Bug 124021 - [ip6] [panic] page fault in nd6_output()
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 6.3-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Keywords: crash
Reported: 2008-05-27 09:40 UTC by Mohacsi Janos
Modified: 2022-10-17 12:18 UTC
Description Mohacsi Janos 2008-05-27 09:40:03 UTC
	Kernel panicked in nd6_output() function.

root@mignon# kgdb kernel.debug /var/crash/vmcore.1 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x104
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc055cc65
stack pointer	        = 0x28:0xef85289c
frame pointer	        = 0x28:0xef8528b4
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= resume, IOPL = 0
current process		= 30145 (sshd)
trap number		= 12
panic: page fault
cpuid = 0
Uptime: 4d5h35m21s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 1023MB (261872 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

Reading symbols from /boot/kernel/ispfw.ko...done.
Loaded symbols for /boot/kernel/ispfw.ko
Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/fdescfs.ko...done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/pflog.ko...done.
Loaded symbols for /boot/kernel/pflog.ko
Reading symbols from /boot/kernel/pf.ko...done.
Loaded symbols for /boot/kernel/pf.ko
Reading symbols from /boot/kernel/accf_http.ko...done.
Loaded symbols for /boot/kernel/accf_http.ko
Reading symbols from /boot/kernel/daemon_saver.ko...done.
Loaded symbols for /boot/kernel/daemon_saver.ko
#0  doadump () at pcpu.h:165
165		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc056802d in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
#2  0xc05683de in panic (fmt=0xc0759e9a "%s")
    at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc0729180 in trap_fatal (frame=0xef85285c, eva=0)
    at /usr/src/sys/i386/i386/trap.c:838
#4  0xc0728865 in trap (frame=
      {tf_fs = -276496376, tf_es = -1067188184, tf_ds = -276496344, tf_edi = -939729920, tf_esi = 4, tf_ebp = -276485964, tf_isp = -276486008, tf_ebx = -987277284, tf_edx = 6, tf_ecx = 3, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1068118939, tf_cs = 32, tf_eflags = 65538, tf_esp = -987277284, tf_ss = -991664924}) at /usr/src/sys/i386/i386/trap.c:270
#5  0xc071186a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6  0xc055cc65 in _mtx_lock_sleep (m=0xc527581c, tid=3355237376, opts=0, 
    file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:546
#7  0xc0642437 in nd6_output (ifp=0xc4c3e000, origifp=0x1, m0=0xc6c18300, 
    dst=0xc4e464dc, rt0=0xc5275840) at /usr/src/sys/netinet6/nd6.c:2008
#8  0xc063b712 in ip6_output (m0=0xef852a78, opt=0x0, ro=0xef852a78, flags=0, 
    im6o=0x0, ifpp=0x0, inp=0xc54ae2d0)
    at /usr/src/sys/netinet6/ip6_output.c:994
#9  0xc0619e31 in tcp_output (tp=0xc588acb0)
    at /usr/src/sys/netinet/tcp_output.c:1059
#10 0xc06225bb in tcp_usr_send (so=0xc589b000, flags=0, m=0xc7baaa00, nam=0x0, 
    control=0x0, td=0xc7fcdc00) at /usr/src/sys/netinet/tcp_usrreq.c:698
#11 0xc05ad5df in sosend (so=0xc589b000, addr=0x0, uio=0xef852cb0, 
    top=0xc7baaa00, control=0x0, flags=0, td=0xc7fcdc00)
    at /usr/src/sys/kern/uipc_socket.c:836
#12 0xc05992c7 in soo_write (fp=0x1, uio=0xef852cb0, active_cred=0xc5d60000, 
    flags=0, td=0xc7fcdc00) at /usr/src/sys/kern/sys_socket.c:118
#13 0xc05923da in dofilewrite (td=0xc7fcdc00, fd=1, fp=0xc59ffd38, 
    auio=0xef852cb0, offset=Unhandled dwarf expression opcode 0x93
) at file.h:253
#14 0xc059220b in kern_writev (td=0xc7fcdc00, fd=3, auio=0x1)
    at /usr/src/sys/kern/sys_generic.c:402
#15 0xc05920dd in write (td=0x1, uap=0x3)
    at /usr/src/sys/kern/sys_generic.c:326
#16 0xc0729567 in syscall (frame=
      {tf_fs = 134676539, tf_es = -1078001605, tf_ds = -1078001605, tf_edi = 134701160, tf_esi = 80, tf_ebp = -1077941848, tf_isp = -276484764, tf_ebx = 672000184, tf_edx = 134701160, tf_ecx = 3, tf_eax = 4, tf_trapno = 0, tf_err = 2, tf_eip = 674877415, tf_cs = 51, tf_eflags = 518, tf_esp = -1077941876, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:984
#17 0xc07118bf in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) quit

Fix: 

If you need more information about the crash and the kernel - I can provide you.
How-To-Repeat: 	This crash occurs basically every 2-3 months since FreeBSD 6.x
Comment 1 bzeeb-lists 2008-05-27 09:45:16 UTC
On Tue, 27 May 2008, Mohacsi Janos wrote:

>> Synopsis:       page fault in nd6_output()

This is most likely an issue because of missing proper locking and is
well known.

I bet one can find another 5 reports of this in gnats.

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2008-05-28 04:49:54 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 3 vladislav V. Prodan 2010-09-06 12:58:11 UTC
After pinging the internal network, the system hung

# ping6 2001:470:ZZ:140::10
PING6(56=40+8+8 bytes) 2001:470:ZZ:140::5 --> 2001:470:ZZ:140::10

http://img834.imageshack.us/img834/5016/dsc00523qw.jpg

# uname -a
FreeBSD mary-teresa.XXXXX.ua 9.0-CURRENT FreeBSD 9.0-CURRENT #0: Sun Aug
29 19:00:25 EEST 2010
vlad11@mary-teresa.XXXXX.ua:/usr/obj/usr/src/sys/mary-teresa.24  amd64

# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:e0:4d:7b:69:0c
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::2e0:4dff:fe7b:690c%re0 prefixlen 64 scopeid 0x1
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 2001:470:ZZ:140::5 prefixlen 64
        inet6 2001:5c0:1503:XXXX::1 prefixlen 64
        inet6 2001:5c0:1503:XXXX::84 prefixlen 64
        inet6 2001:470:ZZXX::5 prefixlen 48
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
Comment 4 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:01 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 5 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:18:10 UTC
Keyword: 

    crash

– in lieu of summary line prefix: 

    [panic]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>