From owner-freebsd-bugs@FreeBSD.ORG  Mon Oct 20 17:00:11 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D00181065679
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 20 Oct 2008 17:00:11 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id BCF568FC1A
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 20 Oct 2008 17:00:11 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id m9KH0BWp015631
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 20 Oct 2008 17:00:11 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id m9KH0BkY015630;
	Mon, 20 Oct 2008 17:00:11 GMT (envelope-from gnats)
Date: Mon, 20 Oct 2008 17:00:11 GMT
Message-Id: <200810201700.m9KH0BkY015630@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: 
Subject: Re: kern/128247: [panic] Fatal Trap 12 in ip6_forward
 (/usr/src/sys/netinet6/ip6_forward.c:420)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2008 17:00:11 -0000

The following reply was made to PR kern/128247; it has been noted by GNATS.

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org, m.atkinson@F5.com
Cc:  
Subject: Re: kern/128247: [panic] Fatal Trap 12 in ip6_forward
 (/usr/src/sys/netinet6/ip6_forward.c:420)
Date: Mon, 20 Oct 2008 16:31:17 +0000 (UTC)

 On Mon, 20 Oct 2008, Mark Atkinson wrote:
 
 > #0  doadump () at pcpu.h:221
 > 221             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
 > (kgdb) l *0xc09af288
 > 0xc09af288 is in ip6_forward (/usr/src/sys/netinet6/ip6_forward.c:420).
 > 415              * address).  We use a local copy of ip6_src, since =
 > in6_setscope()
 > 416              * will possibly modify its first argument.
 > 417              * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
 > 418              */
 > 419             src_in6 =3D ip6->ip6_src;
 > 420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
 > 421                     /* XXX: this should not happen */
 > 422                     V_ip6stat.ip6s_cantforward++;
 > 423                     V_ip6stat.ip6s_badscope++;
 > 424                     m_freem(m);
 >
 > (kgdb) frame 10
 > #10 0xc09af288 in ip6_forward (m=3D0xc5ed8300, srcrt=3D0)
 >    at /usr/src/sys/netinet6/ip6_forward.c:420
 > 420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
 > (kgdb) p rt
 > $3 =3D (struct rtentry *) 0x0
 
 and rt comes from
  	rt = V_ip6_forward_rt.ro_rt;
 
 which is an unprotected (no lock) single global cache in the ipv6
 stack. So I guess another packet changed it while this one was
 processed. The problem is well known and will hopefully be eliminated
 one day along with other caches left.
 
 /bz
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.