Date: Fri, 28 Dec 2007 22:59:53 GMT
From: Ashish Shukla <wahjava@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Kernel crashed while running Avahi and IPv6

>Number:         119123
>Category:       kern
>Synopsis:       Kernel crashed while running Avahi and IPv6
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 28 23:10:01 UTC 2007
>Closed-Date:    Wed Oct 22 15:03:12 UTC 2008
>Last-Modified:  Wed Oct 22 15:03:12 UTC 2008
>Originator:     Ashish Shukla
>Release:        7.0-BETA4
>Organization:
N/A
>Environment:
FreeBSD chateau.d.lf 7.0-BETA4 FreeBSD 7.0-BETA4 #1: Wed Dec 19 13:22:36 IST 2007 toor@chatteau.d.lf:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
While running GNOME and playing with Avahi and nss_mdns to get mDNS working over IPv6 link-local, the kernel crashed. On the next restart, after savecore, I tried to debug the problem, and the following is the output of my inspection:

----8<----8<----
[abbe@chateau ~/crashes]$ kgdb /boot/kernel/kernel vmcore.0
[GDB will not be able to debug user-mode threads:
/usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xffffff0101880530
fault code              = supervisor read data, page not present
instruction pointer     = 0x8:0xffffffff80594e8e
stack pointer           = 0x10:0xffffffffaf2807c0
frame pointer           = 0x10:0xffffff0001fe5700
code segment            = base 0x0, limit 0xfffff, type 0x1b
                       = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 953 (avahi-daemon)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 1h7m27s
Physical memory: 2025 MB
Dumping 311 MB: 296 280 264 248 232 216 200 184 168 152 136 120 104 88 72 56 40 24 8

#0  doadump () at pcpu.h:194
194     pcpu.h: No such file or directory.
       in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:194
#1  0x0000000000000004 in ?? ()
#2  0xffffffff80451c46 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#3  0xffffffff80452072 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:563
#4  0xffffffff8070bcfa in trap_fatal (frame=0xffffff00035869c0, eva=18446742974254081128) at /usr/src/sys/amd64/amd64/trap.c:724
#5  0xffffffff8070c0a1 in trap_pfault (frame=0xffffffffaf280710, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:641
#6  0xffffffff8070c95f in trap (frame=0xffffffffaf280710) at /usr/src/sys/amd64/amd64/trap.c:410
#7  0xffffffff806f383e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
#8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff0001fe5700, opt=0xffffffffaf280870, stickyopt=Variable "stickyopt" is not available.
) at /usr/src/sys/netinet6/ip6_output.c:2813
#9  0xffffffff805a7083 in udp6_send (so=Variable "so" is not available.
) at /usr/src/sys/netinet6/udp6_usrreq.c:523
#10 0xffffffff804a0e77 in sosend_generic (so=0xffffff0003365ae0, addr=0xffffff0003029560, uio=0xffffffffaf280a30, top=0xffffff00034b3100, control=0xffffff0001fe5700, flags=Variable "flags" is not available.
)
   at /usr/src/sys/kern/uipc_socket.c:1240
#11 0xffffffff804a3866 in kern_sendit (td=0xffffff00035869c0, s=16, mp=0xffffffffaf280af0, flags=0, control=0xffffff0001fe5700, segflg=Variable "segflg" is not available.
) at /usr/src/sys/kern/uipc_syscalls.c:789
#12 0xffffffff804a6343 in sendit (td=0xffffff00035869c0, s=16, mp=0xffffffffaf280af0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:730
#13 0xffffffff804a63b4 in sendmsg (td=0xffffff00035869c0, uap=0xffffffffaf280be0) at /usr/src/sys/kern/uipc_syscalls.c:922
#14 0xffffffff8070c30c in syscall (frame=0xffffffffaf280c70) at /usr/src/sys/amd64/amd64/trap.c:852
#15 0xffffffff806f3a4b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
#16 0x00000008011c114c in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 8
#8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff0001fe5700, opt=0xffffffffaf280870, stickyopt=Variable "stickyopt" is not available.
) at /usr/src/sys/netinet6/ip6_output.c:2813
2813                    cm = mtod(control, struct cmsghdr *);
(kgdb) print control
$2 = (struct mbuf *) 0xffffff0001fe5700
---->8---->8----

I have the crash file, but it's around 311 MiB, so I'm not able to upload it anywhere. After bzip2-ing, it reduced to 55 MiB, which is still not uploadable for me anywhere.
>How-To-Repeat:
Not reproducible
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Dec 29 10:58:05 UTC 2007 
Responsible-Changed-Why:  
bz has expressed interest in this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119123 

From: wahjava@gmail.com (Ashish Shukla आशीष शुक्ल)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sat, 29 Dec 2007 19:26:29 +0530

 Hi,
 
 Today again it crashed two times, so I've disabled IPv6 in
 avahi-daemon's configuration file:
 
 ----8<----8<-----
 [abbe@chateau ~/crashes]$ kgdb /boot/kernel/kernel vmcore.1
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0xffffff0102f89028
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff80594e8e
 stack pointer           = 0x10:0xffffffffaf2017c0
 frame pointer           = 0x10:0xffffff000321bb00
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 959 (avahi-daemon)
 trap number             = 12
 panic: page fault
 cpuid = 0
 Uptime: 1h48m42s
 Physical memory: 2025 MB
 Dumping 319 MB: 304 288 272 256 240 (CTRL-C to abort)  224 (CTRL-C to abort)  208 192 176 160 144 128 112 96 80 64 48 (CTRL-C to abort)  32 16
 
 #0  doadump () at pcpu.h:194
 194     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:194
 #1  0x0000000000000004 in ?? ()
 #2  0xffffffff80451c46 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #3  0xffffffff80452072 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:563
 #4  0xffffffff8070bcfa in trap_fatal (frame=0xffffff00031b5680, eva=18446742974250064080) at /usr/src/sys/amd64/amd64/trap.c:724
 #5  0xffffffff8070c0a1 in trap_pfault (frame=0xffffffffaf201710, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:641
 #6  0xffffffff8070c95f in trap (frame=0xffffffffaf201710) at /usr/src/sys/amd64/amd64/trap.c:410
 #7  0xffffffff806f383e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
 #8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff000321bb00, opt=0xffffffffaf201870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2813
 #9  0xffffffff805a7083 in udp6_send (so=Variable "so" is not available.
 ) at /usr/src/sys/netinet6/udp6_usrreq.c:523
 #10 0xffffffff804a0e77 in sosend_generic (so=0xffffff00033f92b8, addr=0xffffff000306d7e0, uio=0xffffffffaf201a30, top=0xffffff0001fe3a00, control=0xffffff000321bb00, flags=Variable "flags" is not available.
 )
     at /usr/src/sys/kern/uipc_socket.c:1240
 #11 0xffffffff804a3866 in kern_sendit (td=0xffffff00031b5680, s=16, mp=0xffffffffaf201af0, flags=0, control=0xffffff000321bb00, segflg=Variable "segflg" is not available.
 ) at /usr/src/sys/kern/uipc_syscalls.c:789
 #12 0xffffffff804a6343 in sendit (td=0xffffff00031b5680, s=16, mp=0xffffffffaf201af0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:730
 #13 0xffffffff804a63b4 in sendmsg (td=0xffffff00031b5680, uap=0xffffffffaf201be0) at /usr/src/sys/kern/uipc_syscalls.c:922
 #14 0xffffffff8070c30c in syscall (frame=0xffffffffaf201c70) at /usr/src/sys/amd64/amd64/trap.c:852
 #15 0xffffffff806f3a4b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
 #16 0x00000008011c114c in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) frame 8
 #8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff000321bb00, opt=0xffffffffaf201870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2813
 2813                    cm = mtod(control, struct cmsghdr *);
 (kgdb) print control
 $2 = (struct mbuf *) 0xffffff000321bb00
 ---->8---->8-----
 
 ----8<----8<-----
 [abbe@chateau ~/crashes]$ kgdb /boot/kernel/kernel vmcore.2
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address   = 0xffffff0102daf628
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff80594e8e
 stack pointer           = 0x10:0xffffffffaf1d37c0
 frame pointer           = 0x10:0xffffff0003042100
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 969 (avahi-daemon)
 trap number             = 12
 panic: page fault
 cpuid = 0
 Uptime: 1h22m38s
 Physical memory: 2025 MB
 Dumping 282 MB: 267 251 235 219 203 187 171 155 139 123 107 (CTRL-C to abort)  91 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  75 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  59 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  43 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  27 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  11 (CTRL-C to abort)
 
 #0  doadump () at pcpu.h:194
 194     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:194
 #1  0x0000000000000004 in ?? ()
 #2  0xffffffff80451c46 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #3  0xffffffff80452072 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:563
 #4  0xffffffff8070bcfa in trap_fatal (frame=0xffffff000317f340, eva=18446742974250016768) at /usr/src/sys/amd64/amd64/trap.c:724
 #5  0xffffffff8070c0a1 in trap_pfault (frame=0xffffffffaf1d3710, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:641
 #6  0xffffffff8070c95f in trap (frame=0xffffffffaf1d3710) at /usr/src/sys/amd64/amd64/trap.c:410
 #7  0xffffffff806f383e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
 #8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff0003042100, opt=0xffffffffaf1d3870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2813
 #9  0xffffffff805a7083 in udp6_send (so=Variable "so" is not available.
 ) at /usr/src/sys/netinet6/udp6_usrreq.c:523
 #10 0xffffffff804a0e77 in sosend_generic (so=0xffffff000345eae0, addr=0xffffff0003c45360, uio=0xffffffffaf1d3a30, top=0xffffff00034cd200, control=0xffffff0003042100, flags=Variable "flags" is not available.
 )
     at /usr/src/sys/kern/uipc_socket.c:1240
 #11 0xffffffff804a3866 in kern_sendit (td=0xffffff000317f340, s=16, mp=0xffffffffaf1d3af0, flags=0, control=0xffffff0003042100, segflg=Variable "segflg" is not available.
 ) at /usr/src/sys/kern/uipc_syscalls.c:789
 #12 0xffffffff804a6343 in sendit (td=0xffffff000317f340, s=16, mp=0xffffffffaf1d3af0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:730
 #13 0xffffffff804a63b4 in sendmsg (td=0xffffff000317f340, uap=0xffffffffaf1d3be0) at /usr/src/sys/kern/uipc_syscalls.c:922
 #14 0xffffffff8070c30c in syscall (frame=0xffffffffaf1d3c70) at /usr/src/sys/amd64/amd64/trap.c:852
 #15 0xffffffff806f3a4b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
 #16 0x00000008011c114c in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) frame 8
 #8  0xffffffff80594e8e in ip6_setpktopts (control=0xffffff0003042100, opt=0xffffffffaf1d3870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2813
 2813                    cm = mtod(control, struct cmsghdr *);
 (kgdb) print control
 $1 = (struct mbuf *) 0xffffff0003042100
 ---->8---->8-----
 
 HTH
 -- 
 Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 

From: Phil Pennock <phil.pennock@globnix.org>
To: bug-followup@FreeBSD.org, wahjava@gmail.com
Cc: bz@freebsd.org
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sun, 2 Mar 2008 20:01:57 -0800

 I have now experienced this same problem; the first time a few days
 ago, the second time today, when my system crashed whilst starting
 services on the reboot after the first crash, after starting avahi.
 
 The trigger the first time today (and perhaps a few days ago) was
 running "avahi-browse" as a non-privileged user.  This is a system crash
 bug that can be triggered by anyone with an account; further, given the
 crash during boot, it may be that a received network packet is
 sufficient, making this a remote DoS attack.
 
 In the meantime, I have disabled the avahi-daemon (booted single-user,
 edited /etc/rc.conf, to at least be somewhat sure the system would come
 up at all).
 
 I am running FreeBSD 6.2-RELEASE-p11 on amd64.  I too have IPv6
 configured; in fact, a recentish change was the addition of an stf(4)
 interface, to provide better IPv6 connectivity for remote 6to4 hosts by
 publishing a 2002::/16 address in DNS.  The other main change was
 addition of a second IPv4 address.  All other changes have been userland
 configuration changes as I switch applications from INADDR_ANY to
 configured IP addresses as preparation for use of a jail on the new IP
 address.  But I still have jail_enable="NO" in /etc/rc.conf.  Oh, and I
 set ipv6_default_interface recently too.
 
 During first boot, I interrupted the savecore to bring things up sooner,
 but after the system crashed again, I was sure to let the savecore
 complete the next time.  Since I was on serial console, I got to see the
 fault information; first snippet below.
 
 Second output is result of "ifconfig -a"; I also have pf configured and
 filtering traffic and can provide config on request (but to an
 individual fixing things, not for public posting unless truly necessary,
 please).  Third set of output from /var/crash/info.<n>, fourth from kgdb
 showing that something's wrong with the saved core or with my
 understanding of how to use kgdb these days (it's been a while since I
 last had cause to do so, FreeBSD has improved a lot).
 
 ----------------------------8< cut here >8------------------------------
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0xffffff0120eb6478
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xffffffff803a2cc5
 stack pointer           = 0x10:0xffffffffb47ea7b0
 frame pointer           = 0x10:0xffffff007adc1300
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 1321 (avahi-daemon)
 trap number             = 12
 panic: page fault
 GEOM_MIRROR: Device gm0: rebuilding provider ad4 stopped.
 Uptime: 7m18s
 Dumping 2046 MB (2 chunks)
   chunk 0: 1MB (152 pages) ... ok
 ----------------------------8< cut here >8------------------------------
 
 ----------------------------8< cut here >8------------------------------
 # ifconfig -a
 nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet6 fe80::2e0:81ff:fe5c:8ea8%nve0 prefixlen 64 scopeid 0x1 
         ether 00:e0:81:5c:8e:a8
         media: Ethernet autoselect (none)
         status: no carrier
 bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
         inet6 fe80::2e0:81ff:fe5c:8ea9%bge0 prefixlen 64 scopeid 0x2 
         inet 193.202.115.177 netmask 0xffffff00 broadcast 193.202.115.255
         inet 193.202.115.234 netmask 0xffffffff broadcast 193.202.115.234
         inet6 2001:980:fff:31::1 prefixlen 64 
         inet6 2001:980:fff:31::2 prefixlen 64 
         inet6 2001:980:fff:31::3 prefixlen 64 
         inet6 2001:980:fff:31::4 prefixlen 64 
         inet6 2001:980:fff:31::5 prefixlen 64 
         inet6 2001:980:fff:31::6 prefixlen 64 
         inet6 2001:980:fff:31::7 prefixlen 64 
         inet6 2001:980:fff:31::8 prefixlen 64 
         inet6 2001:980:fff:31::9 prefixlen 64 
         inet6 2001:980:fff:31::a prefixlen 64 
         inet6 2001:980:fff:31::b prefixlen 64 
         inet6 2001:980:fff:31::c prefixlen 64 
         inet6 2001:980:fff:31::d prefixlen 64 
         inet6 2001:980:fff:31::e prefixlen 64 
         inet6 2001:980:fff:31::f prefixlen 64 
         inet6 2001:980:fff:31::10 prefixlen 64 
         inet6 2001:980:fff:31::11 prefixlen 64 
         inet6 2001:980:fff:31::12 prefixlen 64 
         inet6 2001:980:fff:31::13 prefixlen 64 
         inet6 2001:980:fff:31::14 prefixlen 64 
         inet6 2001:980:fff:31::15 prefixlen 64 
         inet6 2001:980:fff:31::16 prefixlen 64 
         inet6 2001:980:fff:31::1:1 prefixlen 64 
         inet6 2001:980:fff:31::1:2 prefixlen 64 
         inet6 2001:980:fff:31::1:3 prefixlen 64 
         inet6 2001:980:fff:31::1:4 prefixlen 64 
         ether 00:e0:81:5c:8e:a9
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet6 ::1 prefixlen 128 
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
         inet 127.0.0.1 netmask 0xff000000 
 gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
         tunnel inet 193.202.115.177 --> 76.102.152.160
         inet6 fe80::2e0:81ff:fe5c:8ea8%gif0 prefixlen 64 scopeid 0x4 
         inet6 2001:980:ffd::2 --> 2001:980:ffd::3 prefixlen 128 
 pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
 stf0: flags=1<UP> mtu 1280
         inet6 2002:c1ca:73b1::1 prefixlen 16 
         inet6 2002:c1ca:73b1::6 prefixlen 64 
         inet6 2002:c1ca:73b1::8 prefixlen 64 
         inet6 2002:c1ca:73b1::1:1 prefixlen 64 
 ----------------------------8< cut here >8------------------------------
 
 ----------------------------8< cut here >8------------------------------
 # cat -v info.4
 Dump header from device /dev/mirror/gm0s1b
   Architecture: amd64
   Architecture Version: 2
   Dump Length: 2145882112B (2046 MB)
   Blocksize: 512
   Dumptime: Mon Mar  3 02:09:54 2008
   Hostname: redoubt.spodhuis.org
   Magic: FreeBSD Kernel Dump
   Version String: FreeBSD 6.2-RELEASE-p11 #0: Thu Feb 14 19:46:45 UTC 2008
     root@redoubt.spodhuis.org:/usr/obj/usr/src/sys/REDOUBT
   Panic String: page fault
   Dump Parity: 3518176347
   Bounds: 4
   Dump Status: good
 ----------------------------8< cut here >8------------------------------
 
 ----------------------------8< cut here >8------------------------------
 # kgdb /boot/kernel/kernel vmcore.4
 kgdb: kvm_nlist(_stopped_cpus): 
 kgdb: kvm_nlist(_stoppcbs): 
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 (no debugging symbols found)...kgdb: kvm_read: invalid address (0xffffffffb48efd10)
 Attempt to extract a component of a value that is not a structure pointer.
 (kgdb) bt
 #0  0x0000000000000000 in ?? ()
 Cannot access memory at address 0x0
 ----------------------------8< cut here >8------------------------------
 
 Thanks,
 -Phil
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Sat Mar 22 12:00:49 UTC 2008 
State-Changed-Why:  
Submitters have been asked to test with the latest revisions 
and to provide more feedback if the problem persists. 


From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, wahjava@gmail.com, phil.pennock@globnix.org
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sat, 22 Mar 2008 11:59:30 +0000 (UTC)

 Hi,
 
 I had looked at the kernel code from the backtrace in the PR and
 couldn't find anything obvious.
 
 I tried to run avahi with ipv6 enabled and it didn't lead to a panic.
 
 I tried that on HEAD and RELENG_7 and even backed out some obvious
 changes.
 
 I checked an older avahi version as they fixed some CMSG stuff (or
 rather bugged it, depending from which version to which you are
 checking).
 
 I started to write regression tests to try all weird things targeting
 the code of the backtrace from this PR without being able to panic the
 machine. The kernel handled all of them just fine. I also tried to do
 the same as the avahi-app/daemon does for that codepath.
 
 
 I really need more input and a reliable test case to debug this.
 
 
 In case you can reproduce the panic could you:
 
 a) try latest RELENG_7 (not 7.0 release) or RELENG_6 and see if
     the problem is still there.
     Especially make sure you have this patch:
     http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c#rev1.111
     Here are the diffs/revisions of ip6_output.c for each branch:
     RELENG_6: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.90.2.10;r2=1.90.2.11
     RELENG_7: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.109;r2=1.109.2.1
     HEAD: http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.109;r2=1.110
 
 b) if, after a), the problem is still there, try to write things down,
     configuration, architecture, avahi version, ... and mail me (privately).
 
 c) in case the problem is gone please let me know as well;-)
 
 -- 
 Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
 Software is harder than hardware  so better get it right the first time.

From: wahjava@gmail.com (Ashish Shukla आशीष शुक्ल)
To: bug-followup@FreeBSD.org,wahjava@gmail.com
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Fri, 04 Apr 2008 20:38:04 +0530

 I've tried reproducing the problem in my recently installed
 7.0-RELEASE box, but I'm not able to reproduce it. So probably, it is
 fixed, and this bug can be closed.
 
 Thanks
 -- 
 Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Fri Apr 4 16:04:23 UTC 2008 
State-Changed-Why:  
Reporter says this can be closed as he can't reproduce it on 7.0. 

State-Changed-From-To: closed->open 
State-Changed-By: bz 
State-Changed-When: Sat May 24 21:42:35 UTC 2008 
State-Changed-Why:  
Reports are back that this is reproducible with 7.0-p1 on amd64. 


From: wahjava@gmail.com (Ashish Shukla आशीष शुक्ल)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sun, 25 May 2008 03:40:16 +0530

 Hi,
 
 I'm again having this issue on a different machine running a different
 version of FreeBSD. This time I'm running FreeBSD 7.0-RELEASE-p1
 (ULE/AMD64).
 
 Following is the information related to the crash:
 
 ----8<----8<----
 [abbe@monte-cristo ~]$ sudo kgdb /boot/kernel/kernel /var/crash/vmcore.0
 Password:
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address   = 0xffffff0103aebd40
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff80586dde
 stack pointer           = 0x10:0xffffffffaf16e7c0
 frame pointer           = 0x10:0xffffff0003bdcd00
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 715 (avahi-daemon)
 trap number             = 12
 panic: page fault
 cpuid = 1
 Uptime: 1h41m31s
 Physical memory: 2026 MB
 Dumping 311 MB: 296 280 264 248 232 216 200 184 168 152 136 120 104 88 72 56 40 24 8
 
