Date:      Sun,  6 Aug 2006 23:44:53 -0700 (PDT)
From:      Nick Johnson <freebsd@spatula.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/101553: Kernel panic in ipv6 interface deletion 
Message-ID:  <20060807064453.C577D17027@turing.morons.org>
Resent-Message-ID: <200608070650.k776oObn091165@freefall.freebsd.org>


>Number:         101553
>Category:       kern
>Synopsis:       Kernel panic in ipv6 interface deletion
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 07 06:50:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
morons.org 
>Environment:
System: FreeBSD turing.morons.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #3: Wed Mar 15 11:22:41 PST 2006 root@turing.morons.org:/usr/obj/usr/src/sys/TURING i386


	
>Description:

When deleting/re-adding an IPv6 interface using Freenet6's tspc, the kernel panicked.  This is likely some obscure
race condition, since I've done this countless times with no adverse effects.

Here's the crash info:

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xf4458c1b
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc05124bd
stack pointer           = 0x28:0xea3cdab8
frame pointer           = 0x28:0xea3cdabc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 94490 (ifconfig)
trap number             = 12

(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04e9ec7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc04ea23d in panic (fmt=0xc06ad51a "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc0681f8e in trap_fatal (frame=0xea3cda78, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4  0xc0681564 in trap (frame=
      {tf_fs = 8, tf_es = -365166552, tf_ds = -1067646936, tf_edi = -854216364, tf_esi = -942957952, tf_ebp = -365110596, tf_isp = -365110620, tf_ebx = -945419776, tf_edx = -196768769, tf_ecx = -1067618448, tf_eax = -945419752, tf_trapno = 12, tf_err = 2, tf_eip = -1068424003, tf_cs = 32, tf_eflags = 65670, tf_esp = -942957952, tf_ss = -365110560}) at /usr/src/sys/i386/i386/trap.c:269
#5  0xc066df8a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6  0xc05124bd in turnstile_setowner (ts=0xc7a60a00, owner=0xc05d6f70) at /usr/src/sys/kern/subr_turnstile.c:418
#7  0xc051280a in turnstile_wait (lock=0xcd15b3b4, owner=0xc7a60a18) at /usr/src/sys/kern/subr_turnstile.c:576
#8  0xc04ddb94 in _mtx_lock_sleep (m=0xcd15b3b4, tid=3352009344, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
#9  0xc0572866 in if_delmulti (ifp=0xcd15b154, sa=0xc716ad80) at /usr/src/sys/net/if.c:2058
#10 0xc05d7cd2 in in6_delmulti (in6m=0xc7936d80) at /usr/src/sys/netinet6/mld6.c:649
#11 0xc05c6c92 in in6_ifdetach (ifp=0xcba9f000) at /usr/src/sys/netinet6/in6_ifattach.c:806
#12 0xc056f92e in if_detach (ifp=0xcba9f000) at /usr/src/sys/net/if.c:658
#13 0xc0576240 in gif_destroy (sc=0xccf6e880) at /usr/src/sys/net/if_gif.c:209
#14 0xc0576338 in gif_clone_destroy (ifp=0xc7a60a18) at /usr/src/sys/net/if_gif.c:226
#15 0xc05741b7 in ifc_simple_destroy (ifc=0xc06e4c60, ifp=0xc05d6f70) at /usr/src/sys/net/if_clone.c:478
#16 0xc0573482 in if_clone_destroy (name=0xc7a60a18 "ÿ\213Eôô\024\233Ç") at /usr/src/sys/net/if_clone.c:172
#17 0xc0571a6e in ifioctl (so=0xccabb000, cmd=2149607801, data=0xcd143800 "gif0", td=0xc7cb9a80) at /usr/src/sys/net/if.c:1508
#18 0xc051b8c7 in soo_ioctl (fp=0xc7a60a18, cmd=2149607801, data=0xcd143800, active_cred=0xc77bc400, td=0xc7cb9a80)
    at /usr/src/sys/kern/sys_socket.c:214
#19 0xc0514aa7 in ioctl (td=0xc7cb9a80, uap=0xea3cdd04) at file.h:258
#20 0xc0682380 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134533232, tf_esi = -1077942360, tf_ebp = -1077944904, tf_isp = -365109916, tf_ebx = 134577248, tf_edx = 134588381, tf_ecx = 0, tf_eax = 54, tf_trapno = 0, tf_err = 2, tf_eip = 1209323239, tf_cs = 51, tf_eflags = 582, tf_esp = -1077944932, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:981
#21 0xc066dfdf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#22 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

(kgdb) f 6
#6  0xc05124bd in turnstile_setowner (ts=0xc7a60a00, owner=0xc05d6f70) at /usr/src/sys/kern/subr_turnstile.c:418
418             LIST_INSERT_HEAD(&owner->td_contested, ts, ts_link);
(kgdb) i args
ts = (struct turnstile *) 0xc7a60a00
owner = (struct thread *) 0xc05d6f70
(kgdb) print *ts
$2 = {ts_blocked = {tqh_first = 0xc7cb9a80, tqh_last = 0xc7cb9aa0}, ts_pending = {tqh_first = 0x0, tqh_last = 0xc7a60a08},
  ts_hash = {le_next = 0x0, le_prev = 0xc0703bf8}, ts_link = {le_next = 0xf4458bff, le_prev = 0xc79b14f4}, ts_free = {
    lh_first = 0x0}, ts_lockobj = 0xcd15b3b4, ts_owner = 0xc05d6f70}


It looks like the address in le_next is the junk that caused the fault.

(kgdb) print *(ts->ts_link->le_prev)
$7 = (struct turnstile *) 0x0

(kgdb) print **(ts->ts_hash->le_prev)
$9 = {ts_blocked = {tqh_first = 0xc7cb9a80, tqh_last = 0xc7cb9aa0}, ts_pending = {tqh_first = 0x0, tqh_last = 0xc7a60a08}, 
  ts_hash = {le_next = 0x0, le_prev = 0xc0703bf8}, ts_link = {le_next = 0xf4458bff, le_prev = 0xc79b14f4}, ts_free = {
    lh_first = 0x0}, ts_lockobj = 0xcd15b3b4, ts_owner = 0xc05d6f70}

	
>How-To-Repeat:
Unclear, but possibly creating and destroying an IPv6 tunnel repeatedly may tickle the bug.

	
>Fix:

Unknown.  I'd be only too happy to assist in debugging this trouble any way I can.  I'll keep the core file around.
	


>Release-Note:
>Audit-Trail:
>Unformatted:
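
A check of the le_next observation in the report above, added here as an example and not part of the original message. It models struct turnstile with 32-bit pointers in the field order that `print *ts` shows (the `turnstile32` names and layout are assumptions) and computes the address that LIST_INSERT_HEAD at subr_turnstile.c:418 writes through the old list head.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed i386 layout: 32-bit pointers, fields in the order `print *ts` shows. */
typedef uint32_t kptr32;
struct tailq_head32 { kptr32 tqh_first, tqh_last; };
struct list_entry32 { kptr32 le_next, le_prev; };
struct list_head32  { kptr32 lh_first; };
struct turnstile32 {
    struct tailq_head32 ts_blocked;
    struct tailq_head32 ts_pending;
    struct list_entry32 ts_hash;
    struct list_entry32 ts_link;
    struct list_head32  ts_free;
    kptr32 ts_lockobj;
    kptr32 ts_owner;
};

/*
 * LIST_INSERT_HEAD(head, elm, ts_link) copies head->lh_first into
 * elm->ts_link.le_next and, if that is non-NULL, stores into
 * head->lh_first->ts_link.le_prev. Return the address of that store
 * (0 when the list was empty and no store happens).
 */
uint32_t insert_head_store_addr(uint32_t old_first)
{
    if (old_first == 0)
        return 0;
    return old_first + (uint32_t)(offsetof(struct turnstile32, ts_link) +
                                  offsetof(struct list_entry32, le_prev));
}

/* A real struct turnstile pointer is at least 4-byte aligned on i386. */
int kptr_aligned(uint32_t p) { return (p & 3u) == 0; }

int main(void)
{
    uint32_t le_next  = 0xf4458bffu;   /* ts->ts_link.le_next from the dump */
    uint32_t fault_va = 0xf4458c1bu;   /* "fault virtual address" */
    uint32_t store    = insert_head_store_addr(le_next);

    printf("predicted store 0x%08x, fault 0x%08x: %s\n", (unsigned)store,
           (unsigned)fault_va, store == fault_va ? "match" : "no match");
    printf("le_next aligned: %s\n", kptr_aligned(le_next) ? "yes" : "no");
    return store == fault_va ? 0 : 1;
}
```

The predicted store address equals the reported fault address, which fits the "supervisor write, page not present" fault code. Because the macro copies le_next from owner->td_contested.lh_first, the unaligned value was already in the list head of whatever `owner` pointed at.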


