kern/122283: [ip6] [panic] Panic in ip_output related to IPv6 routes

Pekka Savola pekkas at netcore.fi
Thu Aug 21 08:20:05 UTC 2008


The following reply was made to PR kern/122283; it has been noted by GNATS.

From: Pekka Savola <pekkas at netcore.fi>
To: bug-followup at freebsd.org
Cc:  
Subject: kern/122283: [ip6] [panic] Panic in ip_output related to IPv6
 routes
Date: Thu, 21 Aug 2008 11:11:28 +0300 (EEST)

 FYI,
 
 Here's another, slightly different, crash also with SMP, which occurs 
 in the same place as Nick's first crash:
 
 (kgdb) up 7
 #7  0xc065427c in ip_output (m=0xc51ef800, opt=0x0, ro=0xc50fec84, 
 flags=0, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:171
 171                     RTFREE(ro->ro_rt);
 
 (kgdb) list
 166              * cache with IPv6.
 167              */
 168             if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
 169                               dst->sin_family != AF_INET ||
 170                               dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
 171                     RTFREE(ro->ro_rt);
 172                     ro->ro_rt = (struct rtentry *)NULL;
 173             }
 174     #ifdef IPFIREWALL_FORWARD
 175             if (ro->ro_rt == NULL && fwd_tag == NULL) {
 
 
 (kgdb) print *ro
 $1 = {ro_rt = 0x0, ro_dst = {sa_len = 16 '\020', sa_family = 2 '\002', 
 sa_data = "\000\000SYB\224\000\000\000\000\000\000\000"}}
 
 so ro->ro_rt is zero, and RTFREE is doing locking here which gives a 
 hint why SMP might be a factor here.
 
 This is a rather busy box also running Teredo relay (5-10kpps).  I get 
 hit by this crash in minutes or hours if SMP is enabled.
 
 =========================
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0x4c
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc065427c
 stack pointer           = 0x28:0xe7781788
 frame pointer           = 0x28:0xe77817f8
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                           = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 929 (miredo)
 trap number             = 12
 panic: page fault
 cpuid = 0
 Uptime: 16m9s
 Physical memory: 2039 MB
 Dumping 176 MB: 161 145 129 113 97 81 65 49 33 17 1
 
 #0  doadump () at pcpu.h:195
 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:195
 #1  0xc058bc37 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
 #2  0xc058bef9 in panic (fmt=Variable "fmt" is not available.
 ) at /usr/src/sys/kern/kern_shutdown.c:572
 #3  0xc073a48c in trap_fatal (frame=0xe7781748, eva=76)
       at /usr/src/sys/i386/i386/trap.c:899
 #4  0xc073a710 in trap_pfault (frame=0xe7781748, usermode=0, eva=76)
       at /usr/src/sys/i386/i386/trap.c:812
 #5  0xc073b08c in trap (frame=0xe7781748) at /usr/src/sys/i386/i386/trap.c:490
 #6  0xc0720b1b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc065427c in ip_output (m=0xc51ef800, opt=0x0, ro=0xc50fec84, flags=0,
       imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:171
 #8  0xc0628e26 in stf_output (ifp=0xc4fd6c00, m=0xc51ef800, dst=0xe7781a00,
       rt=0xc51da8b8) at /usr/src/sys/net/if_stf.c:537
 #9  0xc068708d in nd6_output (ifp=0xc4fd6c00, origifp=0xc4fd6c00,
       m0=0xc51ef800, dst=0xe7781a00, rt0=0xc51da8b8)
       at /usr/src/sys/netinet6/nd6.c:2123
 #10 0xc0684342 in ip6_output (m0=0xc51ef800, opt=0x0, ro=0xe77819fc, flags=0,
       im6o=0x0, ifpp=0xe7781a80, inp=0xc52cb924)
       at /usr/src/sys/netinet6/ip6_output.c:944
 #11 0xc068f4cb in rip6_output (m=0xc51ef800)
       at /usr/src/sys/netinet6/raw_ip6.c:448
 #12 0xc068fad8 in rip6_send (so=0xc52d51a0, flags=0, m=0xc51ef800,
       nam=0xc5007960, control=0x0, td=0xc52ec000)
 ---Type <return> to continue, or q <return> to quit---
       at /usr/src/sys/netinet6/raw_ip6.c:790
 #13 0xc05e30a5 in sosend_generic (so=0xc52d51a0, addr=0xc5007960,
       uio=0xe7781be8, top=0xc51ef800, control=0x0, flags=0, td=0xc52ec000)
       at /usr/src/sys/kern/uipc_socket.c:1246
 #14 0xc05debbf in sosend (so=0xc52d51a0, addr=0xc5007960, uio=0xe7781be8,
       top=0x0, control=0x0, flags=0, td=0xc52ec000)
       at /usr/src/sys/kern/uipc_socket.c:1292
 #15 0xc05e5856 in kern_sendit (td=0xc52ec000, s=6, mp=0xe7781c64, flags=0,
       control=0x0, segflg=UIO_USERSPACE) at /usr/src/sys/kern/uipc_syscalls.c:805
 #16 0xc05e81b2 in sendit (td=0xc52ec000, s=6, mp=0xe7781c64, flags=0)
       at /usr/src/sys/kern/uipc_syscalls.c:742
 #17 0xc05e83ef in sendto (td=0xc52ec000, uap=0xe7781cfc)
       at /usr/src/sys/kern/uipc_syscalls.c:857
 #18 0xc073aa49 in syscall (frame=0xe7781d38)
       at /usr/src/sys/i386/i386/trap.c:1035
 #19 0xc0720b80 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
 #20 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 
 
 
 
 
 -- 
 Pekka Savola                 "You each name yourselves king, yet the
 Netcore Oy                    kingdom bleeds."
 Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
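
A user-space model of the check-then-free pattern in the listing above, added here as an illustration and not taken from the FreeBSD source or from this PR. It assumes the route cache passed as `ro` is shared by concurrent senders, which the report hints at but does not establish. The `*_model` types, `ro_lock` and the `cpu2_*` hooks are hypothetical, and the second CPU is simulated by a callback so the interleaving is deterministic.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel types; not FreeBSD's definitions. */
struct rt_model    { int rt_flags; };
struct route_model { struct rt_model *ro_rt; atomic_flag ro_lock; };
#define RTF_UP_MODEL 0x1
typedef void (*cpu2_fn)(struct route_model *);

/* Second CPU that takes no lock and drops the cached route. */
void cpu2_drop_unlocked(struct route_model *ro) {
    free(ro->ro_rt);
    ro->ro_rt = NULL;
}

/* Second CPU that honours ro_lock; a kernel would block, the model skips. */
void cpu2_drop_locked(struct route_model *ro) {
    if (atomic_flag_test_and_set(&ro->ro_lock))
        return;                      /* held by CPU 1: no interleaving */
    cpu2_drop_unlocked(ro);
    atomic_flag_clear(&ro->ro_lock);
}

/* Shape of lines 168-172, reduced to the RTF_UP test: check ro_rt, then
 * read it again for the free. Returns 1 when the second read sees NULL. */
int invalidate_unlocked(struct route_model *ro, cpu2_fn cpu2) {
    if (ro->ro_rt && (ro->ro_rt->rt_flags & RTF_UP_MODEL) == 0) {
        cpu2(ro);                    /* window between check and free */
        if (ro->ro_rt == NULL)
            return 1;                /* RTFREE on NULL would fault here */
        free(ro->ro_rt);
        ro->ro_rt = NULL;
    }
    return 0;
}

/* Hardened form: check and free sit inside one critical section. */
int invalidate_locked(struct route_model *ro, cpu2_fn cpu2) {
    int saw_null = 0;
    while (atomic_flag_test_and_set(&ro->ro_lock)) { /* spin for the cache */ }
    if (ro->ro_rt && (ro->ro_rt->rt_flags & RTF_UP_MODEL) == 0) {
        cpu2(ro);                    /* same window, now closed */
        saw_null = (ro->ro_rt == NULL);
        free(ro->ro_rt);
        ro->ro_rt = NULL;
    }
    atomic_flag_clear(&ro->ro_lock);
    return saw_null;
}
```

To exercise it, give a `struct route_model` a zeroed `rt_model` (a route without the up flag) and call each function with the matching `cpu2_*` hook.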
 

