From owner-freebsd-bugs@FreeBSD.ORG Thu Aug 21 08:20:05 2008
Date: Thu, 21 Aug 2008 08:20:05 GMT
Message-Id: <200808210820.m7L8K5Yk085064@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Pekka Savola
Subject: kern/122283: [ip6] [panic] Panic in ip_output related to IPv6 routes
Reply-To: Pekka Savola

The following reply was made to PR kern/122283; it has been noted by GNATS.

From: Pekka Savola
To: bug-followup@freebsd.org
Cc:
Subject: kern/122283: [ip6] [panic] Panic in ip_output related to IPv6 routes
Date: Thu, 21 Aug 2008 11:11:28 +0300 (EEST)

 FYI,

 Here's another, slightly different, crash also with SMP, which occurs
 in the same place as Nick's first crash:

 (kgdb) up 7
 #7  0xc065427c in ip_output (m=0xc51ef800, opt=0x0, ro=0xc50fec84, flags=0,
     imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:171
 171                     RTFREE(ro->ro_rt);
 (kgdb) list
 166              * cache with IPv6.
 167              */
 168             if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
 169                               dst->sin_family != AF_INET ||
 170                               dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
 171                     RTFREE(ro->ro_rt);
 172                     ro->ro_rt = (struct rtentry *)NULL;
 173             }
 174     #ifdef IPFIREWALL_FORWARD
 175             if (ro->ro_rt == NULL && fwd_tag == NULL) {
 (kgdb) print *ro
 $1 = {ro_rt = 0x0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002',
     sa_data = "\000\000SYB\224\000\000\000\000\000\000\000"}}

 so ro->ro_rt is zero, and RTFREE is doing locking here which gives a
 hint why SMP might be a factor here.

 This is a rather busy box also running Teredo relay (5-10kpps). I get
 hit by this crash in minutes or hours if SMP is enabled.

 =========================

 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0x4c
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc065427c
 stack pointer           = 0x28:0xe7781788
 frame pointer           = 0x28:0xe77817f8
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 929 (miredo)
 trap number             = 12
 panic: page fault
 cpuid = 0
 Uptime: 16m9s
 Physical memory: 2039 MB
 Dumping 176 MB: 161 145 129 113 97 81 65 49 33 17 1

 #0  doadump () at pcpu.h:195
 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:195
 #1  0xc058bc37 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
 #2  0xc058bef9 in panic (fmt=Variable "fmt" is not available.
 ) at /usr/src/sys/kern/kern_shutdown.c:572
 #3  0xc073a48c in trap_fatal (frame=0xe7781748, eva=76)
     at /usr/src/sys/i386/i386/trap.c:899
 #4  0xc073a710 in trap_pfault (frame=0xe7781748, usermode=0, eva=76)
     at /usr/src/sys/i386/i386/trap.c:812
 #5  0xc073b08c in trap (frame=0xe7781748) at /usr/src/sys/i386/i386/trap.c:490
 #6  0xc0720b1b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc065427c in ip_output (m=0xc51ef800, opt=0x0, ro=0xc50fec84, flags=0,
     imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:171
 #8  0xc0628e26 in stf_output (ifp=0xc4fd6c00, m=0xc51ef800, dst=0xe7781a00,
     rt=0xc51da8b8) at /usr/src/sys/net/if_stf.c:537
 #9  0xc068708d in nd6_output (ifp=0xc4fd6c00, origifp=0xc4fd6c00,
     m0=0xc51ef800, dst=0xe7781a00, rt0=0xc51da8b8)
     at /usr/src/sys/netinet6/nd6.c:2123
 #10 0xc0684342 in ip6_output (m0=0xc51ef800, opt=0x0, ro=0xe77819fc, flags=0,
     im6o=0x0, ifpp=0xe7781a80, inp=0xc52cb924)
     at /usr/src/sys/netinet6/ip6_output.c:944
 #11 0xc068f4cb in rip6_output (m=0xc51ef800)
     at /usr/src/sys/netinet6/raw_ip6.c:448
 #12 0xc068fad8 in rip6_send (so=0xc52d51a0, flags=0, m=0xc51ef800,
     nam=0xc5007960, control=0x0, td=0xc52ec000)
 ---Type to continue, or q to quit---
     at /usr/src/sys/netinet6/raw_ip6.c:790
 #13 0xc05e30a5 in sosend_generic (so=0xc52d51a0, addr=0xc5007960,
     uio=0xe7781be8, top=0xc51ef800, control=0x0, flags=0, td=0xc52ec000)
     at /usr/src/sys/kern/uipc_socket.c:1246
 #14 0xc05debbf in sosend (so=0xc52d51a0, addr=0xc5007960, uio=0xe7781be8,
     top=0x0, control=0x0, flags=0, td=0xc52ec000)
     at /usr/src/sys/kern/uipc_socket.c:1292
 #15 0xc05e5856 in kern_sendit (td=0xc52ec000, s=6, mp=0xe7781c64, flags=0,
     control=0x0, segflg=UIO_USERSPACE)
     at /usr/src/sys/kern/uipc_syscalls.c:805
 #16 0xc05e81b2 in sendit (td=0xc52ec000, s=6, mp=0xe7781c64, flags=0)
     at /usr/src/sys/kern/uipc_syscalls.c:742
 #17 0xc05e83ef in sendto (td=0xc52ec000, uap=0xe7781cfc)
     at /usr/src/sys/kern/uipc_syscalls.c:857
 #18 0xc073aa49 in syscall (frame=0xe7781d38)
     at /usr/src/sys/i386/i386/trap.c:1035
 #19 0xc0720b80 in Xint0x80_syscall ()
     at /usr/src/sys/i386/i386/exception.s:196
 #20 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)

 -- 
 Pekka Savola                 "You each name yourselves king, yet the
 Netcore Oy                    kingdom bleeds."
 Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
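
Added example, not part of the message above and not FreeBSD code: a user-space C model of one interleaving consistent with the dump, where the test at ip_output.c:168 sees a non-NULL ro->ro_rt and the release at line 171 reads the shared field again after another CPU has cleared it. The names rt_model, ro_model, window_fn and other_cpu_drops, and the atomic-exchange variant, are assumptions made for illustration; they are not the kernel's structures or the change made for this PR.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not the kernel's rtentry/route. */
struct rt_model { int refcnt; };
struct ro_model { _Atomic(struct rt_model *) ro_rt; };  /* shared cache */
typedef void (*window_fn)(struct ro_model *);

/* A second CPU dropping the same cached route inside the window. */
static void other_cpu_drops(struct ro_model *ro)
{
    struct rt_model *rt = atomic_exchange(&ro->ro_rt, NULL);
    if (rt != NULL) rt->refcnt--;
}

/* Check-then-use: the test and the release each read the shared field.
 * Returns 1 released, 0 nothing cached, -1 where a NULL would be used. */
int release_unsafe(struct ro_model *ro, window_fn window)
{
    if (atomic_load(&ro->ro_rt) == NULL)
        return 0;
    if (window != NULL) window(ro);            /* other CPU runs here */
    struct rt_model *rt = atomic_load(&ro->ro_rt);   /* second read */
    if (rt == NULL) return -1;                 /* modelled page fault */
    rt->refcnt--;
    atomic_store(&ro->ro_rt, NULL);
    return 1;
}

/* Hardened: one exchange reads and clears, so a single CPU gets the
 * pointer and all later work uses that private copy. */
int release_safe(struct ro_model *ro, window_fn window)
{
    struct rt_model *rt = atomic_exchange(&ro->ro_rt, NULL);
    if (window != NULL) window(ro);            /* same window, now harmless */
    if (rt == NULL) return 0;
    rt->refcnt--;
    return 1;
}

int main(void)
{
    struct rt_model r1 = { 1 }, r2 = { 1 };    /* constructed sample routes */
    struct ro_model a = { &r1 }, b = { &r2 };
    printf("unsafe=%d safe=%d\n", release_unsafe(&a, other_cpu_drops),
           release_safe(&b, other_cpu_drops));
    return 0;
}
```

The model makes the interleaving deterministic by calling the second CPU's step from inside the window; on real hardware the same window is hit only occasionally, which matches a crash that takes minutes or hours to appear.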