From root@moby.pdsea.f5net.com  Mon Oct 20 15:16:52 2008
Return-Path: <root@moby.pdsea.f5net.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0D3A01065670
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 20 Oct 2008 15:16:52 +0000 (UTC)
	(envelope-from root@moby.pdsea.f5net.com)
Received: from mail.f5.com (mail.f5.com [65.197.145.96])
	by mx1.freebsd.org (Postfix) with ESMTP id D9BE68FC18
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 20 Oct 2008 15:16:51 +0000 (UTC)
	(envelope-from root@moby.pdsea.f5net.com)
Received: from moby.pdsea.f5net.com ([192.168.10.5]) by mail.f5.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 20 Oct 2008 08:16:51 -0700
Received: by moby.pdsea.f5net.com (Postfix, from userid 0) id CF619164833; Mon, 20 Oct 2008 08:16:50 -0700 (PDT)
Message-Id: <20081020151650.CF619164833@moby.pdsea.f5net.com>
Date: Mon, 20 Oct 2008 08:16:50 -0700
From: "Mark Atkinson" <m.atkinson@F5.com>
Reply-To: "Mark Atkinson" <m.atkinson@F5.com>
To: <FreeBSD-gnats-submit@freebsd.org>
Subject: [panic] Fatal Trap 12 in ip6_forward (/usr/src/sys/netinet6/ip6_forward.c:420)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         128247
>Category:       kern
>Synopsis:       [ip6] [panic] Fatal Trap 12 in ip6_forward =
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnn
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 20 15:20:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 18 05:02:18 UTC 2014
>Originator:     Mark Atkinson
>Release:        FreeBSD 8.0-CURRENT i386
>Organization:
F5 networks
>Environment:
System: FreeBSD marka-k8we 8.0-CURRENT FreeBSD 8.0-CURRENT #22: Fri Oct =
17 15:18:26 PDT 2008     root@marka-k8we:/usr/obj/usr/src/sys/K8WE  i386

CPU: AMD Opteron(tm) Processor 252 (2612.05-MHz 686-class CPU)
Origin =3D "AuthenticAMD"  Id =3D 0x20f51  Stepping =3D 1
Features=3D0x78bfbff =
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C=
LFLUSH,MMX,FXSR,SSE,SSE2
Features2=3D0x1 SSE3=20
AMD Features=3D0xe2500800 SYSCALL,NX,MMX+,FFXSR,LM,3DNow!+,3DNow!=20
AMD Features2=3D0x1 LAHF=20
real memory  =3D 2146435072 (2047 MB)
avail memory =3D 2087993344 (1991 MB)
ACPI APIC Table:  PTLTD          APIC  =20
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID:  0
cpu1 (AP): APIC ID:  1

$ diff -b -u  /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/K8WE
--- /usr/src/sys/i386/conf/GENERIC      2008-10-17 14:33:05.000000000 =
-0700
+++ /usr/src/sys/i386/conf/K8WE 2008-10-17 14:38:52.000000000 -0700
@@ -329,3 +329,18 @@
 device         fwip            # IP over FireWire (RFC 2734,3146)
 device         dcons           # Dumb console driver
 device         dcons_crom      # Configuration ROM for dcons
+
+#K8WE options
+options        IPSEC
+options        TCP_SIGNATURE           #include support for RFC 2385
+device         crypto
+device         cryptodev
+
+device         pf
+device         pflog
+
+device         vlan

$ cat /etc/pf.conf |grep -v "^#"

ext_if=3D"external"       # replace with actual external interface name =
i.e., dc0
int_if=3D"internal"       # replace with actual internal interface name =
i.e., dc1
adm_if=3D"admin"

scrub in all random-id no-df

nat on $adm_if from $int_if:network to any -> $(adm_if)
nat on $adm_if from $ext_if:network to any -> $(adm_if)

pass in all
pass out all

>Description:

On this test system, there is a repeatable panic during large file=20
transfers, when the box is forwarding packets over ipv6

