From owner-freebsd-bugs@FreeBSD.ORG Mon Aug 7 06:50:36 2006
Message-Id: <20060807064453.C577D17027@turing.morons.org>
Date: Sun, 6 Aug 2006 23:44:53 -0700 (PDT)
From: Nick Johnson
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/101553: Kernel panic in ipv6 interface deletion
X-Send-Pr-Version: 3.113

>Number:         101553
>Category:       kern
>Synopsis:       Kernel panic in ipv6 interface deletion
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 07 06:50:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
morons.org
>Environment:
System: FreeBSD turing.morons.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #3: Wed Mar 15 11:22:41 PST 2006 root@turing.morons.org:/usr/obj/usr/src/sys/TURING i386

>Description:
When deleting/readding an ipv6 interface using Freenet6's tspc, the kernel
panicked. This is likely some obscure race condition, since I've done this
countless times with no adverse effects.

Here's the crash info:

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xf4458c1b
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc05124bd
stack pointer           = 0x28:0xea3cdab8
frame pointer           = 0x28:0xea3cdabc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 94490 (ifconfig)
trap number             = 12

(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04e9ec7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc04ea23d in panic (fmt=0xc06ad51a "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc0681f8e in trap_fatal (frame=0xea3cda78, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4  0xc0681564 in trap (frame=
      {tf_fs = 8, tf_es = -365166552, tf_ds = -1067646936, tf_edi = -854216364, tf_esi = -942957952, tf_ebp = -365110596, tf_isp = -365110620, tf_ebx = -945419776, tf_edx = -196768769, tf_ecx = -1067618448, tf_eax = -945419752, tf_trapno = 12, tf_err = 2, tf_eip = -1068424003, tf_cs = 32, tf_eflags = 65670, tf_esp = -942957952, tf_ss = -365110560})
    at /usr/src/sys/i386/i386/trap.c:269
#5  0xc066df8a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6  0xc05124bd in turnstile_setowner (ts=0xc7a60a00, owner=0xc05d6f70) at /usr/src/sys/kern/subr_turnstile.c:418
#7  0xc051280a in turnstile_wait (lock=0xcd15b3b4, owner=0xc7a60a18) at /usr/src/sys/kern/subr_turnstile.c:576
#8  0xc04ddb94 in _mtx_lock_sleep (m=0xcd15b3b4, tid=3352009344, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
#9  0xc0572866 in if_delmulti (ifp=0xcd15b154, sa=0xc716ad80) at /usr/src/sys/net/if.c:2058
#10 0xc05d7cd2 in in6_delmulti (in6m=0xc7936d80) at /usr/src/sys/netinet6/mld6.c:649
#11 0xc05c6c92 in in6_ifdetach (ifp=0xcba9f000) at /usr/src/sys/netinet6/in6_ifattach.c:806
#12 0xc056f92e in if_detach (ifp=0xcba9f000) at /usr/src/sys/net/if.c:658
#13 0xc0576240 in gif_destroy (sc=0xccf6e880) at /usr/src/sys/net/if_gif.c:209
#14 0xc0576338 in gif_clone_destroy (ifp=0xc7a60a18) at /usr/src/sys/net/if_gif.c:226
#15 0xc05741b7 in ifc_simple_destroy (ifc=0xc06e4c60, ifp=0xc05d6f70) at /usr/src/sys/net/if_clone.c:478
#16 0xc0573482 in if_clone_destroy (name=0xc7a60a18 "ÿ\213Eôô\024\233Ç") at /usr/src/sys/net/if_clone.c:172
#17 0xc0571a6e in ifioctl (so=0xccabb000, cmd=2149607801, data=0xcd143800 "gif0", td=0xc7cb9a80) at /usr/src/sys/net/if.c:1508
#18 0xc051b8c7 in soo_ioctl (fp=0xc7a60a18, cmd=2149607801, data=0xcd143800, active_cred=0xc77bc400, td=0xc7cb9a80) at /usr/src/sys/kern/sys_socket.c:214
#19 0xc0514aa7 in ioctl (td=0xc7cb9a80, uap=0xea3cdd04) at file.h:258
#20 0xc0682380 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134533232, tf_esi = -1077942360, tf_ebp = -1077944904, tf_isp = -365109916, tf_ebx = 134577248, tf_edx = 134588381, tf_ecx = 0, tf_eax = 54, tf_trapno = 0, tf_err = 2, tf_eip = 1209323239, tf_cs = 51, tf_eflags = 582, tf_esp = -1077944932, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:981
#21 0xc066dfdf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#22 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

(kgdb) f 6
#6  0xc05124bd in turnstile_setowner (ts=0xc7a60a00, owner=0xc05d6f70) at /usr/src/sys/kern/subr_turnstile.c:418
418             LIST_INSERT_HEAD(&owner->td_contested, ts, ts_link);

(kgdb) i args
ts = (struct turnstile *) 0xc7a60a00
owner = (struct thread *) 0xc05d6f70

(kgdb) print *ts
$2 = {ts_blocked = {tqh_first = 0xc7cb9a80, tqh_last = 0xc7cb9aa0},
  ts_pending = {tqh_first = 0x0, tqh_last = 0xc7a60a08},
  ts_hash = {le_next = 0x0, le_prev = 0xc0703bf8},
  ts_link = {le_next = 0xf4458bff, le_prev = 0xc79b14f4},
  ts_free = {lh_first = 0x0}, ts_lockobj = 0xcd15b3b4, ts_owner = 0xc05d6f70}

It looks like the address in le_next is the junk that caused the fault.

(kgdb) print *(ts->ts_link->le_prev)
$7 = (struct turnstile *) 0x0

(kgdb) print **(ts->ts_hash->le_prev)
$9 = {ts_blocked = {tqh_first = 0xc7cb9a80, tqh_last = 0xc7cb9aa0},
  ts_pending = {tqh_first = 0x0, tqh_last = 0xc7a60a08},
  ts_hash = {le_next = 0x0, le_prev = 0xc0703bf8},
  ts_link = {le_next = 0xf4458bff, le_prev = 0xc79b14f4},
  ts_free = {lh_first = 0x0}, ts_lockobj = 0xcd15b3b4, ts_owner = 0xc05d6f70}

>How-To-Repeat:
Unclear, but possibly creating and destroying an ipv6 tunnel repeatedly
may tickle the bug.

>Fix:
Unknown. I'd be only too happy to assist in debugging this trouble any way
I can. I'll keep the core file around.

>Release-Note:
>Audit-Trail:
>Unformatted:
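
Added example, not part of the original report: a cross-check of the dump values against what LIST_INSERT_HEAD (sys/queue.h) does on a non-empty list, showing that the faulting write address is exactly le_next plus the offset of ts_link.le_prev. It assumes 32-bit pointers and the field order printed by "print *ts"; the type and function names are hypothetical, and the text-span test on the owner pointer is only a triage heuristic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: names are hypothetical. Pointers are modelled as 32-bit
 * values (the report is from i386) so this runs on any host. */
typedef uint32_t kptr_t;

/* Field order copied from the "print *ts" output in the report. */
struct turnstile32 {
    struct { kptr_t tqh_first, tqh_last; } ts_blocked;
    struct { kptr_t tqh_first, tqh_last; } ts_pending;
    struct { kptr_t le_next, le_prev; } ts_hash;
    struct { kptr_t le_next, le_prev; } ts_link;
    struct { kptr_t lh_first; } ts_free;
    kptr_t ts_lockobj, ts_owner;
};

/* Values copied from the trap message and the kgdb session. */
#define FAULT_VA   0xf4458c1bu
#define TS_ADDR    0xc7a60a00u
#define TS_LE_NEXT 0xf4458bffu
#define TS_OWNER   0xc05d6f70u
static const kptr_t bt_pc[] = {            /* frames #1 to #21 */
    0xc04e9ec7u, 0xc04ea23du, 0xc0681f8eu, 0xc0681564u, 0xc066df8au,
    0xc05124bdu, 0xc051280au, 0xc04ddb94u, 0xc0572866u, 0xc05d7cd2u,
    0xc05c6c92u, 0xc056f92eu, 0xc0576240u, 0xc0576338u, 0xc05741b7u,
    0xc0573482u, 0xc0571a6eu, 0xc051b8c7u, 0xc0514aa7u, 0xc0682380u,
    0xc066dfdfu };

/* LIST_INSERT_HEAD first stores the old head in elm->ts_link.le_next, then,
 * if that is non-NULL, writes old_head->ts_link.le_prev. Return that address. */
static kptr_t second_store_addr(kptr_t old_head) {
    return old_head + (kptr_t)(offsetof(struct turnstile32, ts_link) + sizeof(kptr_t));
}

/* Heuristic: 1 if addr lies between the lowest and highest backtrace PC,
 * i.e. it looks like kernel text rather than a heap-allocated structure. */
static int in_bt_text_span(kptr_t addr) {
    kptr_t lo = bt_pc[0], hi = bt_pc[0];
    for (size_t i = 1; i < sizeof bt_pc / sizeof bt_pc[0]; i++) {
        if (bt_pc[i] < lo) lo = bt_pc[i];
        if (bt_pc[i] > hi) hi = bt_pc[i];
    }
    return addr >= lo && addr <= hi;
}

int main(void) {
    printf("write to 0x%08x, fault at 0x%08x\n", second_store_addr(TS_LE_NEXT), FAULT_VA);
    printf("owner in text span: %d, ts in text span: %d\n",
           in_bt_text_span(TS_OWNER), in_bt_text_span(TS_ADDR));
    return 0;
}
```
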