510 175007 0 0 3 0x14280 nfsidl nfsio 5013 471069 0 0 3 0x14280 nfsidl nfsio 5268 386332 0 0 3 0x14280 nfsidl nfsio 8138 301260 0 0 3 0x14280 nfsidl nfsio 35198 43575 0 0 3 0x14280 nfsidl nfsio 35554 213674 0 0 3 0x14280 nfsidl nfsio 79224 419567 0 0 3 0x14280 nfsidl nfsio 43324 475470 0 0 3 0x14280 nfsidl nfsio 38048 122333 1 0 3 0x100083 ttyin getty 53718 72645 0 0 3 0x14200 bored sosplice 42295 303006 81941 0 2 0xc82 syz-executor 70940 36127 81941 0 2 0xc82 syz-executor 17779 313169 81941 0 2 0x2 syz-executor 34681 81397 81941 0 2 0xc82 syz-executor 70266 14524 81941 0 2 0xc82 syz-executor 62524 380355 81941 0 2 0xc82 syz-executor 41189 481300 81941 0 2 0xc82 syz-executor 74163 437419 81941 0 2 0xc82 syz-executor 81941 442697 57465 0 3 0x82 kqread syz-executor 57465 323462 42848 0 3 0x10008a sigsusp ksh 42848 209195 30849 0 3 0x98 kqread sshd-session 30849 162317 1338 0 3 0x92 kqread sshd-session 1338 18180 1 0 3 0x88 kqread sshd 51042 337712 52381 73 2 0x1100010 syslogd 52381 65769 1 0 3 0x100082 sbwait syslogd 57623 222861 1 0 3 0x100080 kqread resolvd 75923 94193 76967 77 2 0x100012 dhcpleased 7049 221509 76967 77 3 0x100092 kqread dhcpleased 76967 222058 1 0 3 0x80 kqread dhcpleased 41182 414855 0 0 3 0x14200 bored smr 82056 440881 0 0 2 0x14200 zerothread 25517 236129 0 0 3 0x14200 aiodoned aiodoned 80892 445525 0 0 3 0x14200 syncer update 79186 1649 0 0 3 0x14200 cleaner cleaner 66496 345468 0 0 3 0x14200 reaper reaper 42428 216618 0 0 3 0x14200 pgdaemon pagedaemon 85949 71469 0 0 3 0x14200 bored viomb 92863 387755 0 0 3 0x40014200 acpi0 acpi0 64183 197732 0 0 3 0x14200 bored softnet3 71099 101031 0 0 3 0x14200 bored softnet2 44195 486441 0 0 3 0x14200 bored softnet1 90912 362017 0 0 2 0x14200 softnet0 55159 247487 0 0 3 0x14200 bored systqmp 42330 522219 0 0 3 0x14200 bored systq 77531 42195 0 0 3 0x40014200 tmoslp softclock 9737 263900 0 0 3 0x40014200 idle0 1 516361 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10228 11122K 11576K 166960K 12520 0 pcb 17 12K 12K 166960K 99 0 rtable 154 6K 7K 166960K 427 0 pf 31 13K 21K 166960K 80 0 ifaddr 32 5K 7K 166960K 78 0 ifgroup 50 2K 2K 166960K 116 0 sysctl 2 1K 9K 166960K 6 0 counters 33 17K 18K 166960K 130 0 ioctlops 0 0K 4K 166960K 149 0 iov 0 0K 16K 166960K 39 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1402 88K 88K 166960K 1926 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 3 5K 9K 166960K 18 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 14 0 dirhash 12 2K 2K 166960K 21 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 240K 166960K 651 0 sigio 0 0K 0K 166960K 74 0 proc 60 59K 124K 166960K 552 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 376 0 in_multi 59 4K 7K 166960K 119 0 ether_multi 1 0K 0K 166960K 2 0 mrt 0 0K 0K 166960K 3 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 265 1182K 1182K 166960K 265 0 exec 0 0K 1K 166960K 466 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 231 143K 157K 166960K 7165 0 UVM aobj 8 2K 2K 166960K 