When trying to ping6 a peer (address is fe80::1, for example) over firewire, it immediately crashes. Stack trace is as follows:

kbd_backtrace
panic
trap_fatal
trap_pfault
trap
calltrap
nd6_llinfo_settimer_locked
nd6_na_input
icmp6_input
ip6_input
netisr_dispatch_src
netisr_dispatch
firewire_input
fwip_unicast_input
fw_rcv
fwohci_arcv
fwohci_task_dma
taskqueue_run_locked

How-To-Repeat: Let ${peer_eui64} be the EUI-64 of your peer on fwip0, then
$ ping6 fe80::${peer_eui64}%fwip0
See full stack trace at: https://twitter.com/yoshfuji/status/307707100627337216/photo/1
Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s).
Responsible Changed From-To: freebsd-net->ae Take it.
Hi,

It seems to me that in the nd6_cache_lladdr() function, at these lines:

1592         if (lladdr) {           /* (3-5) and (7) */
1593                 /*
1594                  * Record source link-layer address
1595                  * XXX is it dependent to ifp->if_type?
1596                  */
1597                 bcopy(lladdr, &ln->ll_addr, ifp->if_addrlen);

bcopy overwrites part of the lle_timer struct, and then this triggers a panic in callout_reset().

--
WBR, Andrey V. Elsukov
State Changed From-To: open->analyzed fwip(4) has a 16-byte hardware address, but struct llentry expects only 8 bytes. In nd6_cache_lladdr() the lle_timer field gets overwritten, and this leads to a panic in callout_reset().
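The overwrite described in the analysis above, as an added illustration (constructed here; it is neither the kernel's struct llentry nor the committed fix): an 8-byte ll_addr slot followed by stand-in timer fields, the unchecked copy that runs into those fields when handed a 16-byte fwip address, and a bounded variant that rejects the oversized address instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the relevant part of struct llentry (not the kernel's
 * definition): an 8-byte link-layer address slot immediately followed by the
 * timer state that callout_reset() later reads. */
struct lle_like {
	uint8_t ll_addr[8];      /* fits an EUI-64, not fwip(4)'s 16-byte address */
	uint64_t timer_expire;   /* lle_timer stand-in, sits right after ll_addr */
	uint64_t timer_func_id;  /* stands in for the callout function pointer */
};

#define FWIP_ADDRLEN 16  /* fwip(4) hardware address length, as in the report */

/* Unchecked copy, mirroring the bcopy() quoted in the report: trusts the
 * caller's if_addrlen and runs past ll_addr when it exceeds 8 bytes. */
static void cache_lladdr_unchecked(struct lle_like *ln, const uint8_t *lladdr, size_t addrlen)
{
	memcpy((uint8_t *)ln + offsetof(struct lle_like, ll_addr), lladdr, addrlen);
}

/* Bounded variant: refuses an address that does not fit the slot, so the
 * timer fields are never touched. Returns 0 on success, -1 when rejected. */
int cache_lladdr_checked(struct lle_like *ln, const uint8_t *lladdr, size_t addrlen)
{
	if (addrlen > sizeof(ln->ll_addr))
		return -1;
	memcpy(ln->ll_addr, lladdr, addrlen);
	return 0;
}

/* Feeds a constructed 16-byte fwip address through one path and reports
 * whether the timer sentinels survived: 1 = intact, 0 = overwritten. */
int timer_survives(int use_checked)
{
	struct lle_like ln = { {0}, 42, 0x1234 };  /* sentinel timer state */
	uint8_t fwaddr[FWIP_ADDRLEN];
	memset(fwaddr, 0xAA, sizeof(fwaddr));      /* constructed peer address */
	if (use_checked)
		(void)cache_lladdr_checked(&ln, fwaddr, sizeof(fwaddr));
	else
		cache_lladdr_unchecked(&ln, fwaddr, sizeof(fwaddr));
	return ln.timer_expire == 42 && ln.timer_func_id == 0x1234;
}
```

With the unchecked path the 16-byte copy overwrites timer_expire, which is exactly the kind of corrupted callout state that callout_reset() then trips over; the bounded path leaves both sentinels untouched.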
State Changed From-To: analyzed->patched This has been fixed in head/ with r254823. Thanks!