[root@marka-k8we K8WE]$ kgdb ./kernel.debug /var/crash/vmcore.4
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you =
are
welcome to change it and/or distribute copies of it under certain =
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for =
details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid =3D 0; apic id =3D 00
fault virtual address   =3D 0x38
fault code              =3D supervisor read, page not present
instruction pointer     =3D 0x20:0xc09af288
stack pointer           =3D 0x28:0xe5c26a1c
frame pointer           =3D 0x28:0xe5c26b0c
code segment            =3D base 0x0, limit 0xfffff, type 0x1b
                        =3D DPL 0, pres 1, def32 1, gran 1
processor eflags        =3D interrupt enabled, resume, IOPL =3D 0
current process         =3D 0 (nfe1 taskq)
Physical memory: 2030 MB
Dumping 84 MB: 69 53 37 21 5

#0  doadump () at pcpu.h:221
221             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
(kgdb) l *0xc09af288
0xc09af288 is in ip6_forward (/usr/src/sys/netinet6/ip6_forward.c:420).
415              * address).  We use a local copy of ip6_src, since =
in6_setscope()
416              * will possibly modify its first argument.
417              * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
418              */
419             src_in6 =3D ip6->ip6_src;
420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
421                     /* XXX: this should not happen */
422                     V_ip6stat.ip6s_cantforward++;
423                     V_ip6stat.ip6s_badscope++;
424                     m_freem(m);


(kgdb) where
#0  doadump () at pcpu.h:221
#1  0xc04f34f9 in db_fncall (dummy1=3D-1067542808, dummy2=3D0, =
dummy3=3D-440244288,
    dummy4=3D0xe5c267b0 "@#=D6=C0=DFx=C3=C0=D8") at =
/usr/src/sys/ddb/db_command.c:548
#2  0xc04f38f1 in db_command (last_cmdp=3D0xc0d58bdc, cmd_table=3D0x0, =
dopager=3D1)
	at /usr/src/sys/ddb/db_command.c:445
#3  0xc04f3a4a in db_command_loop () at =
/usr/src/sys/ddb/db_command.c:498
#4  0xc04f58cc in db_trap (type=3D12, code=3D0) at =
/usr/src/sys/ddb/db_main.c:229
#5  0xc0861755 in kdb_trap (type=3D12, code=3D0, tf=3D0xe5c269dc)
	at /usr/src/sys/kern/subr_kdb.c:534
#6  0xc0b7f8df in trap_fatal (frame=3D0xe5c269dc, eva=3D56)
	at /usr/src/sys/i386/i386/trap.c:934
#7  0xc0b7fb11 in trap_pfault (frame=3D0xe5c269dc, usermode=3D0, =
eva=3D56)
	at /usr/src/sys/i386/i386/trap.c:856
#8  0xc0b80505 in trap (frame=3D0xe5c269dc) at =
/usr/src/sys/i386/i386/trap.c:536
#9  0xc0b648bb in calltrap () at /usr/src/sys/i386/i386/exception.s:165
#10 0xc09af288 in ip6_forward (m=3D0xc5ed8300, srcrt=3D0)
	at /usr/src/sys/netinet6/ip6_forward.c:420
#11 0xc09b1831 in ip6_input (m=3D0xc5ed8300)
	at /usr/src/sys/netinet6/ip6_input.c:722
#12 0xc08e1032 in netisr_dispatch (num=3D27, m=3D0xc5ed8300)
	at /usr/src/sys/net/netisr.c:178
#13 0xc08d8e01 in ether_demux (ifp=3D0xc574b400, m=3D0xc5ed8300)
	at /usr/src/sys/net/if_ethersubr.c:845
#14 0xc08d926f in ether_input (ifp=3D0xc574b400, m=3D0xc5ed8300)
	at /usr/src/sys/net/if_ethersubr.c:702
#15 0xc0b542fa in nfe_int_task (arg=3D0xc574c000, pending=3D1)
	at /usr/src/sys/dev/nfe/if_nfe.c:2116
#16 0xc086bfcb in taskqueue_run (queue=3D0xc575b080)
	at /usr/src/sys/kern/subr_taskqueue.c:282
#17 0xc086c128 in taskqueue_thread_loop (arg=3D0xc574c130)
	at /usr/src/sys/kern/subr_taskqueue.c:403
#18 0xc0811818 in fork_exit (callout=3D0xc086c0c0 =
<taskqueue_thread_loop>,
	arg=3D0xc574c130, frame=3D0xe5c26d38) at =
/usr/src/sys/kern/kern_fork.c:810
#19 0xc0b64930 in fork_trampoline () at =
/usr/src/sys/i386/i386/exception.s:270

(kgdb) frame 10
#10 0xc09af288 in ip6_forward (m=3D0xc5ed8300, srcrt=3D0)
    at /usr/src/sys/netinet6/ip6_forward.c:420
420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
(kgdb) p rt
$3 =3D (struct rtentry *) 0x0

>How-To-Repeat:

ftp a large file over ipv6 through the box


>Fix:

I'm working on the thought that this might because of the vague=20
nat pf rule, so I've changed it to be specific to ipv4 via inet and
specific inet4 addresses ranges right now.  Currently unknown if this
will work around it, however.

