kern/108197: IPv6-related crash if if_delmulti

[Nick Johnson]

>Number:         108197
>Category:       kern
>Synopsis:       IPv6-related crash if if_delmulti
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 22 01:00:27 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nick Johnson
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
morons.org 
>Environment:
System: FreeBSD turing.morons.org 6.2-STABLE FreeBSD 6.2-STABLE #5: Sun Jan 21 15:19:12 PST 2007 root at turing.morons.org:/usr/obj/usr/src/sys/TURING i386


	
>Description:
This happens randomly during normal operation with ipv6 over a gif tunnel to freenet6.

Here's the stack trace from the memory dump:

Unread portion of the kernel message buffer:

trap number             = 12
panic: page fault
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04ee96c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc04eeced in panic (fmt=0xc06ba001 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc068dfae in trap_fatal (frame=0xea26babc, eva=0) at /usr/src/sys/i386/i386/trap.c:837
#4  0xc068dc42 in trap_pfault (frame=0xea26babc, usermode=0, eva=636) at /usr/src/sys/i386/i386/trap.c:745
#5  0xc068d7b0 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 67109631, tf_ebp = -366560480, tf_isp = -366560536, tf_ebx = -946169472, tf_edx = -946099584, tf_ecx = 4, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1068001029, tf_cs = 32, tf_eflags = 66198, tf_esp = -956809216, tf_ss = -941078880}) at /usr/src/sys/i386/i386/trap.c:435
#6  0xc0678e8a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc05798fb in if_delmulti (ifp=0x0, sa=0x40002ff) at atomic.h:146
#8  0xc05e0572 in in6_delmulti (in6m=0xc7419700) at /usr/src/sys/netinet6/mld6.c:649
#9  0xc05cf502 in in6_ifdetach (ifp=0xc6f84000) at /usr/src/sys/netinet6/in6_ifattach.c:806
#10 0xc05769ad in if_detach (ifp=0xc6f84000) at /usr/src/sys/net/if.c:665
#11 0xc057d310 in gif_destroy (sc=0xc7838c80) at /usr/src/sys/net/if_gif.c:209
#12 0xc057d408 in gif_clone_destroy (ifp=0x4) at /usr/src/sys/net/if_gif.c:226
#13 0xc057b287 in ifc_simple_destroy (ifc=0xc06f2060, ifp=0x4) at /usr/src/sys/net/if_clone.c:478
#14 0xc057a552 in if_clone_destroy (name=0x4 <Address 0x4 out of bounds>) at /usr/src/sys/net/if_clone.c:172
#15 0xc0578b3e in ifioctl (so=0xc7d6a858, cmd=2149607801, data=0xc7e84080 "gif0", td=0xc79baa80) at /usr/src/sys/net/if.c:1533
#16 0xc0520bc7 in soo_ioctl (fp=0x4, cmd=2149607801, data=0xc7e84080, active_cred=0xc72c8b00, td=0xc79baa80)
    at /usr/src/sys/kern/sys_socket.c:214
#17 0xc0519d77 in ioctl (td=0xc79baa80, uap=0xea26bd04) at file.h:265
#18 0xc068e3a0 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134533248, tf_esi = -1077941524, tf_ebp = -1077944072, tf_isp = -366559900, tf_ebx = 134578976, tf_edx = 134590397, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 1209393607, tf_cs = 51, tf_eflags = 582, tf_esp = -1077944100, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
#19 0xc0678edf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#20 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

	
>How-To-Repeat:

Unknown what actually causes it, but it may be related to deletion/recreation of the gif tunnel.
	
>Fix:

Unknown.
	


>Release-Note:
>Audit-Trail:
>Unformatted: