From owner-freebsd-bugs@FreeBSD.ORG  Fri Dec  1 18:50:34 2006
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id E68D716A4D0
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  1 Dec 2006 18:50:34 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2EC7243CA5
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  1 Dec 2006 18:50:11 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kB1IoLMR083208
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 1 Dec 2006 18:50:21 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kB1IoLMD083206;
	Fri, 1 Dec 2006 18:50:21 GMT (envelope-from gnats)
Date: Fri, 1 Dec 2006 18:50:21 GMT
Message-Id: <200612011850.kB1IoLMD083206@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Mark Kamichoff <prox@prolixium.com>
Cc: 
Subject: Re: kern/105966: panic w/IPv6
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Mark Kamichoff <prox@prolixium.com>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2006 18:50:35 -0000

The following reply was made to PR kern/105966; it has been noted by GNATS.

From: Mark Kamichoff <prox@prolixium.com>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/105966: panic w/IPv6
Date: Fri, 1 Dec 2006 13:40:10 -0500

 --liOOAslEiF7prFVr
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Ruslan -=20
 
 On Fri, Dec 01, 2006 at 11:26:22AM +0300, Ruslan Ermilov wrote:
 > You're running IPv6 routing daemon, ospf6d(8), so you were vulnerable.
 > This bug has already been fixed; you need the following file/revision
 > to get a fix:
 >=20
 > $FreeBSD: src/sys/netinet6/nd6.c,v 1.48.2.16 2006/11/29 14:00:29 ru Exp $
 >=20
 > You can either upgrade your sources, or just pick up this
 > revision and recompile your kernel:
 >=20
 > http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/sys/netinet6/nd6.c?r=
 ev=3D1.48.2.16&content-type=3Dtext/plain
 >=20
 > Please follow-up with the success report so we can close the PR.
 
 Thanks.  I have updated my sources, and rebuilt everything.  It seems to
 be working fine, but judging from past history, the system could be
 stable for up to 2-3 weeks, and then panic.  It's up to you whether this
 PR should be open for such a duration.  Either way, I will send an
 update when after a couple of weeks.
 
 - Mark
 
 >=20
 > On Tue, Nov 28, 2006 at 06:00:29PM +0000, Mark Kamichoff wrote:
 > > >Synopsis:       panic w/IPv6
 > > >Release:        6.2-PRERELEASE
 > >=20
 > > Unread portion of the kernel message buffer:
 > > kernel trap 12 with interrupts disabled
 > >=20
 > >=20
 > > Fatal trap 12: page fault while in kernel mode
 > > fault virtual address   =3D 0x78
 > > fault code              =3D supervisor read, page not present
 > > instruction pointer     =3D 0x20:0xc0554ba7
 > > stack pointer           =3D 0x28:0xd43f2b28
 > > frame pointer           =3D 0x28:0xd43f2b2c
 > > code segment            =3D base 0x0, limit 0xfffff, type 0x1b
 > >                         =3D DPL 0, pres 1, def32 1, gran 1
 > > processor eflags        =3D resume, IOPL =3D 0
 > > current process         =3D 11 (swi1: net)
 > > trap number             =3D 12
 > > panic: page fault
 > > Uptime: 17d17h21m15s
 > > Dumping 510 MB (2 chunks)
 > >   chunk 0: 1MB (159 pages) ... ok
 > >   chunk 1: 510MB (130544 pages) 494 478 462 446 430 414 398 382 366 350=
  334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30=
  14
 > >=20
 > > #0  doadump () at pcpu.h:165
 > > 165             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
 > > (kgdb) bt
 > > #0  doadump () at pcpu.h:165
 > > #1  0xc052f44a in boot (howto=3D260) at /usr/src/sys/kern/kern_shutdown=
 =2Ec:409
 > > #2  0xc052f754 in panic (fmt=3D0xc0709871 "%s") at /usr/src/sys/kern/ke=
 rn_shutdown.c:565
 > > #3  0xc06e576d in trap_fatal (frame=3D0xd43f2ae8, eva=3D0) at /usr/src/=
 sys/i386/i386/trap.c:837
 > > #4  0xc06e4e85 in trap (frame=3D
 > >       {tf_fs =3D -1067450360, tf_es =3D -734068696, tf_ds =3D 40, tf_ed=
 i =3D -1019857920, tf_esi =3D -1020668032, tf_ebp =3D -734057684, tf_isp =
 =3D -734057708, tf_ebx =3D -1020701888, tf_edx =3D -1020668032, tf_ecx =3D =
 4, tf_eax =3D 4, tf_trapno =3D 12, tf_err =3D 0, tf_eip =3D -1068151897, tf=
 _cs =3D 32, tf_eflags =3D 65543, tf_esp =3D -1020668032, tf_ss =3D -7340576=
 48}) at /usr/src/sys/i386/i386/trap.c:270
 > > #5  0xc06d220a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 > > #6  0xc0554ba7 in turnstile_setowner (ts=3D0xc3295340, owner=3D0x4)
 > >     at /usr/src/sys/kern/subr_turnstile.c:432
 > > #7  0xc0554ed3 in turnstile_wait (lock=3D0xc5df4504, owner=3D0x4)
 > >     at /usr/src/sys/kern/subr_turnstile.c:591
 > > #8  0xc0524db7 in _mtx_lock_sleep (m=3D0xc5df4504, tid=3D3274299264, op=
 ts=3D0, file=3D0x0, line=3D0)
 > >     at /usr/src/sys/kern/kern_mutex.c:579
 > > #9  0xc05ffe40 in nd6_output (ifp=3D0xc3363400, origifp=3D0x4, m0=3D0xc=
 364a100, dst=3D0xc3777a9c,=20
 > >     rt0=3D0xc38de6b4) at /usr/src/sys/netinet6/nd6.c:2004
 > > #10 0xc05f3aec in ip6_forward (m=3D0xc364a100, srcrt=3D0)
 > >     at /usr/src/sys/netinet6/ip6_forward.c:626
 > > #11 0xc05f4d54 in ip6_input (m=3D0xc364a100) at /usr/src/sys/netinet6/i=
 p6_input.c:732
 > > #12 0xc05b7aa7 in netisr_processqueue (ni=3D0xc0777c84) at /usr/src/sys=
 /net/netisr.c:236
 > > #13 0xc05b7c9d in swi_net (dummy=3D0x0) at /usr/src/sys/net/netisr.c:343
 > > #14 0xc051631a in ithread_execute_handlers (p=3D0xc329ca78, ie=3D0xc32d=
 a300)
 > >     at /usr/src/sys/kern/kern_intr.c:682
 > > #15 0xc051645b in ithread_loop (arg=3D0xc3283700) at /usr/src/sys/kern/=
 kern_intr.c:765
 > > #16 0xc0514f51 in fork_exit (callout=3D0xc05163f8 <ithread_loop>, arg=
 =3D0x4, frame=3D0x4)
 > >     at /usr/src/sys/kern/kern_fork.c:821
 > > #17 0xc06d226c in fork_trampoline () at /usr/src/sys/i386/i386/exceptio=
 n.s:208
 > > (kgdb)=20
 > >=20
 > > More information (pkg_info, ps output, etc.):
 > >=20
 > > http://www.prolixium.com/share/txt/freebsd/ipv6/
 > >=20
 > > pf.conf can be provided, if needed.
 >=20
 > --=20
 > Ruslan Ermilov
 > ru@FreeBSD.org
 > FreeBSD committer
 >=20
 
 --=20
 Mark Kamichoff
 prox@prolixium.com
 http://prolixium.com/
 Rensselaer Polytechnic Institute, Class of 2004
 
 --liOOAslEiF7prFVr
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: Digital signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.5 (GNU/Linux)
 
 iD8DBQFFcHcK0TYC9KtF8BMRAmO/AJ9C0wVvwiO7tY1aFgZTcSbGhnqiGwCfTJLa
 ae6cVF4aMiz5ValqjVxYwkw=
 =KNhl
 -----END PGP SIGNATURE-----
 
 --liOOAslEiF7prFVr--