panic: tcp_output: template len != hdrlen - optlen


syzbot

Sep 26, 2019, 6:33:07 AM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: fb00f44f When battery state switches to critical, apmd(8) ..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=1216134d600000
kernel config: https://syzkaller.appspot.com/x/.config?x=26ca0a9c07f16a3a
dashboard link: https://syzkaller.appspot.com/bug?extid=23c0824b688f28c79c1b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153d456d600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+23c082...@syzkaller.appspotmail.com

login: panic: tcp_output: template len != hdrlen - optlen
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
62236 57317 0 0x2 0 0K syz-executor.0
*295219 57335 0 0x12 0 1 sshd
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:207
tcp_output(ffff800000a7a100) at tcp_output+0x2c28 tcp_setpersist
sys/netinet/tcp_output.c:1130 [inline]
tcp_output(ffff800000a7a100) at tcp_output+0x2c28
sys/netinet/tcp_output.c:333
tcp_usrreq(fffffd806e975c08,9,fffffd806d6c3400,0,0,ffff800020ac1b38) at
tcp_usrreq+0xa45
sosend(fffffd806e975c08,0,ffff800020aeb408,0,0,80) at sosend+0x645
sys/kern/uipc_socket.c:524
dofilewritev(ffff800020ac1b38,4,ffff800020aeb408,0,ffff800020aeb4f0) at
dofilewritev+0x1b7 sys/kern/sys_generic.c:364
sys_write(ffff800020ac1b38,ffff800020aeb4a0,ffff800020aeb4f0) at
sys_write+0x83 sys/kern/sys_generic.c:284
syscall(ffff800020aeb570) at syscall+0x4a4 mi_syscall
sys/sys/syscall_mi.h:92 [inline]
syscall(ffff800020aeb570) at syscall+0x4a4 sys/arch/amd64/amd64/trap.c:555
Xsyscall(6,4,8e421f1616b,4,4,8e6c4eb1080) at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffc4cb0, count: 6
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{1}>
ddb{1}>


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches