panic: tcp_output: template len != hdrlen - optlen Stopped at db_enter+0x18: addq $0x8,%rsp TID PID UID PRFLAGS PFLAGS CPU COMMAND *514618 93144 0 0x2 0x4000000 0 syz-fuzzer db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823f3b71) at panic+0x15c sys/kern/subr_prf.c:207 tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 tcp_setpersist sys/netinet/tcp_output.c:1130 [inline] tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 sys/netinet/tcp_output.c:333 tcp_usrreq(fffffd805da7caf8,9,fffffd805bc01c00,0,0,ffff80001d718120) at tcp_usrreq+0xa54 sosend(fffffd805da7caf8,0,ffff80001d75df68,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d718120,3,ffff80001d75df68,0,ffff80001d75e050) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d718120,ffff80001d75e000,ffff80001d75e050) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d75e0d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc002ae13c8, count: 6 https://www.openbsd.org/ddb.html describes the minimum info required in bug reports. Insufficient info makes it difficult to find and fix bugs. ddb> ddb> set $lines = 0 ddb> set $maxwidth = 0 ddb> show panic tcp_output: template len != hdrlen - optlen ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823f3b71) at panic+0x15c sys/kern/subr_prf.c:207 tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 tcp_setpersist sys/netinet/tcp_output.c:1130 [inline] tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 sys/netinet/tcp_output.c:333 tcp_usrreq(fffffd805da7caf8,9,fffffd805bc01c00,0,0,ffff80001d718120) at tcp_usrreq+0xa54 sosend(fffffd805da7caf8,0,ffff80001d75df68,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d718120,3,ffff80001d75df68,0,ffff80001d75e050) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d718120,ffff80001d75e000,ffff80001d75e050) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d75e0d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc002ae13c8, count: -9 ddb> show registers rdi 0 rsi 0x1 rbp 0xffff80001d75dad0 rbx 0xffff80001d75db80 rdx 0x2 rcx 0 rax 0x1 r8 0xffffffff81cf67ff kprintf+0x15f r9 0x1 r10 0x2 r11 0x6a6a11be2adf15f8 r12 0x3000000008 r13 0xffff80001d75dae0 r14 0x100 r15 0x1 rip 0xffffffff81fe3938 db_enter+0x18 cs 0x8 rflags 0x246 rsp 0xffff80001d75dac0 ss 0x10 db_enter+0x18: addq $0x8,%rsp ddb> show proc PROC (syz-fuzzer) pid=514618 stat=onproc flags process=2 proc=4000000 pri=32, usrpri=58, nice=20 forw=0xffffffffffffffff, list=0xffff80001d717280,0xffff80001d7183a0 process=0xffff8000ffff8018 user=0xffff80001d759000, vmspace=0xfffffd806bc0a440 estcpu=8, cpticks=0, pctcpu=0.42 user=0, sys=0, intr=0 ddb> ps PID TID PPID UID S FLAGS WAIT COMMAND 72156 32190 20558 0 2 0 syz-executor.0 72156 288056 20558 0 3 0x4000080 lockf syz-executor.0 72156 231054 