Date: Sun, 21 Jan 2007 16:40:47 -0800 (PST) From: Nick Johnson <freebsd@spatula.net> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/108197: IPv6-related crash if if_delmulti Message-ID: <20070122004047.1BA0217033@turing.morons.org> Resent-Message-ID: <200701220100.l0M10SdY091996@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 108197
>Category: kern
>Synopsis: IPv6-related crash if if_delmulti
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 22 01:00:27 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Nick Johnson
>Release: FreeBSD 6.2-STABLE i386
>Organization:
morons.org
>Environment:
System: FreeBSD turing.morons.org 6.2-STABLE FreeBSD 6.2-STABLE #5: Sun Jan 21 15:19:12 PST 2007 root@turing.morons.org:/usr/obj/usr/src/sys/TURING i386
>Description:
This happens randomly during normal operation with ipv6 over a gif tunnel to freenet6.
Here's the stack trace from the memory dump:
Unread portion of the kernel message buffer:
trap number = 12
panic: page fault
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc04ee96c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2 0xc04eeced in panic (fmt=0xc06ba001 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3 0xc068dfae in trap_fatal (frame=0xea26babc, eva=0) at /usr/src/sys/i386/i386/trap.c:837
#4 0xc068dc42 in trap_pfault (frame=0xea26babc, usermode=0, eva=636) at /usr/src/sys/i386/i386/trap.c:745
#5 0xc068d7b0 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 67109631, tf_ebp = -366560480, tf_isp = -366560536, tf_ebx = -946169472, tf_edx = -946099584, tf_ecx = 4, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1068001029, tf_cs = 32, tf_eflags = 66198, tf_esp = -956809216, tf_ss = -941078880}) at /usr/src/sys/i386/i386/trap.c:435
#6 0xc0678e8a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7 0xc05798fb in if_delmulti (ifp=0x0, sa=0x40002ff) at atomic.h:146
#8 0xc05e0572 in in6_delmulti (in6m=0xc7419700) at /usr/src/sys/netinet6/mld6.c:649
#9 0xc05cf502 in in6_ifdetach (ifp=0xc6f84000) at /usr/src/sys/netinet6/in6_ifattach.c:806
#10 0xc05769ad in if_detach (ifp=0xc6f84000) at /usr/src/sys/net/if.c:665
#11 0xc057d310 in gif_destroy (sc=0xc7838c80) at /usr/src/sys/net/if_gif.c:209
#12 0xc057d408 in gif_clone_destroy (ifp=0x4) at /usr/src/sys/net/if_gif.c:226
#13 0xc057b287 in ifc_simple_destroy (ifc=0xc06f2060, ifp=0x4) at /usr/src/sys/net/if_clone.c:478
#14 0xc057a552 in if_clone_destroy (name=0x4 <Address 0x4 out of bounds>) at /usr/src/sys/net/if_clone.c:172
#15 0xc0578b3e in ifioctl (so=0xc7d6a858, cmd=2149607801, data=0xc7e84080 "gif0", td=0xc79baa80) at /usr/src/sys/net/if.c:1533
#16 0xc0520bc7 in soo_ioctl (fp=0x4, cmd=2149607801, data=0xc7e84080, active_cred=0xc72c8b00, td=0xc79baa80)
at /usr/src/sys/kern/sys_socket.c:214
#17 0xc0519d77 in ioctl (td=0xc79baa80, uap=0xea26bd04) at file.h:265
#18 0xc068e3a0 in syscall (frame=
{tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134533248, tf_esi = -1077941524, tf_ebp = -1077944072, tf_isp = -366559900, tf_ebx = 134578976, tf_edx = 134590397, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 1209393607, tf_cs = 51, tf_eflags = 582, tf_esp = -1077944100, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
#19 0xc0678edf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#20 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
>How-To-Repeat:
Unknown what actually causes it, but it may be related to deletion/recreation of the gif tunnel.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070122004047.1BA0217033>