panic: malformed IPv4 option passed to ip_optcopy Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 284535 82723 65534 0x10 0 0 syz-executor0 *516031 82723 65534 0x10 0x4000000 1K syz-executor0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(5415214018450a98,ffffff007b4415b0,ffff800000173290) at ip_fragment+0x625 ip_output(1e35f711b454ec47,ffffff006f307118,ffffff007af73900,0,ffffff007af73900,ffffff006e717d88) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(5415214018df37f2,100d,ffffff006e717d88,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(dfc6741f1ea95eac,ffffff00664e36a0,ffff8000211139c8,ffff800021113b00,13f3,0) at sosend+0x477 sys/kern/uipc_socket.c:513 dofilewritev(7dc73e373e006fa0,0,8,ffff8000210459d0,ffff800021113b00) at dofilewritev+0x148 sys/kern/sys_generic.c:364 sys_writev(a539280468c9135,790,ffff8000210459d0) at sys_writev+0xdb sys/kern/sys_generic.c:310 syscall(276c9d71cc3e55f1) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(276c9d71cc3e55f1) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,d,0,3,d358eb5b010) at Xsyscall+0x128 end of kernel end trace frame: 0xd37db546f10, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> show panic malformed IPv4 option passed to ip_optcopy ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(5415214018450a98,ffffff007b4415b0,ffff800000173290) at ip_fragment+0x625 ip_output(1e35f711b454ec47,ffffff006f307118,ffffff007af73900,0,ffffff007af73900,ffffff006e717d88) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(5415214018df37f2,100d,ffffff006e717d88,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(dfc6741f1ea95eac,ffffff00664e36a0,ffff8000211139c8,ffff800021113b00,13f3,0) at sosend+0x477 sys/kern/uipc_socket.c:513 dofilewritev(7dc73e373e006fa0,0,8,ffff8000210459d0,ffff800021113b00) at dofilewritev+0x148 sys/kern/sys_generic.c:364 sys_writev(a539280468c9135,790,ffff8000210459d0) at sys_writev+0xdb sys/kern/sys_generic.c:310 syscall(276c9d71cc3e55f1) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(276c9d71cc3e55f1) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,d,0,3,d358eb5b010) at Xsyscall+0x128 end of kernel end trace frame: 0xd37db546f10, count: -10 ddb{1}> show registers rdi 0xffffffff81edbb38 kprintf_mutex rsi 0xffffffff811bca37 db_enter+0x17 rbp 0xffff8000211135f0 rbx 0xffff800021113690 rdx 0xffff800000ad9000 rcx 0x1833 __ALIGN_SIZE+0x833 rax 0xffff800000ad9000 r8 0xffff8000211135c0 r9 0 r10 0xe91e0c9e884ca374 r11 0x6c611b945b342705 r12 0x3000000008 r13 0xffff800021113600 r14 0x100 r15 0xffffffff81c5e947 substchar+0x10fc3 rip 0xffffffff811bca38 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff8000211135e0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor0) pid=516031 stat=onproc flags process=10 proc=4000000 pri=78, usrpri=78, nice=20 forw=0xffffffffffffffff, list=0xffff800021044710,0xffffffff81f734e0 process=0xffff8000210649e8 user=0xffff80002110e000, vmspace=0xffffff0069904c68 estcpu=36, cpticks=0, pctcpu=0.0 user=0, sys=0, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 82723 284535 60629 65534 7 0x10 syz-executor0 *82723 516031 60629 65534 7 0x4000010 syz-executor0 59667 425579 46529 65534 3 0x90 nanosleep syz-executor1 46529 204672 874 0 3 0x82 wait syz-executor1 60629 43501 21904 65534 3 0x90 nanosleep syz-executor0 21904 175610 874 0 3 0x82 wait syz-executor0 40937 507675 0 0 3 0x14200 bored sosplice 874 304793 12331 0 3 0x82 thrsleep syz-fuzzer 874 72928 12331 0 3 0x4000082 nanosleep syz-fuzzer 874 50472 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 353814 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 17074 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 315782 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 355106 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 406277 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 57 12331 0 3 0x4000082 kqread syz-fuzzer 874 465748 12331 0 3 0x4000082 thrsleep syz-fuzzer 874 459476 12331 0 3 0x4000082 nanosleep syz-fuzzer 874 232425 12331 0 3 0x4000082 thrsleep syz-fuzzer 12331 156354 78881 0 3 0x10008a pause ksh 78881 297748 95779 0 3 0x92 select sshd 78416 413991 1 0 3 0x100083 ttyin getty 95779 42982 1 0 3 0x80 select sshd 62492 480531 46363 73 3 0x100090 kqread syslogd 46363 13237 1 0 3 0x100082 netio syslogd 88561 4910 1 77 3 0x100090 poll dhclient 96062 4769 1 0 3 0x80 poll dhclient 32705 319178 0 0 3 0x14200 pgzero zerothread 22153 451930 0 0 3 0x14200 aiodoned aiodoned 4883 237199 0 0 3 0x14200 syncer update 19630 376728 0 0 3 0x14200 cleaner cleaner 10620 422563 0 0 3 0x14200 reaper reaper 22962 417509 0 0 3 0x14200 pgdaemon pagedaemon 38354 374165 0 0 3 0x14200 bored crynlk 52143 487430 0 0 3 0x14200 bored crypto 96880 278251 0 0 3 0x40014200 acpi0 acpi0 91899 184324 0 0 3 0x40014200 idle1 70369 193639 0 0 3 0x14200 bored softnet 2107 312869 0 0 3 0x14200 bored systqmp 81233 160194 0 0 3 0x14200 bored systq 77217 353287 0 0 3 0x40014200 bored softclock 28984 405996 0 0 3 0x40014200 idle0 1 489316 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper