panic: kernel diagnostic assertion "rn != NULL" failed: file "/syzkaller/managers/main/kernel/sys/net/pipex.c", line 501 Stopped at db_enter+0x25: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *394275 95001 0 0 0x4000000 0 syz-executor db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80002e1290c8) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8550) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003a5612a0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806ba22610,41,fffffd8007bfb548,ffff80002a7f8550) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806da8b810,ffff80002a7f8550) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806da8b810,ffff80002a7f8550) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003a5614f0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003a5614f0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x214d5700590, count: 2 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic *cpu0: kernel diagnostic assertion "rn != NULL" failed: file "/syzkaller/managers/main/kernel/sys/net/pipex.c", line 501 ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80002e1290c8) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8550) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003a5612a0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806ba22610,41,fffffd8007bfb548,ffff80002a7f8550) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806da8b810,ffff80002a7f8550) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806da8b810,ffff80002a7f8550) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003a5614f0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003a5614f0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x214d5700590, count: -13 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80003a561080 rbx 0x1 rdx 0xffff800001464ac0 rcx 0 rax 0xffff80002a7f8550 r8 0x101010101010101 r9 0x8080808080808080 r10 0x5262b73a75bd0d37 r11 0x3d44c23b83cb3223 r12 0 r13 0xffff80002e12a188 r14 0 r15 0x1 rip 0xffffffff83188ce5 db_enter+0x25 cs 0x8 rflags 0x246 rsp 0xffff80003a561070 ss 0x10 db_enter+0x25: addq $0x8,%rsp ddb> show proc PROC (syz-executor) tid=394275 pid=95001 tcnt=2 stat=onproc flags process=0 proc=4000000 runpri=32, usrpri=50, slppri=32, nice=20 wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0 forw=0xffffffffffffffff, list=0xffff80002a7f82b8,0xffff80002a7f9788 process=0xffff80002e130db8 user=0xffff80003a55c000, vmspace=0xfffffd8076cab8b8 estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 95001 502079 82321 0 2 0 syz-executor *95001 394275 82321 0 7 0x4000000 syz-executor 23292 344442 40660 0 2 0 syz-executor 23292 13177 40660 0 3 0x4000080 fsleep syz-executor 76442 222302 79598 0 2 0 syz-executor 76442 122644 79598 0 3 0x4000080 fsleep syz-executor 7633 395847 51822 0 2 0 syz-executor 7633 345887 51822 0 2 0x4000000 syz-executor 7633 368522 51822 0 3 0x4000000 inode syz-executor 26127 145357 94799 0 3 0x80 nanoslp syz-executor 26127 233510 94799 0 3 0x4000080 kqread syz-executor 26127 488912 94799 0 3 0x4000080 fsleep syz-executor 89490 507424 23596 0 3 0x80 nanoslp syz-executor 89490 437688 23596 0 3 0x4000080 kqsel syz-executor 89490 76845 23596 0 3 0x4000080 