To reproduce the panic, call `SNDSTIOC_ADD_USER_DEVS` with an uninitialized `sndstioc_nv_arg->buf`:
```
#include <sys/sndstat.h>
#include <err.h>
#include <fcntl.h>
#include <string.h>
int
main(int argc, char *argv[])
{
struct sndstioc_nv_arg arg;
int fd;
if ((fd = open("/dev/sndstat", O_RDWR)) < 0)
err(1, "open()");
arg.nbytes = 14;
if (ioctl(fd, SNDSTIOC_ADD_USER_DEVS, &arg) < 0)
err(1, "ioctl(SNDSTIOC_ADD_USER_DEVS)");
return (0);
}
```
Panic:
```
panic: Assertion (nvl) != ((void *)0) failed at /mnt/src/sys/contrib/libnv/nvlist.c:387
cpuid = 0
time = 1715988197
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046d42270
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046d423d0
vpanic() at vpanic+0x210/frame 0xfffffe0046d42570
panic() at panic+0xb5/frame 0xfffffe0046d42640
nvlist_find() at nvlist_find+0x11f/frame 0xfffffe0046d42680
nvlist_exists_nvlist_array() at nvlist_exists_nvlist_array+0x11/frame 0xfffffe0046d42690
sndstat_ioctl() at sndstat_ioctl+0x824/frame 0xfffffe0046d42790
devfs_ioctl() at devfs_ioctl+0x1f6/frame 0xfffffe0046d42870
vn_ioctl() at vn_ioctl+0x235/frame 0xfffffe0046d42a80
devfs_ioctl_f() at devfs_ioctl_f+0x6c/frame 0xfffffe0046d42ad0
kern_ioctl() at kern_ioctl+0x3a1/frame 0xfffffe0046d42bb0
sys_ioctl() at sys_ioctl+0x247/frame 0xfffffe0046d42d10
amd64_syscall() at amd64_syscall+0x39e/frame 0xfffffe0046d42f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0046d42f30
--- syscall (54, FreeBSD ELF64, ioctl), rip = 0x821be28fa, rsp = 0x820bf78a8, rbp = 0x820bf7960 ---
KDB: enter: panic
[ thread pid 945 tid 100108 ]
Stopped at kdb_enter+0x34: movq $0,0x1f09d01(%rip)
```