20558 0 2 0x4000000 syz-executor.0 94040 477322 0 0 3 0x14200 acct acct 90988 300825 0 0 3 0x14200 bored sosplice 20558 56506 93144 0 3 0x82 nanosleep syz-executor.0 93144 236278 60404 0 3 0x82 thrsleep syz-fuzzer 93144 186264 60404 0 2 0x4000002 syz-fuzzer 93144 513465 60404 0 2 0x4000002 syz-fuzzer 93144 375838 60404 0 3 0x4000082 thrsleep syz-fuzzer *93144 514618 60404 0 7 0x4000002 syz-fuzzer 93144 91942 60404 0 3 0x4000082 kqread syz-fuzzer 93144 352878 60404 0 3 0x4000082 thrsleep syz-fuzzer 93144 432110 60404 0 3 0x4000082 thrsleep syz-fuzzer 60404 20053 41987 0 3 0x10008a pause ksh 41987 239674 6463 0 3 0x92 select sshd 77168 72512 1 0 3 0x100083 ttyin getty 6463 365837 1 0 3 0x80 select sshd 88018 515234 8816 73 3 0x100090 kqread syslogd 8816 369708 1 0 3 0x100082 netio syslogd 98010 194760 1 77 3 0x100090 poll dhclient 95211 441073 1 0 3 0x80 poll dhclient 43798 94961 0 0 3 0x14200 bored smr 40888 389715 0 0 2 0x14200 zerothread 71330 520588 0 0 3 0x14200 aiodoned aiodoned 37536 295725 0 0 3 0x14200 syncer update 23780 521737 0 0 3 0x14200 cleaner cleaner 6554 298976 0 0 3 0x14200 reaper reaper 68859 452745 0 0 3 0x14200 pgdaemon pagedaemon 51996 496679 0 0 3 0x14200 bored crynlk 73125 404214 0 0 3 0x14200 bored crypto 54433 372311 0 0 3 0x40014200 acpi0 acpi0 14794 281895 0 0 3 0x14200 bored softnet 40002 29611 0 0 3 0x14200 bored systqmp 87713 509699 0 0 3 0x14200 bored systq 9288 226034 0 0 3 0x40014200 bored softclock 91876 173197 0 0 3 0x40014200 idle0 1 442097 0 0 3 0x82 wait init 0 0 -1 0 3 0x10200 scheduler swapper ddb> show all locks No such command ddb> show malloc Type InUse MemUse HighUse Limit Requests Type Lim devbuf 9494 6347K 6920K 78643K 11499 0 pcb 13 8K 8K 78643K 65 0 rtable 108 9K 13K 78643K 793 0 ifaddr 78 17K 18K 78643K 179 0 counters 20 16K 16K 78643K 28 0 ioctlops 0 0K 4K 78643K 71 0 iov 0 0K 16K 78643K 253 0 mount 1 1K 1K 78643K 1 0 vnodes 1224 77K 77K 78643K 1578 0 UFS quota 1 32K 32K 78643K 1 0 UFS mount 5 36K 36K 78643K 5 0 shm 2 1K 5K 78643K 8 0 VM map 2 0K 0K 78643K 2 0 sem 12 0K 0K 78643K 82 0 dirhash 12 2K 2K 78643K 12 0 ACPI 1809 195K 288K 78643K 12938 0 file desc 4 9K 25K 78643K 555 0 proc 50 38K 63K 78643K 451 0 subproc 16 1K 2K 78643K 68 0 NFS srvsock 1 0K 0K 78643K 1 0 NFS daemon 1 16K 16K 78643K 1 0 ip_moptions 0 0K 0K 78643K 18 0 in_multi 70 3K 4K 78643K 182 0 ether_multi 1 0K 0K 78643K 10 0 mrt 0 0K 0K 78643K 1 0 ISOFS mount 1 32K 32K 78643K 1 0 MSDOSFS mount 1 16K 16K 78643K 1 0 ttys 43 201K 201K 78643K 43 0 exec 0 0K 1K 78643K 228 0 pagedep 1 8K 8K 78643K 1 0 inodedep 1 32K 32K 78643K 1 0 newblk 1 0K 0K 78643K 1 0 VM swap 7 26K 26K 78643K 7 0 UVM amap 131 32K 41K 78643K 2112 0 UVM aobj 10 2K 2K 78643K 21 0 memdesc 1 4K 4K 78643K 1 0 crypto data 1 1K 1K 