kern/109696: 6.2-STABLE panic page fault when deleting IPv6 gif(4) tunnel

J.R. Oldroyd fbsd at opal.com
Wed Feb 28 20:40:15 UTC 2007 

>Number:         109696
>Category:       kern
>Synopsis:       6.2-STABLE panic page fault when deleting IPv6 gif(4) tunnel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 28 20:40:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     J.R. Oldroyd
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD linwhf.opal.com 6.2-STABLE FreeBSD 6.2-STABLE #11: Mon Feb 19 10:11:02 EST 2007 xx at xx.opal.com:/usr/src/sys/i386/compile/LINWHF i386
>Description:
6.2-stable cvsup'd mid-Jan 2007 panics when IPv6 tunnel fails
and is being reset.  Tunnel created using tspc from the net/freenet6
port.  While up, tunnel works fine.  If tspc keepalives fail, tspc
resets tunnel by deleting existing one and creating new one.  After
several resets, system panics.
>How-To-Repeat:
Reproducible crash details:

1. 6.2-stable system
2. IPv6 tunnel using net/freenet6 port
3. use firewall to block ICMP6 ping keepalives
4. wait 1 to 2 hours; tspc program will reset tunnel about 12 times
5. panic page fault

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x443c
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc058683b
stack pointer           = 0x28:0xe63b8b6c
frame pointer           = 0x28:0xe63b8b7c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 16975 (ifconfig)
trap number             = 12
panic: page fault
Uptime: 1d2h51m23s
Dumping 959 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 959MB (245488 pages) 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc051869e in boot (howto=260) at ../../../kern/kern_shutdown.c:409
#2  0xc0518934 in panic (fmt=0xc06da695 "%s") at ../../../kern/kern_shutdown.c:565
#3  0xc06afe54 in trap_fatal (frame=0xe63b8b2c, eva=17468) at ../../../i386/i386/trap.c:837
#4  0xc06afbbb in trap_pfault (frame=0xe63b8b2c, usermode=0, eva=17468) at ../../../i386/i386/trap.c:745
#5  0xc06af819 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 16832, tf_esi = -993340032, tf_ebp = -432305284, tf_isp = -432305320, tf_ebx = -991704512, tf_edx = -989538432, tf_ecx = 4, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1067947973, tf_cs = 32, tf_eflags = 66198, tf_esp = -1067576410, tf_ss = -991704512}) at ../../../i386/i386/trap.c:435
#6  0xc069e7fa in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc058683b in if_delmulti (ifp=0x41c0, sa=0xc4cad580) at atomic.h:146
#8  0xc05db677 in in6_delmulti (in6m=0xc4f96900) at ../../../netinet6/mld6.c:649
#9  0xc05cee70 in in6_ifdetach (ifp=0xc4b37000) at ../../../netinet6/in6_ifattach.c:806
#10 0xc058425f in if_detach (ifp=0xc4b37000) at ../../../net/if.c:665
#11 0xc0589590 in gif_destroy (sc=0xc556db00) at ../../../net/if_gif.c:209
#12 0xc0589642 in gif_clone_destroy (ifp=0x4) at ../../../net/if_gif.c:226
#13 0xc0587b4a in ifc_simple_destroy (ifc=0xc0721460, ifp=0x4) at ../../../net/if_clone.c:478
#14 0xc0587189 in if_clone_destroy (name=0xc4f697e0 "gif0") at ../../../net/if_clone.c:172
#15 0xc0585d38 in ifioctl (so=0xc4d47c84, cmd=2149607801, data=0xc4f697e0 "gif0", td=0xc504d780) at ../../../net/if.c:1533
#16 0xc05405af in soo_ioctl (fp=0x4, cmd=2149607801, data=0xc4f697e0,active_cred=0xc4921d80, td=0xc504d780) at ../../../kern/sys_socket.c:214
#17 0xc053ac79 in ioctl (td=0xc504d780, uap=0xe63b8d04) at file.h:265
#18 0xc06b016b in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077941000, tf_esi = -1077940788, tf_ebp = -1077943208, tf_isp = -432304796, tf_ebx = 134567488, tf_edx = 134578685, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 672428783, tf_cs = 51, tf_eflags = 642, tf_esp = -1077943236, tf_ss = 59}) at ../../../i386/i386/trap.c:983
#19 0xc069e84f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#20 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) list *0xc058683b
0xc058683b is in if_delmulti (atomic.h:149).
144     static __inline int
145     atomic_cmpset_int(volatile u_int *dst, u_int exp, u_int src)
146     {
147             int res = exp;
148
149             __asm __volatile (
150             "       " __XSTRING(MPLOCKED) " "
151             "       cmpxchgl %2,%1 ;        "
152             "       setz    %%al ;          "
153             "       movzbl  %%al,%0 ;       "
(kgdb)=20


/tspc.log then contains:

2007/02/20 11:40:16 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 11:40:47 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 11:40:47 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 11:40:47 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 11:46:40 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 11:47:11 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 11:47:11 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 11:47:11 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 11:50:18 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 11:50:48 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 11:50:48 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 11:50:48 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:12:27 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:12:57 tspc: tspSetupTunnel: Got tunnel parameters from server , setting up local tunnel
2007/02/20 12:12:57 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:12:57 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:16:42 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:17:12 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:17:12 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:17:12 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:19:50 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:20:21 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:20:21 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:20:21 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:32:14 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:32:44 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:32:44 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:32:44 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:36:38 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:37:09 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:37:09 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:37:09 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:40:56 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:41:26 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:41:26 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:41:26 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 12:54:59 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 12:55:29 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 12:55:29 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 12:55:29 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 13:05:56 tspc: tspMain: Disconnected, retry in 30 seconds
2007/02/20 13:06:27 tspc: tspSetupTunnel: Got tunnel parameters from server, setting up local tunnel
2007/02/20 13:06:27 tspc: tspStartLocal: Going daemon, check tspc.log for tunnel creation status
2007/02/20 13:06:27 tspc: tspSetupInterface: Your IPv6 address is 2001:05c0:8fff:fffe:0000:0000:0000:0553
2007/02/20 13:09:04 tspc: tspMain: Disconnected, retry in 30 seconds

and then it panics.  12 resets.  This appears to be very typical.

>Fix:
Not yet determined.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list