panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 315 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *288021 81973 0 0 0x4000000 0 syz-executor.1 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722f34) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c78,ffffffff827d347f,13b,ffffffff827b3ae6) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d39000) at tun_clone_destroy+0x234 sys/net/if_tun.c:315 if_clone_destroy(ffff80002e8b72f0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff8000216deb08,ffff80002e8b7408,ffff80002e8b7450) at sys_ioctl+0x49e syscall(ffff80002e8b74d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:625 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa9ddc4ec830, count: 7 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/main/kernel/sys/net/if_tun.c", line 315 ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722f34) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c78,ffffffff827d347f,13b,ffffffff827b3ae6) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d39000) at tun_clone_destroy+0x234 sys/net/if_tun.c:315 if_clone_destroy(ffff80002e8b72f0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff8000216deb08,ffff80002e8b7408,ffff80002e8b7450) at sys_ioctl+0x49e syscall(ffff80002e8b74d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:625 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa9ddc4ec830, count: -8 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80002e8b7180 rbx 0x80206979 __kernel_virt_to_phys+0x206979 rdx 0xffff800000cf3980 rcx 0 rax 0xffff8000216deb08 r8 0 r9 0x8080808080808080 r10 0xa4a020b32f4e8117 r11 0x372f6c7e323e96ff r12 0 r13 0 r14 0 r15 0x1 rip 0xffffffff81a69eb8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002e8b7170 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-executor.1) pid=288021 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=83, nice=20 forw=0xffffffffffffffff, list=0xffff80002ce482f8,0xffffffff82cf3498 process=0xffff800021703b90 user=0xffff80002e8b2000, vmspace=0xfffffd8070b2e410 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 81973 19086 51863 0 2 0 syz-executor.1 *81973 288021 51863 0 7 0x4000000 syz-executor.1 32117 221451 89489 0 2 0x482 syz-executor.2 26667 347935 89489 0 2 0x482 syz-executor.5 17464 27634 89489 0 2 0x482 syz-executor.0 15158 148643 89489 0 2 0x482 syz-executor.3 87760 449538 0 0 3 0x14280 nfsidl nfsio 51846 112981 0 0 3 0x14280 nfsidl nfsio 44075 178649 0 0 3 0x14280 nfsidl nfsio 96728 231226 0 0 3 0x14280 nfsidl nfsio 92509 500443 0 0 3 0x14280 nfsidl nfsio 10672 32491 0 0 3 0x14280 nfsidl nfsio 5561 469016 0 0 3 0x14280 nfsidl nfsio 80680 288826 0 0 3 0x14280 nfsidl nfsio 94687 47017 0 0 3 0x14280 nfsidl nfsio 80659 49603 0 0 3 0x14280 nfsidl nfsio 80994 407635 0 0 3 0x14280 nfsidl nfsio 99069 405884 0 0 3 0x14280 nfsidl nfsio 90378 519121 0 0 3 0x14280 nfsidl nfsio 84017 416185 0 0 3 0x14280 nfsidl nfsio 61511 136412 0 0 3 0x14280 nfsidl nfsio 96671 313608 0 0 3 0x14280 nfsidl nfsio 34084 301123 0 0 3 0x14280 nfsidl nfsio 96409 384797 0 0 3 0x14280 nfsidl nfsio 33585 285162 0 0 3 0x14280 nfsidl nfsio 52745 326487 0 0 3 0x14280 nfsidl nfsio 32275 309532 89489 0 2 0x482 syz-executor.4 23705 366590 89489 0 2 0x482 syz-executor.7 51863 255763 89489 0 2 0x482 syz-executor.1 56907 287446 89489 0 2 0x482 syz-executor.6 29282 87016 1 0 3 0x100083 ttyin getty 43962 183188 0 0 3 0x14200 bored sosplice 89489 289287 51061 0 3 0x82 kqread syz-fuzzer 89489 395871 51061 0 3 0x4000082 thrsleep syz-fuzzer 89489 474172 51061 0 3 0x4000082 wait syz-fuzzer 89489 111642 51061 0 3 0x4000082 thrsleep syz-fuzzer 89489 486086 51061 0 3 0x4000082 wait syz-fuzzer 89489 210931 51061 0 3 0x4000082 wait syz-fuzzer 89489 157404 51061 0 3 0x4000082 thrsleep syz-fuzzer 89489 102649 51061 0 3 0x4000082 wait syz-fuzzer 89489 89819 51061 0 3 0x4000082 wait syz-fuzzer 89489 323851 51061 0 3 0x4000082 thrsleep syz-fuzzer 89489 374765 51061 0 3 0x4000082 wait syz-fuzzer 89489 368150 51061 0 3 0x4000082 wait syz-fuzzer 89489 56804 51061 0 3 0x4000082 thrsleep syz-fuzzer 89489 394995 51061 0 3 0x4000082 wait syz-fuzzer 51061 504112 38991 0 3 0x10008a sigsusp ksh 38991 403168 91998 0 3 0x9a kqread sshd 91998 440576 1 0 3 0x88 kqread sshd 30955 142456 37410 73 3 0x1100090 kqread syslogd 37410 243985 1 0 3 0x100082 netio syslogd 60913 511316 1 0 3 0x100080 kqread resolvd 82559 473794 0 0 3 0x14200 bored smr 4571 170438 0 0 2 0x14200 zerothread 67457 429541 0 0 3 0x14200 aiodoned aiodoned 66124 77870 0 0 3 0x14200 syncer update 89852 220564 0 0 3 0x14200 cleaner cleaner 82665 315529 0 0 3 0x14200 reaper reaper 26508 459825 0 0 3 0x14200 pgdaemon pagedaemon 45013 227758 0 0 3 0x14200 bored viomb 78293 380961 0 0 3 0x40014200 acpi0 acpi0 4242 222187 0 0 3 0x14200 bored softnet 22826 391685 0 0 3 0x14200 bored softnet 70746 269834 0 0 3 0x14200 bored softnet 69755 184392 0 0 3 0x14200 bored softnet 2401 137653 0 0 3 0x14200 bored systqmp 32034 349293 0 0 3 0x14200 bored systq 6100 89596 0 0 2 0x40014200 softclock 72094 416020 0 0 3 0x40014200 idle0 1 284747 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10205 6416K 6745K 78643K 13369 0 pcb 13 22K 26K 78643K 1187 0 rtable 168 15K 16K 78643K 2071 0 ifaddr 71 21K 25K 78643K 746 0 sysctl 2 0K 2K 78643K 8 0 counters 27 17K 17K 78643K 325 0 ioctlops 0 0K 4K 78643K 1423 0 iov 0 0K 32K 78643K 535 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 4 0 vnodes 1349 84K 84K 78643K 5102 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 9K 78643K 83 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 1225 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 11 37K 77K 78643K 7208 0 sigio 0 0K 0K 78643K 227 0 proc 58 43K 83K 78643K 1745 0 subproc 104 6K 7K 78643K 654 