From owner-freebsd-bugs@FreeBSD.ORG Sun Mar 18 23:50:09 2007 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1644E16A402 for ; Sun, 18 Mar 2007 23:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id EC73C13C4D0 for ; Sun, 18 Mar 2007 23:50:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l2INo81A053409 for ; Sun, 18 Mar 2007 23:50:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l2INo8VT053408; Sun, 18 Mar 2007 23:50:08 GMT (envelope-from gnats) Date: Sun, 18 Mar 2007 23:50:08 GMT Message-Id: <200703182350.l2INo8VT053408@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Alexander Motin Cc: Subject: Re: kern/107431: [ipv6] Regular kernel panics related to ipv6 interface management/manipulation X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Alexander Motin List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Mar 2007 23:50:09 -0000 The following reply was made to PR kern/107431; it has been noted by GNATS. From: Alexander Motin To: bug-followup@FreeBSD.org, lofi@FreeBSD.org Cc: Subject: Re: kern/107431: [ipv6] Regular kernel panics related to ipv6 interface management/manipulation Date: Mon, 19 Mar 2007 01:44:34 +0200 I am regularly observe problem with smething alike simptoms. I have FreeBSD 6.2-STABLE of Jan 29. I have IPv6 in my kernel, but do not use it actively. In my case it happends with significant probability when mpd4.1 based server trying to destroy several ngX interfaces on shutdown. It does it by shutting down related ng_iface netgraph node. Fatal trap 12: page fault while in kernel mode fault virtual address = 0x100027c fault code = supervisor write, page not present instruction pointer = 0x20:0xc05df5a3 stack pointer = 0x28:0xdce8c94c frame pointer = 0x28:0xdce8c970 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 6089 (mpd4) trap number = 12 panic: page fault Uptime: 4h43m35s Dumping 511 MB (2 chunks) chunk 0: 1MB (159 pages) ... ok chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) bt #0 doadump () at pcpu.h:165 #1 0xc055e046 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409 #2 0xc055e350 in panic (fmt=0xc0749735 "%s") at /usr/src/sys/kern/kern_shutdown.c:565 #3 0xc0723095 in trap_fatal (frame=0xdce8c90c, eva=0) at /usr/src/sys/i386/i386/trap.c:837 #4 0xc0722db5 in trap_pfault (frame=0xdce8c90c, usermode=0, eva=16777852) at /usr/src/sys/i386/i386/trap.c:745 #5 0xc072299f in trap (frame= {tf_fs = -588775416, tf_es = -1068171224, tf_ds = -588775384, tf_edi = 16777216, tf_esi = 167772927, tf_ebp = -588723856, tf_isp = -588723912, tf_ebx = -1008249152, tf_edx = -1011626624, tf_ecx = -1007975136, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1067584093, tf_cs = 32, tf_eflags = 66194, tf_esp = -1015311360, tf_ss = -2145359566}) at /usr/src/sys/i386/i386/trap.c:435 #6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #7 0xc05df5a3 in if_delmulti (ifp=0x1000000, sa=0xa0002ff) at atomic.h:146 #8 0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at /usr/src/sys/netinet/in.c:1060 #9 0xc05f049b in in_delmulti_ifp (ifp=0xc37b9400) at /usr/src/sys/netinet/in.c:1079 #10 0xc05f0568 in in_ifdetach (ifp=0xc37b9400) at /usr/src/sys/netinet/in.c:1095 #11 0xc05dc82b in if_detach (ifp=0xc37b9400) at /usr/src/sys/net/if.c:655 This looks strange for me: (kgdb) frame 8 #8 0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at /usr/src/sys/netinet/in.c:1060 1060 if_delmulti(ifma->ifma_ifp, ifma->ifma_addr); (kgdb) p ifma->ifma_ifp $8 = (struct ifnet *) 0x1000000 (kgdb) p *(ifma->ifma_ifp) Cannot access memory at address 0x1000000 I also have several other alike coredumps: #6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #7 0xc05df5a3 in if_delmulti (ifp=0x80000, sa=0x0) at atomic.h:146 #8 0xc05f03cd in in_delmulti_locked (inm=0xc4a3e7c0) at /usr/src/sys/netinet/in.c:1060 #9 0xc05f049b in in_delmulti_ifp (ifp=0xc385fc00) at /usr/src/sys/netinet/in.c:1079 #10 0xc05f0568 in in_ifdetach (ifp=0xc385fc00) at /usr/src/sys/netinet/in.c:1095 #11 0xc05dc82b in if_detach (ifp=0xc385fc00) at /usr/src/sys/net/if.c:655 ---- #5 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #6 0xc05839e5 in turnstile_setowner (ts=0xc3a2fcc0, owner=0x4) at /usr/src/sys/kern/subr_turnstile.c:434 #7 0xc0583d11 in turnstile_wait (lock=0xc385e660, owner=0x4) at /usr/src/sys/kern/subr_turnstile.c:593 #8 0xc0553aeb in _mtx_lock_sleep (m=0xc385e660, tid=3286708992, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:579 #9 0xc05df5df in if_delmulti (ifp=0xc385e400, sa=0xc3e79b80) at /usr/src/sys/net/if.c:2083 #10 0xc05f03cd in in_delmulti_locked (inm=0x4) at /usr/src/sys/netinet/in.c:1060 #11 0xc05f049b in in_delmulti_ifp (ifp=0xc3855000) at /usr/src/sys/netinet/in.c:1079 #12 0xc05f0568 in in_ifdetach (ifp=0xc3855000) at /usr/src/sys/netinet/in.c:1095 #13 0xc05dc82b in if_detach (ifp=0xc3855000) at /usr/src/sys/net/if.c:655 --- #6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #7 0xc05df5a3 in if_delmulti (ifp=0x0, sa=0x50001ff) at atomic.h:146 #8 0xc05f03cd in in_delmulti_locked (inm=0xc50901c0) at /usr/src/sys/netinet/in.c:1060 #9 0xc05f049b in in_delmulti_ifp (ifp=0xc4b1a800) at /usr/src/sys/netinet/in.c:1079 #10 0xc05f0568 in in_ifdetach (ifp=0xc4b1a800) at /usr/src/sys/netinet/in.c:1095 #11 0xc05dc82b in if_detach (ifp=0xc4b1a800) at /usr/src/sys/net/if.c:655 If anybody needs additional info, I will be glad to help. -- Alexander Motin