78643K 1 0 ip6_options 0 0K 0K 78643K 45 0 NDP 10 0K 0K 78643K 34 0 temp 91 3860K 3929K 78643K 7758 0 kqueue 3 4K 9K 78643K 14 0 SYN cache 2 16K 16K 78643K 2 0 ddb> show all pools Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle arp 64 11 0 7 1 0 1 1 0 8 0 rtpcb 80 449 0 447 1 0 1 1 0 8 0 rtentry 112 96 0 66 2 0 2 2 0 8 0 unpcb 120 141 0 131 1 0 1 1 0 8 0 syncache 264 4 0 4 1 1 0 1 0 8 0 tcpqe 32 341 0 341 1 1 0 1 0 8 0 tcpcb 544 130 0 126 1 0 1 1 0 8 0 inpcb 296 651 0 644 2 0 2 2 0 8 1 nd6 48 24 0 23 1 0 1 1 0 8 0 pkpcb 40 2 0 2 1 1 0 1 0 8 0 ppxss 1128 1 0 1 1 1 0 1 0 8 0 pfrke_plain 160 12 0 8 1 0 1 1 0 8 0 pfrktable 1344 89 0 78 2 0 2 2 0 8 1 pftag 88 8 0 2 1 0 1 1 0 8 0 pfrule 1360 30 0 14 2 0 2 2 0 8 0 art_heap8 4096 1 0 0 1 0 1 1 0 8 0 art_heap4 256 384 0 250 13 1 12 13 0 8 0 art_table 32 385 0 250 2 0 2 2 0 8 0 art_node 16 95 0 67 1 0 1 1 0 8 0 sysvmsgpl 40 25 0 12 1 0 1 1 0 8 0 semupl 112 1 0 1 1 1 0 1 0 8 0 semapl 112 80 0 70 1 0 1 1 0 8 0 shmpl 112 19 0 11 1 0 1 1 0 8 0 dirhash 1024 17 0 0 3 0 3 3 0 8 0 dino2pl 256 2302 0 907 88 0 88 88 0 8 0 ffsino 240 2302 0 907 83 0 83 83 0 8 0 nchpl 144 3407 0 1831 60 0 60 60 0 8 0 rtmask 32 22 0 19 1 0 1 1 0 8 0 uvmvnodes 72 2648 0 0 49 0 49 49 0 8 0 vnodes 208 2648 0 0 140 0 140 140 0 8 0 namei 1024 8916 0 8916 1 0 1 1 0 8 1 vcpupl 1984 1 0 0 1 0 1 1 0 8 0 vmpool 528 1 0 0 1 0 1 1 0 8 0 pfiaddrpl 120 30 0 22 1 0 1 1 0 8 0 scxspl 192 9955 0 9955 1 0 1 1 0 8 1 plimitpl 152 39 0 33 1 0 1 1 0 8 0 sigapl 424 737 0 708 4 0 4 4 0 8 0 futexpl 56 11298 0 11298 1 0 1 1 0 8 1 knotepl 112 98 0 85 1 0 1 1 0 8 0 kqueuepl 144 55 0 52 1 0 1 1 0 8 0 pipepl 272 287 0 280 1 0 1 1 0 8 0 fdescpl 432 721 0 708 2 0 2 2 0 8 0 filepl 120 4620 0 4543 4 0 4 4 0 8 1 lockfpl 104 71 0 67 1 0 1 1 0 8 0 lockfspl 48 28 0 26 1 0 1 1 0 8 0 sessionpl 112 19 0 10 1 0 1 1 0 8 0 pgrppl 48 19 0 10 1 0 1 1 0 8 0 ucredpl 96 299 0 292 1 0 1 1 0 8 0 zombiepl 144 708 0 708 1 0 1 1 0 8 1 processpl 920 737 0 708 4 0 4 4 0 8 0 procpl 624 1317 0 1279 4 0 4 4 0 8 0 sosppl 128 6 0 6 1 1 0 1 0 8 0 sockpl 400 1248 0 1229 3 0 3 3 0 8 1 mcl64k 65536 31 0 31 2 1 1 1 0 8 1 mcl16k 16384 1 0 1 1 1 0 1 0 8 0 mcl12k 12288 192 0 192 1 0 1 1 0 8 1 mcl9k 9216 6 0 6 2 1 1 1 0 8 1 mcl8k 8192 15 0 15 1 0 1 1 0 8 1 mcl4k 4096 46 0 46 2 1 1 1 0 8 1 mcl2k2 2112 3 0 3 2 1 1 1 0 8 1 mcl2k 2048 77779 0 77727 20 12 8 17 0 8 0 mtagpl 96 34 0 6 2 1 1 1 0 8 0 mbufpl 256 129553 0 129401 21 5 16 17 0 8 0 bufpl 280 4433 0 125 308 0 308 308 0 8 0 anonpl 16 84177 0 68366 80 4 76 78 0 107 11 amapchunkpl 152 2964 0 2817 10 3 7 8 0 158 1 amappl16 192 3561 0 2418 63 5 58 58 0 8 0 amappl15 184 10 0 8 1 0 1 1 0 8 0 amappl14 176 24 0 18 1 0 1 1 0 8 0 amappl13 168 132 0 129 1 0 1 1 0 8 0 amappl12 160 94 0 93 1 0 1 1 0 8 0 amappl11 152 53 