panic: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *300031 2006 0 0 0x4000000 0K syz-executor.5 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff8257abd3) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825eecca,ffffffff8263a0f6,131,ffffffff82604eda) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c2f800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002445c5c0) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80620b2268,80206979,ffff80002445c5c0,ffff80002e384a90) at soo_ioctl+0x26c sys_ioctl(ffff80002e384a90,ffff80002445c6d8,ffff80002445c730) at sys_ioctl+0x4a2 syscall(ffff80002445c7a0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002445c7a0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc3c7e477c30, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{0}> ddb{0}> set $lines = 0 ddb{0}> set $maxwidth = 0 ddb{0}> show panic *cpu0: kernel diagnostic assertion "sc->sc_dev == 0" failed: file "/syzkaller/managers/multicore/kernel/sys/net/if_tun.c", line 305 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff8257abd3) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825eecca,ffffffff8263a0f6,131,ffffffff82604eda) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c2f800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002445c5c0) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80620b2268,80206979,ffff80002445c5c0,ffff80002e384a90) at soo_ioctl+0x26c sys_ioctl(ffff80002e384a90,ffff80002445c6d8,ffff80002445c730) at sys_ioctl+0x4a2 syscall(ffff80002445c7a0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002445c7a0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc3c7e477c30, count: -9 ddb{0}> show registers rdi 0 rsi 0x1 rbp 0xffff80002445c3d0 rbx 0xffffffff82906bff cpu_info_full_primary+0x2bff rdx 0xffff800000ca8700 rcx 0 rax 0xffff80002e384a90 r8 0 r9 0x8080808080808080 r10 0x3973cc138a443fac r11 0xc7e6d1cf14ef6343 r12 0xffffffff82906a00 cpu_info_full_primary+0x2a00 r13 0 r14 0 r15 0x1 rip 0xffffffff81111978 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002445c3c0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{0}> show proc PROC (syz-executor.5) pid=300031 stat=onproc flags process=0 proc=4000000 pri=32, usrpri=84, nice=20 forw=0xffffffffffffffff, list=0xffff80002e384550,0xffff80002e384d40 process=0xffff80002e3f4020 user=0xffff800024457000, vmspace=0xfffffd8077a73000 estcpu=34, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{0}> ps PID TID PPID UID S FLAGS WAIT COMMAND 6498 466768 38018 0 2 0 syz-executor.6 6498 79675 38018 0 3 0x4000080 fsleep syz-executor.6 57704 22502 74549 0 2 0 syz-executor.2 57704 265298 74549 0 3 0x4000080 fsleep syz-executor.2 50336 486962 58225 0 2 0 syz-executor.0 50336 434273 58225 0 3 0x4000080 fsleep syz-executor.0 2006 22619 42775 0 2 0 syz-executor.5 * 2006 300031 42775 0 7 0x4000000 syz-executor.5 36719 62617 31959 0 2 0 syz-executor.7 36719 406950 31959 0 3 0x4000080 fsleep syz-executor.7 58722 281450 89561 0 2 0x480 syz-executor.4 58722 188899 89561 0 3 0x4000080 fsleep syz-executor.4 58722 223995 89561 0 3 0x4000080 fsleep syz-executor.4 66594 1164 32604 0 2 0 syz-executor.3 66594 506427 32604 0 3 0x4000080 fsleep syz-executor.3 59811 30965 9497 0 3 0x80 nanoslp syz-executor.1 59811 101099 9497 0 3 0x4000080 kqpoll syz-executor.1 59811 411974 9497 0 3 0x4000080 fsleep syz-executor.1 59811 156853 9497 0 3 0x4000080 fsleep syz-executor.1 32604 61709 64695 0 2 0x482 syz-executor.3 38018 180333 64695 0 3 0x82 nanoslp syz-executor.6 74549 463224 64695 0 2 0x482 syz-executor.2 58225 150074 64695 0 2 0x482 syz-executor.0 89561 326950 64695 0 2 0x482 syz-executor.4 19877 392898 1 0 3 0x100083 ttyin getty 31959 181088 64695 0 2 0x482 syz-executor.7 9497 506143 64695 0 2 0x482 syz-executor.1 80671 284938 0 0 3 0x14200 acct acct 42775 25959 64695 0 2 0x482 syz-executor.5 13213 467219 0 0 3 0x14280 nfsidl nfsio 65541 364348 0 0 3 0x14280 nfsidl nfsio 6670 135864 0 0 3 0x14280 nfsidl nfsio 65173 71194 0 0 3 0x14280 nfsidl nfsio 19923 206315 0 0 3 0x14280 nfsidl nfsio 26238 212391 0 0 3 0x14280 nfsidl nfsio 37642 508866 0 0 3 0x14280 nfsidl nfsio 50497 389629 0 0 3 0x14280 nfsidl nfsio 20283 49515 0 0 3 0x14280 nfsidl nfsio 88342 20379 0 0 3 0x14280 nfsidl nfsio 71351 60325 0 0 3 0x14280 nfsidl nfsio 91059 138953 0 0 3 0x14280 nfsidl nfsio 83843 14669 0 0 3 0x14280 nfsidl nfsio 1826 392782 0 0 3 0x14280 nfsidl nfsio 99511 67498 0 0 3 0x14280 nfsidl nfsio 21510 118826 0 0 3 0x14280 nfsidl nfsio 10806 267741 0 0 3 0x14280 nfsidl nfsio 25020 363688 0 0 3 0x14280 nfsidl nfsio 44627 7942 0 0 3 0x14280 nfsidl nfsio 6746 165892 0 0 3 0x14280 nfsidl nfsio 82596 3675 0 0 3 0x14200 bored sosplice 64695 464320 5819 0 3 0x82 thrsleep syz-fuzzer 64695 10974 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 96411 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 452502 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 68084 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 316474 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 326853 5819 0 3 0x4000082 kqread syz-fuzzer 64695 378121 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 167276 5819 0 3 0x4000082 thrsleep syz-fuzzer 64695 358165 5819 0 3 0x4000082 thrsleep syz-fuzzer 5819 513351 78526 0 3 0x10008a sigsusp ksh 78526 75536 26857 0 3 0x9a kqread sshd 26857 466488 1 0 3 0x88 kqread sshd 51776 451204 27891 74 3 0x1100092 bpf pflogd 27891 313439 1 0 3 0x80 netio pflogd 55329 103965 60203 73 3 0x1100090 kqread syslogd 60203 274805 1 0 3 0x100082 netio syslogd 94587 408240 1 0 3 0x100080 kqread resolvd 51558 158899 39857 77 3 0x100092 kqread dhcpleased 34013 94760 39857 77 3 0x100092 kqread dhcpleased 39857 445902 1 0 3 0x80 kqread dhcpleased 73988 100853 0 0 3 0x14200 bored smr 91451 185617 0 0 2 0x14200 zerothread 72451 291774 0 0 3 0x14200 aiodoned aiodoned 77135 25347 0 0 3 0x14200 syncer update 68450 93984 0 0 3 0x14200 cleaner cleaner 67296 128546 0 0 3 0x14200 reaper reaper 11853 1958 0 0 3 0x14200 pgdaemon pagedaemon 40795 210472 0 0 3 0x14200 bored viomb 49114 184885 0 0 3 0x40014200 acpi0 acpi0 66129 39935 0 0 7 0x40014200 idle1 49823 181610 0 0 3 0x14200 bored softnet 16723 94396 0 0 3 0x14200 bored systqmp 88899 437318 0 0 3 0x14200 bored systq 86106 230355 0 0 3 0x40014200 bored softclock 18935 76797 0 0 3 0x40014200 idle0 1 333257 0 0 3 0x80082 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb{0}> show all locks Process 2006 (syz-executor.5) thread 0xffff80002e384a90 (300031) exclusive rwlock clonelk r = 0 (0xffffffff828ef0a0) #0 witness_lock+0x44d #1 if_clone_destroy+0x49 #2 soo_ioctl+0x26c #3 sys_ioctl+0x4a2 #4 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #4 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #5 Xsyscall+0x128 exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82ad3b18) #0 witness_lock+0x44d #1 soo_ioctl+0x25a sys/kern/sys_socket.c:136 #2 sys_ioctl+0x4a2 #3 syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] #3 syscall+0x489 sys/arch/amd64/amd64/trap.c:585 #4 Xsyscall+0x128 ddb{0}> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10231 6523K 7278K 78643K 85235 0 pcb 13 24K 28K 78643K 5291 0 rtable 249 23K 25K 78643K 8546 0 ifaddr 112 29K 31K 78643K 2690 0 sysctl 3 1K 5K 78643K 10 0 counters 58 35K 36K 78643K 802 0 ioctlops 0 0K 8K 78643K 9377 0 iov 0 0K 24K 78643K 6113 0 mount 1 1K 1K 78643K 1 0 log 0 0K 0K 78643K 5 0 vnodes 1655 103K 104K 78643K 27906 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 13K 78643K 316 0 VM map 2 1K 1K 78643K 2 0 sem 12 0K 0K 78643K 5325 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1697 195K 286K 78643K 12548 0 file desc 18 65K 85K 78643K 37210 0 sigio 0 0K 0K 78643K 428 0 proc 73 87K 136K 78643K 5898 0 subproc 104 6K 7K 78643K 1880 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 1780 0 in_multi 79 5K 6K 78643K 2489 0 ether_multi 1 0K 0K 78643K 313 0 mrt 2 0K 0K 78643K 136 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 271 1208K 1208K 78643K 271 0 exec 0 0K 2K 78643K 8120 0 pfkey data 0 0K 1K 78643K 44 0 tdb 3 0K 0K 78643K 3 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 908 2360K 2373K 78643K 452610 0 UVM aobj 131 4K 4K 78643K 135 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 2 0K 0K 78643K 5363 0 NDP 15 0K 1K 78643K 714 0 temp 173 4758K 8853K 78643K 517379 0 kqueue 12 18K 28K 78643K 1949 0 SYN cache 2 16K 24K 78643K 4 0 ddb{0}> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle plcache 128 22 0 0 1 0 1 1 0 8 0 rtpcb 120 3919 0 3915 47 46 1 5 0 8 0 rtentry 112 2171 0 2079 4 1 3 4 0 8 0 unpcb 136 33203 0 33187 284 278 6 10 0 8 5 syncache 296 125 0 125 35 35 0 1 0 8 0 tcpqe 32 30 0 30 13 13 0 1 0 8 0 tcpcb 736 23834 0 23830 578 572 6 20 0 8 5 arp 120 362 0 346 1 0 1 1 0 8 0 inpcb 304 52648 0 52633 590 581 9 16 0 8 7 rttmr 72 27 0 27 9 9 0 1 0 8 0 ip6q 72 2 0 2 1 1 0 1 0 8 0 ip6af 40 4 0 4 1 1 0 1 0 8 0 nd6 48 480 0 459 1 0 1 1 0 8 0 pkpcb 40 196 0 196 20 20 0 1 0 8 0 kcovpl 48 144 0 136 1 0 1 1 0 8 0 ppxss 1248 131 0 131 29 29 0 1 0 8 0 pfstscr 40 22 0 22 1 1 0 1 0 8 0 pffrag 232 200 0 195 19 18 1 1 0 482 0 pffrnode 88 200 0 195 19 18 1 1 0 8 0 pffrent 40 3939 0 3934 24 23 1 1 0 8 0 pfosfp 40 1432 0 1008 5 0 5 5 0 8 0 pfosfpen 112 1432 0 714 21 0 21 21 0 8 0 pfrktable 1344 546 0 530 3 1 2 2 0 8 0 pftag 88 14 0 2 1 0 1 1 0 8 0 pfqueue 264 4 0 4 1 1 0 1 0 8 0 pfstitem 24 29 0 27 1 0 1 1 0 8 0 pfstkey 112 61 0 59 1 0 1 1 0 8 0 pfstate 320 42 0 40 2 1 1 2 0 8 0 pfrule 1360 545 0 461 9 2 7 8 0 8 0 art_heap8 4096 9 0 7 8 6 2 3 0 8 0 art_heap4 256 8486 0 8131 64 41 23 30 0 8 0 art_table 32 8495 0 8138 5 2 3 4 0 8 0 art_node 16 2151 0 2072 1 0 1 1 0 8 0 sysvmsgpl 40 19 0 16 1 0 1 1 0 8 0 semupl 112 3 0 3 1 1 0 1 0 8 0 semapl 112 5323 0 5313 1 0 1 1 0 8 0 shmpl 112 132 0 4 4 0 4 4 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 48801 0 47221 100 0 100 100 0 8 0 ffsino 272 48801 0 47221 106 0 106 106 0 8 0 nchpl 144 96759 0 95122 62 0 62 62 0 8 0 uvmvnodes 80 11047 0 0 226 0 226 226 0 8 0 vnodes 224 11047 0 0 650 0 650 650 0 8 0 namei 1024 353024 0 353024 19 18 1 2 0 8 1 percpumem 16 413 0 372 1 0 1 1 0 8 0 vcpupl 2048 490 0 1 62 0 62 62 0 8 0 vmpool 560 513 0 24 37 2 35 35 0 8 0 pfiaddrpl 120 180 0 152 3 2 1 1 0 8 0 scsiplug 72 13 0 13 4 4 0 1 0 8 0 scxspl 216 305300 0 305300 27 26 1 8 0 8 1 plimitpl 152 5104 0 5089 1 0 1 1 0 8 0 sigapl 424 37275 0 37208 8 0 8 8 0 8 0 futexpl 64 382361 0 382352 13 12 1 1 0 8 0 knotepl 120 1463 0 0 11 1 10 11 0 8 0 kqueuepl 216 8154 0 8145 149 148 1 8 0 8 0 pipepl 336 7380 0 7350 216 213 3 11 0 8 0 fdescpl 496 37210 0 37179 5 0 5 5 0 8 0 filepl 152 268175 0 267923 475 460 15 25 0 8 5 lockfpl 104 8417 0 8415 17 16 1 2 0 8 0 lockfspl 48 2592 0 2590 1 0 1 1 0 8 0 sessionpl 144 165 0 148 1 0 1 1 0 8 0 pgrppl 48 530 0 513 1 0 1 1 0 8 0 ucredpl 96 31428 0 31412 1 0 1 1 0 8 0 zombiepl 144 37208 0 37208 2 1 1 1 0 8 1 processpl 1064 37275 0 37208 5 0 5 5 0 8 0 procpl 672 93974 0 93887 47 39 8 9 0 8 0 srpgc 96 156 0 156 52 52 0 1 0 8 0 sosppl 168 230 0 230 43 43 0 1 0 8 0 sockpl 480 90078 0 90034 1775 1761 14 53 0 8 8 mcl64k 65536 14 0 0 2 0 2 2 0 8 0 mcl16k 16384 4 0 0 1 0 1 1 0 8 0 mcl12k 12288 10 0 0 1 0 1 1 0 8 0 mcl9k 9216 5 0 0 1 0 1 1 0 8 0 mcl8k 8192 78 0 0 10 0 10 10 0 8 0 mcl4k 4096 16 0 0 2 0 2 2 0 8 0 mcl2k2 2112 4 0 0 1 0 1 1 0 8 0 mcl2k 2048 714 0 0 32 5 27 28 0 8 0 mtagpl 96 1883 0 0 14 0 14 14 0 8 0 mbufpl 256 10406 0 0 558 0 558 558 0 8 0 bufpl 288 59891 0 48843 790 0 790 790 0 8 0 anonpl 24 10658725 0 10628575 814 602 212 258 0 186 0 amapchunkpl 152 1134248 0 1132748 432 372 60 86 0 158 1 amappl16 200 112499 0 111527 475 423 52 66 0 8 0 amappl15 192 11633 0 11622 1 0 1 1 0 8 0 amappl14 184 2259 0 2246 1 0 1 1 0 8 0 amappl13 176 4805 0 4800 1 0 1 1 0 8 0 amappl12 168 2881 0 2870 4 3 1 1 0 8 0 amappl11 160 5090 0 5076 1 0 1 1 0 8 0 amappl10 152 4274 0 4263 1 0 1 1 0 8 0 amappl9 144 2550 0 2543 1 0 1 1 0 8 0 amappl8 136 9849 0 9650 7 0 7 7 0 8 0 amappl7 128 6554 0 6542 1 0 1 1 0 8 0 amappl6 120 2670 0 2637 4 2 2 2 0 8 0 amappl5 112 33819 0 33795 1 0 1 1 0 8 0 amappl4 104 14971 0 14931 2 0 2 2 0 8 0 amappl3 96 6931 0 6915 1 0 1 1 0 8 0 amappl2 88 9862 0 9773 9 7 2 3 0 8 0 amappl1 80 661669 0 661045 20 6 14 19 0 8 0 amappl 88 449059 0 448571 12 0 12 12 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 134 0 4 4 1 3 3 0 8 0 uaddrrnd 24 37723 0 37203 4 0 4 4 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 37723 0 37203 4 0 4 4 0 8 0 vmmpekpl 168 241357 0 241240 6 0 6 6 0 8 0 vmmpepl 168 3402791 0 3398549 914 658 256 262 0 357 60 vmsppl 368 37722 0 37203 50 2 48 48 0 8 0 rwobjpl 56 810889 0 797328 250 58 192 192 0 8 0 pdppl 4096 75453 0 74895 2499 1941 558 560 0 8 0 pvpl 32 18133014 0 18107576 1105 859 246 339 0 265 4 pmappl 248 37722 0 37203 33 0 33 33 0 8 0 extentpl 40 58 0 38 1 0 1 1 0 8 0 phpool 112 5112 0 2802 67 0 67 67 0 8 0 ddb{0}> machine ddbcpu 0 Invalid cpu 0 ddb{0}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:440 panic(ffffffff8257abd3) at panic+0x177 sys/kern/subr_prf.c:202 __assert(ffffffff825eecca,ffffffff8263a0f6,131,ffffffff82604eda) at __assert+0x25 sys/kern/subr_prf.c:161 tun_clone_destroy(ffff800000c2f800) at tun_clone_destroy+0x278 sys/net/if_tun.c:305 if_clone_destroy(ffff80002445c5c0) at if_clone_destroy+0x132 sys/net/if.c:1218 soo_ioctl(fffffd80620b2268,80206979,ffff80002445c5c0,ffff80002e384a90) at soo_ioctl+0x26c sys_ioctl(ffff80002e384a90,ffff80002445c6d8,ffff80002445c730) at sys_ioctl+0x4a2 syscall(ffff80002445c7a0) at syscall+0x489 mi_syscall sys/sys/syscall_mi.h:102 [inline] syscall(ffff80002445c7a0) at syscall+0x489 sys/arch/amd64/amd64/trap.c:585 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc3c7e477c30, count: -9 ddb{0}> machine ddbcpu 1 Stopped at x86_ipi_db+0x1a: addq $0x8,%rsp x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: 10 ddb{1}> trace x86_ipi_db(ffff800020ce8ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393 x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106 Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23 acpicpu_idle() at acpicpu_idle+0x312 sys/dev/acpi/acpicpu.c:1206 sched_idle(ffff800020ce8ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178 end trace frame: 0x0, count: -5