fsleep syz-executor 83581 356130 8126 0 3 0x80 nanoslp syz-executor 83581 279046 8126 0 3 0x4000080 fsleep syz-executor 83581 268452 8126 0 3 0x4000080 lockf syz-executor 83581 471254 8126 0 3 0x4000080 fsleep syz-executor 61207 456476 0 0 3 0x14200 acct acct 19201 513923 74529 0 3 0x82 sbwait sshd-session 48205 151257 1 0 3 0x100083 ttyin getty 16526 294035 0 0 3 0x14200 bored sosplice 23596 36627 63230 0 3 0x82 nanoslp syz-executor 40660 432163 63230 0 3 0x82 nanoslp syz-executor 82321 102077 63230 0 3 0x82 nanoslp syz-executor 62126 473919 63230 0 2 0x2 syz-executor 51822 458049 63230 0 2 0x2 syz-executor 79598 56954 63230 0 3 0x82 nanoslp syz-executor 94799 172465 63230 0 3 0x82 nanoslp syz-executor 8126 440772 63230 0 3 0x82 nanoslp syz-executor 63230 274053 86763 0 3 0x82 kqread syz-executor 86763 498086 13904 0 3 0x10008a sigsusp ksh 13904 355651 69701 0 3 0x98 kqread sshd-session 69701 292543 74529 0 3 0x92 kqread sshd-session 74529 302075 1 0 3 0x88 kqread sshd 4386 435342 29108 73 3 0x1100090 kqread syslogd 29108 120671 1 0 3 0x100082 sbwait syslogd 64317 237469 1 0 3 0x100080 kqread resolvd 92510 149017 98511 77 2 0x100012 dhcpleased 25270 57148 98511 77 3 0x100092 kqread dhcpleased 98511 2967 1 0 3 0x80 kqread dhcpleased 32155 350603 0 0 3 0x14200 bored smr 18340 427742 0 0 2 0x14200 zerothread 18074 136337 0 0 3 0x14200 aiodoned aiodoned 41463 13017 0 0 3 0x14200 syncer update 86169 488749 0 0 3 0x14200 cleaner cleaner 9091 178671 0 0 3 0x14200 reaper reaper 47605 454129 0 0 3 0x14200 pgdaemon pagedaemon 25559 378870 0 0 3 0x14200 bored viomb 59613 191332 0 0 3 0x40014200 acpi0 acpi0 51906 207169 0 0 3 0x14200 bored softnet7 5384 221988 0 0 3 0x14200 bored softnet6 9915 380676 0 0 3 0x14200 bored softnet5 87157 480898 0 0 3 0x14200 bored softnet4 26474 386691 0 0 3 0x14200 bored softnet3 7597 319904 0 0 3 0x14200 bored softnet2 18617 107306 0 0 3 0x14200 bored softnet1 69377 94877 0 0 2 0x14200 softnet0 53919 445654 0 0 3 0x14200 bored systqmp 85945 478329 0 0 3 0x14200 bored systq 2932 37504 0 0 3 0x40014200 tmoslp softclock 72004 82187 0 0 3 0x40014200 idle0 1 103385 0 0 3 0x82 wait init 0 0 -1 0 3 0x10010200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 10187 11063K 11302K 166960K 11653 0 pcb 19 12K 12K 166960K 84 0 rtable 147 6K 6K 166960K 314 0 pf 34 13K 15K 166960K 62 0 ifaddr 30 4K 7K 166960K 58 0 ifgroup 46 2K 2K 166960K 77 0 sysctl 3 1K 9K 166960K 8 0 counters 35 17K 18K 166960K 53 0 ioctlops 0 0K 4K 166960K 147 0 iov 0 0K 16K 166960K 26 0 mount 1 1K 1K 166960K 1 0 log 0 0K 0K 166960K 4 0 vnodes 1340 84K 85K 166960K 1617 0 UFS quota 1 32K 32K 166960K 1 0 UFS mount 5 36K 36K 166960K 5 0 shm 2 1K 5K 166960K 8 0 VM map 2 1K 1K 166960K 2 0 sem 8 0K 0K 166960K 44 0 dirhash 12 2K 2K 166960K 15 0 ACPI 1692 195K 286K 166960K 12470 0 file desc 17 61K 89K 166960K 491 0 sigio 0 0K 0K 166960K 6 0 proc 60 59K 100K 166960K 529 0 subproc 72 4K 4K 166960K 72 0 NFS srvsock 1 0K 0K 166960K 1 0 NFS daemon 1 16K 16K 166960K 1 0 ip_moptions 0 0K 0K 166960K 34 0 in_multi 55 4K 7K 166960K 109 0 ether_multi 1 0K 0K 166960K 1 0 mrt 0 0K 0K 166960K 1 0 ISOFS mount 1 32K 32K 166960K 1 0 MSDOSFS mount 1 16K 16K 166960K 1 0 ttys 85 387K 387K 166960K 85 0 exec 0 0K 1K 166960K 374 0 fusefs mount 1 32K 32K 166960K 1 0 tdb 3 0K 0K 166960K 3 0 VM swap 8 62K 64K 166960K 10 0 UVM amap 236 167K 183K 166960K 5846 0 UVM aobj 116 4K 4K 166960K 118 0 pinsyscall 40 80K 93K 166960K 1522 0 memdesc 1 4K 4K 166960K 1 0 crypto data 1 1K 1K 166960K 1 0 ip6_options 0 0K 0K 166960K 15 0 NDP 11 0K 2K 166960K 37 0 temp 49 8637K 8706K 166960K 21143 0 kqueue 18 27K 32K 166960K 105 0 SYN cache 2 16K 16K 166960K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle rtpcb 120 119 0 116 3 0 3 3 0 8 2 rtentry 136 106 0 48 4 0 4 4 0 8 0 unpcb 144 280 0 262 2 0 2 2 0 8 1 syncache 336 4 0 4 2 1 1 1 0 8 1 tcpqe 32 1 0 1 1 0 1 1 0 8 1 tcpcb 736 171 0 165 10 6 4 7 0 8 3 arp 88 14 0 8 1 0 1 1 0 8 0 ipq 40 2 0 0 1 0 1 1 0 8 0 ipqe 40 4 0 2 1 0 1 1 0 8 0 inpcb 328 365 0 351 10 5 5 6 0 8 3 ip6q 72 2 0 0 1 0 1 1 0 8 0 ip6af 40 3 0 0 1 0 1 1 0 8 0 nd6 104 18 0 10 1 0 1 1 0 8 0 pkpcb 40 2 0 2 1 0 1 1 0 8 1 kcovpl 48 8 0 0 1 0 1 1 0 8 0 ppxss 1072 18 0 13 2 1 1 1 0 8 0 pppxif 1384 1 0 1 1 1 0 1 0 8 0 pfstscr 40 3 0 2 1 0 1 1 0 8 0 pfrktable 1344 2 0 2 1 0 1 1 0 8 1 pftag 88 2 0 1 1 0 1 1 0 8 0 pfstitem 24 7 0 0 1 0 1 1 0 8 0 pfstkey 128 9 0 2 1 0 1 1 0 8 0 pfstate 384 5 0 1 1 0 1 1 0 8 0 pfrule 1344 2 0 2 1 0 1 1 0 8 1 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 481 0 211 29 2 27 29 0 8 8 art_table 40 482 0 211 5 0 5 5 0 8 0 art_node 32 106 0 54 1 0 1 1 0 8 0 sysvmsgpl 40 9 0 4 1 0 1 1 0 8 0 semupl 112 2 0 2 2 1 1 1 0 8 1 semapl 112 42 0 36 1 0 1 1 0 8 0 shmpl 112 115 0 2 4 0 4 4 0 8 0 dirhash 1024 19 0 2 3 0 3 3 0 8 0 dino2pl 256 2218 0 720 95 0 95 95 0 8 0 ffsino 256 2218 0 720 95 0 95 95 0 8 0 nchpl 144 2932 0 1248 63 0 63 63 0 8 0 rtmask 32 5 0 2 1 0 1 1 0 8 0 uvmvnodes 80 2446 0 0 50 0 50 50 0 8 0 vnodes 216 2446 0 0 136 0 136 136 0 8 0 namei 1024 9229 0 9229 2 1 1 2 0 8 1 kstatmem 264 42 0 20 2 0 2 2 0 8 0 scsiplug 72 5 0 5 2 1 1 1 0 8 1 scxspl 216 13979 0 13979 15 7 8 8 1 8 8 plimitpl 152 171 0 155 1 0 1 1 0 8 0 sigapl 424 796 0 744 8 0 8 8 0 8 2 knotepl 120 16901 0 16615 16 7 9 9 0 8 0 kqueuepl 184 226 0 210 4 3 1 4 0 8 0 pipepl 304 134 0 105 3 0 3 3 0 8 0 fdescpl 448 754 0 724 5 1 4 5 0 8 0 filepl 120 3984 0 3747 12 3 9 11 0 8 0 lockfpl 104 153 0 147 1 0 1 1 0 8 0 lockfspl 48 66 0 61 1 0 1 1 0 8 0 sessionpl 144 23 0 14 1 0 1 1 0 8 0 pgrppl 48 35 0 18 1 0 1 1 0 8 0 ucredpl 104 529 0 518 1 0 1 1 0 8 0 zombiepl 144 744 0 744 1 0 1 1 0 8 1 processpl 1168 796 0 744 6 0 6 6 0 8 1 procpl 664 1329 0 1265 8 0 8 8 0 8 2 sosppl 168 3 0 3 1 1 0 1 0 8 0 sockpl 552 779 0 744 11 4 7 7 0 8 4 mcl64k 65536 16 0 16 2 1 1 1 0 8 1 mcl12k 12288 1 0 1 1 0 1 1 0 8 1 mcl9k 9216 2 0 2 1 0 1 1 0 8 1 mcl8k 8192 10 0 10 2 1 1 1 0 8 1 mcl4k 4096 2912 0 2861 14 6 8 13 0 8 1 mcl2k2 2112 1 0 1 1 0 1 1 0 8 1 mcl2k 2048 642 0 634 3 0 3 3 0 8 2 mtagpl 96 5 0 4 1 0 1 1 0 8 0 mbufpl 256 7419 0 7287 15 0 15 15 0 8 1 bufpl 280 5848 0 126 409 0 409 409 0 8 0 anonpl 24 153186 0 149620 68 24 44 52 0 187 15 amapchunkpl 152 19201 0 18697 36 3 33 33 0 158 12 amappl16 200 3474 0 3445 31 19 12 18 0 8 8 amappl15 192 25 0 25 2 1 1 1 0 8 1 amappl14 184 128 0 117 1 0 1 1 0 8 0 amappl13 176 3 0 2 1 0 1 1 0 8 0 amappl12 168 1366 0 1336 3 1 2 3 0 