 #0  doadump () at pcpu.h:194
 194     pcpu.h: No such file or directory.
        in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:194
 #1  0x0000000000000004 in ?? ()
 #2  0xffffffff80441ccf in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #3  0xffffffff804420f8 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:563
 #4  0xffffffff806c605a in trap_fatal (frame=0xffffff00013329f0, eva=18446742974248502376) at /usr/src/sys/amd64/amd64/trap.c:724
 #5  0xffffffff806c6401 in trap_pfault (frame=0xffffffffaf16e710, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:641
 #6  0xffffffff806c6cbf in trap (frame=0xffffffffaf16e710) at /usr/src/sys/amd64/amd64/trap.c:410
 #7  0xffffffff806adb1e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
 #8  0xffffffff80586dde in ip6_setpktopts (control=0xffffff0003bdcd00, opt=0xffffffffaf16e870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2813
 #9  0xffffffff80598fd3 in udp6_send (so=Variable "so" is not available.
 ) at /usr/src/sys/netinet6/udp6_usrreq.c:523
 #10 0xffffffff80492a95 in sosend_generic (so=0xffffff000323d2b8, addr=0xffffff0003be9580, uio=0xffffffffaf16ea30, top=0xffffff0001f7a100, control=0xffffff0003bdcd00, flags=Variable "flags" is not available.
 )
    at /usr/src/sys/kern/uipc_socket.c:1240
 #11 0xffffffff80495476 in kern_sendit (td=0xffffff00013329f0, s=16, mp=0xffffffffaf16eaf0, flags=0, control=0xffffff0003bdcd00, segflg=Variable "segflg" is not available.
 )
    at /usr/src/sys/kern/uipc_syscalls.c:789
 #12 0xffffffff80497f6a in sendit (td=0xffffff00013329f0, s=16, mp=0xffffffffaf16eaf0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:730
 #13 0xffffffff80497fdb in sendmsg (td=0xffffff00013329f0, uap=0xffffffffaf16ebe0) at /usr/src/sys/kern/uipc_syscalls.c:922
 #14 0xffffffff806c666c in syscall (frame=0xffffffffaf16ec70) at /usr/src/sys/amd64/amd64/trap.c:852
 #15 0xffffffff806add2b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
 #16 0x00000008011d1d4c in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 [abbe@monte-cristo ~]$ sudo cat /var/crash/info.0
 Password:
 Dump header from device /dev/ad4s5
  Architecture: amd64
  Architecture Version: 2
  Dump Length: 327090176B (311 MB)
  Blocksize: 512
  Dumptime: Sun May 25 01:51:37 2008
  Hostname: monte-cristo.france
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 7.0-RELEASE-p1 #1: Sun Apr 27 23:45:30 IST 2008
    root@monte-cristo.fr:/usr/obj/usr/src/sys/ULE
  Panic String: page fault
  Dump Parity: 2456841227
  Bounds: 0
  Dump Status: good
 [abbe@monte-cristo ~]$ ls -lh /var/crash/vmcore.0
 -rw-------  1 root  wheel   312M May 25 01:53 /var/crash/vmcore.0
 ---->8---->8----
 
 The crash location is similar to the previous one.
 
 HTH
 -- 
 Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Sun Jun 15 09:03:43 UTC 2008 
State-Changed-Why:  
The submitter was asked if it is possible to test a patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119123 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, wahjava@gmail.com
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sun, 15 Jun 2008 09:03:29 +0000 (UTC)

 On Sat, 24 May 2008, bz@FreeBSD.org wrote:
 
 Hi,
 
 could you try adding the patch cited earlier in the PR to your 7.0p1
 or try RELENG_7 (7-STABLE). The patch is not in 7.0-RELEASE (or later
 security fixes).
 
 Would be helpful to know if you can still reproduce it regularly with
 7.0-Rp1 and if you still can with the patch applied.
 
 
 Thanks.
 
 Bjoern
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From: wahjava@gmail.com (Ashish Shukla आशीष शुक्ल)
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Sun, 15 Jun 2008 16:48:53 +0530

 >>>>> Bjoern A Zeeb writes:
     Bjoern> On Sat, 24 May 2008, bz@FreeBSD.org wrote:
 
     Bjoern> Hi,
 
     Bjoern> could you try adding the patch cited earlier in the PR to your 7.0p1
     Bjoern> or try RELENG_7 (7-STABLE). The patch is not in 7.0-RELEASE (or later
     Bjoern> security fixes).
 
 Sure.
 
     Bjoern> Would be helpful to know if you can still reproduce it regularly with
     Bjoern> 7.0-Rp1 and if you still can with the patch applied.
 
 Okay, I'll apply the patch on 7.0-Rp1 and report the results. atm, I'm
 using Avahi with IPv6 support disabled in configuration.
 
 Regards
 -- 
 Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --

From: आशीष शुक्ल Ashish Shukla <wahjava@gmail.com>
To: bz@freebsd.org
Cc: bug-followup@freebsd.org
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Tue, 24 Jun 2008 23:13:38 +0530

 Hi bz,
 
 I again experienced that issue on my box, which has that
 ip6_output.c.diff applied. And this time I tried to add two IPv6
 addresses to my rl0, fdxx:xxxx:xxxx:ffff:ffff:ffff:ffff:fffe/48 &
 fdxx:xxxx:xxxx:ffff:ffff:ffff:ffff:ffff/48 . After adding
 fdxx:xxxx:xxxx:ffff:ffff:ffff:ffff:ffff/48, it crashed. I tried to
 reproduce that next time, but this time it didn't crash :( .
 
 ---->8---->8----
 abbe [~] chateau% sudo kgdb /boot/kernel/kernel /var/crash/vmcore.0
 Password:
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "amd64-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address   = 0xffffff0103782d88
 fault code              = supervisor read data, page not present
 instruction pointer     = 0x8:0xffffffff803bded6
 stack pointer           = 0x10:0xffffffffaee567c0
 frame pointer           = 0x10:0xffffff0003873c00
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 916 (avahi-daemon)
 trap number             = 12
 panic: page fault
 cpuid = 1
 Uptime: 54m27s
 Physical memory: 2029 MB
 Dumping 308 MB: (CTRL-C to abort)  293 277 261 245 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5
 
 #0  doadump () at pcpu.h:194
 194     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:194
 #1  0x0000000000000004 in ?? ()
 #2  0xffffffff8029aadf in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #3  0xffffffff8029af08 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:563
 #4  0xffffffff8048406a in trap_fatal (frame=0xffffff00031e6350, eva=18446742974250416336) at /usr/src/sys/amd64/amd64/trap.c:724
 #5  0xffffffff80484411 in trap_pfault (frame=0xffffffffaee56710, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:641
 #6  0xffffffff80484ccf in trap (frame=0xffffffffaee56710) at /usr/src/sys/amd64/amd64/trap.c:410
 #7  0xffffffff8046bb2e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
 #8  0xffffffff803bded6 in ip6_setpktopts (control=0xffffff0003873c00, opt=0xffffffffaee56870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2808
 #9  0xffffffff803d00c3 in udp6_send (so=Variable "so" is not available.
 ) at /usr/src/sys/netinet6/udp6_usrreq.c:523
 #10 0xffffffff802eb8a5 in sosend_generic (so=0xffffff000329d2b8, addr=0xffffff0001eb9560, uio=0xffffffffaee56a30, top=0xffffff0003724d00, control=0xffffff0003873c00, flags=Variable "flags" is not available.
 )
     at /usr/src/sys/kern/uipc_socket.c:1240
 #11 0xffffffff802ee286 in kern_sendit (td=0xffffff00031e6350, s=16, mp=0xffffffffaee56af0, flags=0, control=0xffffff0003873c00, segflg=Variable "segflg" is not available.
 )
     at /usr/src/sys/kern/uipc_syscalls.c:789
 #12 0xffffffff802f0d7a in sendit (td=0xffffff00031e6350, s=16, mp=0xffffffffaee56af0, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:730
 #13 0xffffffff802f0deb in sendmsg (td=0xffffff00031e6350, uap=0xffffffffaee56be0) at /usr/src/sys/kern/uipc_syscalls.c:922
 #14 0xffffffff8048467c in syscall (frame=0xffffffffaee56c70) at /usr/src/sys/amd64/amd64/trap.c:852
 #15 0xffffffff8046bd3b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
 #16 0x0000000801217d4c in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) frame 8
 #8  0xffffffff803bded6 in ip6_setpktopts (control=0xffffff0003873c00, opt=0xffffffffaee56870, stickyopt=Variable "stickyopt" is not available.
 ) at /usr/src/sys/netinet6/ip6_output.c:2808
 2808			cm = mtod(control, struct cmsghdr *);
 (kgdb) list
 2803			int error;
 2804	
 2805			if (control->m_len < CMSG_LEN(0))
 2806				return (EINVAL);
 2807	
 2808			cm = mtod(control, struct cmsghdr *);
 2809			if (cm->cmsg_len == 0 || cm->cmsg_len > control->m_len)
 2810				return (EINVAL);
 (kgdb) list copypktopts
2328		}\
2329	} while (/*CONSTCOND*/ 0)
2330	
2331	static int
2332	copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src, int canwait)
2333	{
2334		if (dst == NULL || src == NULL)  {
2335			printf("ip6_clearpktopts: invalid argument\n");
2336			return (EINVAL);
2337		}
 (kgdb) 
2338	
2339		dst->ip6po_hlim = src->ip6po_hlim;
2340		dst->ip6po_tclass = src->ip6po_tclass;
2341		dst->ip6po_flags = src->ip6po_flags;
2342		if (src->ip6po_pktinfo) {
2343			dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
2344			    M_IP6OPT, canwait);
2345			if (dst->ip6po_pktinfo == NULL)
2346				goto bad;
2347			*dst->ip6po_pktinfo = *src->ip6po_pktinfo;
 (kgdb) 
2348		}
2349		if (src->ip6po_nexthop) {
2350			dst->ip6po_nexthop = malloc(src->ip6po_nexthop->sa_len,
2351			    M_IP6OPT, canwait);
2352			if (dst->ip6po_nexthop == NULL)
2353				goto bad;
2354			bcopy(src->ip6po_nexthop, dst->ip6po_nexthop,
2355			    src->ip6po_nexthop->sa_len);
2356		}
2357		PKTOPT_EXTHDRCPY(ip6po_hbh);
 (kgdb) 
2358		PKTOPT_EXTHDRCPY(ip6po_dest1);
2359		PKTOPT_EXTHDRCPY(ip6po_dest2);
2360		PKTOPT_EXTHDRCPY(ip6po_rthdr); /* not copy the cached route */
2361		return (0);
2362	
2363	  bad:
2364		ip6_clearpktopts(dst, -1);
2365		return (ENOBUFS);
2366	}
 ----8<----8<----
 
