Date: Sat, 10 May 2025 19:49:52 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Kristof Provost
cc: net@freebsd.org
Subject: Re: IPv6 panic (NULL * deref?) in nd6_ifnet_link_event
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Sat, 10 May 2025, Kristof Provost wrote:

>
>
>> On 10 May 2025, at 21:32, Bjoern A. Zeeb wrote:
>>
>> Hi,
>>
>> main of the last days.
>>
>> Fatal trap 12: page fault while in kernel mode
>> cpuid = 2; apic id = 02
>> fault virtual address = 0x10
>> fault code = supervisor read data, page not present
>> instruction pointer = 0x20:0xffffffff80dbd769
>> stack pointer = 0x28:0xfffffe0106296d60
>> frame pointer = 0x28:0xfffffe0106296d70
>> code segment = base 0x0, limit 0xfffff, type 0x1b
>>              = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags = interrupt enabled, resume, IOPL = 0
>> current process = 12 (swi6: task queue)
>> rdi: fffff8002f997800 rsi: 000000000000001c rdx: 0000000000000000
>> rcx: 0000000000010000 r8: 0000000000000001 r9: ffffffffffffffff
>> rax: 0000000000000000 rbx: fffff8002f997a18 rbp: fffffe0106296d70
>> r10: ffffffff81c4a1e8 r11: 0000000000000001 r12: fffff80001210700
>> r13: fffff80001210728 r14: fffff8002f997800 r15: 0000000000000001
>> trap number = 12
>> panic: page fault
>> cpuid = 2
>> time = 1746903751
>> KDB: stack backtrace:
>> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0106296a90
>> vpanic() at vpanic+0x136/frame 0xfffffe0106296bc0
>> panic() at panic+0x43/frame 0xfffffe0106296c20
>> trap_pfault() at trap_pfault+0x48d/frame 0xfffffe0106296c90
>> calltrap() at calltrap+0x8/frame 0xfffffe0106296c90
>> --- trap 0xc, rip = 0xffffffff80dbd769, rsp = 0xfffffe0106296d60, rbp = 0xfffffe0106296d70 ---
>> nd6_ifnet_link_event() at nd6_ifnet_link_event+0x39/frame 0xfffffe0106296d70
>> do_link_state_change() at do_link_state_change+0x1b1/frame 0xfffffe0106296dc0
>> taskqueue_run_locked() at taskqueue_run_locked+0x1c2/frame 0xfffffe0106296e40
>> taskqueue_run() at taskqueue_run+0x4d/frame 0xfffffe0106296e60
>> ithread_loop() at ithread_loop+0x266/frame 0xfffffe0106296ef0
>> fork_exit() at fork_exit+0x82/frame 0xfffffe0106296f30
>> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0106296f30
>> --- trap 0x25b01e6e, rip = 0x52db004fa566ef34, rsp = 0xcadb9a4f3d667734, rbp = 0xde5a00adbd42c69c ---
>> KDB: enter: panic
>>
>>
>> (gdb) l * nd6_ifnet_link_event+0x39
>> 0xffffffff80dbd769 is in nd6_ifnet_link_event (sys/netinet6/nd6_rtr.c:327).
>> 322 static void
>> 323 defrtr_ipv6_only_ipf_down(struct ifnet *ifp)
>> 324 {
>> 325
>> 326         IF_AFDATA_WLOCK(ifp);
>> 327         ND_IFINFO(ifp)->flags &= ~ND6_IFF_IPV6_ONLY;
>> 328         IF_AFDATA_WUNLOCK(ifp);
>> 329 }
>> 330 #endif /* EXPERIMENTAL */
>> 331
>>
> That may be a known issue. There’s something odd with teardown where we sometimes clean up af_data for INET6 and still try to send v6 traffic. I know of panics where there’s a fib6_lookup() that returns a route with no v6 af_data.
> I put a hack in the pfsense tree to make the panic less likely, but I don’t know what the root cause is.

This one likely came after the ifp was gone or at least ND_IFINFO(ifp) was NULL.
The first would be a contract violation; the second is likely a bad order/race against queuing.

But here both can avoid panics by NULL checks (+warning maybe so we can find the root cause)?

-- 
Bjoern A. Zeeb                                                     r15:7
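
The "NULL check plus warning" idea from the message above, as an added userspace sketch in C; it is not part of the thread and not FreeBSD code. Every `*_model` name, the struct layout (two pointers ahead of `nd_ifinfo`, which would put an unchecked read at 0x10 on a 64-bit build, the fault address in the trap) and the interface name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; every *_model name is a stand-in assumed for this example. */
#define AF_INET6_MODEL      28    /* FreeBSD's AF_INET6 value */
#define AF_MAX_MODEL        48    /* constructed array size */
#define IFF_IPV6_ONLY_MODEL 0x80u /* constructed flag bit */

struct nd_ifinfo_model { uint32_t flags; };
struct in6_ifextra_model {           /* assumed layout: two pointers, then nd_ifinfo */
    void *in6_ifstat;
    void *icmp6_ifstat;
    struct nd_ifinfo_model *nd_ifinfo;
};
struct ifnet_model { const char *name; void *if_afdata[AF_MAX_MODEL]; };

unsigned long nd6_skipped;  /* counts events that arrived after INET6 teardown */

/* Clear the flag; return 0 on success, -1 if the per-AF state is already gone. */
int ipv6_only_down_checked(struct ifnet_model *ifp)
{
    struct in6_ifextra_model *ext;

    if (ifp == NULL)
        return -1;
    ext = ifp->if_afdata[AF_INET6_MODEL];
    if (ext == NULL || ext->nd_ifinfo == NULL) {
        nd6_skipped++;   /* warn instead of faulting, so the race stays visible */
        fprintf(stderr, "%s: %s has no INET6 af_data\n", __func__, ifp->name);
        return -1;
    }
    ext->nd_ifinfo->flags &= ~IFF_IPV6_ONLY_MODEL;
    return 0;
}

/* Offset an unchecked read of ext->nd_ifinfo touches when ext == NULL. */
size_t null_ext_fault_offset(void)
{
    return offsetof(struct in6_ifextra_model, nd_ifinfo);
}

int main(void)
{
    struct ifnet_model gone = { "em1", { 0 } };  /* constructed: af_data torn down */
    int rc = ipv6_only_down_checked(&gone);

    printf("rc=%d skipped=%lu fault offset=0x%zx\n",
        rc, nd6_skipped, null_ext_fault_offset());
    return 0;
}
```

In kernel code the check only closes the window if it is made under the same lock that teardown takes; outside the locked section it is still a race. The counter and warning are what let the ordering problem be found later rather than silently masked.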