8 0 amappl11 160 46 0 36 1 0 1 1 0 8 0 amappl10 152 7 0 7 1 1 0 1 0 8 0 amappl9 144 242 0 241 1 0 1 1 0 8 0 amappl8 136 19 0 17 1 0 1 1 0 8 0 amappl7 128 109 0 98 1 0 1 1 0 8 0 amappl6 120 194 0 190 1 0 1 1 0 8 0 amappl5 112 123 0 116 1 0 1 1 0 8 0 amappl4 104 279 0 263 1 0 1 1 0 8 0 amappl3 96 3537 0 3427 4 0 4 4 0 8 1 amappl2 88 622 0 563 2 0 2 2 0 8 0 amappl1 80 9655 0 9028 14 1 13 13 0 8 0 amappl 88 5127 0 4960 5 0 5 5 0 92 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma1024 1024 1 0 0 1 0 1 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 255 0 255 2 1 1 1 0 8 1 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 72 117 0 2 3 0 3 3 0 8 0 uaddrrnd 24 754 0 724 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 754 0 724 1 0 1 1 0 8 0 vmmpekpl 168 7310 0 7279 2 0 2 2 0 8 0 vmmpepl 168 54187 0 52211 104 12 92 95 0 357 3 vmsppl 368 753 0 724 4 1 3 4 0 8 0 rwobjpl 40 19888 0 16385 36 0 36 36 0 8 0 pdppl 4096 1515 0 1448 103 34 69 79 0 8 2 pvpl 32 362775 0 353262 148 35 113 118 0 265 25 pmappl 216 753 0 724 2 0 2 2 0 8 0 extentpl 40 45 0 27 1 0 1 1 0 8 0 phpool 112 394 0 56 10 0 10 10 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80002e1290c8) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8550) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003a5612a0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806ba22610,41,fffffd8007bfb548,ffff80002a7f8550) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806da8b810,ffff80002a7f8550) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806da8b810,ffff80002a7f8550) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003a5614f0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003a5614f0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x214d5700590, count: -13 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x25 sys/arch/amd64/amd64/db_interface.c:438 panic(ffffffff8333c2a7) at panic+0x1cf sys/kern/subr_prf.c:198 __assert(ffffffff83379931,ffffffff832d0363,1f5,ffffffff8333261d) at __assert+0x29 sys/kern/subr_prf.c:-1 pipex_unlink_session_locked(ffff80002e1290c8) at pipex_unlink_session_locked+0x402 pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 pipex_rele_session sys/net/pipex.c:-1 [inline] pipex_destroy_all_sessions(ffff80000147e000) at pipex_destroy_all_sessions+0xd9 sys/net/pipex.c:153 pppacclose(637e,41,2000,ffff80002a7f8550) at pppacclose+0x16f sys/net/if_pppx.c:1335 spec_close(ffff80003a5612a0) at spec_close+0x417 sys/kern/spec_vnops.c:-1 VOP_CLOSE(fffffd806ba22610,41,fffffd8007bfb548,ffff80002a7f8550) at VOP_CLOSE+0x129 sys/kern/vfs_vops.c:156 vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d vn_close sys/kern/vfs_vnops.c:292 [inline] vn_closefile(fffffd806da8b810,ffff80002a7f8550) at vn_closefile+0x11d sys/kern/vfs_vnops.c:615 fdrop(fffffd806da8b810,ffff80002a7f8550) at fdrop+0x121 sys/kern/kern_descrip.c:1280 closef(fffffd806da8b810,ffff80002a7f8550) at closef+0x190 sys/kern/kern_descrip.c:1264 syscall(ffff80003a5614f0) at syscall+0x962 mi_syscall sys/sys/syscall_mi.h:-1 [inline] syscall(ffff80003a5614f0) at syscall+0x962 sys/arch/amd64/amd64/trap.c:748 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0x214d5700590, count: -13