0 43 1 0 1 1 0 8 0 amappl10 144 243 0 238 1 0 1 1 0 8 0 amappl9 136 546 0 545 1 0 1 1 0 8 0 amappl8 128 459 0 418 2 0 2 2 0 8 0 amappl7 120 348 0 334 1 0 1 1 0 8 0 amappl6 112 27 0 22 1 0 1 1 0 8 0 amappl5 104 570 0 559 1 0 1 1 0 8 0 amappl4 96 533 0 504 1 0 1 1 0 8 0 amappl3 88 389 0 383 1 0 1 1 0 8 0 amappl2 80 4787 0 4727 2 0 2 2 0 8 0 amappl1 72 21921 0 21510 23 14 9 17 0 8 0 amappl 80 1568 0 1524 2 0 2 2 0 84 0 dma4096 4096 1 0 1 1 1 0 1 0 8 0 dma256 256 6 0 6 1 1 0 1 0 8 0 dma128 128 253 0 253 1 1 0 1 0 8 0 dma64 64 6 0 6 1 1 0 1 0 8 0 dma32 32 7 0 7 1 1 0 1 0 8 0 dma16 16 18 0 17 1 0 1 1 0 8 0 aobjpl 64 20 0 11 1 0 1 1 0 8 0 uaddrrnd 24 722 0 708 1 0 1 1 0 8 0 uaddrbest 32 2 0 0 1 0 1 1 0 8 0 uaddr 24 722 0 708 1 0 1 1 0 8 0 vmmpekpl 168 8849 0 8821 2 0 2 2 0 8 0 vmmpepl 168 91302 0 89133 131 12 119 119 0 357 24 vmsppl 272 721 0 708 3 1 2 2 0 8 1 pdppl 4096 1450 0 1417 6 1 5 6 0 8 0 pvpl 32 243288 0 224559 185 2 183 185 0 265 28 pmappl 200 721 0 708 1 0 1 1 0 8 0 extentpl 40 53 0 36 1 0 1 1 0 8 0 phpool 112 258 0 25 7 0 7 7 0 8 0 ddb> machine ddbcpu 0 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823f3b71) at panic+0x15c sys/kern/subr_prf.c:207 tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 tcp_setpersist sys/netinet/tcp_output.c:1130 [inline] tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 sys/netinet/tcp_output.c:333 tcp_usrreq(fffffd805da7caf8,9,fffffd805bc01c00,0,0,ffff80001d718120) at tcp_usrreq+0xa54 sosend(fffffd805da7caf8,0,ffff80001d75df68,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d718120,3,ffff80001d75df68,0,ffff80001d75e050) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d718120,ffff80001d75e000,ffff80001d75e050) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d75e0d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc002ae13c8, count: -9 ddb> machine ddbcpu 1 No such command ddb> trace db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398 panic(ffffffff823f3b71) at panic+0x15c sys/kern/subr_prf.c:207 tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 tcp_setpersist sys/netinet/tcp_output.c:1130 [inline] tcp_output(ffff800000ac1ee0) at tcp_output+0x2ad0 sys/netinet/tcp_output.c:333 tcp_usrreq(fffffd805da7caf8,9,fffffd805bc01c00,0,0,ffff80001d718120) at tcp_usrreq+0xa54 sosend(fffffd805da7caf8,0,ffff80001d75df68,0,0,80) at sosend+0x669 sys/kern/uipc_socket.c:555 dofilewritev(ffff80001d718120,3,ffff80001d75df68,0,ffff80001d75e050) at dofilewritev+0x1ab sys/kern/sys_generic.c:365 sys_write(ffff80001d718120,ffff80001d75e000,ffff80001d75e050) at sys_write+0x83 sys/kern/sys_generic.c:285 syscall(ffff80001d75e0d0) at syscall+0x507 sys/arch/amd64/amd64/trap.c:570 Xsyscall() at Xsyscall+0x128 end of kernel end trace frame: 0xc002ae13c8, count: -9