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 759 0 in_multi 60 4K 6K 78643K 649 0 ether_multi 1 0K 0K 78643K 40 0 mrt 1 0K 0K 78643K 50 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 169 758K 758K 78643K 169 0 exec 0 0K 1K 78643K 1825 0 pfkey data 0 0K 0K 78643K 9 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 8 62K 64K 78643K 10 0 UVM amap 260 90K 103K 78643K 45741 0 UVM aobj 131 9K 9K 78643K 134 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 182 0 NDP 12 0K 1K 78643K 262 0 temp 128 5770K 5850K 78643K 52757 0 kqueue 6 10K 26K 78643K 546 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 574 0 573 6 5 1 3 0 8 0 rtentry 112 650 0 582 4 1 3 4 0 8 0 unpcb 144 5020 0 5014 61 59 2 8 0 8 1 syncache 296 20 0 20 5 5 0 1 0 8 0 tcpqe 32 180 0 180 6 6 0 1 0 8 0 tcpcb 776 3899 0 3888 61 53 8 8 0 8 6 arp 88 101 0 90 1 0 1 1 0 8 0 ipq 40 6 0 6 3 3 0 1 0 8 0 ipqe 40 16 0 16 3 3 0 1 0 8 0 inpcb 336 21664 0 21657 165 152 13 23 0 8 12 nd6 48 154 0 138 1 0 1 1 0 8 0 pkpcb 40 111 0 111 5 5 0 1 0 8 0 kcovpl 48 50 0 42 1 0 1 1 0 8 0 mppekey 1024 97 0 97 3 3 0 1 0 8 0 ppxss 1160 198 0 198 12 12 0 1 0 8 0 pppxif 1360 104 0 104 5 5 0 1 0 8 0 pfstscr 40 11 0 5 1 0 1 1 0 8 0 pfosfp 40 7 0 6 1 0 1 1 0 8 0 pfosfpen 112 7 0 6 1 0 1 1 0 8 0 pfanchor 1280 400 0 199 21 3 18 21 0 8 0 pfqueue 264 73 0 73 3 3 0 1 0 8 0 pfstitem 24 6 0 0 1 0 1 1 0 8 0 pfstkey 128 14 0 12 1 0 1 1 0 8 0 pfstate 352 7 0 4 1 0 1 1 0 8 0 rttmr 136 10 0 10 2 2 0 1 0 8 0 art_heap8 4096 8 0 6 6 4 2 3 0 8 0 art_heap4 256 2767 0 2458 37 17 20 29 0 8 0 art_table 32 2775 0 2464 4 1 3 4 0 8 0 art_node 16 642 0 584 1 0 1 1 0 8 0 sysvmsgpl 40 67 0 67 1 1 0 1 0 8 0 semapl 112 1223 0 1213 1 0 1 1 0 8 0 shmpl 112 131 0 3 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 11384 0 9957 90 0 90 90 0 8 0 ffsino 240 11384 0 9957 85 0 85 85 0 8 0 nchpl 144 20341 0 18705 63 0 63 63 0 8 0 rtmask 32 9 0 9 3 3 0 1 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 75177 0 75177 8 7 1 3 0 8 1 vmpool 664 52 0 52 7 7 0 1 0 8 0 kstatmem 264 320 0 296 8 6 2 3 0 8 0 scsiplug 72 20 0 20 5 5 0 1 0 8 0 scxspl 216 58591 0 58591 17 16 1 8 0 8 1 plimitpl 152 1074 0 1060 1 0 1 1 0 8 0 sigapl 424 7460 0 7397 10 2 8 8 0 8 0 futexpl 64 81933 0 81933 4 3 1 1 0 8 1 knotepl 120 88991 0 88927 61 58 3 12 0 8 0 kqueuepl 184 1281 0 1276 13 12 1 4 0 8 0 pipepl 288 1360 0 1332 27 24 3 7 0 8 0 fdescpl 432 7402 0 7383 4 0 4 4 0 8 0 filepl 120 65288 0 65070 87 76 11 17 0 8 3 lockfpl 104 1642 0 1641 4 3 1 2 0 8 0 lockfspl 48 409 0 408 1 0 1 1 0 8 0 sessionpl 144 63 0 48 1 0 1 1 0 8 0 pgrppl 48 103 0 88 1 0 1 1 0 8 0 ucredpl 104 11689 0 11677 1 0 1 1 0 8 0 zombiepl 144 7404 0 7397 2 1 1 1 0 8 0 processpl 1008 7460 0 7397 12 4 8 9 0 8 0 procpl 696 17249 0 17172 19 10 9 10 0 8 1 sosppl 168 28 0 28 6 5 1 1 0 8 1 sockpl 456 27457 0 27443 501 481 20 44 0 8 18 mcl64k 65536 327 0 327 15 14 1 1 0 8 1 mcl16k 16384 156 0 156 14 13 1 1 0 8 1 mcl12k 12288 206 0 206 12 12 0 1 0 8 0 mcl9k 9216 96 0 96 17 17 0 1 0 8 0 mcl8k 8192 557 0 557 11 10 1 1 0 8 1 mcl4k 4096 676 0 676 9 8 1 1 0 8 1 mcl2k2 2112 35 0 35 15 14 1 1 0 8 1 mcl2k 2048 91393 0 91349 47 40 7 29 0 8 1 mtagpl 96 42 0 42 2 2 0 1 0 8 0 mbufpl 256 243736 0 243639 536 527 9 111 0 8 0 bufpl 288 14682 0 8288 459 1 458 458 0 8 0 anonpl 24 1371331 0 1353832 173 53 120 142 0 188 0 amapchunkpl 152 129554 0 128936 86 57 29 39 0 158 0 amappl16 200 11444 0 10796 61 25 36 46 0 8 0 amappl15 192 6 0 6 2 2 0 1 0 8 0 amappl14 184 308 0 299 2 1 1 2 0 8 0 amappl13 176 7 0 7 2 2 0 1 0 8 0 amappl12 168 867 0 865 1 0 1 1 0 8 0 amappl11 160 46 0 42 1 0 1 1 0 8 0 amappl10 152 77 0 65 1 0 1 1 0 8 0 amappl9 144 1029 0 1028 2 1 1 1 0 8 0 amappl8 136 368 0 301 5 2 3 3 0 8 0 amappl7 128 248 0 224 2 0 2 2 0 8 0 amappl6 120 377 0 365 2 1 1 2 0 8 0 amappl5 112 383 0 379 1 0 1 1 0 8 0 amappl4 104 911 0 886 2 1 1 2 0 8 0 amappl3 96 19993 0 19960 2 0 2 2 0 8 0 amappl2 88 8231 0 8183 3 0 3 3 0 8 0 amappl1 80 164259 0 163755 29 14 15 26 0 8 0 amappl 88 44831 0 44686 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 133 0 3 3 0 3 3 0 8 0 uaddrrnd 24 7454 0 7435 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 7454 0 7435 1 0 1 1 0 8 0 vmmpekpl 168 52942 0 52891 3 0 3 3 0 8 0 vmmpepl 168 685308 0 683189 286 163 123 156 0 357 4 vmsppl 344 7453 0 7435 3 0 3 3 0 8 0 rwobjpl 24 172280 0 164717 48 1 47 48 0 8 0 pdppl 4096 14914 0 14870 493 435 58 70 0 8 14 pvpl 32 2865585 0 2843471 468 268 200 334 0 265 0 pmappl 216 7453 0 7435 2 0 2 2 0 8 0 extentpl 40 56 0 38 1 0 1 1 0 8 0 phpool 112 2016 0 1262 26 2 24 25 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722f34) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c78,ffffffff827d347f,13b,ffffffff827b3ae6) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d39000) at tun_clone_destroy+0x234 sys/net/if_tun.c:315 if_clone_destroy(ffff80002e8b72f0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff8000216deb08,ffff80002e8b7408,ffff80002e8b7450) at sys_ioctl+0x49e syscall(ffff80002e8b74d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:625 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa9ddc4ec830, count: -8 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437 panic(ffffffff82722f34) at panic+0x161 sys/kern/subr_prf.c:198 __assert(ffffffff827a0c78,ffffffff827d347f,13b,ffffffff827b3ae6) at __assert+0x25 sys/kern/subr_prf.c:157 tun_clone_destroy(ffff800000d39000) at tun_clone_destroy+0x234 sys/net/if_tun.c:315 if_clone_destroy(ffff80002e8b72f0) at if_clone_destroy+0x132 sys/net/if.c:1247 sys_ioctl(ffff8000216deb08,ffff80002e8b7408,ffff80002e8b7450) at sys_ioctl+0x49e syscall(ffff80002e8b74d0) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:625 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xa9ddc4ec830, count: -8