From owner-freebsd-bugs@FreeBSD.ORG Tue Jun 5 09:10:14 2007
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9693916A400 for ; Tue, 5 Jun 2007 09:10:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 7452713C45B for ; Tue, 5 Jun 2007 09:10:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l559AEEf095633 for ; Tue, 5 Jun 2007 09:10:14 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l559ACsb095628; Tue, 5 Jun 2007 09:10:14 GMT (envelope-from gnats)
Resent-Date: Tue, 5 Jun 2007 09:10:14 GMT
Resent-Message-Id: <200706050910.l559ACsb095628@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Frank Behrens
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E2B3516A46B for ; Tue, 5 Jun 2007 09:05:42 +0000 (UTC) (envelope-from frank@pinky.sax.de)
Received: from pinky.frank-behrens.de (pinky.frank-behrens.de [82.139.199.24]) by mx1.freebsd.org (Postfix) with ESMTP id 1D03D13C46C for ; Tue, 5 Jun 2007 09:05:41 +0000 (UTC) (envelope-from frank@pinky.sax.de)
Received: from moon.behrens (localhost [127.0.0.1]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l558qnnR003339 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 5 Jun 2007 10:52:49 +0200 (CEST) (envelope-from frank@moon.behrens)
Received: (from frank@localhost) by moon.behrens (8.14.1/8.14.1/Submit) id l558qm7J003337; Tue, 5 Jun 2007 10:52:48 +0200 (CEST) (envelope-from frank)
Message-Id: <200706050852.l558qm7J003337@moon.behrens>
Date: Tue, 5 Jun 2007 10:52:48 +0200 (CEST)
From: Frank Behrens
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: kern/113359: panic sbdrop after ICMP6, packet too big
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 05 Jun 2007 09:10:14 -0000

>Number:         113359
>Category:       kern
>Synopsis:       panic sbdrop after ICMP6, packet too big
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 05 09:10:12 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Frank Behrens
>Release:        FreeBSD 6.2-STABLE-200705211513 i386
>Organization:
>Environment:
System: FreeBSD moon.behrens 6.2-STABLE-200705211513 FreeBSD 6.2-STABLE-200705211513 #0: Tue Jun 5 09:07:43 CEST 2007

Custom kernel, Network Options:
options SMP
options INET            # InterNETworking
options INET6           # IPv6 communications protocols
options IPSEC           #IP security
options IPSEC_ESP       #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG     #debug for IP security

Outgoing interface:
tun0: flags=8051 mtu 1456

>Description:
The machine panics with "sbdrop" after receiving ICMP6, packet too big.

ping6 -m -v -b 8000 -c 1 -s 1408 2a01:xxxx::xxxx
PING6(1456=40+8+1408 bytes) 2a01:yyyy::yyyy --> 2a01:xxxx::xxxx
new path MTU (1440) is notified

The exchanged packets are:

09:57:30.358528 IP6 (hlim 64, next-header: ICMPv6 (58), length: 1416) host > remote: [icmp6 sum ok] ICMP6, echo request, length 1416, seq 0
09:57:30.491101 IP6 (hlim 61, next-header: ICMPv6 (58), length: 1240) router > host: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1440

The panic is:

(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc0525da1 in boot (howto=260) at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:409
#2  0xc052649b in panic (fmt=0xc075c5ba "sbdrop") at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:565
#3  0xc056dd40 in sbdrop_locked (sb=0xed1ba818, len=1316) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1103
#4  0xc056ecf8 in sbflush_locked (sb=0xed1ba818) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1070
#5  0xc056ed4d in sbrelease_locked (sb=0xed1ba818, so=0x0) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:569
#6  0xc056f502 in sbrelease (sb=0xed1ba818, so=0x0) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:582
#7  0xc056b838 in sorflush (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:1502
#8  0xc056bb20 in sofree (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:413
#9  0xc056c1e3 in soclose (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:491
#10 0xc05576d9 in soo_close (fp=0xc3fd55e8, td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/sys_socket.c:317
#11 0xc04f86b7 in fdrop_locked (fp=0xc3fd55e8, td=0xc3cb3c00) at file.h:296
#12 0xc04f8b76 in closef (fp=0xc3fd55e8, td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_descrip.c:1954
#13 0xc04fa7d5 in fdfree (td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_descrip.c:1639
#14 0xc0505d43 in exit1 (td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_exit.c:273
#15 0xc052a416 in sigexit (td=0xc3cb3c00, sig=2) at /data3/sources/fbsd6/sys/kern/kern_sig.c:2459
#16 0xc052b10f in postsig (sig=2) at /data3/sources/fbsd6/sys/kern/kern_sig.c:2340
#17 0xc054d4b6 in ast (framep=0xed1bad38) at /data3/sources/fbsd6/sys/kern/subr_trap.c:270
#18 0xc06fd17d in doreti_ast () at /data3/sources/fbsd6/sys/i386/i386/exception.s:293
#19 0xed1bad38 in ?? ()
#20 0x0000003b in ?? ()
#21 0x0000003b in ?? ()
#22 0x0000003b in ?? ()
#23 0xbfbfe6e0 in ?? ()
#24 0xbfbfeaf0 in ?? ()
#25 0xbfbfe2e8 in ?? ()
#26 0xed1bad64 in ?? ()
#27 0xbfbfe6b0 in ?? ()
#28 0x00000c31 in ?? ()
#29 0x00000002 in ?? ()
#30 0x00000000 in ?? ()
#31 0x00000000 in ?? ()
#32 0x00000002 in ?? ()
#33 0x28175e03 in ?? ()
#34 0x00000033 in ?? ()
#35 0x00000202 in ?? ()
#36 0xbfbfe2dc in ?? ()
#37 0x0000003b in ?? ()
#38 0x00000000 in ?? ()
#39 0x00000000 in ?? ()
#40 0x00000000 in ?? ()
#41 0x00000000 in ?? ()
#42 0x35aab000 in ?? ()
#43 0xc3cb1c90 in ?? ()
#44 0xc3cb3c00 in ?? ()
#45 0xed1ba6ac in ?? ()
#46 0xed1ba694 in ?? ()
#47 0xc34e8a80 in ?? ()
#48 0xc053b8ef in sched_switch (td=0xbfbfeaf0, newtd=0xbfbfe6b0, flags=Cannot access memory at address 0xbfbfe2f8
) at /data3/sources/fbsd6/sys/kern/sched_4bsd.c:973
Previous frame inner to this frame (corrupt stack?)
(kgdb) up
#1  0xc0525da1 in boot (howto=260) at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:409
409             doadump();
(kgdb) up
#2  0xc052649b in panic (fmt=0xc075c5ba "sbdrop") at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:565
565             boot(bootopt);
(kgdb) up
#3  0xc056dd40 in sbdrop_locked (sb=0xed1ba818, len=1316) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1103
1103                            panic("sbdrop");
(kgdb) print *sb
$1 = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0,
      si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0, kl_unlock = 0, kl_locked = 0, kl_lockarg = 0x0},
      si_flags = 0},
  sb_mtx = {mtx_object = {lo_class = 0xc078e8a0, lo_name = 0xc075c534 "so_rcv", lo_type = 0xc075c534 "so_rcv",
      lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0},
      mtx_lock = 3284876288, mtx_recurse = 0},
  sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 1316, sb_hiwat = 8000,
  sb_mbcnt = 3072, sb_mbmax = 64000, sb_ctl = 76, sb_lowat = 1, sb_timeo = 0, sb_flags = 64}
(kgdb)

>How-To-Repeat:
ping6(8) to a host, where you get an "ICMP6, packet too big" answer.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
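The backtrace and the `print *sb` dump above fit together: the receive buffer still claims `sb_cc = 1316` bytes while its mbuf chain is empty (`sb_mb = 0x0`), and on close `sbflush_locked` asks `sbdrop_locked` to drop exactly `sb_cc` bytes, which finds nothing to drop and panics. The following user-space model is an added example written for this page, not FreeBSD kernel code and not the reporter's; it takes only the field names `sb_mb` and `sb_cc` from the dump, and the single-record chain, the helper names and the return codes are assumptions. It shows the invariant a socket buffer must keep (bytes accounted in `sb_cc` equal bytes reachable through the chain), a drop routine shaped like the kernel's that returns -1 where the kernel would `panic("sbdrop")`, and the exact state from the dump feeding that path.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified sockbuf model (added example, not kernel code). Only sb_mb and
 * sb_cc come from the kgdb dump in the report; the rest is assumed. */
struct mbuf {
    struct mbuf *m_next;   /* next mbuf carrying data of the same record */
    size_t m_len;          /* bytes of data in this mbuf */
};

struct sockbuf {
    struct mbuf *sb_mb;    /* head of the mbuf chain (0x0 in the dump) */
    size_t sb_cc;          /* bytes the buffer claims to hold (1316 in the dump) */
};

/* Append a data mbuf of len bytes and account for it in sb_cc. */
static void sb_append(struct sockbuf *sb, size_t len)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    struct mbuf **tail = &sb->sb_mb;

    if (m == NULL)
        abort();
    m->m_len = len;
    while (*tail != NULL)
        tail = &(*tail)->m_next;
    *tail = m;
    sb->sb_cc += len;
}

/* Accounting invariant: sb_cc must equal the bytes reachable through the
 * chain. Returns 1 when consistent, 0 when the accounting has drifted. */
int sb_check(const struct sockbuf *sb)
{
    size_t reachable = 0;
    const struct mbuf *m;

    for (m = sb->sb_mb; m != NULL; m = m->m_next)
        reachable += m->m_len;
    return reachable == sb->sb_cc;
}

/* Drop len bytes from the head, shaped like sbdrop_locked(): free mbufs that
 * are fully consumed, trim the last one in place. Returns -1 at the point
 * where the kernel panics("sbdrop"): the chain is exhausted while len > 0. */
int sb_drop(struct sockbuf *sb, size_t len)
{
    while (len > 0) {
        struct mbuf *m = sb->sb_mb;

        if (m == NULL)
            return -1;             /* kernel: panic("sbdrop") */
        if (m->m_len > len) {      /* partial drop: trim this mbuf */
            m->m_len -= len;
            sb->sb_cc -= len;
            break;
        }
        len -= m->m_len;           /* whole mbuf consumed: unlink and free */
        sb->sb_cc -= m->m_len;
        sb->sb_mb = m->m_next;
        free(m);
    }
    return 0;
}

/* sbflush drops everything the buffer claims to hold, i.e. sb_cc bytes; that
 * is the call chain in the backtrace (sbflush_locked -> sbdrop_locked, len=1316). */
int sb_flush(struct sockbuf *sb)
{
    return sb_drop(sb, sb->sb_cc);
}

/* Healthy case: 1316 bytes over two mbufs flush cleanly. Returns 0 on success. */
int demo_consistent_flush(void)
{
    struct sockbuf sb = { NULL, 0 };

    sb_append(&sb, 1000);
    sb_append(&sb, 316);
    if (!sb_check(&sb))
        return 1;
    if (sb_flush(&sb) != 0)
        return 2;
    return (sb.sb_cc == 0 && sb.sb_mb == NULL) ? 0 : 3;
}

/* The state from the dump: sb_mb == 0x0 but sb_cc == 1316.
 * Returns -1 when the model reaches the kernel's panic path. */
int demo_panic_state(void)
{
    struct sockbuf sb = { NULL, 1316 };

    if (sb_check(&sb))
        return 1;                  /* an invariant check would flag this first */
    return sb_flush(&sb);
}

int main(void)
{
    printf("consistent buffer flush: %d (0 = ok)\n", demo_consistent_flush());
    printf("dump-state flush: %d (-1 = where the kernel panics \"sbdrop\")\n",
           demo_panic_state());
    return 0;
}
```

The point of `sb_check` is that the inconsistent state is detectable before the flush: a debug kernel that verifies this invariant at the end of every socket-buffer operation would trip on the first operation that lets `sb_cc` and the chain diverge, which pinpoints the culprit far better than the later panic in `sbdrop_locked` during process exit.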