 If any more information is requested, please tell me.
 
 Thanks
 -- 
 Ashish Shukla आशीष शुक्ल                      http://wahjava.wordpress.com/
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --

From: आशीष शुक्ल Ashish Shukla <wahjava@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/119123: Kernel crashed while running Avahi and IPv6
Date: Tue, 14 Oct 2008 18:19:24 +0530

 Hi Bjoern,
 
 I've switched to 8-CURRENT on my notebook. I'm running a custom-compiled kernel 
 (compiled on October 12, 2008). I experienced a similar issue with it, which I 
 am able to reproduce every time. To reproduce it, I've followed the following steps:
 
 # ifconfig wlan0 192.168.1.4/24 up
 # ifmcstat -i wlan0
 # /usr/local/etc/rc.d/avahi-daemon onerestart
 
 I'm not able to take a crashdump at the time of crash, so I took a video of the 
 crash screen[1]. See, if it helps reproducing it in any way.
 
 Prerequisites:
 
 I've 2 interfaces, rl0 and wlan0 (created from ath0). rl0 is configured with a 
 static IPv4 address and an autoconfigured IPv6 address (from an RA server in my 
 network). wlan0 is not functional on my notebook[1], so it is not configured by 
 default, although a 'wpa_supplicant' starts from rc.conf for it with the following 
 command line:
 
 /usr/sbin/wpa_supplicant -s -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
 
 The following lines are present in my rc.conf:
 
 ifconfig_rl0="inet 172.16.0.7  netmask 255.255.255.224"
 defaultrouter="172.16.0.2"
 hostname="monte-cristo.france"
 ipv6_enable="YES"
 dbus_enable="YES"
 sshd_enable="YES"
 gnome_enable="YES"
 inetd_enable="YES"
 fusefs_enable="YES"
 lighttpd_enable="YES"
 pf_enable="YES"
 moused_port="/dev/psm0"
 moused_type="glidepoint"
 moused_ums0_type="auto"
 moused_ums0_flags=""
 moused_flags="-m 11=4"
 named_enable="YES"
 clear_tmp_enable="YES"
 ftpproxy_enable="YES"
 ftpproxy_flags="-r"
 rpcbind_enable="YES"
 nfs_server_enable="YES"
 mountd_flags="-r -p 32001"
 mountd_enable="YES"
 nfs_client_enable="YES"
 rpc_lockd_enable="YES"
 rpc_lockd_flags="-p 32002"
 rpc_statd_flags="-p 32002"
 nfs_reserved_port_only="YES"
 gdm_enable="NO"
 hostname="monte-cristo.france"
 wlans_ath0="wlan0"
 ifconfig_wlan0="WPA"
 
 I've installed self-compiled avahi{,-app,-autoipd,-gtk,-libdns,-qt4}-0.6.23 packages. 
 And I source upgraded to FreeBSD 8-CURRENT from 7.1-PRERELEASE (to which I source-upgraded) 
 from 7.0-RELEASE-p3.
 
 References:
 [1] - http://lists.freebsd.org/pipermail/freebsd-current/2008-October/089035.html
 [2] - http://wahjava.googlepages.com/p1020190.ogg (2.5 MiB/Ogg Theora) 
 
 TiA
 Ashish Shukla
 -- 
 ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 ()  ascii ribbon campaign - against HTML e-mail
 /\  www.asciiribbon.org   - against proprietary attachments
 
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Wed Oct 22 15:02:00 UTC 2008 
State-Changed-Why:  
Patch has been applied to HEAD, 7-STABLE (will be in 7.1-R), 6-STABLE 
and 6.4-RCx. 

Thanks a lot for all the debugging and testing! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119123 
>Unformatted:
