kern/108197: IPv6-related crash if if_delmulti
Alexander Motin
mav at alkar.net
Mon Mar 19 00:00:21 UTC 2007
The following reply was made to PR kern/108197; it has been noted by GNATS.
From: Alexander Motin <mav at alkar.net>
To: bug-followup at FreeBSD.org, freebsd at spatula.net
Cc:
Subject: Re: kern/108197: IPv6-related crash if if_delmulti
Date: Mon, 19 Mar 2007 01:50:04 +0200
I regularly observe a problem with similar symptoms. I have
FreeBSD 6.2-STABLE of Jan 29. I have IPv6 in my kernel, but do not use
it actively. In my case it happens with significant probability when an
mpd4.1-based server tries to destroy several ngX interfaces on
shutdown. It does this by shutting down the related ng_iface netgraph node.
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x100027c
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc05df5a3
stack pointer = 0x28:0xdce8c94c
frame pointer = 0x28:0xdce8c970
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 6089 (mpd4)
trap number = 12
panic: page fault
Uptime: 4h43m35s
Dumping 511 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 511MB (130800 pages) 495 479 463 447 431 415 399 383 367 351
335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47
31 15
#0 doadump () at pcpu.h:165
165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc055e046 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2 0xc055e350 in panic (fmt=0xc0749735 "%s") at
/usr/src/sys/kern/kern_shutdown.c:565
#3 0xc0723095 in trap_fatal (frame=0xdce8c90c, eva=0) at
/usr/src/sys/i386/i386/trap.c:837
#4 0xc0722db5 in trap_pfault (frame=0xdce8c90c, usermode=0,
eva=16777852) at /usr/src/sys/i386/i386/trap.c:745
#5 0xc072299f in trap (frame=
{tf_fs = -588775416, tf_es = -1068171224, tf_ds = -588775384,
tf_edi = 16777216, tf_esi = 167772927, tf_ebp = -588723856, tf_isp =
-588723912, tf_ebx = -1008249152, tf_edx = -1011626624, tf_ecx =
-1007975136, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip =
-1067584093, tf_cs = 32, tf_eflags = 66194, tf_esp = -1015311360, tf_ss
= -2145359566}) at /usr/src/sys/i386/i386/trap.c:435
#6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7 0xc05df5a3 in if_delmulti (ifp=0x1000000, sa=0xa0002ff) at atomic.h:146
#8 0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at
/usr/src/sys/netinet/in.c:1060
#9 0xc05f049b in in_delmulti_ifp (ifp=0xc37b9400) at
/usr/src/sys/netinet/in.c:1079
#10 0xc05f0568 in in_ifdetach (ifp=0xc37b9400) at
/usr/src/sys/netinet/in.c:1095
#11 0xc05dc82b in if_detach (ifp=0xc37b9400) at /usr/src/sys/net/if.c:655
This looks strange to me:
(kgdb) frame 8
#8 0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at
/usr/src/sys/netinet/in.c:1060
1060 if_delmulti(ifma->ifma_ifp, ifma->ifma_addr);
(kgdb) p ifma->ifma_ifp
$8 = (struct ifnet *) 0x1000000
(kgdb) p *(ifma->ifma_ifp)
Cannot access memory at address 0x1000000
I also have several other similar core dumps:
#6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7 0xc05df5a3 in if_delmulti (ifp=0x80000, sa=0x0) at atomic.h:146
#8 0xc05f03cd in in_delmulti_locked (inm=0xc4a3e7c0) at
/usr/src/sys/netinet/in.c:1060
#9 0xc05f049b in in_delmulti_ifp (ifp=0xc385fc00) at
/usr/src/sys/netinet/in.c:1079
#10 0xc05f0568 in in_ifdetach (ifp=0xc385fc00) at
/usr/src/sys/netinet/in.c:1095
#11 0xc05dc82b in if_detach (ifp=0xc385fc00) at /usr/src/sys/net/if.c:655
----
#5 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6 0xc05839e5 in turnstile_setowner (ts=0xc3a2fcc0, owner=0x4) at
/usr/src/sys/kern/subr_turnstile.c:434
#7 0xc0583d11 in turnstile_wait (lock=0xc385e660, owner=0x4) at
/usr/src/sys/kern/subr_turnstile.c:593
#8 0xc0553aeb in _mtx_lock_sleep (m=0xc385e660, tid=3286708992, opts=0,
file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:579
#9 0xc05df5df in if_delmulti (ifp=0xc385e400, sa=0xc3e79b80) at
/usr/src/sys/net/if.c:2083
#10 0xc05f03cd in in_delmulti_locked (inm=0x4) at
/usr/src/sys/netinet/in.c:1060
#11 0xc05f049b in in_delmulti_ifp (ifp=0xc3855000) at
/usr/src/sys/netinet/in.c:1079
#12 0xc05f0568 in in_ifdetach (ifp=0xc3855000) at
/usr/src/sys/netinet/in.c:1095
#13 0xc05dc82b in if_detach (ifp=0xc3855000) at /usr/src/sys/net/if.c:655
---
#6 0xc070fb5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7 0xc05df5a3 in if_delmulti (ifp=0x0, sa=0x50001ff) at atomic.h:146
#8 0xc05f03cd in in_delmulti_locked (inm=0xc50901c0) at
/usr/src/sys/netinet/in.c:1060
#9 0xc05f049b in in_delmulti_ifp (ifp=0xc4b1a800) at
/usr/src/sys/netinet/in.c:1079
#10 0xc05f0568 in in_ifdetach (ifp=0xc4b1a800) at
/usr/src/sys/netinet/in.c:1095
#11 0xc05dc82b in if_detach (ifp=0xc4b1a800) at /usr/src/sys/net/if.c:655
If anybody needs additional info, I will be glad to help.
--
Alexander Motin
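
Added example, not part of the original message: a small triage script that rejoins mail-wrapped kgdb frames and lists nonzero hex arguments that fall below the kernel address range, which is the pattern visible in the backtraces above (ifp=0x1000000, owner=0x4, inm=0x4). The KERNBASE value is an assumption (the default i386 kernel base), and the function names are hypothetical.

```python
import re

KERNBASE = 0xC0000000  # assumption: default i386 kernel base address

FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\) at ")
HEXARG = re.compile(r"(\w+)=(0x[0-9a-f]+)\b")

# Frames copied from the report above, still wrapped as the mail client left them.
SAMPLE = """
#7 0xc05df5a3 in if_delmulti (ifp=0x1000000, sa=0xa0002ff) at atomic.h:146
#8 0xc05f03cd in in_delmulti_locked (inm=0xc3eb8520) at
/usr/src/sys/netinet/in.c:1060
#9 0xc05f049b in in_delmulti_ifp (ifp=0xc37b9400) at
/usr/src/sys/netinet/in.c:1079
#6 0xc05839e5 in turnstile_setowner (ts=0xc3a2fcc0, owner=0x4) at
/usr/src/sys/kern/subr_turnstile.c:434
#10 0xc05f03cd in in_delmulti_locked (inm=0x4) at
/usr/src/sys/netinet/in.c:1060
"""

def join_wrapped(text):
    """Rejoin frames that were wrapped onto a continuation line."""
    frames = []
    for line in text.strip().splitlines():
        if line.startswith("#") or not frames:
            frames.append(line.strip())
        else:
            frames[-1] += " " + line.strip()
    return frames

def suspect_args(text, kernbase=KERNBASE):
    """Return (frame, function, arg, value) for nonzero hex args below kernbase.

    NULL is skipped: it is often legitimate (e.g. file=0x0 in _mtx_lock_sleep).
    """
    hits = []
    for frame in join_wrapped(text):
        m = FRAME.match(frame)
        if not m:
            continue  # not a frame line in the expected kgdb layout
        for name, val in HEXARG.findall(m.group(3)):
            v = int(val, 16)
            if 0 < v < kernbase:
                hits.append((int(m.group(1)), m.group(2), name, v))
    return hits

if __name__ == "__main__":
    for no, func, arg, v in suspect_args(SAMPLE):
        print(f"frame #{no} {func}: {arg}={v:#x} is not a kernel address")
```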