Date:      Tue, 03 Feb 2015 02:27:04 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 197286] Panic in IPv6 stack - 0xc0d0b1fc is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:702)
Message-ID:  <bug-197286-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197286

            Bug ID: 197286
           Summary: Panic in IPv6 stack - 0xc0d0b1fc is in ip6_input
                    (/usr/src/sys/netinet6/ip6_input.c:702)
           Product: Base System
           Version: 10.1-STABLE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tdb@FreeBSD.org

Kernel panic (triggered by receiving an IPv6 ping!). Running stable/10 r277643.
System has a tun0 device controlled by ppp and a gif device tunnelled over that
connection for IPv6.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0d0b1fc
stack pointer           = 0x28:0xdb570738
frame pointer           = 0x28:0xdb5708e0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 742 (ppp)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xc0b5f3c2 at kdb_backtrace+0x52
#1 0xc0b20fcf at panic+0x11f
#2 0xc1027574 at trap_fatal+0x324
#3 0xc10278d5 at trap_pfault+0x355
#4 0xc1026f94 at trap+0x674
#5 0xc1011b8c at calltrap+0x6
#6 0xc0bf828b at netisr_dispatch_src+0x8b
#7 0xc0bf8600 at netisr_dispatch+0x20
#8 0xc0bf071e at gif_input+0x35e
#9 0xc0c4f781 at in_gif_input+0x51
#10 0xc0c4f5bf at in_gif_input10+0x2f
#11 0xc0c58420 at encap4_input+0x210
#12 0xc0c5c432 at ip_input+0x152
#13 0xc0bf828b at netisr_dispatch_src+0x8b
#14 0xc0bf8600 at netisr_dispatch+0x20
#15 0xc0bf4904 at tunwrite+0x254
#16 0xc09fe644 at devfs_write_f+0xb4
#17 0xc0b77776 at dofilewrite+0x86
Uptime: 37s
Physical memory: 491 MB
Dumping 65 MB: 50 34 18 2

Reading symbols from /boot/kernel/pf.ko.symbols...done.
Loaded symbols for /boot/kernel/pf.ko.symbols
Reading symbols from /boot/kernel/pflog.ko.symbols...done.
Loaded symbols for /boot/kernel/pflog.ko.symbols
Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
Loaded symbols for /boot/kernel/netgraph.ko.symbols
Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
Loaded symbols for /boot/kernel/ng_ether.ko.symbols
Reading symbols from /boot/kernel/ng_pppoe.ko.symbols...done.
Loaded symbols for /boot/kernel/ng_pppoe.ko.symbols
Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
Loaded symbols for /boot/kernel/ng_socket.ko.symbols
#0  doadump (textdump=-999684992) at pcpu.h:233
233     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) list *0xc0d0b1fc
0xc0d0b1fc is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:702).
697                     bad = 1;
698     #define sa_equal(a1, a2)                                               \
699             (bcmp((a1), (a2), ((a1))->sin6_len) == 0)
700                     IF_ADDR_RLOCK(ifp);
701                     TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
702                             if (ifa->ifa_addr->sa_family != dst6.sin6_family)
703                                     continue;
704                             if (sa_equal(&dst6, ifa->ifa_addr))
705                                     break;
706                     }
Current language:  auto; currently minimal
(kgdb) backtrace
#0  doadump (textdump=-999684992) at pcpu.h:233
#1  0xc0b20c3d in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:452
#2  0xc0b2100d in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xc1027574 in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/i386/i386/trap.c:1023
#4  0xc10278d5 in trap_pfault (frame=0x0, usermode=<value optimized out>, eva=0) at /usr/src/sys/i386/i386/trap.c:835
#5  0xc1026f94 in trap (frame=0xdb5706f8) at /usr/src/sys/i386/i386/trap.c:532
#6  0xc1011b8c in calltrap () at /usr/src/sys/i386/i386/exception.s:170
#7  0xc0d0b1fc in ip6_input (m=0xc4571830) at /usr/src/sys/netinet6/ip6_input.c:702
#8  0xc0bf828b in netisr_dispatch_src (proto=<value optimized out>, source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:972
#9  0xc0bf8600 in netisr_dispatch (proto=10, m=0xc4ae3a00) at /usr/src/sys/net/netisr.c:1063
#10 0xc0bf071e in gif_input (m=0xc4ae3a00, ifp=0xc52d2800, proto=<value optimized out>, ecn=12 '\f') at /usr/src/sys/net/if_gif.c:693
#11 0xc0c4f781 in in_gif_input (mp=0xdb5709ac, offp=<value optimized out>) at /usr/src/sys/netinet/in_gif.c:166
#12 0xc0c4f5bf in in_gif_input10 (m=0xc4ae3a00, off=20) at /usr/src/sys/netinet/in_gif.c:143
#13 0xc0c58420 in encap4_input (m=0xc4ae3a00) at /usr/src/sys/netinet/ip_encap.c:191
#14 0xc0c5c432 in ip_input (m=0xc4ae3a00) at /usr/src/sys/netinet/ip_input.c:734
#15 0xc0bf828b in netisr_dispatch_src (proto=<value optimized out>, source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:972
#16 0xc0bf8600 in netisr_dispatch (proto=1, m=0xc4ae3a00) at /usr/src/sys/net/netisr.c:1063
#17 0xc0bf4904 in tunwrite (dev=0xc4b5e700, uio=<value optimized out>, flag=0) at /usr/src/sys/net/if_tun.c:926
#18 0xc09fe644 in devfs_write_f (fp=<value optimized out>, uio=0xdb570be8, flags=<value optimized out>, td=<value optimized out>) at /usr/src/sys/fs/devfs/devfs_vnops.c:1678
#19 0xc0b77776 in dofilewrite (td=0xc52cc930, fd=6, fp=0xc4be9498, auio=0xdb570be8, offset=-1, flags=0) at file.h:304
#20 0xc0b77476 in kern_writev (td=0xc52cc930, fd=6, auio=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:481
#21 0xc0b773cc in sys_write (td=<value optimized out>, uap=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:396
#22 0xc1028036 in syscall (frame=<value optimized out>) at subr_syscall.c:134
#23 0xc1011c21 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:270
#24 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

Bug is reproducible and I have the kernel dump available.
