Date: Thu, 20 May 2021 17:04:40 -0400
From: Mark Johnston <markj@freebsd.org>
To: Michael Tuexen <tuexen@freebsd.org>
Cc: freebsd-transport@freebsd.org, rscheff@freebsd.org
Subject: Re: integer divide fault in tcp_mss()
Message-ID: <YKbO6NUHlzaaq4/H@nuc>
In-Reply-To: <88EFAFD0-7743-413A-8F3B-61835CF97721@freebsd.org>
References: <YKbHOnBZEVwcRzYX@nuc> <88EFAFD0-7743-413A-8F3B-61835CF97721@freebsd.org>
On Thu, May 20, 2021 at 10:58:01PM +0200, Michael Tuexen wrote:
> > On 20. May 2021, at 22:31, Mark Johnston <markj@freebsd.org> wrote:
> >
> > Hi,
> >
> > My syzkaller instance managed to trigger an integer divide fault in
> > tcp_mss(). I attached a reproducer with debugging info.
> >
> > I'm not sure if it's a recent regression or not. Interestingly, syzbot
> > doesn't appear to have discovered this one.
> >
> > #14 <signal handler called>
> > #15 0xffffffff80dee710 in tcp_mss (tp=tp@entry=0xfffffe00cb99e428, offer=offer@entry=-1) at /usr/home/markj/src/freebsd/sys/netinet/tcp_input.c:3903
> > #16 0xffffffff80e0cc70 in tcp_usr_send (so=<optimized out>, flags=<optimized out>, m=0x0, nam=0xfffff800038c9dc0, control=<optimized out>,
> > td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/netinet/tcp_usrreq.c:1144
> > #17 0xffffffff80cbe3f7 in sosend_generic (so=0xfffff8006806db10, addr=0xfffff800038c9dc0, uio=<optimized out>, top=0xfffff80004a18900,
> > control=<optimized out>, flags=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1759
> > #18 0xffffffff80cbe706 in sosend (so=0x0, so@entry=0xfffff8006806db10, addr=0x10000, uio=0x0, uio@entry=0xfffffe0084f248a8, top=0xffff, top@entry=0x0,
> > control=control@entry=0x0, flags=16, flags@entry=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1809
> > #19 0xffffffff80cc54ec in kern_sendit (td=<optimized out>, td@entry=0xfffffe00cb995740, s=3, mp=<optimized out>, mp@entry=0xfffffe0084f24980, flags=128,
> > control=0x0, segflg=segflg@entry=UIO_USERSPACE) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:798
> > #20 0xffffffff80cc588b in sendit (td=0xfffffe00cb995740, s=65536, mp=mp@entry=0xfffffe0084f24980, flags=65535)
> > at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:723
> > #21 0xffffffff80cc569d in sys_sendto (td=0x0, uap=<optimized out>) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:841
> > #22 0xffffffff810cf77e in syscallenter (td=<optimized out>) at /usr/home/markj/src/freebsd/sys/amd64/amd64/../../kern/subr_syscall.c:189
> > #23 amd64_syscall (td=0xfffffe00cb995740, traced=0) at /usr/home/markj/src/freebsd/sys/amd64/amd64/trap.c:1156
> > <report.txt>
> Does the reproducer work for you?

Hrm, I reproduced the crash in a test VM but now I can't get it to happen
anymore using a stock GENERIC kernel. This is probably from a local
change that I was testing then. Sorry for the noise.