Message-Id: <200709041058.l84Awqsm035092@www.freebsd.org>
Date: Tue, 4 Sep 2007 10:58:52 GMT
From: "Ralf S. Engelschall" <rse@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 6.2-STABLE panic during use of multi-cast networking client
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         116077
>Category:       kern
>Synopsis:       [ip] [patch] 6.2-STABLE panic during use of multi-cast networking client
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 04 11:00:07 GMT 2007
>Closed-Date:    Mon Feb 02 11:24:55 UTC 2009
>Last-Modified:  Mon Feb 02 11:24:55 UTC 2009
>Originator:     Ralf S. Engelschall
>Release:        6.2-STABLE
>Organization:
Engelschall
>Environment:
FreeBSD en1.engelschall.com 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Aug 30 11:31:47 CEST 2007     root@en1.engelschall.com:/var/obj/usr/src/sys/EN1  i386

>Description:
The following kernel panic occurred twice yesterday evening under
the latest 6.2-STABLE when I ran the (multi-cast using?) Elvin event
notification consumer client ec(1) from libelvin 4.0.3 with "ec -e
elvin://10.0.0.1 'Timeout > 0'" against an Avis server under 10.0.0.1. A
second after stopping the ec(1) with CTRL-C the following panic occurs
more or less reproducibly:

Panic
-----

# kgdb /boot/kernel/kernel.debug vmcore.40
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x615b2094
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05e3e6f
stack pointer           = 0x28:0xeb4ecaf4
frame pointer           = 0x28:0xeb4ecafc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 58238 (ec)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
kdb_backtrace(100,c6e1f780,28,eb4ecab4,c,...) at 0xc056c82d = kdb_backtrace+0x29
panic(c07089bd,c072fc26,0,fffff,c7b6f89b,...) at 0xc0552bf0 = panic+0x114
trap_fatal(eb4ecab4,615b2094,c6e1f780,c79a1cb8,c,...) at 0xc06e6232 = trap_fatal+0x2ce
trap_pfault(eb4ecab4,0,615b2094) at 0xc06e5f3b = trap_pfault+0x1d7
trap(c6c00008,eb4e0028,28,c0786920,ce75c8a0,...) at 0xc06e5b51 = trap+0x2fd
calltrap() at 0xc06d0b1a = calltrap+0x5
--- trap 0xc, eip = 0xc05e3e6f, esp = 0xeb4ecaf4, ebp = 0xeb4ecafc ---
in_delmulti(ce75c8a0) at 0xc05e3e6f = in_delmulti+0xb
ip_freemoptions(ca45b880,c7bc3870,0,c7c912c8,eb4ecb38,...) at 0xc05ed8e9 = ip_freemoptions+0x21
in_pcbdetach(c7bc3870) at 0xc05e5d6c = in_pcbdetach+0x15c
udp_detach(c7c912c8) at 0xc05fee96 = udp_detach+0xb6
soclose(c7c912c8) at 0xc058e710 = soclose+0xa8
soo_close(c7009ca8,c6e1f780) at 0xc057db3f = soo_close+0x63
fdrop_locked(c7009ca8,c6e1f780,ca23fb00,eb4ecc00,c052e263,...) at 0xc052fd9c = fdrop_locked+0xd0
fdrop(c7009ca8,c6e1f780,87,c0564d7f,0,...) at 0xc052fcc5 = fdrop+0x41
closef(c7009ca8,c6e1f780) at 0xc052e263 = closef+0x42f
fdfree(c6e1f780) at 0xc052d253 = fdfree+0x5a3
exit1(c6e1f780,0,eb4ecd30,c06e6577,c6e1f780,...) at 0xc0536b4b = exit1+0x49b
exit1(c6e1f780,eb4ecd04) at 0xc05366b0 = exit1
syscall(3b,3b,3b,83fbfc0,83e2000,...) at 0xc06e6577 = syscall+0x2bf
Xint0x80_syscall() at 0xc06d0b6f = Xint0x80_syscall+0x1f
--- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x283ef0af, esp = 0xbfbfe44c, ebp = 0xbfbfe468 ---
Uptime: 2d11h34m40s
Dumping 2045 MB (7 chunks)
  chunk 0: 1MB (142 pages) ... ok
  chunk 1: 2030MB (519581 pages) 2014 1998 1982 1966 1950 1934 1918 1902 1886 1870 1854 1838 1822 1806 1790 1774 1758 1742 1726 1710 1694 1678 16
  chunk 2: 15MB (3708 pages) ... ok
  chunk 3: 1MB (159 pages) ... ok
  chunk 4: 1MB (122 pages)

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h

Details
-------

(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc055293e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0552c95 in panic (fmt=0xc07089bd "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc06e6232 in trap_fatal (frame=0xeb4ecab4, eva=1633362068) at /usr/src/sys/i386/i386/trap.c:838
#4  0xc06e5f3b in trap_pfault (frame=0xeb4ecab4, usermode=0, eva=1633362068) at /usr/src/sys/i386/i386/trap.c:745
#5  0xc06e5b51 in trap (frame= 
      {tf_fs = -960495608, tf_es = -347209688, tf_ds = 40, tf_edi = -1065850592, tf_esi = -831141728, tf_ebp = -347157764, tf_isp = -347157792, t
#6  0xc06d0b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc05e3e6f in in_delmulti (inm=0xce75c8a0) at /usr/src/sys/netinet/in.c:1063
#8  0xc05ed8e9 in ip_freemoptions (imo=0xca45b880) at /usr/src/sys/netinet/ip_output.c:2064
#9  0xc05e5d6c in in_pcbdetach (inp=0xc7bc3870) at /usr/src/sys/netinet/in_pcb.c:714
#10 0xc05fee96 in udp_detach (so=0x1) at /usr/src/sys/netinet/udp_usrreq.c:1071
#11 0xc058e710 in soclose (so=0xc7c912c8) at /usr/src/sys/kern/uipc_socket.c:459
#12 0xc057db3f in soo_close (fp=0xc7009ca8, td=0xc6e1f780) at /usr/src/sys/kern/sys_socket.c:317
#13 0xc052fd9c in fdrop_locked (fp=0xc7009ca8, td=0xc6e1f780) at file.h:296
#14 0xc052fcc5 in fdrop (fp=0xc7009ca8, td=0xc6e1f780) at /usr/src/sys/kern/kern_descrip.c:2113
#15 0xc052e263 in closef (fp=0xc7009ca8, td=0xc6e1f780) at /usr/src/sys/kern/kern_descrip.c:1933
#16 0xc052d253 in fdfree (td=0xc6e1f780) at /usr/src/sys/kern/kern_descrip.c:1651
#17 0xc0536b4b in exit1 (td=0xc6e1f780, rv=0) at /usr/src/sys/kern/kern_exit.c:273
#18 0xc05366b0 in sys_exit (td=0xc6e1f780, uap=0x1) at /usr/src/sys/kern/kern_exit.c:99
#19 0xc06e6577 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 138395584, tf_esi = 138289152, tf_ebp = -1077943192, tf_isp = -347157148, tf_ebx = 675280672,
#20 0xc06d0b6f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#21 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
[...]
(kgdb) up 
#7  0xc05e3e6f in in_delmulti (inm=0xce75c8a0) at /usr/src/sys/netinet/in.c:1063
1063            ifp = inm->inm_ifp;
Current language:  auto; currently c
(kgdb) list
1058    in_delmulti(inm)
1059            register struct in_multi *inm;
1060    {
1061            struct ifnet *ifp;
1062
1063            ifp = inm->inm_ifp;
1064            IFF_LOCKGIANT(ifp);
1065            IN_MULTI_LOCK();
1066            in_delmulti_locked(inm, 0);
1067            IN_MULTI_UNLOCK();
(kgdb) print inm
$1 = (struct in_multi *) 0xce75c8a0
(kgdb) print *inm 
$2 = {inm_link = {le_next = 0x0, le_prev = 0x11}, inm_addr = {s_addr = 1684566899}, inm_ifp = 0x615b203a, inm_ifma = 0x70656363,
  inm_timer = 1566860660, inm_state = 450304, inm_rti = 0x6d7b6}
(kgdb) print inm->inm_ifp
$3 = (struct ifnet *) 0x615b203a
(kgdb) print *inm->inm_ifp
Cannot access memory at address 0x615b203a

>How-To-Repeat:
Seems like some multi-cast related cleanups are broken. When
in_delmulti() is called, the "inm" is still valid but the "inm->inm_ifp"
already points to an invalid location. I'm not familiar with this
network code, so cannot easily determine the root of the problem.
Perhaps someone of us who knows the network stack well enough can look
at this issue and figure out the root cause (and fix it ;-).

To reproduce this, one has to build
http://distfiles-msn.opendarwin.org/libelvin-4.0.3.tar.gz and run its
commands ec(1) and ep(1) against an Avis (see http://avsis.sf.net/)
server. This is a little bit nasty as one needs Java for Avis, etc. So,
sorry, I currently have no simple reproducing procedure. But perhaps the
bug can already be found with the above information.

I also have a corresponding "vmcore" (2GB) and a "kernel.debug" (16MB)
file available in case someone wants to dig deeper. Or tell me the
kgdb commands I should run against those for digging up additional
information.

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: remko 
Responsible-Changed-When: Tue Sep 4 11:17:55 UTC 2007 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116077 

From: Bruce M Simpson <bms@incunabulum.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/116077: 6.2-STABLE panic during use of multi-cast networking
 client
Date: Tue, 04 Sep 2007 14:17:53 +0100

 I wrote this, but I may not have time to fix it, because I need to do 
 work other than FreeBSD to support myself.
 
 I have no idea what an elvin or avis is. It isn't clear to me how you 
 are triggering this panic, it looks like you are removing or tearing 
 down interfaces from the system? Are you using a network driver which 
 has IFF_NEEDSGIANT set?
 
 Unfortunately because the ifp lock has to be taken before other locks if 
 IFF_NEEDSGIANT is set, it dereferences the ifp provided which may have 
 already gone away.
 
 The link layer multicast code will try to invalidate the ifp pointer in 
 the underlying ifma. However in this case the cached ifp used is the one 
 in struct in_multi.
 
 Try the following. Change
 
 1063 ifp = inm->inm_ifp;
 1064 IFF_LOCKGIANT(ifp);
 1065 IN_MULTI_LOCK();
 ...
 
 to
 
 ifp = inm->inm_ifma->ifp;
 if (ifp != NULL)
   IFF_LOCKGIANT(ifp);
 ...
 and put
 if (ifp != NULL)
   IFF_UNLOCKGIANT(ifp);
 
 at the end of the function.
 
 It is safe to deref inm->inm_ifma as ifma is refcounted.
 
 
 The real fix is to either eliminate Giant completely or to implement 
 reference counting for struct ifnet.
 
 I should point out that this code gets rewritten for IGMPv3.
 
 Please let me know if this works around the issue. If it doesn't, I'll 
 leave it to someone else for now - there should be enough in here to go on.

From: Norbert Papke <npapke@acm.org>
To: bug-followup@freebsd.org, rse@freebsd.org
Cc:  
Subject: Re: kern/116077: 6.2-STABLE panic during use of multi-cast networking
 client
Date: Sat, 13 Oct 2007 11:03:18 -0700

 I am experiencing similar issues.  In my case, they manifest themselves as a 
 crash during system shut-down.  I suspect that this is triggered when avahi 
 stops.
 
 I don't believe that the suggested change will work -- at least in my case.  
 The inm->inm_ifma pointer also appears to be invalid.
 
 -----------
 
 FreeBSD proven.lan 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Oct 12 09:22:51 PDT 
 2007     npapke@proven.lan:/usr4/obj/usr/src/sys/NGP  i386
 
 -----------
 
 kgdb: kvm_nlist(_stopped_cpus):
 kgdb: kvm_nlist(_stoppcbs):
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: 
 Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 <118>Oct 13 08:18:35 proven syslogd: exiting on signal 15
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x69775fd0
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc05cca9e
 stack pointer           = 0x28:0xe9523b08
 frame pointer           = 0x28:0xe9523b24
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 1222 (avahi-daemon)
 panic: from debugger
 Uptime: 14h50m58s
 Dumping 2047 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 2047MB (523968 pages) [...]
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:165
 #1  0xc052ad14 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc052b06d in panic (fmt=0xc06d6b75 "from debugger") 
 at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc044e012 in db_panic (addr=-1067660642, have_addr=0, count=-1, 
 modif=0xe9523914 "") at /usr/src/sys/ddb/db_command.c:438
 #4  0xc044df82 in db_command (last_cmdp=0xc0738dc4, cmd_table=0x0, 
 aux_cmd_tablep=0xc0700a48, aux_cmd_tablep_end=0xc0700a4c)
     at /usr/src/sys/ddb/db_command.c:350
 #5  0xc044e08a in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
 #6  0xc045016a in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:222
 #7  0xc0549347 in kdb_trap (type=0, code=0, tf=0xe9523ac8) 
 at /usr/src/sys/kern/subr_kdb.c:473
 #8  0xc06b0c3b in trap_fatal (frame=0xe9523ac8, eva=0) 
 at /usr/src/sys/i386/i386/trap.c:829
 #9  0xc06b0942 in trap_pfault (frame=0xe9523ac8, usermode=0, eva=1769430992) 
 at /usr/src/sys/i386/i386/trap.c:745
 #10 0xc06b04bd in trap (frame=
       {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1066114528, tf_esi 
 = -955338656, tf_ebp = -380486876, tf_isp = -380486924, tf_ebx = 1769430902, 
 tf_edx = -950849536, tf_ecx = 4, tf_eax = -955338656, tf_trapno = 12, tf_err 
 = 0, tf_eip = -1067660642, tf_cs = 32, tf_eflags = 66178, tf_esp 
 = -380486876, tf_ss = -1068381583}) at /usr/src/sys/i386/i386/trap.c:435
 #11 0xc069aa5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #12 0xc05cca9e in in_delmulti (inm=0xc70eb060) 
 at /usr/src/sys/netinet/in.c:1063
 #13 0xc05d7afc in ip_freemoptions (imo=0xc7597980) 
 at /usr/src/sys/netinet/ip_output.c:2064
 #14 0xc05cea4b in in_pcbdetach (inp=0xc711aca8) 
 at /usr/src/sys/netinet/in_pcb.c:714
 #15 0xc05ec158 in udp_detach (so=0xc70eb060) 
 at /usr/src/sys/netinet/udp_usrreq.c:1071
 #16 0xc05705f2 in soclose (so=0xc759e000) 
 at /usr/src/sys/kern/uipc_socket.c:459
 #17 0xc055c92d in soo_close (fp=0xc7497a68, td=0xc7533000) 
 at /usr/src/sys/kern/sys_socket.c:317
 #18 0xc05017f0 in fdrop_locked (fp=0xc7497a68, td=0xc70eb060) at file.h:296
 #19 0xc05016cf in fdrop (fp=0xc7497a68, td=0xc70eb060) 
 at /usr/src/sys/kern/kern_descrip.c:2113
 #20 0xc04ff652 in closef (fp=0xc7497a68, td=0xc7533000) 
 at /usr/src/sys/kern/kern_descrip.c:1933
 #21 0xc04fbe77 in kern_close (td=0xc7533000, fd=15) 
 at /usr/src/sys/kern/kern_descrip.c:1023
 #22 0xc04fbbda in close (td=0xc70eb060, uap=0xc70eb060) 
 at /usr/src/sys/kern/kern_descrip.c:975
 #23 0xc06b1052 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134660096, tf_esi = 
 134622792, tf_ebp = -1077941832, tf_isp = -380486300, tf_ebx = 672482484, 
 tf_edx = 0, tf_ecx = 0, tf_eax = 6, tf_trapno = 0, tf_err = 2, tf_eip = 
 673363703, tf_cs = 51, tf_eflags = 646, tf_esp = -1077941860, tf_ss = 59}) 
 at /usr/src/sys/i386/i386/trap.c:984
 #24 0xc069aaaf in Xint0x80_syscall () 
 at /usr/src/sys/i386/i386/exception.s:200
 #25 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) frame 12
 #12 0xc05cca9e in in_delmulti (inm=0xc70eb060) 
 at /usr/src/sys/netinet/in.c:1063
 1063            ifp = inm->inm_ifp;
 (kgdb) list
 1058    in_delmulti(inm)
 1059            register struct in_multi *inm;
 1060    {
 1061            struct ifnet *ifp;
 1062
 1063            ifp = inm->inm_ifp;
 1064            IFF_LOCKGIANT(ifp);
 1065            IN_MULTI_LOCK();
 1066            in_delmulti_locked(inm, 0);
 1067            IN_MULTI_UNLOCK();
 (kgdb) p ifp
 $1 = (struct ifnet *) 0x69775f76
 (kgdb) p *ifp
 Cannot access memory at address 0x69775f76
 (kgdb) p inm
 $2 = (struct in_multi *) 0xc70eb060
 (kgdb) p *inm
 $3 = {inm_link = {le_next = 0x73006d76, le_prev = 0x73746174}, inm_addr = 
 {s_addr = 7173632}, inm_ifp = 0x69775f76,
   inm_ifma = 0x635f6572, inm_timer = 1953396079, inm_state = 3339549696, 
 inm_rti = 0x1e86417}
 (kgdb) p *inm->inm_ifma
 Cannot access memory at address 0x635f6572

From: "Jerry Toung" <jrytoung@gmail.com>
To: bug-followup@FreeBSD.org, rse@FreeBSD.org
Cc:  
Subject: Re: kern/116077: 6.2-STABLE panic during use of multi-cast networking client
Date: Mon, 15 Oct 2007 10:34:45 -0700

 I have experienced the same crash. Please try this patch, it works for me. I
 am running 6.2 STABLE.
 Jerry
 
 
 
 diff -u ip_output.c.orig ip_output.c
 --- ip_output.c.orig    Thu Mar  8 05:19:03 2007
 +++ ip_output.c Fri Oct 12 10:23:32 2007
 @@ -58,6 +58,7 @@
  #include <netinet/in_var.h>
  #include <netinet/ip_var.h>
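Review bot: the header @@ -58,6 +58,7 @@ promises one added line, but no
+ line survives in this hunk as posted (presumably an #include), and the
next hunk's offset (-1669 to +1672) implies three added lines before it.
The patch will not apply as mailed; please resend it unwrapped or as an
attachment so the missing additions can be reviewed.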
 
 @@ -1669,7 +1672,7 @@
 
         INP_UNLOCK(inp);
 
 -       imo = (struct ip_moptions*)malloc(sizeof(*imo), M_IPMOPTS,
 M_WAITOK);
 +       imo = (struct ip_moptions*)malloc(sizeof(*imo), M_IPMOPTS,
 M_WAITOK|M_ZERO);
 
         imo->imo_multicast_ifp = NULL;
         imo->imo_multicast_addr.s_addr = INADDR_ANY;
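Review bot: with M_WAITOK|M_ZERO on the malloc(), the explicit
imo_multicast_ifp = NULL and imo_multicast_addr.s_addr = INADDR_ANY
assignments that follow become redundant. Keep one approach, and say in
the commit message which field was being read uninitialised, since
nothing in this hunk shows one.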
 
 @@ -1957,6 +1960,9 @@
                  * membership points.
                  */
                 in_delmulti(imo->imo_membership[i]);
 +               imo->imo_membership[i]->inm_ifma = NULL;
 +               imo->imo_membership[i]->inm_ifp = NULL;
 +               imo->imo_membership[i]->inm_addr.s_addr = 0;
                 /*
                  * Remove the gap in the membership array.
                  */
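Review bot: the three stores after in_delmulti(imo->imo_membership[i])
write through a pointer whose reference has just been dropped. If that
was the last reference, the in_multi is gone and these are writes to
freed memory; if other sockets still hold the membership, they clear
inm_ifp, inm_ifma and inm_addr of a record that is still in use. Drop
the three lines; the array slot is overwritten by the gap removal that
follows anyway.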
 
 
 
 diff -u ~tester/in.c.orig in.c
 --- /home/tester/in.c.orig      Mon Oct 15 10:21:45 2007
 +++ in.c        Fri Oct 12 08:24:18 2007
 @@ -1058,14 +1058,29 @@
  in_delmulti(inm)
         register struct in_multi *inm;
  {
 -       struct ifnet *ifp;
 +       struct ifnet *ifp, *it_ifp;
 +       int found = 0;
 
         ifp = inm->inm_ifp;
 +       if (ifp == NULL)
 +               return;
 +
 +       TAILQ_FOREACH(it_ifp, &ifnet, if_link) {
 +                if (ifp == it_ifp) {
 +                        found = 1;
 +                        break;
 +                }
 +       }
 +
 +       if (found == 0)
 +               return;
 +
         IFF_LOCKGIANT(ifp);
         IN_MULTI_LOCK();
         in_delmulti_locked(inm, 0);
         IN_MULTI_UNLOCK();
         IFF_UNLOCKGIANT(ifp);
 +
  }
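Review bot: the TAILQ_FOREACH over &ifnet compares a possibly stale
inm->inm_ifp by address only and runs without IFNET_RLOCK(), so it can
race with interface attach/detach and can match a new ifnet that reuses
the old address. If inm itself has already been freed, as the kgdb
output earlier in this PR suggests, the first read of inm->inm_ifp is
unsafe before the check even starts. Both early returns also skip
in_delmulti_locked(), so the membership is never released on those
paths. This hides the symptom; the lifetime of inm needs fixing where
the reference is taken. The blank line added before the closing brace
can go.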
 
From: Norbert Papke <npapke@acm.org>
To: bug-followup@freebsd.org, rse@freebsd.org
Cc: jrytoung@gmail.com
Subject: Re: kern/116077: 6.2-STABLE panic during use of multi-cast networking client
Date: Mon, 05 Nov 2007 23:45:31 -0800

 The patch provided by Jerry Toung works for me on 6.3-PRERELEASE.  Thanks!


From: John Baldwin <jhb@FreeBSD.org>
To: bug-followup@FreeBSD.org, rse@FreeBSD.org
Cc: ups@FreeBSD.org
Subject: Re: kern/116077: [ip] [patch] 6.2-STABLE panic during use of multi-cast networking client
Date: Mon, 25 Feb 2008 14:13:30 -0500

 Try applying the changes from this commit to fix this:
 
 ups         2008-02-22 19:13:57 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/netinet          in.c 
   Log:
   Fix reference counting for already existing addresses in in_addmulti()
   
   Reviewed by:    gnn@
   
   Revision   Changes    Path
   1.85.2.10  +0 -1      src/sys/netinet/in.c
 
 -- 
 John Baldwin
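
The failure mode behind the stale inm pointers in this PR, as an added userland illustration (not FreeBSD kernel code and not the content of the referenced commit). It assumes that a join which finds an already existing record ends up without its own reference; the page does not show the exact faulty line. All names and the group address 224.0.0.251 are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define POOL 4

struct membership {      /* hypothetical stand-in for struct in_multi */
    unsigned group;      /* multicast group address */
    int refs;            /* number of sockets holding this record */
    int live;            /* 0 once released; the kernel would free() here */
};

static struct membership pool[POOL];

/* Join a group. count_existing selects whether a join that finds an
 * existing record takes its own reference (correct accounting) or
 * not (the modelled bug). */
static struct membership *add_membership(unsigned group, int count_existing)
{
    struct membership *slot = NULL;

    for (int i = 0; i < POOL; i++) {
        if (pool[i].live && pool[i].group == group) {
            if (count_existing)
                pool[i].refs++;
            return &pool[i];
        }
        if (!pool[i].live && slot == NULL)
            slot = &pool[i];
    }
    if (slot == NULL)
        return NULL;
    slot->group = group;
    slot->refs = 1;
    slot->live = 1;
    return slot;
}

/* Drop one reference. Returns -1 when the record was already released,
 * which is the point where the kernel dereferenced garbage. */
static int del_membership(struct membership *m)
{
    if (!m->live)
        return -1;
    if (--m->refs == 0)
        m->live = 0;
    return 0;
}

/* Two sockets join the same group, then both close.
 * Returns the number of releases that hit an already released record. */
static int run_scenario(int count_existing)
{
    int stale = 0;

    memset(pool, 0, sizeof pool);
    struct membership *a = add_membership(0xe00000fbU, count_existing);
    struct membership *b = add_membership(0xe00000fbU, count_existing);
    stale += del_membership(a) < 0;
    stale += del_membership(b) < 0;
    return stale;
}

int main(void)
{
    printf("miscounted join: %d stale release(s)\n", run_scenario(0));
    printf("counted join:    %d stale release(s)\n", run_scenario(1));
    return 0;
}
```

The model keeps released records in a static pool so the second release can be detected instead of touching freed memory.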

From: Norbert Papke <npapke@acm.org>
To: bug-followup@freebsd.org, rse@freebsd.org
Cc:  
Subject: Re: kern/116077: 6.2-STABLE panic during use of multi-cast networking client
Date: Mon, 24 Mar 2008 10:29:52 -0700

 I have applied the commit and retested by 
 
 1) restarting multi-cast clients and
 2) rebooting the system.
 
 I have not been able to reproduce the failure.  The commit fixes the problem 
 for me.  Thanks!
 
 -- Norbert Papke.
 
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Feb 2 11:24:14 UTC 2009 
State-Changed-Why:  
This bug is now reported to be fixed by the referenced commit; if you 
experience further problems of this sort, or a regression, please 
follow up on this PR or open a new one!  Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=116077 
>Unformatted:
