syzbot

panic: malformed IPv4 option passed to ip_optcopy
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
 198720  94493      0           0          0    0  syz-executor5461
*149272  94493      0           0  0x4000000    1K syz-executor5461
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(cf5c07fbf8856990,ffffff007f1433d9,ffff800000173290) at ip_fragment+0x625
ip_output(17d5a39689666dd0,ffffff006f307460,ffffff007f143300,0,ffffff006f016800,ffffff006f308c00) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(cf5c07fbf81f54fa,1400,ffffff006f308c00,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(58a7126b623f4bbc,ffffff006e4af260,ffff8000210e72c8,ffff8000210e7400,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5a2f71672af20b5,0,3,ffff8000210b4bc8,ffff8000210e7400) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_writev(fbe5352a4b0548a4,790,ffff8000210b4bc8) at sys_writev+0xdb sys/kern/sys_generic.c:310
syscall(2d7fac4b52467d04) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(2d7fac4b52467d04) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,10aec53c4a0,0,1083f18e108,1083f18e100) at Xsyscall+0x128
end of kernel
end trace frame: 0x10afe8803d0, count: 5
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{1}> 
ddb{1}> set $lines = 0
ddb{1}> show panic
malformed IPv4 option passed to ip_optcopy
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
panic() at panic+0x147 sys/kern/subr_prf.c:208
ip_fragment(cf5c07fbf8856990,ffffff007f1433d9,ffff800000173290) at ip_fragment+0x625
ip_output(17d5a39689666dd0,ffffff006f307460,ffffff007f143300,0,ffffff006f016800,ffffff006f308c00) at ip_output+0xc8d sys/netinet/ip_output.c:501
udp_output(cf5c07fbf81f54fa,1400,ffffff006f308c00,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004
sosend(58a7126b623f4bbc,ffffff006e4af260,ffff8000210e72c8,ffff8000210e7400,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513
dofilewritev(c5a2f71672af20b5,0,3,ffff8000210b4bc8,ffff8000210e7400) at dofilewritev+0x148 sys/kern/sys_generic.c:364
sys_writev(fbe5352a4b0548a4,790,ffff8000210b4bc8) at sys_writev+0xdb sys/kern/sys_generic.c:310
syscall(2d7fac4b52467d04) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(2d7fac4b52467d04) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,10aec53c4a0,0,1083f18e108,1083f18e100) at Xsyscall+0x128
end of kernel
end trace frame: 0x10afe8803d0, count: -10
ddb{1}> show registers
rdi               0xffffffff81edbb38    kprintf_mutex
rsi                              0x5
rbp               0xffff8000210e6ef0
rbx               0xffff8000210e6f90
rdx                            0x3fd
rcx                                0
rax                              0x1
r8                0xffff8000210e6ec0
r9                                 0
r10               0x8989983e3d4cbb6c
r11               0x1ecd66cd6e111d7c
r12                     0x3000000008
r13               0xffff8000210e6f00
r14                            0x100
r15               0xffffffff81c5e947    substchar+0x10fc3
rip               0xffffffff811bca38    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff8000210e6ee0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor5461) pid=149272 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=51, usrpri=51, nice=20
    forw=0xffffffffffffffff, list=0xffff8000210b4e20,0xffffffff81f734e0
    process=0xffff80002109a018 user=0xffff8000210e2000, vmspace=0xffffff007f123528
    estcpu=1, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{1}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 94493  198720  43260      0  7           0                syz-executor5461
 94493  162239  43260      0  3   0x4000080  fsleep        syz-executor5461
 94493  394784  43260      0  3   0x4000080  fsleep        syz-executor5461
*94493  149272  43260      0  7   0x4000000                syz-executor5461
 43260  274301  75395      0  3        0x82  nanosleep     syz-executor5461
 75395  450220  64241      0  3    0x10008a  pause         ksh
 64241  303646  48657      0  3        0x92  select        sshd
 79547  114943      1      0  3    0x100083  ttyin         getty
 48657  227558      1      0  3        0x80  select        sshd
 96995   62829  52889     73  3    0x100090  kqread        syslogd
 52889  195501      1      0  3    0x100082  netio         syslogd
 54315  463431      1     77  3    0x100090  poll          dhclient
 73361  215428      1      0  3        0x80  poll          dhclient
 86678  514671      0      0  3     0x14200  pgzero        zerothread
 42358  218261      0      0  3     0x14200  aiodoned      aiodoned
 49820  313607      0      0  3     0x14200  syncer        update
 37386  150931      0      0  3     0x14200  cleaner       cleaner
 99507  369069      0      0  3     0x14200  reaper        reaper
 71626  455578      0      0  3     0x14200  pgdaemon      pagedaemon
  5952  290225      0      0  3     0x14200  bored         crynlk
 45274  204849      0      0  3     0x14200  bored         crypto
 64538  202509      0      0  3  0x40014200  acpi0         acpi0
 65675  191149      0      0  3  0x40014200                idle1
 54482  144785      0      0  3     0x14200  bored         softnet
 35473  495950      0      0  3     0x14200  bored         systqmp
 50658  228535      0      0  3     0x14200  bored         systq
 16489  118424      0      0  3  0x40014200  bored         softclock
 47302  104405      0      0  3  0x40014200                idle0
     1  106821      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{1}>