From owner-freebsd-bugs@FreeBSD.ORG  Mon Mar 19 00:00:21 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id F34AD16A402
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 19 Mar 2007 00:00:20 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id B261E13C469
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 19 Mar 2007 00:00:20 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l2J00KxZ054534
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 19 Mar 2007 00:00:20 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l2J00KSp054533;
	Mon, 19 Mar 2007 00:00:20 GMT (envelope-from gnats)
Date: Mon, 19 Mar 2007 00:00:20 GMT
Message-Id: <200703190000.l2J00KSp054533@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Alexander Motin <mav@alkar.net>
Cc: 
Subject: Re: kern/108197: IPv6-related crash if if_delmulti
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Alexander Motin <mav@alkar.net>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2007 00:00:21 -0000

The following reply was made to PR kern/108197; it has been noted by GNATS.

From: Alexander Motin <mav@alkar.net>
To: bug-followup@FreeBSD.org,  freebsd@spatula.net
Cc:  
Subject: Re: kern/108197: IPv6-related crash if if_delmulti
Date: Mon, 19 Mar 2007 01:50:04 +0200

 I am regularly observe problem with smething alike simptoms. I have 
 FreeBSD 6.2-STABLE of Jan 29. I have IPv6 in my kernel, but do not use 
 it actively. In my case it happends with significant probability when 
 mpd4.1 based server trying to destroy several ngX interfaces on 
 shutdown. It does it by shutting down related ng_iface netgraph node.
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x100027c
 fault code              = supervisor write, page not present
 instruction pointer     = 0x20:0xc05df5a3
 stack pointer           = 0x28:0xdce8c94c
 frame pointer           = 0x28:0xdce8c970
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 6089 (mpd4)
 trap number             = 12
 panic: page fault
 Uptime: 4h43m35s
 Dumping 511 MB (2 chunks)
    chunk 0: 1MB (159 pages) ... ok
    chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351 
 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 
 31 15
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:165
 #1  0xc055e046 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc055e350 in panic (fmt=0xc0749735 "%s") at 
 /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc0723095 in trap_fatal (frame=0xdce8c90c, eva=0) at 
 /usr/src/sys/i386/i386/trap.c:837
 #4  0xc0722db5 in trap_pfault (frame=0xdce8c90c, usermode=0, 
 eva=16777852) at /usr/src/sys/i386/i386/trap.c:745
 #5  0xc072299f in trap (frame=
        {tf_fs = -588775416, tf_es = -1068171224, tf_ds = -588775384, 
 tf_edi = 16777216, tf_esi = 167772927, tf_ebp = -588723856, tf_isp = 
 -588723912, tf_ebx = -1008249152, tf_edx = -1011626624, tf_ecx = 
 -1007975136, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = 
 -1067584093, tf_cs = 32, tf_eflags = 66194, tf_esp = -1015311360, tf_ss 
 = -2145359566}) at /usr/src/sys/i386/i386/trap.c:435
 #6  0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc05df5a3 in if_delmulti (ifp=0x1000000, sa=0xa0002ff) at atomic.h:146
 #8  0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at 
 /usr/src/sys/netinet/in.c:1060
 #9  0xc05f049b in in_delmulti_ifp (ifp=0xc37b9400) at 
 /usr/src/sys/netinet/in.c:1079
 #10 0xc05f0568 in in_ifdetach (ifp=0xc37b9400) at 
 /usr/src/sys/netinet/in.c:1095
 #11 0xc05dc82b in if_detach (ifp=0xc37b9400) at /usr/src/sys/net/if.c:655
 
 This looks strange for me:
 (kgdb) frame 8
 #8  0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at 
 /usr/src/sys/netinet/in.c:1060
 1060            if_delmulti(ifma->ifma_ifp, ifma->ifma_addr);
 (kgdb) p ifma->ifma_ifp
 $8 = (struct ifnet *) 0x1000000
 (kgdb) p *(ifma->ifma_ifp)
 Cannot access memory at address 0x1000000
 
 I also have several other alike coredumps:
 
 #6  0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc05df5a3 in if_delmulti (ifp=0x80000, sa=0x0) at atomic.h:146
 #8  0xc05f03cd in in_delmulti_locked (inm=0xc4a3e7c0) at 
 /usr/src/sys/netinet/in.c:1060
 #9  0xc05f049b in in_delmulti_ifp (ifp=0xc385fc00) at 
 /usr/src/sys/netinet/in.c:1079
 #10 0xc05f0568 in in_ifdetach (ifp=0xc385fc00) at 
 /usr/src/sys/netinet/in.c:1095
 #11 0xc05dc82b in if_detach (ifp=0xc385fc00) at /usr/src/sys/net/if.c:655
 
 ----
 #5  0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #6  0xc05839e5 in turnstile_setowner (ts=0xc3a2fcc0, owner=0x4) at 
 /usr/src/sys/kern/subr_turnstile.c:434
 #7  0xc0583d11 in turnstile_wait (lock=0xc385e660, owner=0x4) at 
 /usr/src/sys/kern/subr_turnstile.c:593
 #8  0xc0553aeb in _mtx_lock_sleep (m=0xc385e660, tid=3286708992, opts=0, 
 file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:579
 #9  0xc05df5df in if_delmulti (ifp=0xc385e400, sa=0xc3e79b80) at 
 /usr/src/sys/net/if.c:2083
 #10 0xc05f03cd in in_delmulti_locked (inm=0x4) at 
 /usr/src/sys/netinet/in.c:1060
 #11 0xc05f049b in in_delmulti_ifp (ifp=0xc3855000) at 
 /usr/src/sys/netinet/in.c:1079
 #12 0xc05f0568 in in_ifdetach (ifp=0xc3855000) at 
 /usr/src/sys/netinet/in.c:1095
 #13 0xc05dc82b in if_detach (ifp=0xc3855000) at /usr/src/sys/net/if.c:655
 
 ---
 #6  0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc05df5a3 in if_delmulti (ifp=0x0, sa=0x50001ff) at atomic.h:146
 #8  0xc05f03cd in in_delmulti_locked (inm=0xc50901c0) at 
 /usr/src/sys/netinet/in.c:1060
 #9  0xc05f049b in in_delmulti_ifp (ifp=0xc4b1a800) at 
 /usr/src/sys/netinet/in.c:1079
 #10 0xc05f0568 in in_ifdetach (ifp=0xc4b1a800) at 
 /usr/src/sys/netinet/in.c:1095
 #11 0xc05dc82b in if_detach (ifp=0xc4b1a800) at /usr/src/sys/net/if.c:655
 
 If anybody needs additional info, I will be glad to help.
 
 -- 
 Alexander Motin