svn commit: r279588 - head/sys/netinet6

Florian Smeets flo at smeets.im
Thu Mar 5 22:17:25 UTC 2015


On 04.03.15 12:20, Andrey V. Elsukov wrote:
> Author: ae
> Date: Wed Mar  4 11:20:01 2015
> New Revision: 279588
> URL: https://svnweb.freebsd.org/changeset/base/279588
> 
> Log:
>   Fix deadlock in IPv6 PCB code.
>   

Hi,

everything I'm going to mention is running world/kernel @r279675.

I have a host running a couple of IPv6-only bhyves. It looks like I can easily panic them when trying to ssh into them. With my limited understanding I'd say the stack trace points to this commit.

All the tap interfaces used by the bhyves are connected to one bridge interface. Every bhyve has its own IPv6 address configured on vtnet0. The bridge interface on the host has an IPv6 address which is the default gateway in all the bhyves.

Let me know if you need anything else. It seems to be quite easy to reproduce.

Fatal trap 12: page fault while in kernel mode
cpuid = 6; apic id = 06
fault virtual address   = 0x0
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80bda224
stack pointer           = 0x28:0xfffffe01efbfd330
frame pointer           = 0x28:0xfffffe01efbfd3d0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq265: virtio_pci0)
[ thread pid 12 tid 100036 ]
Stopped at      in6_pcbnotify+0x254:    movl    (%rax),%edx
db> where
Tracing pid 12 tid 100036 td 0xfffff800063d0000
in6_pcbnotify() at in6_pcbnotify+0x254/frame 0xfffffe01efbfd3d0
tcp6_ctlinput() at tcp6_ctlinput+0xf0/frame 0xfffffe01efbfd470
icmp6_input() at icmp6_input+0x18d4/frame 0xfffffe01efbfd660
ip6_input() at ip6_input+0x488/frame 0xfffffe01efbfd740
netisr_dispatch_src() at netisr_dispatch_src+0x61/frame 0xfffffe01efbfd7b0
ether_demux() at ether_demux+0x15d/frame 0xfffffe01efbfd7e0
ether_nh_input() at ether_nh_input+0x377/frame 0xfffffe01efbfd840
netisr_dispatch_src() at netisr_dispatch_src+0x61/frame 0xfffffe01efbfd8b0
ether_input() at ether_input+0x26/frame 0xfffffe01efbfd8d0
vtnet_rxq_eof() at vtnet_rxq_eof+0x7ab/frame 0xfffffe01efbfd9a0
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x94/frame 0xfffffe01efbfd9e0
intr_event_execute_handlers() at intr_event_execute_handlers+0x1d8/frame 0xfffffe01efbfda20
ithread_loop() at ithread_loop+0x9c/frame 0xfffffe01efbfda70
fork_exit() at fork_exit+0x9a/frame 0xfffffe01efbfdab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01efbfdab0
--- trap 0, rip = 0, rsp = 0xfffffe01efbfdb70, rbp = 0 ---

(kgdb) list *0xffffffff80bda224
0xffffffff80bda224 is in in6_pcbnotify (/usr/src/sys/netinet6/in6_pcb.c:649).
644                      * and the application (associated with this socket) wanted to
645                      * know the value, notify.
646                      * XXX: should we avoid to notify the value to TCP sockets?
647                      */
648                     if (cmd == PRC_MSGSIZE)
649                             ip6_notify_pmtu(inp, (struct sockaddr_in6 *)dst,
650                                             *(u_int32_t *)cmdarg);
651
652                     /*
653                      * Detect if we should notify the error. If no source and
(kgdb) print dst
$5 = (struct sockaddr *) 0xfffffe01efbfd590
(kgdb) print notify
$6 = (struct inpcb *(*)(struct inpcb *,
    int)) 0xffffffff80bb5220 <tcp_mtudisc_notify>

Florian
