Kernel panic (triggered by receiving an IPv6 ping!). Running stable/10 r277643. System has a tun0 device controlled by ppp and a gif device tunnelled over that connection for IPv6. Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x0 fault code = supervisor read, page not present instruction pointer = 0x20:0xc0d0b1fc stack pointer = 0x28:0xdb570738 frame pointer = 0x28:0xdb5708e0 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 742 (ppp) trap number = 12 panic: page fault cpuid = 0 KDB: stack backtrace: #0 0xc0b5f3c2 at kdb_backtrace+0x52 #1 0xc0b20fcf at panic+0x11f #2 0xc1027574 at trap_fatal+0x324 #3 0xc10278d5 at trap_pfault+0x355 #4 0xc1026f94 at trap+0x674 #5 0xc1011b8c at calltrap+0x6 #6 0xc0bf828b at netisr_dispatch_src+0x8b #7 0xc0bf8600 at netisr_dispatch+0x20 #8 0xc0bf071e at gif_input+0x35e #9 0xc0c4f781 at in_gif_input+0x51 #10 0xc0c4f5bf at in_gif_input10+0x2f #11 0xc0c58420 at encap4_input+0x210 #12 0xc0c5c432 at ip_input+0x152 #13 0xc0bf828b at netisr_dispatch_src+0x8b #14 0xc0bf8600 at netisr_dispatch+0x20 #15 0xc0bf4904 at tunwrite+0x254 #16 0xc09fe644 at devfs_write_f+0xb4 #17 0xc0b77776 at dofilewrite+0x86 Uptime: 37s Physical memory: 491 MB Dumping 65 MB: 50 34 18 2 Reading symbols from /boot/kernel/pf.ko.symbols...done. Loaded symbols for /boot/kernel/pf.ko.symbols Reading symbols from /boot/kernel/pflog.ko.symbols...done. Loaded symbols for /boot/kernel/pflog.ko.symbols Reading symbols from /boot/kernel/netgraph.ko.symbols...done. Loaded symbols for /boot/kernel/netgraph.ko.symbols Reading symbols from /boot/kernel/ng_ether.ko.symbols...done. Loaded symbols for /boot/kernel/ng_ether.ko.symbols Reading symbols from /boot/kernel/ng_pppoe.ko.symbols...done. Loaded symbols for /boot/kernel/ng_pppoe.ko.symbols Reading symbols from /boot/kernel/ng_socket.ko.symbols...done. Loaded symbols for /boot/kernel/ng_socket.ko.symbols #0 doadump (textdump=-999684992) at pcpu.h:233 233 pcpu.h: No such file or directory. in pcpu.h (kgdb) list *0xc0d0b1fc 0xc0d0b1fc is in ip6_input (/usr/src/sys/netinet6/ip6_input.c:702). 697 bad = 1; 698 #define sa_equal(a1, a2) \ 699 (bcmp((a1), (a2), ((a1))->sin6_len) == 0) 700 IF_ADDR_RLOCK(ifp); 701 TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { 702 if (ifa->ifa_addr->sa_family != dst6.sin6_family) 703 continue; 704 if (sa_equal(&dst6, ifa->ifa_addr)) 705 break; 706 } Current language: auto; currently minimal (kgdb) backtrace #0 doadump (textdump=-999684992) at pcpu.h:233 #1 0xc0b20c3d in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:452 #2 0xc0b2100d in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759 #3 0xc1027574 in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/i386/i386/trap.c:1023 #4 0xc10278d5 in trap_pfault (frame=0x0, usermode=<value optimized out>, eva=0) at /usr/src/sys/i386/i386/trap.c:835 #5 0xc1026f94 in trap (frame=0xdb5706f8) at /usr/src/sys/i386/i386/trap.c:532 #6 0xc1011b8c in calltrap () at /usr/src/sys/i386/i386/exception.s:170 #7 0xc0d0b1fc in ip6_input (m=0xc4571830) at /usr/src/sys/netinet6/ip6_input.c:702 #8 0xc0bf828b in netisr_dispatch_src (proto=<value optimized out>, source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:972 #9 0xc0bf8600 in netisr_dispatch (proto=10, m=0xc4ae3a00) at /usr/src/sys/net/netisr.c:1063 #10 0xc0bf071e in gif_input (m=0xc4ae3a00, ifp=0xc52d2800, proto=<value optimized out>, ecn=12 '\f') at /usr/src/sys/net/if_gif.c:693 #11 0xc0c4f781 in in_gif_input (mp=0xdb5709ac, offp=<value optimized out>) at /usr/src/sys/netinet/in_gif.c:166 #12 0xc0c4f5bf in in_gif_input10 (m=0xc4ae3a00, off=20) at /usr/src/sys/netinet/in_gif.c:143 #13 0xc0c58420 in encap4_input (m=0xc4ae3a00) at /usr/src/sys/netinet/ip_encap.c:191 #14 0xc0c5c432 in ip_input (m=0xc4ae3a00) at /usr/src/sys/netinet/ip_input.c:734 #15 0xc0bf828b in netisr_dispatch_src (proto=<value optimized out>, source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:972 #16 0xc0bf8600 in netisr_dispatch (proto=1, m=0xc4ae3a00) at /usr/src/sys/net/netisr.c:1063 #17 0xc0bf4904 in tunwrite (dev=0xc4b5e700, uio=<value optimized out>, flag=0) at /usr/src/sys/net/if_tun.c:926 #18 0xc09fe644 in devfs_write_f (fp=<value optimized out>, uio=0xdb570be8, flags=<value optimized out>, td=<value optimized out>) at /usr/src/sys/fs/devfs/devfs_vnops.c:1678 #19 0xc0b77776 in dofilewrite (td=0xc52cc930, fd=6, fp=0xc4be9498, auio=0xdb570be8, offset=-1, flags=0) at file.h:304 #20 0xc0b77476 in kern_writev (td=0xc52cc930, fd=6, auio=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:481 #21 0xc0b773cc in sys_write (td=<value optimized out>, uap=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:396 #22 0xc1028036 in syscall (frame=<value optimized out>) at subr_syscall.c:134 #23 0xc1011c21 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:270 #24 0x00000033 in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) Bug is reproducible and I have the kernel dump available.
I've confirmed the same issue occurs on stable/9 as well as stable/10. It used to be fine on stable/7 which is what I was using prior to this update. I haven't tested stable/8. However, I've just tried head and so far it looks like this issue is fixed there. There have been a number of changes to the file where the problem occurred, specifically r274300. It'd be good to get these changes MFCed to stable/10 if possible.
(In reply to Tim Bishop from comment #0) > Kernel panic (triggered by receiving an IPv6 ping!). Running stable/10 > r277643. System has a tun0 device controlled by ppp and a gif device > tunnelled over that connection for IPv6. Can you show ifconfig output of your configuration?
(In reply to Andrey V. Elsukov from comment #2) > Can you show ifconfig output of your configuration? I've got the machine running HEAD (still no problems since my comment #0), but from console logs I can see the following (IPs anonymised): vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8284b<RXCSUM,TXCSUM,VLAN_MTU,POLLING,WOL_UCAST,WOL_MAGIC,LINKSTATE> ether 00:00:24:cb:15:b8 inet6 fe80::200:24ff:fecb:15b8%vr0 prefixlen 64 scopeid 0x1 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (100baseTX <full-duplex>) status: active vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8284b<RXCSUM,TXCSUM,VLAN_MTU,POLLING,WOL_UCAST,WOL_MAGIC,LINKSTATE> ether 00:00:24:cb:15:b9 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::200:24ff:fecb:15b9%vr1 prefixlen 64 scopeid 0x2 inet6 1:1::1 prefixlen 64 inet 1.1.1.198 netmask 0xfffffff8 broadcast 1.1.1.199 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (100baseTX <full-duplex>) status: active vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8284b<RXCSUM,TXCSUM,VLAN_MTU,POLLING,WOL_UCAST,WOL_MAGIC,LINKSTATE> ether 00:00:24:cb:15:ba inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 inet6 fe80::200:24ff:fecb:15ba%vr2 prefixlen 64 scopeid 0x3 inet6 1:2::1 prefixlen 64 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (none) status: no carrier vr3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE> ether 00:00:24:cb:15:bb nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200 nd6 options=9<PERFORMNUD,IFDISABLED> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 inet 127.0.0.1 netmask 0xff000000 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280 tunnel inet 1.1.1.198 --> 1.1.1.126 inet6 fe80::200:24ff:fecb:15b8%gif0 prefixlen 64 scopeid 0x9 inet6 1:73::2 --> 1:73::1 prefixlen 128 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> options=1<ACCEPT_REV_ETHIP_VER> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492 options=80000<LINKSTATE> inet 1.1.1.198 --> 1.1.1.27 netmask 0xffffffff nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> Opened by PID 838 tun0 is a ppp managed link using PPPoE over vr0. gif0 is an IPv6 tunnel which goes out over the tun0 connection. vr1 and vr2 are internal networking.
r274300 is very dangerous for merging to stable/10. Can you try this patch instead? It disables LLE operations for tunneling interfaces, and therefore ip6_input() will go through another code path for such packets. Index: in6.c =================================================================== --- in6.c (revision 279514) +++ in6.c (working copy) @@ -155,6 +155,8 @@ in6_ifaddloop(struct ifaddr *ifa) ia = ifa2ia6(ifa); ifp = ifa->ifa_ifp; + if (nd6_need_cache(ifp) == 0) + return; IF_AFDATA_LOCK(ifp); ifa->ifa_rtrequest = nd6_rtrequest; ln = lla_lookup(LLTABLE6(ifp), (LLE_CREATE | LLE_IFADDR | Index: nd6.c =================================================================== --- nd6.c (revision 279514) +++ nd6.c (working copy) @@ -2185,9 +2185,6 @@ nd6_need_cache(struct ifnet *ifp) case IFT_IEEE80211: #endif case IFT_INFINIBAND: - case IFT_GIF: /* XXX need more cases? */ - case IFT_PPP: - case IFT_TUNNEL: case IFT_BRIDGE: case IFT_PROPVIRTUAL: return (1);
(In reply to Andrey V. Elsukov from comment #4) Sorry, I can't at the moment since the machine is now running HEAD, so I'd have to do a complete rebuild including packages. If I do get a chance I'll report back though.
(In reply to Andrey V. Elsukov from comment #4) I've just tested this patch on stable/10 r280197. I can confirm that without the patch I get a panic, and with the patch I don't. That suggests this fixes the problem. I will continue to run with the patch just to make sure there aren't any side effects.
A commit references this bug: Author: ae Date: Wed Apr 22 20:42:18 UTC 2015 New revision: 281868 URL: https://svnweb.freebsd.org/changeset/base/281868 Log: MFC r274988 (with modification): Skip L2 addresses lookups for tunneling interfaces. PR: 197286 Changes: _U stable/10/ _U stable/10/sys/gnu/dts/ stable/10/sys/netinet6/in6.c stable/10/sys/netinet6/nd6.c
A commit references this bug: Author: ae Date: Wed Apr 22 20:48:57 UTC 2015 New revision: 281869 URL: https://svnweb.freebsd.org/changeset/base/281869 Log: MFC r274988 (with modification): Skip L2 addresses lookups for tunneling interfaces. PR: 197286 Changes: _U stable/9/sys/ _U stable/9/sys/amd64/include/xen/ _U stable/9/sys/boot/ _U stable/9/sys/boot/forth/ _U stable/9/sys/boot/i386/efi/ _U stable/9/sys/boot/i386/gptboot/ _U stable/9/sys/boot/ia64/efi/ _U stable/9/sys/boot/ia64/ski/ _U stable/9/sys/boot/powerpc/boot1.chrp/ _U stable/9/sys/boot/powerpc/ofw/ _U stable/9/sys/cddl/contrib/opensolaris/ _U stable/9/sys/conf/ _U stable/9/sys/contrib/dev/acpica/ _U stable/9/sys/contrib/dev/run/ _U stable/9/sys/contrib/octeon-sdk/ _U stable/9/sys/contrib/pf/ _U stable/9/sys/contrib/x86emu/ _U stable/9/sys/dev/ _U stable/9/sys/dev/e1000/ _U stable/9/sys/dev/isp/ _U stable/9/sys/dev/ixgbe/ _U stable/9/sys/dev/puc/ _U stable/9/sys/dev/usb/wlan/if_run.c _U stable/9/sys/dev/usb/wlan/if_runreg.h _U stable/9/sys/fs/ _U stable/9/sys/fs/ntfs/ _U stable/9/sys/modules/ _U stable/9/sys/modules/ixgbe/ _U stable/9/sys/modules/svr4/ _U stable/9/sys/net/ stable/9/sys/netinet6/in6.c stable/9/sys/netinet6/nd6.c _U stable/9/sys/netpfil/ _U stable/9/sys/sys/
Fixed in stable/9 and stable/10. Thanks!