8 0 pinsyscall 38 76K 96K 166960K 1664 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 29 0 NDP 11 0K 2K 166960K 49 0 temp 52 8681K 8746K 166960K 24312 0 kqueue 18 30K 30K 166960K 130 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 77 0 74 1 0 1 1 0 8 0 rtentry 136 130 0 66 4 0 4 4 0 8 0 unpcb 144 321 0 306 2 0 2 2 0 8 1 syncache 336 3 0 3 1 0 1 1 0 8 1 tcpcb 808 187 0 148 5 0 5 5 0 8 0 arp 88 22 0 9 1 0 1 1 0 8 0 ipq 40 2 0 0 1 0 1 1 0 8 0 ipqe 40 5 0 3 1 0 1 1 0 8 0 inpcb 328 624 0 577 7 0 7 7 0 8 2 nd6 104 27 0 13 1 0 1 1 0 8 0 pkpcb 40 10 0 10 1 0 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 89 0 88 1 0 1 1 0 8 0 pppxif 1384 71 0 70 1 0 1 1 0 8 0 pfstscr 40 1 0 1 1 0 1 1 0 8 1 pfstkey 128 2 0 2 1 0 1 1 0 8 1 pfstate 384 1 0 1 1 0 1 1 0 8 1 art_heap8 4096 2 0 0 2 0 2 2 0 8 0 art_heap4 256 544 0 250 29 0 29 29 0 8 8 art_table 32 546 0 250 4 0 4 4 0 8 0 art_node 16 127 0 70 1 0 1 1 0 8 0 sysvmsgpl 40 6 0 5 1 0 1 1 0 8 0 semapl 112 11 0 1 1 0 1 1 0 8 0 shmpl 112 5 0 0 1 0 1 1 0 8 0 dirhash 1024 24 0 7 3 0 3 3 0 8 0 dino2pl 256 2474 0 975 95 0 95 95 0 8 0 ffsino 248 2474 0 975 95 0 95 95 0 8 0 nchpl 144 3399 0 1714 63 0 63 63 0 8 0 rtmask 32 2 0 2 1 0 1 1 0 8 1 uvmvnodes 80 2978 0 0 61 0 61 61 0 8 0 vnodes 216 2978 0 0 166 0 166 166 0 8 0 namei 1024 12013 0 12013 2 0 2 2 0 8 2 kstatmem 264 66 0 44 2 0 2 2 0 8 0 acpiwqpl 32 1 0 1 1 0 1 1 1 8 1 scsiplug 72 2 0 2 1 0 1 1 0 8 1 scxspl 216 10762 0 10762 8 0 8 8 1 8 8 plimitpl 152 169 0 150 1 0 1 1 0 8 0 sigapl 424 939 0 872 8 0 8 8 0 8 0 knotepl 120 31146 0 30848 16 0 16 16 0 8 6 kqueuepl 184 195 0 176 1 0 1 1 0 8 0 pipepl 296 277 0 248 10 0 10 10 0 8 7 fdescpl 440 900 0 871 5 0 5 5 0 8 1 filepl 120 5604 0 5338 15 0 15 15 0 8 6 lockfpl 104 150 0 147 1 0 1 1 0 8 0 lockfspl 48 58 0 55 1 0 1 1 0 8 0 sessionpl 144 22 0 14 1 0 1 1 0 8 0 pgrppl 48 33 0 17 1 0 1 1 0 8 0 ucredpl 104 811 0 796 1 0 1 1 0 8 0 zombiepl 144 873 0 872 1 0 1 1 0 8 0 processpl 1160 939 0 872 5 0 5 5 0 8 0 procpl 656 1733 0 1653 8 0 8 8 0 8 0 sosppl 168 6 0 5 1 0 1 1 0 8 0 sockpl 528 1052 0 985 8 0 8 8 0 8 3 mcl64k 65536 51 0 50 1 0 1 1 0 8 0 mcl16k 16384 3 0 3 1 0 1 1 0 8 1 mcl9k 9216 2 0 2 1 0 1 1 0 8 1 mcl8k 8192 10 0 10 1 0 1 1 0 8 1 mcl4k 4096 3107 0 3058 14 0 14 14 0 8 7 mcl2k2 2112 1 0 1 1 0 1 1 0 8 1 mcl2k 2048 787 0 741 6 0 6 6 0 8 0 mtagpl 96 93 0 18 2 0 2 2 0 8 0 mbufpl 256 10511 0 10299 22 0 22 22 0 8 7 bufpl 280 3275 0 121 226 0 226 226 0 8 0 anonpl 24 148144 0 144882 45 0 45 45 0 187 19 amapchunkpl 152 23485 0 22990 32 0 32 32 0 158 11 amappl16 200 2877 0 2840 25 15 10 15 0 8 8 amappl15 192 9 0 9 1 0 1 1 0 8 1 amappl14 184 102 0 92 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 0 1 1 0 8 1 amappl12 168 1506 0 1477 3 0 3 3 0 8 1 amappl11 160 52 0 42 1 0 1 1 0 8 0 amappl10 152 14 0 12 1 0 1 1 0 8 0 amappl9 144 273 0 273 1 0 1 1 0 8 1 amappl8 136 25 0 24 1 0 1 1 0 8 0 amappl7 128 110 0 100 1 0 1 1 0 8 0 amappl6 120 165 0 162 1 0 1 1 0 8 0 amappl5 112 117 0 111 1 0 1 1 0 8 0 amappl4 104 284 0 267 1 0 1 1 0 8 0 amappl3 96 4499 0 4387 4 0 4 4 0 8 1 amappl2 88 630 0 574 2 0 2 2 0 8 0 amappl1 80 9860 0 9309 13 0 13 13 0 8 1 amappl 88 6419 0 6250 5 0 5 5 0 92 1 dma4096 4096 1 0 1 1 0 1 1 0 8 1 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 0 1 1 0 8 1 dma128 128 253 0 253 1 0 1 1 0 8 1 dma64 64 6 0 6 1 0 1 1 0 8 1 dma32 32 7 0 7 1 0 1 1 0 8 1 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 7 0 0 1 0 1 1 0 8 0 uaddrrnd 24 900 0 871 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 900 0 871 1 0 1 1 0 8 0 vmmpekpl 168 8896 0 8854 3 0 3 3 0 8 0 vmmpepl 168 61329 0 59444 94 0 94 94 0 357 9 vmsppl 360 899 0 871 4 0 4 4 0 8 1 rwobjpl 32 20688 0 16838 32 0 32 32 0 8 0 pdppl 4096 1806 0 1742 98 32 66 82 0 8 2 pvpl 32 400446 0 391547 115 0 115 115 0 265 35 pmappl 216 899 0 871 3 0 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 283 0 32 8 0 8 8 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83430e1e) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df0e4,ffffffff8332f2db,3b7,ffffffff833e7e38) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9930b0,ffffffff8332c7dc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c9930a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,41,2000,ffff80003c95e038) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c9cdcc0) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a9981f8,41,fffffd8007bfb478,ffff80003c95e038) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c27ee18,ffff80003c95e038) at fdrop+0x126 sys/kern/kern_descrip.c:1267 closef(fffffd806c27ee18,ffff80003c95e038) at closef+0x18d sys/kern/kern_descrip.c:1251 syscall(ffff80003c9cdf20) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9cdf20) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x101b8006450, count: -13 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff83430e1e) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff833df0e4,ffffffff8332f2db,3b7,ffffffff833e7e38) at __assert+0x29 sys/kern/subr_prf.c:-1 refcnt_finalize(ffff80003c9930b0,ffffffff8332c7dc) at refcnt_finalize+0x1c8 sys/kern/kern_synch.c:952 pppx_if_destroy(0,ffff80003c9930a8) at pppx_if_destroy+0x3d sys/net/if_pppx.c:806 pppxclose(205b92,41,2000,ffff80003c95e038) at pppxclose+0xa0 sys/net/if_pppx.c:553 spec_close(ffff80003c9cdcc0) at spec_close+0x412 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806a9981f8,41,fffffd8007bfb478,ffff80003c95e038) at VOP_CLOSE+0x12a sys/kern/vfs_vops.c:156 vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806c27ee18,ffff80003c95e038) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806c27ee18,ffff80003c95e038) at fdrop+0x126 sys/kern/kern_descrip.c:1267 closef(fffffd806c27ee18,ffff80003c95e038) at closef+0x18d sys/kern/kern_descrip.c:1251 syscall(ffff80003c9cdf20) at syscall+0x97e mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003c9cdf20) at syscall+0x97e sys/arch/amd64/amd64/trap.c:579 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x101b8006450, count: -13