From: Kris Kennaway
To: net@FreeBSD.org
Date: Sun, 5 Mar 2006 14:52:33 -0500
Subject: Double free in icmp6 processing?
Message-ID: <20060305195233.GB2880@xor.obsecurity.org>
List-Id: Networking and TCP/IP with FreeBSD

I've been doing a lot of ping6'ing trying to track down the cause of
the nd6 panics on sparc64 SMP machines, and I'm also seeing the
following panic:

-- memory address not aligned sfar=0xdedeadc0de sfsr=0x40029 %o7=0xc031d8e4 --
m_tag_delete_chain() at m_tag_delete_chain+0x28
mb_dtor_mbuf() at mb_dtor_mbuf+0x18
uma_zfree_arg() at uma_zfree_arg+0x18
m_freem() at m_freem+0x38
icmp6_error() at icmp6_error+0x61c
icmp6_error2() at icmp6_error2+0x158
nd6_llinfo_timer() at nd6_llinfo_timer+0x158
softclock() at softclock+0x238
ithread_execute_handlers() at ithread_execute_handlers+0x144
ithread_loop() at ithread_loop+0xa4
fork_exit() at fork_exit+0x94
fork_trampoline() at fork_trampoline+0x8

which looks like a double free of an mbuf. Can someone take a look?

Kris
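
An added illustration, not part of the original message and not FreeBSD code, of why a trace like the one above reads as a double free: once a debug allocator has overwritten a freed object with a junk word, a second free walks a tag-chain "pointer" that is really that junk and is misaligned as well. It assumes the 0xdeadc0de bytes in the fault address are such a fill pattern; struct pkt, pkt_free and the other names are hypothetical stand-ins for the mbuf code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUNK 0xdeadc0deU   /* assumed debug fill word for freed memory */
struct tag { struct tag *next; };
struct pkt { struct tag *tags; char data[24]; };   /* toy stand-in for an mbuf */
/* Overwrite a released object with the junk word, as a debug allocator does. */
static void junk_fill(void *p, size_t len) {
    const uint32_t w = JUNK;
    for (size_t i = 0; i + sizeof w <= len; i += sizeof w)
        memcpy((char *)p + i, &w, sizeof w);
}
/* Read the tag-chain head as an integer, so a poisoned value is never dereferenced. */
static uintptr_t tag_head(const struct pkt *p) {
    uintptr_t v;
    memcpy(&v, &p->tags, sizeof v);
    return v;
}
static int looks_poisoned(uintptr_t v) { return (uint32_t)v == JUNK; }
static int misaligned(uintptr_t v) { return v % sizeof(void *) != 0; }
/* Release a packet: 0 on a clean free, -1 if it had already been freed. */
static int pkt_free(struct pkt *p) {
    uintptr_t head = tag_head(p);
    if (looks_poisoned(head))   /* an unchecked destructor would walk this "pointer" */
        return -1;
    for (struct tag *t = (struct tag *)head, *n; t != NULL; t = n) {
        n = t->next;
        free(t);
    }
    junk_fill(p, sizeof *p);    /* storage is static, so it stays readable */
    return 0;
}
/* Constructed scenario: two code paths release the same packet. */
static int demo_double_free(uintptr_t *bad_addr) {
    static struct pkt p;        /* static storage: no real use-after-free here */
    memset(&p, 0, sizeof p);
    p.tags = calloc(1, sizeof(struct tag));
    int first = pkt_free(&p);   /* first owner frees the packet */
    int second = pkt_free(&p);  /* second owner frees it again */
    *bad_addr = tag_head(&p);
    return first == 0 && second == -1;
}
int main(void) {
    uintptr_t a;
    int ok = demo_double_free(&a);
    printf("detected=%d addr=%#llx misaligned=%d\n", ok, (unsigned long long)a, misaligned(a));
    return ok ? 0 : 1;
}
```

On a strict-alignment CPU such as sparc64, dereferencing an address ending in 0xde traps as an alignment fault before any page lookup, which matches the "memory address not aligned" line in the trace.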