From owner-freebsd-transport@freebsd.org Thu May 20 21:04:42 2021
From: Mark Johnston
Date: Thu, 20 May 2021 17:04:40 -0400
To: Michael Tuexen
Cc: freebsd-transport@freebsd.org, rscheff@freebsd.org
Subject: Re: integer divide fault in tcp_mss()
References: <88EFAFD0-7743-413A-8F3B-61835CF97721@freebsd.org>
In-Reply-To: <88EFAFD0-7743-413A-8F3B-61835CF97721@freebsd.org>
List-Id: Discussions of transport level network protocols in FreeBSD

On Thu, May 20, 2021 at 10:58:01PM +0200, Michael Tuexen wrote:
> > On 20. May 2021, at 22:31, Mark Johnston wrote:
> > 
> > Hi,
> > 
> > My syzkaller instance managed to trigger an integer divide fault in
> > tcp_mss(). I attached a reproducer with debugging info.
> > 
> > I'm not sure if it's a recent regression or not. Interestingly, syzbot
> > doesn't appear to have discovered this one.
> > 
> > #14
> > #15 0xffffffff80dee710 in tcp_mss (tp=tp@entry=0xfffffe00cb99e428, offer=offer@entry=-1) at /usr/home/markj/src/freebsd/sys/netinet/tcp_input.c:3903
> > #16 0xffffffff80e0cc70 in tcp_usr_send (so=, flags=, m=0x0, nam=0xfffff800038c9dc0, control=,
> >     td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/netinet/tcp_usrreq.c:1144
> > #17 0xffffffff80cbe3f7 in sosend_generic (so=0xfffff8006806db10, addr=0xfffff800038c9dc0, uio=, top=0xfffff80004a18900,
> >     control=, flags=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1759
> > #18 0xffffffff80cbe706 in sosend (so=0x0, so@entry=0xfffff8006806db10, addr=0x10000, uio=0x0, uio@entry=0xfffffe0084f248a8, top=0xffff, top@entry=0x0,
> >     control=control@entry=0x0, flags=16, flags@entry=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1809
> > #19 0xffffffff80cc54ec in kern_sendit (td=, td@entry=0xfffffe00cb995740, s=3, mp=, mp@entry=0xfffffe0084f24980, flags=128,
> >     control=0x0, segflg=segflg@entry=UIO_USERSPACE) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:798
> > #20 0xffffffff80cc588b in sendit (td=0xfffffe00cb995740, s=65536, mp=mp@entry=0xfffffe0084f24980, flags=65535)
> >     at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:723
> > #21 0xffffffff80cc569d in sys_sendto (td=0x0, uap=) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:841
> > #22 0xffffffff810cf77e in syscallenter (td=) at /usr/home/markj/src/freebsd/sys/amd64/amd64/../../kern/subr_syscall.c:189
> > #23 amd64_syscall (td=0xfffffe00cb995740, traced=0) at /usr/home/markj/src/freebsd/sys/amd64/amd64/trap.c:1156
> 
> Does the reproducer work for you?

Hrm, I reproduced the crash in a test VM but now I can't get it to happen
anymore using a stock GENERIC kernel. This is probably from a local
change that I was testing then. Sorry for the noise.