>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org, m.atkinson@F5.com
Cc:  
Subject: Re: kern/128247: [panic] Fatal Trap 12 in ip6_forward
 (/usr/src/sys/netinet6/ip6_forward.c:420)
Date: Mon, 20 Oct 2008 16:31:17 +0000 (UTC)

 On Mon, 20 Oct 2008, Mark Atkinson wrote:
 
 > #0  doadump () at pcpu.h:221
 > 221             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
 > (kgdb) l *0xc09af288
 > 0xc09af288 is in ip6_forward (/usr/src/sys/netinet6/ip6_forward.c:420).
 > 415              * address).  We use a local copy of ip6_src, since =
 > in6_setscope()
 > 416              * will possibly modify its first argument.
 > 417              * [draft-ietf-ipngwg-icmp-v3-04.txt, Section 3.1]
 > 418              */
 > 419             src_in6 =3D ip6->ip6_src;
 > 420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
 > 421                     /* XXX: this should not happen */
 > 422                     V_ip6stat.ip6s_cantforward++;
 > 423                     V_ip6stat.ip6s_badscope++;
 > 424                     m_freem(m);
 >
 > (kgdb) frame 10
 > #10 0xc09af288 in ip6_forward (m=3D0xc5ed8300, srcrt=3D0)
 >    at /usr/src/sys/netinet6/ip6_forward.c:420
 > 420             if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
 > (kgdb) p rt
 > $3 =3D (struct rtentry *) 0x0
 
 and rt comes from
  	rt = V_ip6_forward_rt.ro_rt;
 
 which is an unprotected (no lock) single global cache in the ipv6
 stack. So I guess another packet changed it while this one was
 processed. The problem is well known and will hopefully be eliminated
 one day along with other caches left.
 
 /bz
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Nov 9 02:45:04 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128247 
State-Changed-From-To: open->analyzed 
State-Changed-By: bz 
State-Changed-When: Fri Jan 30 19:42:35 UTC 2009 
State-Changed-Why:  
I have been tracking this issue for kern/131038 and 
the submitter is trying a patch currently. 


Responsible-Changed-From-To: freebsd-net->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Fri Jan 30 19:42:35 UTC 2009 
Responsible-Changed-Why:  
I am working on it atm as rwatson had flagged the problem for me in 2008: 
/* GIANT_REQUIRED; */ /* XXX bz: ip6_forward_rt */  

http://www.freebsd.org/cgi/query-pr.cgi?pr=128247 
State-Changed-From-To: analyzed->patched 
State-Changed-By: bz 
State-Changed-When: Sun Feb 1 21:11:25 UTC 2009 
State-Changed-Why:  
Comitted a fix to HEAD with r187989. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128247 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/128247: commit references a PR
Date: Sun,  1 Feb 2009 21:11:30 +0000 (UTC)

 Author: bz
 Date: Sun Feb  1 21:11:08 2009
 New Revision: 187989
 URL: http://svn.freebsd.org/changeset/base/187989
 
 Log:
   Remove the single global unlocked route cache ip6_forward_rt
   from the inet6 stack along with statistics and make sure we
   properly free the rt in all cases.
   
   While the current situation is not better performance wise it
   prevents panics seen more often these days.
   After more inet6 and ipsec cleanup we should be able to improve
   the situation again passing the rt to ip6_forward directly.
   
   Leave the ip6_forward_rt entry in struct vinet6 but mark it
   for removal.
   
   PR:		kern/128247, kern/131038
   MFC after:	25 days
   Committed from:	Bugathon #6
   Tested by:	Denis Ahrens <denis@h3q.com> (different initial version)
 
 Modified:
   head/UPDATING
   head/sys/netinet6/frag6.c
   head/sys/netinet6/ip6_forward.c
   head/sys/netinet6/ip6_input.c
   head/sys/netinet6/ip6_var.h
   head/sys/netinet6/vinet6.h
   head/usr.bin/netstat/inet6.c
 
 Modified: head/UPDATING
 ==============================================================================
 --- head/UPDATING	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/UPDATING	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -22,6 +22,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
  	to maximize performance.  (To disable malloc debugging, run
  	ln -s aj /etc/malloc.conf.)
  
 +20090201:
 +	INET6 statistics (struct ip6stat) was updated.
 +	netstat(1) needs to be recompiled.
 +
  20090119:
  	NTFS has been removed from GENERIC kernel on amd64 to match
  	GENERIC on i386. Should not cause any issues since mount_ntfs(8)
 
 Modified: head/sys/netinet6/frag6.c
 ==============================================================================
 --- head/sys/netinet6/frag6.c	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/sys/netinet6/frag6.c	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -751,18 +751,6 @@ frag6_slowtimo(void)
  	}
  	VNET_LIST_RUNLOCK();
  	IP6Q_UNLOCK();
 -
 -#if 0
 -	/*
 -	 * Routing changes might produce a better route than we last used;
 -	 * make sure we notice eventually, even if forwarding only for one
 -	 * destination and the cache is never replaced.
 -	 */
 -	if (V_ip6_forward_rt.ro_rt) {
 -		RTFREE(V_ip6_forward_rt.ro_rt);
 -		V_ip6_forward_rt.ro_rt = 0;
 -	}
 -#endif
  }
  
  /*
 
 Modified: head/sys/netinet6/ip6_forward.c
 ==============================================================================
 --- head/sys/netinet6/ip6_forward.c	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/sys/netinet6/ip6_forward.c	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -77,10 +77,6 @@ __FBSDID("$FreeBSD$");
  
  #include <netinet6/ip6protosw.h>
  
 -#ifdef VIMAGE_GLOBALS
 -struct	route_in6 ip6_forward_rt;
 -#endif
 -
  /*
   * Forward a packet.  If some error occurs return the sender
   * an icmp packet.  Note we can't always generate a meaningful
 @@ -100,6 +96,7 @@ ip6_forward(struct mbuf *m, int srcrt)
  	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
  	struct sockaddr_in6 *dst = NULL;
  	struct rtentry *rt = NULL;
 +	struct route_in6 rin6;
  	int error, type = 0, code = 0;
  	struct mbuf *mcopy = NULL;
  	struct ifnet *origifp;	/* maybe unnecessary */
 @@ -112,8 +109,6 @@ ip6_forward(struct mbuf *m, int srcrt)
  #endif
  	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
  
 -	/* GIANT_REQUIRED; */ /* XXX bz: ip6_forward_rt */
 -
  #ifdef IPSEC
  	/*
  	 * Check AH/ESP integrity.
 @@ -355,56 +350,27 @@ ip6_forward(struct mbuf *m, int srcrt)
  skip_ipsec:
  #endif
  
