panic: malformed IPv4 option passed to ip_optcopy Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND 52655 66867 0 0 0 0 syz-executor0 *507500 66867 0 0 0x4000000 1K syz-executor0 db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(92f96d2fa8582020,ffffff00699426d9,ffff800000173290) at ip_fragment+0x625 ip_output(4185686e01672c0f,ffffff006f4ae118,ffffff0069942600,0,ffffff00720d9400,ffffff006f4afa80) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(e0d07334cbd33dcc,1400,ffffff006f4afa80,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(bc42dedc8d18d660,ffffff00682e9e98,ffff80002114f2d0,1000,ffff80002114f380,0) at sosend+0x47a sys/kern/uipc_socket.c:513 dofilewritev(adfc7b215d346384,ffff80002108a720,ffff80002114f380,1000,ffff80002114f398) at dofilewritev+0x14b sys/kern/sys_generic.c:364 sys_write(fd8146f9d6356b09,40,ffff80002108a720) at sys_write+0x7b sys/kern/sys_generic.c:283 syscall(adfc7b215d8becab) at syscall+0x496 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(adfc7b215d8becab) at syscall+0x496 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,c,0,3,156f36bb010) at Xsyscall+0x128 end of kernel end trace frame: 0x15971f5b120, count: 5 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb{1}> ddb{1}> set $lines = 0 ddb{1}> show panic malformed IPv4 option passed to ip_optcopy ddb{1}> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399 panic() at panic+0x147 sys/kern/subr_prf.c:208 ip_fragment(92f96d2fa8582020,ffffff00699426d9,ffff800000173290) at ip_fragment+0x625 ip_output(4185686e01672c0f,ffffff006f4ae118,ffffff0069942600,0,ffffff00720d9400,ffffff006f4afa80) at ip_output+0xc8d sys/netinet/ip_output.c:501 udp_output(e0d07334cbd33dcc,1400,ffffff006f4afa80,0) at udp_output+0x45a sys/netinet/udp_usrreq.c:1004 sosend(bc42dedc8d18d660,ffffff00682e9e98,ffff80002114f2d0,1000,ffff80002114f380,0) at sosend+0x47a sys/kern/uipc_socket.c:513 dofilewritev(adfc7b215d346384,ffff80002108a720,ffff80002114f380,1000,ffff80002114f398) at dofilewritev+0x14b sys/kern/sys_generic.c:364 sys_write(fd8146f9d6356b09,40,ffff80002108a720) at sys_write+0x7b sys/kern/sys_generic.c:283 syscall(adfc7b215d8becab) at syscall+0x496 mi_syscall sys/sys/syscall_mi.h:99 [inline] syscall(adfc7b215d8becab) at syscall+0x496 sys/arch/amd64/amd64/trap.c:583 Xsyscall(6,0,c,0,3,156f36bb010) at Xsyscall+0x128 end of kernel end trace frame: 0x15971f5b120, count: -10 ddb{1}> show registers rdi 0xffffffff81efc328 kprintf_mutex rsi 0xffffffff816336e7 db_enter+0x17 rbp 0xffff80002114ef00 rbx 0xffff80002114efa0 rdx 0xffff80000093b000 rcx 0x14ac __ALIGN_SIZE+0x4ac rax 0xffff80000093b000 r8 0xffff80002114eed0 r9 0 r10 0x5bc66a926098740f r11 0x1471dd3e8583c1af r12 0x3000000008 r13 0xffff80002114ef10 r14 0x100 r15 0xffffffff81cd5393 substchar+0xdfee rip 0xffffffff816336e8 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80002114eef0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb{1}> show proc PROC (syz-executor0) pid=507500 stat=onproc flags process=0 proc=4000000 pri=74, usrpri=74, nice=20 forw=0xffffffffffffffff, list=0xffff80002108bc38,0xffffffff81fc53e0 process=0xffff800021065a50 user=0xffff80002114a000, vmspace=0xffffff007f124210 estcpu=36, cpticks=1, pctcpu=0.0 user=0, sys=1, intr=0 ddb{1}> ps PID TID PPID UID S FLAGS WAIT COMMAND 66867 52655 58756 0 7 0 syz-executor0 *66867 507500 58756 0 7 0x4000000 syz-executor0 80823 13423 1 0 3 0x100083 ttyin getty 64563 178648 0 0 3 0x14200 bored sosplice 90340 214047 47453 0 3 0x2 biowait syz-executor1 58756 364128 47453 0 3 0x82 nanosleep syz-executor0 47453 309812 41913 0 3 0x82 thrsleep syz-fuzzer 47453 167979 41913 0 3 0x4000082 nanosleep syz-fuzzer 47453 45671 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 190951 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 503026 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 81408 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 463101 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 64325 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 259162 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 390397 41913 0 3 0x4000082 thrsleep syz-fuzzer 47453 326547 41913 0 3 0x4000082 kqread syz-fuzzer 41913 383205 17871 0 3 0x10008a pause ksh 17871 487791 56605 0 3 0x92 select sshd 56605 201334 1 0 3 0x80 select sshd 37117 430181 26046 73 3 0x100090 kqread syslogd 26046 487010 1 0 3 0x100082 netio syslogd 91621 282783 1 77 3 0x100090 poll dhclient 98979 389324 1 0 3 0x80 poll dhclient 31851 351120 0 0 3 0x14200 pgzero zerothread 65233 332317 0 0 3 0x14200 aiodoned aiodoned 51798 345500 0 0 3 0x14200 syncer update 11997 343053 0 0 3 0x14200 cleaner cleaner 89944 268631 0 0 3 0x14200 reaper reaper 54647 142200 0 0 3 0x14200 pgdaemon pagedaemon 84352 293640 0 0 3 0x14200 bored crynlk 65684 225560 0 0 3 0x14200 bored crypto 80037 329797 0 0 3 0x40014200 acpi0 acpi0 83292 338904 0 0 3 0x40014200 idle1 7758 79418 0 0 3 0x14200 bored softnet 69739 170702 0 0 3 0x14200 bored systqmp 15986 199890 0 0 3 0x14200 bored systq 42739 25283 0 0 3 0x40014200 bored softclock 55844 229410 0 0 3 0x40014200 idle0 1 384767 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper