integer divide fault in tcp_mss()

Thu May 20 21:04:42 UTC 2021

On Thu, May 20, 2021 at 10:58:01PM +0200, Michael Tuexen wrote:
> > On 20. May 2021, at 22:31, Mark Johnston <markj at freebsd.org> wrote:
> > 
> > Hi,
> > 
> > My syzkaller instance managed to trigger an integer divide fault in
> > tcp_mss().  I attached a reproducer with debugging info.
> > 
> > I'm not sure if it's a recent regression or not.  Interestingly, syzbot
> > doesn't appear to have discovered this one.
> > 
> > #14 <signal handler called> 
> > #15 0xffffffff80dee710 in tcp_mss (tp=tp at entry=0xfffffe00cb99e428, offer=offer at entry=-1) at /usr/home/markj/src/freebsd/sys/netinet/tcp_input.c:3903
> > #16 0xffffffff80e0cc70 in tcp_usr_send (so=<optimized out>, flags=<optimized out>, m=0x0, nam=0xfffff800038c9dc0, control=<optimized out>, 
> >    td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/netinet/tcp_usrreq.c:1144
> > #17 0xffffffff80cbe3f7 in sosend_generic (so=0xfffff8006806db10, addr=0xfffff800038c9dc0, uio=<optimized out>, top=0xfffff80004a18900, 
> >    control=<optimized out>, flags=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1759
> > #18 0xffffffff80cbe706 in sosend (so=0x0, so at entry=0xfffff8006806db10, addr=0x10000, uio=0x0, uio at entry=0xfffffe0084f248a8, top=0xffff, top at entry=0x0, 
> >    control=control at entry=0x0, flags=16, flags at entry=128, td=0xfffffe00cb995740) at /usr/home/markj/src/freebsd/sys/kern/uipc_socket.c:1809
> > #19 0xffffffff80cc54ec in kern_sendit (td=<optimized out>, td at entry=0xfffffe00cb995740, s=3, mp=<optimized out>, mp at entry=0xfffffe0084f24980, flags=128, 
> >    control=0x0, segflg=segflg at entry=UIO_USERSPACE) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:798
> > #20 0xffffffff80cc588b in sendit (td=0xfffffe00cb995740, s=65536, mp=mp at entry=0xfffffe0084f24980, flags=65535)
> >    at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:723
> > #21 0xffffffff80cc569d in sys_sendto (td=0x0, uap=<optimized out>) at /usr/home/markj/src/freebsd/sys/kern/uipc_syscalls.c:841
> > #22 0xffffffff810cf77e in syscallenter (td=<optimized out>) at /usr/home/markj/src/freebsd/sys/amd64/amd64/../../kern/subr_syscall.c:189
> > #23 amd64_syscall (td=0xfffffe00cb995740, traced=0) at /usr/home/markj/src/freebsd/sys/amd64/amd64/trap.c:1156
> > <report.txt>
> Does the reproducer work for you? 

Hrm, I reproduced the crash in a test VM but now I can't get it to
happen anymore using a stock GENERIC kernel.  This is probably from a
local change that I was testing then.  Sorry for the noise.