 -	dst = (struct sockaddr_in6 *)&V_ip6_forward_rt.ro_dst;
 -	if (!srcrt) {
 -		/* ip6_forward_rt.ro_dst.sin6_addr is equal to ip6->ip6_dst */
 -		if (V_ip6_forward_rt.ro_rt == 0 ||
 -		    (V_ip6_forward_rt.ro_rt->rt_flags & RTF_UP) == 0) {
 -			if (V_ip6_forward_rt.ro_rt) {
 -				RTFREE(V_ip6_forward_rt.ro_rt);
 -				V_ip6_forward_rt.ro_rt = 0;
 -			}
 -
 -			/* this probably fails but give it a try again */
 -			rtalloc((struct route *)&V_ip6_forward_rt);
 -		}
 -
 -		if (V_ip6_forward_rt.ro_rt == 0) {
 -			V_ip6stat.ip6s_noroute++;
 -			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
 -			if (mcopy) {
 -				icmp6_error(mcopy, ICMP6_DST_UNREACH,
 -					    ICMP6_DST_UNREACH_NOROUTE, 0);
 -			}
 -			m_freem(m);
 -			return;
 -		}
 -	} else if ((rt = V_ip6_forward_rt.ro_rt) == 0 ||
 -		   !IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst->sin6_addr)) {
 -		if (V_ip6_forward_rt.ro_rt) {
 -			RTFREE(V_ip6_forward_rt.ro_rt);
 -			V_ip6_forward_rt.ro_rt = 0;
 -		}
 -		bzero(dst, sizeof(*dst));
 -		dst->sin6_len = sizeof(struct sockaddr_in6);
 -		dst->sin6_family = AF_INET6;
 -		dst->sin6_addr = ip6->ip6_dst;
 -
 -		rtalloc((struct route *)&V_ip6_forward_rt);
 -		if (V_ip6_forward_rt.ro_rt == 0) {
 -			V_ip6stat.ip6s_noroute++;
 -			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
 -			if (mcopy) {
 -				icmp6_error(mcopy, ICMP6_DST_UNREACH,
 -					    ICMP6_DST_UNREACH_NOROUTE, 0);
 -			}
 -			m_freem(m);
 -			return;
 +	bzero(&rin6, sizeof(struct route_in6));
 +	dst = (struct sockaddr_in6 *)&rin6.ro_dst;
 +	dst->sin6_len = sizeof(struct sockaddr_in6);
 +	dst->sin6_family = AF_INET6;
 +	dst->sin6_addr = ip6->ip6_dst;
 +
 +	rin6.ro_rt = rtalloc1((struct sockaddr *)dst, 0, 0);
 +	if (rin6.ro_rt != NULL)
 +		RT_UNLOCK(rin6.ro_rt);
 +	else {
 +		V_ip6stat.ip6s_noroute++;
 +		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_noroute);
 +		if (mcopy) {
 +			icmp6_error(mcopy, ICMP6_DST_UNREACH,
 +			ICMP6_DST_UNREACH_NOROUTE, 0);
  		}
 +		goto bad;
  	}
 -	rt = V_ip6_forward_rt.ro_rt;
 +	rt = rin6.ro_rt;
  #ifdef IPSEC
 -    skip_routing:;
 +skip_routing:
  #endif
  
  	/*
 @@ -421,14 +387,12 @@ skip_ipsec:
  		/* XXX: this should not happen */
  		V_ip6stat.ip6s_cantforward++;
  		V_ip6stat.ip6s_badscope++;
 -		m_freem(m);
 -		return;
 +		goto bad;
  	}
  	if (in6_setscope(&src_in6, m->m_pkthdr.rcvif, &inzone)) {
  		V_ip6stat.ip6s_cantforward++;
  		V_ip6stat.ip6s_badscope++;
 -		m_freem(m);
 -		return;
 +		goto bad;
  	}
  	if (inzone != outzone
  #ifdef IPSEC
 @@ -452,8 +416,7 @@ skip_ipsec:
  		if (mcopy)
  			icmp6_error(mcopy, ICMP6_DST_UNREACH,
  				    ICMP6_DST_UNREACH_BEYONDSCOPE, 0);
 -		m_freem(m);
 -		return;
 +		goto bad;
  	}
  
  	/*
 @@ -469,8 +432,7 @@ skip_ipsec:
  	    inzone != outzone) {
  		V_ip6stat.ip6s_cantforward++;
  		V_ip6stat.ip6s_badscope++;
 -		m_freem(m);
 -		return;
 +		goto bad;
  	}
  
  	if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) {
 @@ -510,8 +472,7 @@ skip_ipsec:
  #endif /* IPSEC */
  			icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
  		}
 -		m_freem(m);
 -		return;
 +		goto bad;
  	}
  
  	if (rt->rt_flags & RTF_GATEWAY)
 @@ -544,8 +505,7 @@ skip_ipsec:
  			 */
  			icmp6_error(mcopy, ICMP6_DST_UNREACH,
  				    ICMP6_DST_UNREACH_ADDR, 0);
 -			m_freem(m);
 -			return;
 +			goto bad;
  		}
  		type = ND_REDIRECT;
  	}
 @@ -624,12 +584,12 @@ pass:
  
  senderr:
  	if (mcopy == NULL)
 -		return;
 +		goto out;
  	switch (error) {
  	case 0:
  		if (type == ND_REDIRECT) {
  			icmp6_redirect_output(mcopy, rt);
 -			return;
 +			goto out;
  		}
  		goto freecopy;
  
 @@ -651,9 +611,18 @@ senderr:
  		break;
  	}
  	icmp6_error(mcopy, type, code, 0);
 -	return;
 +	goto out;
  
   freecopy:
  	m_freem(mcopy);
 -	return;
 +	goto out;
 +bad:
 +	m_freem(m);
 +out:
 +	if (rt != NULL
 +#ifdef IPSEC
 +	    && !ipsecrt
 +#endif
 +	    )
 +		RTFREE(rt);
  }
 
 Modified: head/sys/netinet6/ip6_input.c
 ==============================================================================
 --- head/sys/netinet6/ip6_input.c	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/sys/netinet6/ip6_input.c	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -143,8 +143,6 @@ extern int icmp6errppslim;
  extern int icmp6_nodeinfo;
  extern int udp6_sendspace;
  extern int udp6_recvspace;
 -
 -extern struct	route_in6 ip6_forward_rt;
  #endif
  
  struct pfil_head inet6_pfil_hook;
 @@ -309,10 +307,12 @@ ip6_input(struct mbuf *m)
  	int nxt, ours = 0;
  	struct ifnet *deliverifp = NULL, *ifp = NULL;
  	struct in6_addr odst;
 +	struct route_in6 rin6;
  	int srcrt = 0;
  	struct llentry *lle = NULL;
 -	struct sockaddr_in6 dst6;
 +	struct sockaddr_in6 dst6, *dst;
  
 +	bzero(&rin6, sizeof(struct route_in6));
  #ifdef IPSEC
  	/*
  	 * should the inner packet be considered authentic?
 @@ -565,29 +565,13 @@ passin:
  	if (lle != NULL)
  		LLE_RUNLOCK(lle);
  
 -	if (V_ip6_forward_rt.ro_rt != NULL &&
 -	    (V_ip6_forward_rt.ro_rt->rt_flags & RTF_UP) != 0 &&
 -	    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
 -	    &((struct sockaddr_in6 *)(&V_ip6_forward_rt.ro_dst))->sin6_addr))
 -		V_ip6stat.ip6s_forward_cachehit++;
 -	else {
 -		struct sockaddr_in6 *dst6;
 -
 -		if (V_ip6_forward_rt.ro_rt) {
 -			/* route is down or destination is different */
 -			V_ip6stat.ip6s_forward_cachemiss++;
 -			RTFREE(V_ip6_forward_rt.ro_rt);
 -			V_ip6_forward_rt.ro_rt = 0;
 -		}
 -
 -		bzero(&V_ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6));
 -		dst6 = (struct sockaddr_in6 *)&V_ip6_forward_rt.ro_dst;
 -		dst6->sin6_len = sizeof(struct sockaddr_in6);
 -		dst6->sin6_family = AF_INET6;
 -		dst6->sin6_addr = ip6->ip6_dst;
 -
 -		rtalloc((struct route *)&V_ip6_forward_rt);
 -	}
 +	dst = &rin6.ro_dst;
 +	dst->sin6_len = sizeof(struct sockaddr_in6);
 +	dst->sin6_family = AF_INET6;
 +	dst->sin6_addr = ip6->ip6_dst;
 +	rin6.ro_rt = rtalloc1((struct sockaddr *)dst, 0, 0);
 +	if (rin6.ro_rt)
 +		RT_UNLOCK(rin6.ro_rt);
  
  #define rt6_key(r) ((struct sockaddr_in6 *)((r)->rt_nodes->rn_key))
  
 @@ -611,14 +595,14 @@ passin:
  	 * while it would be less efficient.  Or, should we rather install a
  	 * reject route for such a case?
  	 */
 -	if (V_ip6_forward_rt.ro_rt &&
 -	    (V_ip6_forward_rt.ro_rt->rt_flags &
 +	if (rin6.ro_rt &&
 +	    (rin6.ro_rt->rt_flags &
  	     (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
  #ifdef RTF_WASCLONED
 -	    !(V_ip6_forward_rt.ro_rt->rt_flags & RTF_WASCLONED) &&
 +	    !(rin6.ro_rt->rt_flags & RTF_WASCLONED) &&
  #endif
  #ifdef RTF_CLONED
 -	    !(V_ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
 +	    !(rin6.ro_rt->rt_flags & RTF_CLONED) &&
  #endif
  #if 0
  	    /*
 @@ -627,11 +611,11 @@ passin:
  	     * already done through looking up the routing table.
  	     */
  	    IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst,
 -	    &rt6_key(V_ip6_forward_rt.ro_rt)->sin6_addr)
 +	    &rt6_key(rin6.ro_rt)->sin6_addr)
  #endif
 -	    V_ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_LOOP) {
 +	    rin6.ro_rt->rt_ifp->if_type == IFT_LOOP) {
  		struct in6_ifaddr *ia6 =
 -			(struct in6_ifaddr *)V_ip6_forward_rt.ro_rt->rt_ifa;
 +			(struct in6_ifaddr *)rin6.ro_rt->rt_ifa;
  
  		/*
  		 * record address information into m_tag.
 @@ -667,11 +651,11 @@ passin:
  	 * FAITH (Firewall Aided Internet Translator)
  	 */
  	if (V_ip6_keepfaith) {
 -		if (V_ip6_forward_rt.ro_rt && V_ip6_forward_rt.ro_rt->rt_ifp
 -		 && V_ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
 +		if (rin6.ro_rt && rin6.ro_rt->rt_ifp &&
 +		    rin6.ro_rt->rt_ifp->if_type == IFT_FAITH) {
  			/* XXX do we need more sanity checks? */
  			ours = 1;
 -			deliverifp = V_ip6_forward_rt.ro_rt->rt_ifp; /* faith */
 +			deliverifp = rin6.ro_rt->rt_ifp; /* faith */
  			goto hbhcheck;
  		}
  	}
 @@ -721,7 +705,7 @@ passin:
  #if 0	/*touches NULL pointer*/
  			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_discard);
  #endif
 -			return;	/* m have already been freed */
 +			goto out;	/* m have already been freed */
  		}
  
  		/* adjust pointer */
 @@ -744,7 +728,7 @@ passin:
  			icmp6_error(m, ICMP6_PARAM_PROB,
  				    ICMP6_PARAMPROB_HEADER,
  				    (caddr_t)&ip6->ip6_plen - (caddr_t)ip6);
 -			return;
 +			goto out;
  		}
  #ifndef PULLDOWN_TEST
  		/* ip6_hopopts_input() ensures that mbuf is contiguous */
 @@ -754,7 +738,7 @@ passin:
  			sizeof(struct ip6_hbh));
  		if (hbh == NULL) {
  			V_ip6stat.ip6s_tooshort++;
 -			return;
 +			goto out;
  		}
  #endif
  		nxt = hbh->ip6h_nxt;
 @@ -816,16 +800,13 @@ passin:
  		if (ip6_mrouter && ip6_mforward &&
  		    ip6_mforward(ip6, m->m_pkthdr.rcvif, m)) {
  			V_ip6stat.ip6s_cantforward++;
 -			m_freem(m);
 -			return;
 -		}
 -		if (!ours) {
 -			m_freem(m);
 -			return;
 +			goto bad;
  		}
 +		if (!ours)
 +			goto bad;
  	} else if (!ours) {
  		ip6_forward(m, srcrt);
 -		return;
 +		goto out;
  	}
  
  	ip6 = mtod(m, struct ip6_hdr *);
 @@ -880,9 +861,12 @@ passin:
  #endif /* IPSEC */
  		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
  	}
 -	return;
 - bad:
 +	goto out;
 +bad:
  	m_freem(m);
 +out:
 +	if (rin6.ro_rt)
 +		RTFREE(rin6.ro_rt);
  }
  
  /*
 
 Modified: head/sys/netinet6/ip6_var.h
 ==============================================================================
 --- head/sys/netinet6/ip6_var.h	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/sys/netinet6/ip6_var.h	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -229,9 +229,6 @@ struct	ip6stat {
  	/* number of times that a deprecated address is chosen */
  	u_quad_t ip6s_sources_deprecated[16];
  
 -	u_quad_t ip6s_forward_cachehit;
 -	u_quad_t ip6s_forward_cachemiss;
 -
  	/* number of times that each rule of source selection is applied. */
  	u_quad_t ip6s_sources_rule[16];
  };
 
