7.0-RELEASE panics in ip_output

Nick Sayer nsayer at kfu.com
Sun Mar 9 06:39:13 UTC 2008

Since upgrading to 7.0-RELEASE, I seem to get a panic about once a  
week or so.

I have 6to4 set up on this machine, and the stack trace I get from  
kgdb usually looks something like this:

#0  doadump () at pcpu.h:195
#1  0xc062e2a7 in boot (howto=260) at /usr/src/sys/kern/ 
#2  0xc062e569 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc084ce2c in trap_fatal (frame=0xe679875c, eva=76)
     at /usr/src/sys/i386/i386/trap.c:899
#4  0xc084d0b0 in trap_pfault (frame=0xe679875c, usermode=0, eva=76)
     at /usr/src/sys/i386/i386/trap.c:812
#5  0xc084da5c in trap (frame=0xe679875c) at /usr/src/sys/i386/i386/ 
#6  0xc0833d3b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc06f23b9 in ip_output (m=0xc4494e00, opt=0x0, ro=0xc3eabbc4,  
     imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:169
#8  0xc06ca751 in stf_output (ifp=0xc3ee1000, m=0xc4494e00,  
     rt=0xc3fb5780) at /usr/src/sys/net/if_stf.c:533
#9  0xc077772d in nd6_output (ifp=0xc3ee1000, origifp=0xc3ee1000,
     m0=0xc4494e00, dst=0xc3ee5bdc, rt0=0xc3fb5780)
     at /usr/src/sys/netinet6/nd6.c:2123
#10 0xc07749f2 in ip6_output (m0=0xc4494e00, opt=0xc4089c80,  
     flags=0, im6o=0x0, ifpp=0x0, inp=0xc3fb2924)
     at /usr/src/sys/netinet6/ip6_output.c:927
#11 0xc0785a27 in udp6_send (so=0xc424d630, flags=0, m=0xc4494e00,
     addr=0xc3e4d880, control=0x0, td=0xc4246210)
     at /usr/src/sys/netinet6/udp6_usrreq.c:675
#12 0xc0681785 in sosend_generic (so=0xc424d630, addr=0xc3e4d880,
     uio=0xe6798bd4, top=0xc4494e00, control=0x0, flags=0,  
     at /usr/src/sys/kern/uipc_socket.c:1240
#13 0xc067d74f in sosend (so=0xc424d630, addr=0xc3e4d880,  
     top=0x0, control=0x0, flags=0, td=0xc4246210)
     at /usr/src/sys/kern/uipc_socket.c:1286
#14 0xc0683ed6 in kern_sendit (td=0xc4246210, s=27, mp=0xe6798c58,  
     control=0x0, segflg=UIO_USERSPACE) at /usr/src/sys/kern/ 
#15 0xc0686f91 in sendit (td=0xc4246210, s=27, mp=0xe6798c58, flags=0)
     at /usr/src/sys/kern/uipc_syscalls.c:730
#16 0xc0687031 in sendmsg (td=0xc4246210, uap=0xe6798cfc)
     at /usr/src/sys/kern/uipc_syscalls.c:922
#17 0xc084d405 in syscall (frame=0xe6798d38)
     at /usr/src/sys/i386/i386/trap.c:1035
#18 0xc0833da0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/ 
#19 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)

The exact details can vary, but the line where things seem to blow up  
is always in this code in ip_output.c:

         /*
          * If there is a cached route,
          * check that it is to the same destination
          * and is still up.  If not, free it and try again.
          * The address family should also be checked in case of sharing the
          * cache with IPv6.
          */
         if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 ||
                           dst->sin_family != AF_INET ||
                           dst->sin_addr.s_addr != ip->ip_dst.s_addr)) {
                 RTFREE(ro->ro_rt);
                 ro->ro_rt = (struct rtentry *)NULL;
         }

on the RTFREE line.

Is it just me, or is this something other folks have seen as well?
