panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*209443 85960 0 0 0x4000000 0K syz-executor.4
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440
panic(ffffffff8257c664) at panic+0x177 sys/kern/subr_prf.c:202
__assert(ffffffff825f108d,ffffffff82638ad2,131,ffffffff826036c0) at __assert+0x25 sys/kern/subr_prf.c:161
tun_clone_destroy(ffff800000bfe000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305
if_clone_destroy(ffff8000294d69c0) at if_clone_destroy+0x132 sys/net/if.c:1218
soo_ioctl(fffffd806c4f14d8,80206979,ffff8000294d69c0,ffff8000211f8010) at soo_ioctl+0x26c
sys_ioctl(ffff8000211f8010,ffff8000294d6ad8,ffff8000294d6b30) at sys_ioctl+0x4a2
syscall(ffff8000294d6ba0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000294d6ba0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x11de8d369f0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff8257c664) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825f108d,ffffffff82638ad2,131,ffffffff826036c0) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000bfe000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff8000294d69c0) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd806c4f14d8,80206979,ffff8000294d69c0,ffff8000211f8010) at soo_ioctl+0x26c sys_ioctl(ffff8000211f8010,ffff8000294d6ad8,ffff8000294d6b30) at sys_ioctl+0x4a2 syscall(ffff8000294d6ba0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff8000294d6ba0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x11de8d369f0, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff8000294d67d0 rbx 0xffffffff8295dbff cpu_info_full_primary+0x2bff rdx 0xffff800000d59c80 rcx 0 rax 0xffff8000211f8010 r8 0 r9 0x8080808080808080 r10 0xf7c0737ed99011b r11 0x253ca2fb6950f322 r12 0xffffffff8295da00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff8168b928 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000294d67c0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.4) pid=209443 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=83, nice=20 forw=0xffffffffffffffff, list=0xffff8000211f9270,0xffff8000ffff1520 process=0xffff8000fffed0b8 user=0xffff8000294d1000, vmspace=0xfffffd807c48e760 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 50786 34501 62729 0 2 0 syz-executor.0 50786 471320 62729 0 3 0x4000080 fsleep syz-executor.0 85960 65177 62129 0 2 0 syz-executor.4 *85960 209443 62129 0 7 
0x4000000 syz-executor.4 42694 308371 73355 0 2 0 syz-executor.3 42694 132820 73355 0 3 0x4000080 fsleep syz-executor.3 72680 251218 0 0 3 0x14200 acct acct 73355 362873 79301 0 3 0x82 nanoslp syz-executor.3 62729 48404 79301 0 3 0x82 nanoslp syz-executor.0 58468 288846 79301 0 2 0x482 syz-executor.6 12995 134824 79301 0 2 0x482 syz-executor.1 62129 453054 79301 0 2 0x482 syz-executor.4 29131 308026 79301 0 2 0x482 syz-executor.2 34746 354225 79301 0 2 0x482 syz-executor.5 47286 276427 79301 0 2 0x482 syz-executor.7 50019 31504 1 0 3 0x100083 ttyin getty 81917 398659 0 0 3 0x14280 nfsidl nfsio 80539 57787 0 0 3 0x14280 nfsidl nfsio 8448 366944 0 0 3 0x14280 nfsidl nfsio 25319 418817 0 0 3 0x14280 nfsidl nfsio 7508 128955 0 0 3 0x14280 nfsidl nfsio 38342 151575 0 0 3 0x14280 nfsidl nfsio 86328 188104 0 0 3 0x14280 nfsidl nfsio 55772 523015 0 0 3 0x14280 nfsidl nfsio 10989 391400 0 0 3 0x14280 nfsidl nfsio 86518 27919 0 0 3 0x14280 nfsidl nfsio 72076 409091 0 0 3 0x14280 nfsidl nfsio 58663 312634 0 0 3 0x14280 nfsidl nfsio 63707 57609 0 0 3 0x14280 nfsidl nfsio 71074 95483 0 0 3 0x14280 nfsidl nfsio 48797 145638 0 0 3 0x14280 nfsidl nfsio 63969 35258 0 0 3 0x14280 nfsidl nfsio 68276 186422 0 0 3 0x14280 nfsidl nfsio 8076 4513 0 0 3 0x14280 nfsidl nfsio 98710 27490 0 0 3 0x14280 nfsidl nfsio 74803 84413 0 0 3 0x14280 nfsidl nfsio 5119 200106 0 0 3 0x14200 bored sosplice 79301 30151 2047 0 3 0x82 thrsleep syz-fuzzer 79301 350971 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 124213 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 319329 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 116962 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 394170 2047 0 3 0x4000082 kqread syz-fuzzer 79301 19068 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 247097 2047 0 3 0x4000082 thrsleep syz-fuzzer 79301 227145 2047 0 3 0x4000082 thrsleep syz-fuzzer 2047 213063 125 0 3 0x10008a sigsusp ksh 125 179998 99359 0 3 0x9a poll sshd 99359 420624 1 0 3 0x88 poll sshd 62024 164495 99328 74 3 0x100092 bpf 
pflogd 99328 285086 1 0 3 0x80 netio pflogd 62996 12694 49513 73 3 0x100090 kqread syslogd 49513 135793 1 0 3 0x100082 netio syslogd 24424 376748 1 0 3 0x100080 kqread resolvd 3024 404043 70963 77 3 0x100092 kqread dhcpleased 137 100902 70963 77 3 0x100092 kqread dhcpleased 70963 306463 1 0 3 0x80 kqread dhcpleased 58361 312871 0 0 3 0x14200 bored smr 64138 160970 0 0 2 0x14200 zerothread 99747 176892 0 0 3 0x14200 aiodoned aiodoned 67229 461111 0 0 3 0x14200 syncer update 88830 314451 0 0 3 0x14200 cleaner cleaner 11786 131863 0 0 3 0x14200 reaper reaper 4171 332930 0 0 3 0x14200 pgdaemon pagedaemon 34173 195385 0 0 3 0x14200 bored viomb 7321 436471 0 0 3 0x40014200 acpi0 acpi0 99937 401615 0 0 7 0x40014200 idle1 76918 337214 0 0 3 0x14200 bored softnet 59157 364524 0 0 3 0x14200 bored systqmp 79767 498474 0 0 3 0x14200 bored systq 78113 219726 0 0 2 0x40014200 softclock 43132 361834 0 0 3 0x40014200 idle0 1 355637 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 85960 (syz-executor.4) thread 0xffff8000211f8010 (209443) exclusive rwlock clonelk r = 0 (0xffffffff8299fe50) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82b62fd8) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10234 6596K 7805K 78643K 92341 0 pcb 13 24K 34K 78643K 13051 0 rtable 266 26K 28K 78643K 10767 0 ifaddr 104 31K 39K 78643K 4508 0 sysctl 3 1K 5K 78643K 10 0 counters 56 35K 36K 78643K 1530 0 ioctlops 0 0K 8K 78643K 18254 0 iov 0 0K 32K 78643K 5745 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 
vnodes 1685 105K 106K 78643K 34084 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 5K 9K 78643K 481 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 7252 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12598 0 file desc 13 45K 81K 78643K 52829 0 sigio 0 0K 0K 78643K 134 0 proc 72 87K 112K 78643K 6889 0 subproc 104 13K 21K 78643K 2197 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 7069 0 in_multi 77 5K 7K 78643K 4903 0 ether_multi 1 0K 0K 78643K 903 0 mrt 2 0K 0K 78643K 272 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 265 1182K 1182K 78643K 265 0 exec 0 0K 2K 78643K 9804 0 pfkey data 0 0K 0K 78643K 79 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 757 1511K 1530K 78643K 652290 0 UVM aobj 260 6K 6K 78643K 263 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 3789 0 NDP 15 0K 1K 78643K 1197 0 temp 154 4712K 8808K 78643K 393838 0 kqueue 13 20K 29K 78643K 2745 0 SYN cache 2 16K 16K 78643K 2 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 3490 0 3487 48 47 1 5 0 8 0 rtentry 112 3161 0 3067 6 2 4 4 0 8 0 unpcb 136 40779 0 40764 403 402 1 12 0 8 0 syncache 296 198 0 198 19 19 0 1 0 8 0 tcpqe 32 23 62 23 1 1 0 1 0 8 0 tcpcb 736 26395 0 26384 645 638 7 21 0 8 6 arp 120 492 0 477 1 0 1 1 0 8 0 inpcb 304 67072 0 67063 643 637 6 19 0 8 5 rttmr 72 92 0 92 18 18 0 1 0 8 0 nd6 48 645 0 624 1 0 1 1 0 8 0 pkpcb 40 325 0 325 36 36 0 1 0 8 0 kcovpl 48 160 0 152 1 0 1 1 0 8 0 ppxss 1248 172 0 172 29 28 1 1 0 8 1 pfstscr 40 3 0 3 1 1 0 1 0 8 0 pffrag 232 531 0 528 23 22 1 1 0 482 0 pffrnode 88 527 0 524 23 22 1 1 0 8 0 pffrent 40 6412 0 6409 27 26 1 1 0 8 0 pfosfp 40 1428 0 1428 5 5 0 5 0 8 0 pfosfpen 112 1428 0 1428 21 21 0 21 0 8 0 pfrke_plain 168 24 0 20 
5 4 1 1 0 8 0 pfrktable 1344 484 0 465 5 3 2 2 0 8 0 pftag 88 13 0 6 1 0 1 1 0 8 0 pfstitem 24 53 0 51 1 0 1 1 0 8 0 pfstkey 112 57 0 55 2 1 1 2 0 8 0 pfstate 320 54 0 52 4 3 1 4 0 8 0 pfsrctr 152 1251 0 1247 11 10 1 1 0 8 0 pfrule 1360 705 0 640 9 3 6 6 0 8 0 art_heap8 4096 3 0 1 3 1 2 2 0 8 0 art_heap4 256 13577 0 13186 109 79 30 63 0 8 0 art_table 32 13580 0 13187 11 6 5 9 0 8 0 art_node 16 3075 0 2992 1 0 1 1 0 8 0 sysvmsgpl 40 41 0 1 1 0 1 1 0 8 0 semapl 112 7250 0 7240 1 0 1 1 0 8 0 shmpl 112 260 0 3 8 0 8 8 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 72575 0 70963 101 0 101 101 0 8 0 ffsino 272 72575 0 70963 108 0 108 108 0 8 0 nchpl 144 160492 0 158852 63 0 63 63 0 8 0 rtmask 32 36 0 33 5 4 1 1 0 8 0 uvmvnodes 80 10237 0 0 209 0 209 209 0 8 0 vnodes 224 10237 0 0 603 0 603 603 0 8 0 namei 1024 556983 0 556983 22 21 1 2 0 8 1 percpumem 16 777 0 737 1 0 1 1 0 8 0 vcpupl 2048 262 0 1 33 0 33 33 0 8 0 vmpool 560 513 0 252 19 0 19 19 0 8 0 pfiaddrpl 120 139 0 110 3 2 1 2 0 8 0 scsiplug 72 23 0 23 8 8 0 1 0 8 0 scxspl 216 416856 0 416856 47 46 1 8 0 8 1 plimitpl 152 6026 0 6011 1 0 1 1 0 8 0 sigapl 424 52865 0 52803 8 0 8 8 0 8 0 futexpl 64 546328 0 546326 20 19 1 1 0 8 0 knotepl 112 349 0 0 5 0 5 5 0 8 0 kqueuepl 216 14356 0 14340 261 258 3 9 0 8 2 pipepl 336 11659 0 11631 268 263 5 13 0 8 2 fdescpl 496 52824 0 52798 5 0 5 5 0 8 0 filepl 152 435784 0 435539 593 579 14 25 0 8 4 lockfpl 104 14990 0 14987 26 25 1 3 0 8 0 lockfspl 48 4221 0 4218 1 0 1 1 0 8 0 sessionpl 144 193 0 176 1 0 1 1 0 8 0 pgrppl 48 368 0 351 1 0 1 1 0 8 0 ucredpl 96 49649 0 49632 1 0 1 1 0 8 0 zombiepl 144 52803 0 52798 8 7 1 1 0 8 0 processpl 1064 52865 0 52798 5 0 5 5 0 8 0 procpl 672 138233 0 138155 48 40 8 10 0 8 0 srpgc 96 217 0 217 51 51 0 1 0 8 0 sosppl 168 425 0 425 68 67 1 1 0 8 1 sockpl 480 111823 0 111796 2364 2352 12 53 0 8 8 mcl64k 65536 50 0 0 4 1 3 3 0 8 0 mcl16k 16384 28 0 0 4 1 3 3 0 8 0 mcl12k 12288 33 0 0 2 0 2 2 0 8 0 mcl9k 9216 41 0 0 2 0 2 2 0 8 0 mcl8k 8192 25 
0 0 3 0 3 3 0 8 0 mcl4k 4096 50 0 0 4 1 3 3 0 8 0 mcl2k2 2112 9 0 0 1 0 1 1 0 8 0 mcl2k 2048 585 0 0 22 5 17 20 0 8 0 mtagpl 96 2095 0 0 14 2 12 13 0 8 0 mbufpl 256 10221 0 0 604 0 604 604 0 8 0 bufpl 288 81384 0 71147 732 0 732 732 0 8 0 anonpl 24 14826910 0 14800014 846 651 195 199 0 186 20 amapchunkpl 152 1625230 0 1624156 371 323 48 60 0 158 0 amappl16 200 143590 0 142684 510 449 61 63 0 8 11 amappl15 192 9474 0 9467 1 0 1 1 0 8 0 amappl14 184 7932 0 7923 1 0 1 1 0 8 0 amappl13 176 5009 0 5007 1 0 1 1 0 8 0 amappl12 168 9756 0 9747 2 1 1 1 0 8 0 amappl11 160 5089 0 5072 1 0 1 1 0 8 0 amappl10 152 4382 0 4374 1 0 1 1 0 8 0 amappl9 144 11949 0 11944 1 0 1 1 0 8 0 amappl8 136 7252 0 7004 9 0 9 9 0 8 0 amappl7 128 3271 0 3255 1 0 1 1 0 8 0 amappl6 120 12173 0 12134 2 0 2 2 0 8 0 amappl5 112 52235 0 52219 1 0 1 1 0 8 0 amappl4 104 13846 0 13800 2 0 2 2 0 8 0 amappl3 96 16218 0 16205 1 0 1 1 0 8 0 amappl2 88 10153 0 10069 3 1 2 3 0 8 0 amappl1 80 928324 0 927783 27 13 14 19 0 8 0 amappl 88 648035 0 647678 12 2 10 10 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 262 0 3 5 0 5 5 0 8 0 uaddrrnd 24 53337 0 53050 2 0 2 2 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 53337 0 53050 2 0 2 2 0 8 0 vmmpekpl 168 356185 0 356093 5 0 5 5 0 8 0 vmmpepl 168 4825992 0 4822317 913 718 195 219 0 357 0 vmsppl 368 53336 0 53050 28 1 27 27 0 8 0 rwobjpl 56 1123866 0 1111182 271 87 184 184 0 8 2 pdppl 4096 106681 0 106361 1827 1497 330 332 0 8 10 pvpl 32 25089792 0 25064494 1383 1130 253 287 0 265 28 pmappl 248 53336 0 53050 20 1 19 19 0 8 0 extentpl 40 57 0 38 1 0 1 1 0 8 0 phpool 112 4532 0 2513 59 1 58 58 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff8257c664) at panic+0x177 sys/kern/subr_prf.c:202 
__assert(ffffffff825f108d,ffffffff82638ad2,131,ffffffff826036c0) at __assert+0x25 sys/kern/subr_prf.c:161
tun_clone_destroy(ffff800000bfe000) at tun_clone_destroy+0x278 sys/net/if_tun.c:305
if_clone_destroy(ffff8000294d69c0) at if_clone_destroy+0x132 sys/net/if.c:1218
soo_ioctl(fffffd806c4f14d8,80206979,ffff8000294d69c0,ffff8000211f8010) at soo_ioctl+0x26c
sys_ioctl(ffff8000211f8010,ffff8000294d6ad8,ffff8000294d6b30) at sys_ioctl+0x4a2
syscall(ffff8000294d6ba0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline]
syscall(ffff8000294d6ba0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x11de8d369f0, count: -9
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: 10
ddb{1}> trace
x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: -5