panic: malformed IPv4 option passed to ip_optcopy Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 365949 75496 65534 0x10 0 0 syz-executor1 *101519 75496 65534 0x10 0x4000000 1K syz-executor1 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(7ea7536a75616f7c,ffffff0074f8d9d9,ffff800000173290) at ip_fragment+0x625 ip_output(d3627c8d2952cf3d,ffffff006f2fc118,ffffff0074f8d900,0,ffffff006d8aec00,ffffff006e71dc08) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(233df67544314163,1400,ffffff006e71dc08,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(79ac66295e5064d2,ffffff00681b2e20,ffff800021199220,ffff8000211992d0,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513 dofilewritev(c5d8e032ad849e86,ffff80002108bc38,ffff8000211992d0,1000,ffff8000211992e8) at dofilewritev+0x148 sys/kern/sys_generic.c:364 sys_write(2c8bc2bbbf49ec6a,40,ffff80002108bc38) at sys_write+0x7b sys/kern/sys_generic.c:283 syscall(8a61feb5c2b2d6da) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(8a61feb5c2b2d6da) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,c,0,3,1c2da879010) at Xsyscall+0x128 end of kernel end trace frame: 0x1c51fb9ba10, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> show panic malformed IPv4 option passed to ip_optcopy ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(7ea7536a75616f7c,ffffff0074f8d9d9,ffff800000173290) at ip_fragment+0x625 ip_output(d3627c8d2952cf3d,ffffff006f2fc118,ffffff0074f8d900,0,ffffff006d8aec00,ffffff006e71dc08) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(233df67544314163,1400,ffffff006e71dc08,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(79ac66295e5064d2,ffffff00681b2e20,ffff800021199220,ffff8000211992d0,1000,0) at sosend+0x477 sys/kern/uipc_socket.c:513 dofilewritev(c5d8e032ad849e86,ffff80002108bc38,ffff8000211992d0,1000,ffff8000211992e8) at dofilewritev+0x148 sys/kern/sys_generic.c:364 sys_write(2c8bc2bbbf49ec6a,40,ffff80002108bc38) at sys_write+0x7b sys/kern/sys_generic.c:283 syscall(8a61feb5c2b2d6da) at syscall+0x473 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(8a61feb5c2b2d6da) at syscall+0x473 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,c,0,3,1c2da879010) at Xsyscall+0x128 end of kernel end trace frame: 0x1c51fb9ba10, count: -10 ddb{1}> show registers rdi 0xffffffff81f15558 kprintf_mutex rsi 0xffffffff8109bf47 db_enter+0x17 rbp 0xffff800021198e50 rbx 0xffff800021198ef0 rdx 0xffff8000042df000 rcx 0x129f __ALIGN_SIZE+0x29f rax 0xffff8000042df000 r8 0xffff800021198e20 r9 0 r10 0xacb42b66d5a98c40 r11 0xf168591978ec38cf r12 0x3000000008 r13 0xffff800021198e60 r14 0x100 r15 0xffffffff81c5f94c apollo_udma100_tim+0x10bae rip 0xffffffff8109bf48 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff800021198e40 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor1) pid=101519 stat=onproc flags process=10 proc=4000000 pri=81, usrpri=81, nice=20 forw=0xffffffffffffffff, list=0xffff80002108a4c8,0xffffffff81fbf118 process=0xffff8000210646a0 user=0xffff800021194000, vmspace=0xffffff0065979c68 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 75496 365949 22087 65534 7 0x10 syz-executor1 *75496 101519 22087 65534 7 0x4000010 syz-executor1 84018 267273 49080 65534 3 0x90 nanosleep syz-executor0 84018 389140 49080 65534 3 0x4000090 piperd syz-executor0 49080 259755 94496 65534 3 0x90 nanosleep syz-executor0 94496 380045 92664 0 3 0x82 wait syz-executor0 22087 358697 8822 65534 3 0x90 nanosleep syz-executor1 8822 40310 92664 0 3 0x82 wait syz-executor1 92046 45666 0 0 3 0x14200 bored sosplice 92664 137206 16025 0 3 0x82 thrsleep syz-fuzzer 92664 80833 16025 0 3 0x4000082 nanosleep syz-fuzzer 92664 203684 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 126959 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 279011 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 144629 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 452866 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 59393 16025 0 3 0x4000082 kqread syz-fuzzer 92664 110682 16025 0 3 0x4000082 thrsleep syz-fuzzer 92664 171462 16025 0 3 0x4000082 nanosleep syz-fuzzer 16025 315452 44723 0 3 0x10008a pause ksh 44723 105811 38410 0 3 0x92 select sshd 55938 15106 1 0 3 0x100083 ttyin getty 38410 411362 1 0 3 0x80 select sshd 48566 157821 66366 73 3 0x100090 kqread syslogd 66366 301054 1 0 3 0x100082 netio syslogd 82084 418369 1 77 3 0x100090 poll dhclient 13260 327573 1 0 3 0x80 poll dhclient 37122 387859 0 0 3 0x14200 pgzero zerothread 34260 177508 0 0 3 0x14200 aiodoned aiodoned 1718 468884 0 0 3 0x14200 syncer update 89324 334774 0 0 3 0x14200 cleaner cleaner 22 434730 0 0 3 0x14200 reaper reaper 37355 22422 0 0 3 0x14200 pgdaemon pagedaemon 38494 479977 0 0 3 0x14200 bored crynlk 12255 377899 0 0 3 0x14200 bored crypto 43721 222245 0 0 3 0x40014200 acpi0 acpi0 24472 401461 0 0 3 0x40014200 idle1 61989 159715 0 0 3 0x14200 bored softnet 41099 392852 0 0 3 0x14200 bored systqmp 91597 263306 0 0 3 0x14200 bored systq 48327 147667 0 0 3 0x40014200 bored softclock 77085 476335 0 0 3 0x40014200 idle0 1 292742 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper