panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 316
Stopped at db_enter+0x25: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
396041 47565 0 0 0 0 syz-executor
*172906 54880 0 0x2 0 1K ifconfig
db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438
panic(ffffffff8346880f) at panic+0x1e5 sys/kern/subr_prf.c:198
__assert(ffffffff83418c4c,ffffffff833e80a6,13c,ffffffff833f22dd) at __assert+0x29 sys/kern/subr_prf.c:-1
tun_clone_destroy(ffff800001418800) at tun_clone_destroy+0x38a sys/net/if_tun.c:316
if_clone_destroy(ffff80003c44f4f0) at if_clone_destroy+0x1d7 sys/net/if.c:1389
ifioctl(ffff8000017b4980,80206979,ffff80003c44f4f0,ffff80002a36f4c0) at ifioctl+0x5c5 sys/net/if.c:-1
sys_ioctl(ffff80002a36f4c0,ffff80003c44f6d0,ffff80003c44f620) at sys_ioctl+0x5c3 sys/kern/sys_generic.c:-1
syscall(ffff80003c44f6d0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80003c44f6d0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:748
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x75fc71507d30, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic *cpu1: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 316 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8346880f) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83418c4c,ffffffff833e80a6,13c,ffffffff833f22dd) at __assert+0x29 sys/kern/subr_prf.c:-1 tun_clone_destroy(ffff800001418800) at tun_clone_destroy+0x38a sys/net/if_tun.c:316 if_clone_destroy(ffff80003c44f4f0) at if_clone_destroy+0x1d7 sys/net/if.c:1389 ifioctl(ffff8000017b4980,80206979,ffff80003c44f4f0,ffff80002a36f4c0) at ifioctl+0x5c5 sys/net/if.c:-1 sys_ioctl(ffff80002a36f4c0,ffff80003c44f6d0,ffff80003c44f620) at sys_ioctl+0x5c3 sys/kern/sys_generic.c:-1 syscall(ffff80003c44f6d0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c44f6d0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fc71507d30, count: -9 ddb{1}> show registers rdi 0 rsi 0x1 rbp 0xffff80003c44f2a0 rbx 0xffff8000299deddf rdx 0 rcx 0xffff80002a36f4c0 rax 0xffff8000299ddff0 r8 0x101010101010101 r9 0x8080808080808080 r10 0xa602ad397e7c18fd r11 0xb3e63d327611c722 r12 0xffff8000299debe0 r13 0 r14 0 r15 0x1 rip 0xffffffff828dc1f5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003c44f290 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb{1}> show proc PROC (ifconfig) tid=172906 pid=54880 tcnt=1 stat=onproc flags process=2 proc=0 runpri=32, usrpri=86, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a36ea80,0xffff80002a36ed20 process=0xffff80002b41a248 user=0xffff80003c44a000, vmspace=0xfffffd806b1869a0 estcpu=36, cpticks=2, pctcpu=0.0, user=0, sys=2, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 47565 396041 56595 0 7 0 syz-executor 47565 432587 56595 0 2 0x4000000 syz-executor 28344 467016 
37785 -1 2 0x10 syz-executor 28344 450123 37785 -1 2 0x4000010 syz-executor 28344 139072 37785 -1 3 0x4000090 fsleep syz-executor *54880 172906 74378 0 7 0x2 ifconfig 74378 163100 6798 0 3 0x10008a sigsusp sh 56156 414055 20385 0 2 0 syz-executor 56156 447405 20385 0 2 0x4000000 syz-executor 78499 188863 53592 0 2 0 syz-executor 78499 290033 53592 0 3 0x4000080 fsleep syz-executor 78499 107367 53592 0 2 0x4000000 syz-executor 28335 405480 56600 0 2 0 syz-executor 28335 88903 56600 0 3 0x4000080 fsleep syz-executor 28335 220896 56600 0 3 0x4000080 fsleep syz-executor 59540 419513 28744 0 3 0x80 nanoslp syz-executor 59540 186465 28744 0 2 0x4000000 syz-executor 59540 11582 28744 0 3 0x4000080 fsleep syz-executor 42725 281723 40370 0 2 0 syz-executor 42725 522437 40370 0 3 0x4000080 kqread syz-executor 42725 114455 40370 0 3 0x4000080 fsleep syz-executor 42725 57476 40370 0 2 0x4000000 syz-executor 6798 87292 21107 0 3 0x82 wait syz-executor 16655 352510 1 0 3 0x80 nanoslp init 40370 324153 21107 0 3 0x82 nanoslp syz-executor 28744 35581 21107 0 3 0x82 nanoslp syz-executor 37785 193435 21107 0 3 0x82 nanoslp syz-executor 20385 28565 21107 0 2 0x2 syz-executor 56595 226250 21107 0 3 0x82 nanoslp syz-executor 16739 186202 0 0 3 0x14200 bored sosplice 56600 198055 21107 0 3 0x82 nanoslp syz-executor 53592 136691 21107 0 3 0x82 nanoslp syz-executor 21107 192934 35454 0 3 0x82 kqread syz-executor 35454 155697 40739 0 3 0x10008a sigsusp ksh 40739 33197 44081 0 3 0x98 kqread sshd-session 44081 463615 27923 0 3 0x92 kqread sshd-session 27923 317963 1 0 3 0x88 kqread sshd 9327 26618 64480 74 3 0x1100092 bpf pflogd 64480 12311 1 0 3 0x80 sbwait pflogd 58912 256783 25232 73 3 0x1100090 kqread syslogd 25232 386486 1 0 3 0x100082 sbwait syslogd 62464 130516 1 0 3 0x100080 kqread resolvd 57565 491683 32048 77 3 0x100092 kqread dhcpleased 59066 337874 32048 77 3 0x100092 kqread dhcpleased 32048 33899 1 0 3 0x80 kqread dhcpleased 58974 446420 0 0 3 0x14200 bored smr 7578 262050 0 0 2 
0x14200 zerothread 21439 234944 0 0 3 0x14200 aiodoned aiodoned 53365 397121 0 0 3 0x14200 syncer update 5741 261542 0 0 3 0x14200 cleaner cleaner 5307 462741 0 0 3 0x14200 reaper reaper 89896 311513 0 0 3 0x14200 pgdaemon pagedaemon 45797 136367 0 0 3 0x14200 bored viomb 40850 185016 0 0 3 0x40014200 acpi0 acpi0 67544 116848 0 0 3 0x40014200 idle1 40619 459052 0 0 3 0x14200 bored softnet7 3382 330332 0 0 3 0x14200 bored softnet6 23096 312578 0 0 3 0x14200 bored softnet5 98865 214786 0 0 3 0x14200 bored softnet4 57969 82826 0 0 3 0x14200 bored softnet3 78761 490812 0 0 3 0x14200 bored softnet2 58090 81156 0 0 3 0x14200 bored softnet1 85029 121232 0 0 3 0x14200 bored softnet0 71724 274064 0 0 3 0x14200 bored systqmp 94864 121921 0 0 3 0x14200 bored systq 49916 371015 0 0 3 0x14200 tmoslp softclockmp 96672 265731 0 0 3 0x40014200 tmoslp softclock 61418 147797 0 0 3 0x40014200 idle0 1 523617 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb{1}> show all locks Process 47565 (syz-executor) thread 0xffff80002a333c68 (432587) Process 28344 (syz-executor) thread 0xffff80002a36f750 (450123) Process 54880 (ifconfig) thread 0xffff80002a36f4c0 (172906) Process 78499 (syz-executor) thread 0xffff80002a3339d8 (107367) Process 59540 (syz-executor) thread 0xffff80002a3322c8 (186465) ddb{1}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10224 11162K 13786K 166960K 14652 0 pcb 18 18K 20K 166960K 412 0 rtable 184 11K 13K 166960K 806 0 pf 38 18K 67486K 166960K 256 0 ifaddr 34 6K 9K 166960K 164 0 ifgroup 51 2K 2K 166960K 282 0 sysctl 3 1K 9K 166960K 16 0 counters 66 36K 37K 166960K 280 0 ioctlops 0 0K 8K 166960K 1762 0 iov 0 0K 20K 166960K 120 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1586 100K 100K 166960K 3528 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 28K 32K 166960K 37 0 VM map 2 1K 1K 166960K 2 0 sem 12 0K 0K 166960K 52 0 dirhash 12 2K 2K 166960K 30 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 19 
69K 89K 166960K 1944 0 sigio 1 0K 0K 166960K 99 0 proc 70 115K 164K 166960K 977 0 subproc 72 4K 4K 166960K 163 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 234 0 in_multi 73 5K 7K 166960K 242 0 ether_multi 1 0K 0K 166960K 13 0 mrt 2 0K 0K 166960K 21 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 103 466K 466K 166960K 103 0 exec 0 0K 1K 166960K 780 0 fusefs mount 1 32K 32K 166960K 1 0 pfkey data 0 0K 0K 166960K 3 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 244 165K 184K 166960K 19576 0 UVM aobj 110 5K 5K 166960K 114 0 pinsyscall 43 86K 102K 166960K 3336 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 98 0 NDP 11 0K 2K 166960K 120 0 temp 76 8684K 8810K 166960K 84433 0 kqueue 16 26K 33K 166960K 338 0 SYN cache 2 16K 16K 166960K 2 0 ddb{1}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 26 0 0 1 0 1 1 0 8 0 rtpcb 120 363 0 360 6 5 1 4 0 8 0 rtentry 176 235 0 171 5 0 5 5 0 8 0 unpcb 144 1227 0 1210 13 12 1 6 0 8 0 syncache 336 6 0 6 3 3 0 1 0 8 0 tcpqe 32 3 0 3 1 1 0 1 0 8 0 tcpcb 736 509 0 504 14 8 6 7 0 8 5 arp 128 31 0 24 1 0 1 1 0 8 0 inpcb 328 1923 0 1912 30 24 6 12 0 8 5 nd6 144 47 0 34 1 0 1 1 0 8 0 pkpcb 40 20 0 20 8 8 0 1 0 8 0 kcovpl 48 18 0 10 1 0 1 1 0 8 0 mppekey 1024 2 0 2 2 2 0 1 0 8 0 ppxss 1192 76 0 76 2 1 1 1 0 8 1 pppxif 1504 9 0 9 4 4 0 1 0 8 0 pfstscr 40 2 0 2 1 1 0 1 0 8 0 pffrag 232 15 0 9 1 0 1 1 0 482 0 pffrnode 88 15 0 9 1 0 1 1 0 8 0 pffrent 40 28 0 22 1 0 1 1 0 8 0 pfosfp 40 1428 0 1005 5 0 5 5 0 8 0 pfosfpen 112 1428 0 714 21 0 21 21 0 8 0 pfrktable 1344 4 0 2 1 0 1 1 0 8 0 pfanchor 1288 4 0 1 1 0 1 1 0 8 0 pftag 88 2 0 2 1 1 0 1 0 8 0 pfstitem 24 124 0 70 1 0 1 1 0 8 0 pfstkey 128 130 0 76 2 0 2 2 0 8 0 pfstate 384 126 0 73 6 0 6 6 0 8 0 pfrule 1344 38 0 23 3 1 2 2 0 8 0 rttmr 136 6 0 6 5 5 0 1 0 8 0 art_heap8 4096 4 0 0 4 0 4 4 0 8 0 art_heap4 
256 1057 0 722 32 5 27 29 0 8 2 art_table 40 1061 0 722 5 0 5 5 0 8 0 art_node 32 235 0 181 1 0 1 1 0 8 0 sysvmsgpl 40 21 0 16 1 0 1 1 0 8 0 semupl 112 2 0 2 2 2 0 1 0 8 0 semapl 112 47 0 37 1 0 1 1 0 8 0 shmpl 112 111 0 4 4 0 4 4 0 8 0 dirhash 1024 30 0 13 3 0 3 3 0 8 0 dino2pl 256 4836 0 3311 96 0 96 96 0 8 0 ffsino 296 4836 0 3311 118 0 118 118 0 8 0 nchpl 144 7394 0 5665 65 0 65 65 0 8 0 rtmask 32 10 0 10 6 6 0 1 0 8 0 uvmvnodes 80 5926 0 0 121 0 121 121 0 8 0 vnodes 216 5926 0 0 330 0 330 330 0 8 0 namei 1024 26454 0 26454 2 1 1 2 0 8 1 percpumem 16 155 0 107 1 0 1 1 0 8 0 pfiaddrpl 120 3 0 2 1 0 1 1 0 8 0 kstatmem 264 176 0 150 6 3 3 3 0 8 0 scsiplug 72 12 0 12 5 4 1 1 0 8 1 scxspl 216 42234 0 42234 13 12 1 8 1 8 1 plimitpl 152 345 0 329 2 1 1 2 0 8 0 sigapl 424 2269 0 2213 9 1 8 9 0 8 0 knotepl 120 533 0 0 14 0 14 14 0 8 0 kqueuepl 224 594 0 579 6 5 1 3 0 8 0 pipepl 344 338 0 311 9 6 3 9 0 8 0 fdescpl 528 2225 0 2192 3 0 3 3 0 8 0 filepl 160 14280 0 14054 23 10 13 16 0 8 1 lockfpl 104 1570 0 1564 5 4 1 2 0 8 0 lockfspl 48 616 0 611 1 0 1 1 0 8 0 sessionpl 144 40 0 32 1 0 1 1 0 8 0 pgrppl 48 88 0 72 1 0 1 1 0 8 0 ucredpl 104 2241 0 2227 1 0 1 1 0 8 0 zombiepl 144 3341 0 3341 2 1 1 1 0 8 1 processpl 1248 2269 0 2213 6 0 6 6 0 8 0 procpl 656 5363 0 5294 9 1 8 9 0 8 0 sosppl 168 11 0 11 3 3 0 1 0 8 0 sockpl 752 3577 0 3545 37 28 9 18 0 8 5 mcl64k 65536 9 0 0 2 0 2 2 0 8 0 mcl16k 16384 5 0 0 1 0 1 1 0 8 0 mcl12k 12288 1 0 0 1 0 1 1 0 8 0 mcl9k 9216 2 0 0 1 0 1 1 0 8 0 mcl8k 8192 4 0 0 1 0 1 1 0 8 0 mcl4k 4096 124 0 0 16 1 15 16 0 8 0 mcl2k 2048 53 0 0 5 0 5 5 0 8 0 mtagpl 96 26 0 0 1 0 1 1 0 8 0 mbufpl 256 3491 0 0 218 0 218 218 0 8 0 bufpl 280 17669 0 11527 440 0 440 440 0 8 0 anonpl 32 14593 0 0 118 0 118 118 0 246 0 amapchunkpl 152 67120 0 66601 64 37 27 34 0 158 4 amappl16 200 7218 0 7185 60 45 15 27 0 8 7 amappl15 192 3 0 3 2 2 0 1 0 8 0 amappl14 184 145 0 134 1 0 1 1 0 8 0 amappl13 176 5 0 5 1 1 0 1 0 8 0 amappl12 168 3059 0 3027 3 1 2 2 0 8 0 amappl11 160 
52 0 38 1 0 1 1 0 8 0 amappl10 152 37 0 37 1 1 0 1 0 8 0 amappl9 144 252 0 252 1 1 0 1 0 8 0 amappl8 136 26 0 22 1 0 1 1 0 8 0 amappl7 128 139 0 127 1 0 1 1 0 8 0 amappl6 120 284 0 278 1 0 1 1 0 8 0 amappl5 112 182 0 170 1 0 1 1 0 8 0 amappl4 104 334 0 315 1 0 1 1 0 8 0 amappl3 96 13384 0 13269 5 1 4 4 0 8 0 amappl2 88 813 0 749 2 0 2 2 0 8 0 amappl1 80 17189 0 16604 16 1 15 15 0 8 0 amappl 88 18361 0 18189 5 0 5 5 0 92 0 dma32768 32768 1 0 1 1 1 0 1 0 8 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 10 0 10 4 4 0 1 0 8 0 dma128 128 254 0 254 2 2 0 1 0 8 0 dma64 64 7 0 7 2 2 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 19 0 18 1 0 1 1 0 8 0 aobjpl 72 113 0 4 2 0 2 2 0 8 0 uaddrrnd 24 2225 0 2192 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 2225 0 2192 1 0 1 1 0 8 0 vmmpekpl 168 18893 0 18831 4 0 4 4 0 8 0 vmmpepl 168 145452 0 143430 124 22 102 111 0 357 0 vmsppl 488 2224 0 2192 6 1 5 5 0 8 0 rwobjpl 80 45156 0 38196 149 1 148 148 0 8 2 pdppl 4096 4458 0 4384 132 58 74 84 0 8 0 pvpl 32 26872 0 0 217 1 216 216 0 265 0 pmappl 256 2224 0 2192 4 1 3 3 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 542 0 85 14 0 14 14 0 8 0 ddb{1}> machine ddbcpu 0 Stopped at x86_ipi_db+0x27: addq $0x8,%rsp x86_ipi_db(ffffffff837f3ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83980208) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff83980208) at __mp_lock+0x192 sys/kern/kern_lock.c:165 softintr_dispatch(0) at softintr_dispatch+0x12a sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:847 Xsoftclock() at Xsoftclock+0x27 end of kernel end trace frame: 0x7f20ab161200, count: 8 ddb{0}> trace x86_ipi_db(ffffffff837f3ff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394 x86_ipi_handler() at x86_ipi_handler+0xd9 
sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27 __mp_lock(ffffffff83980208) at __mp_lock+0x192 __mp_lock_spin sys/kern/kern_lock.c:134 [inline] __mp_lock(ffffffff83980208) at __mp_lock+0x192 sys/kern/kern_lock.c:165 softintr_dispatch(0) at softintr_dispatch+0x12a sys/kern/kern_softintr.c:83 dosoftint(0) at dosoftint+0x54 sys/arch/amd64/amd64/intr.c:847 Xsoftclock() at Xsoftclock+0x27 end of kernel end trace frame: 0x7f20ab161200, count: -7 ddb{0}> machine ddbcpu 1 Stopped at db_enter+0x25: addq $0x8,%rsp db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8346880f) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83418c4c,ffffffff833e80a6,13c,ffffffff833f22dd) at __assert+0x29 sys/kern/subr_prf.c:-1 tun_clone_destroy(ffff800001418800) at tun_clone_destroy+0x38a sys/net/if_tun.c:316 if_clone_destroy(ffff80003c44f4f0) at if_clone_destroy+0x1d7 sys/net/if.c:1389 ifioctl(ffff8000017b4980,80206979,ffff80003c44f4f0,ffff80002a36f4c0) at ifioctl+0x5c5 sys/net/if.c:-1 sys_ioctl(ffff80002a36f4c0,ffff80003c44f6d0,ffff80003c44f620) at sys_ioctl+0x5c3 sys/kern/sys_generic.c:-1 syscall(ffff80003c44f6d0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c44f6d0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fc71507d30, count: 6 ddb{1}> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8346880f) at panic+0x1e5 sys/kern/subr_prf.c:198 __assert(ffffffff83418c4c,ffffffff833e80a6,13c,ffffffff833f22dd) at __assert+0x29 sys/kern/subr_prf.c:-1 tun_clone_destroy(ffff800001418800) at tun_clone_destroy+0x38a sys/net/if_tun.c:316 if_clone_destroy(ffff80003c44f4f0) at if_clone_destroy+0x1d7 sys/net/if.c:1389 ifioctl(ffff8000017b4980,80206979,ffff80003c44f4f0,ffff80002a36f4c0) at ifioctl+0x5c5 sys/net/if.c:-1 sys_ioctl(ffff80002a36f4c0,ffff80003c44f6d0,ffff80003c44f620) at sys_ioctl+0x5c3 
sys/kern/sys_generic.c:-1 syscall(ffff80003c44f6d0) at syscall+0xbc6 mi_syscall sys/sys/syscall_mi.h:176 [inline] syscall(ffff80003c44f6d0) at syscall+0xbc6 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x75fc71507d30, count: -9