 Modified: head/sys/netinet6/vinet6.h
 ==============================================================================
 --- head/sys/netinet6/vinet6.h	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/sys/netinet6/vinet6.h	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -54,7 +54,7 @@ struct vnet_inet6 {
  	u_int				_frag6_nfrags;
  	struct ip6q			_ip6q;
  
 -	struct route_in6 		_ip6_forward_rt;
 +	struct route_in6 		_ip6_forward_rt;	/* XXX remove */
  
  	struct in6_addrpolicy 		_defaultaddrpolicy;
  	TAILQ_HEAD(, addrsel_policyent) _addrsel_policytab;
 @@ -194,7 +194,6 @@ extern struct vnet_inet6 vnet_inet6_0;
  #define	V_ip6_defhlim			VNET_INET6(ip6_defhlim)
  #define	V_ip6_defmcasthlim		VNET_INET6(ip6_defmcasthlim)
  #define	V_ip6_desync_factor		VNET_INET6(ip6_desync_factor)
 -#define	V_ip6_forward_rt		VNET_INET6(ip6_forward_rt)
  #define	V_ip6_forwarding		VNET_INET6(ip6_forwarding)
  #define	V_ip6_hdrnestlimit		VNET_INET6(ip6_hdrnestlimit)
  #define	V_ip6_keepfaith			VNET_INET6(ip6_keepfaith)
 
 Modified: head/usr.bin/netstat/inet6.c
 ==============================================================================
 --- head/usr.bin/netstat/inet6.c	Sun Feb  1 20:18:27 2009	(r187988)
 +++ head/usr.bin/netstat/inet6.c	Sun Feb  1 21:11:08 2009	(r187989)
 @@ -512,8 +512,6 @@ ip6_stats(u_long off, const char *name, 
  		}
  	}
  
 -	p1a(ip6s_forward_cachehit, "\t%ju forward cache hit\n");
 -	p1a(ip6s_forward_cachemiss, "\t%ju forward cache miss\n");
  	printf("\tSource addresses selection rule applied:\n");
  	for (i = 0; i < 16; i++) {
  		if (ip6stat.ip6s_sources_rule[i])
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Mark Atkinson <m.atkinson@f5.com>
To: <bug-followup@freebsd.org>, <m.atkinson@f5.com>
Cc:  
Subject: Re: kern/128247: [ip6] [panic] Fatal Trap 12 in ip6_forward  (/usr/src/sys/netinet6/ip6_forward.c:420)
Date: Tue, 3 Feb 2009 07:13:41 -0800

 --nextPart2661174.oAMLYx4QdS
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 
 I updated sources yesterday and rebuilt to catch this change.   This mornin=
 g I=20
 came in to find two machines at the debug prompt.   These machines differ=20
 somewhat from the other in that they are not forwarding, don't use pf, but =
 do=20
 use the vlan device. =20
 
 net.inet6.ip6.forwarding: 0 -> 0
 net.inet6.ip6.accept_rtadv: 0 -> 1
 IPv4 mapped IPv6 address support=3DYES
 
 # panic: Lock (rw) lle not locked @ /usr/src/sys/netinet6/nd6_rtr.c:655.
 cpuid =3D 1
 KDB: enter: panic
 [thread pid 0 tid 100025 ]
 Stopped at      kdb_enter+0x3a: movl    $0,kdb_why
 db> show alllocks
 db>=20
 
 
 [root@pogo-3 /usr/obj/usr/src/sys/POGO]#  kgdb ./kernel.debug /vmcore.0
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain condition=
 s.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd"...
 
 Unread portion olf the kernel mesosage buffer:
 pack nic: Lock (rw) lordle not locked @=20
 er /usr/src/sys/netrinet6/nd6_rtr.c:eve655.
 rsuid =3D 1
   KDB: enter: panal:ic
 ory: 1006 MB
 Du
   mping 58 MB: 43  127 11
 
 st 0xc4a68044 user map (user map) @ /usr/src/sys/vm/vm_map.c:3198
  2nd 0xc4d0f6a0 nfs (nfs) @ /usr/src/sys/kern/vfs_subr.c:2071
 KDB: stack backtrace:
 db_trace_self_wrapper(c0c00262,c43d1920,c0888eb5,4,c0bfb7e0,...) at=20
 db_trace_self_wrapper+0x26
 kdb_backtrace(4,c0bfb7e0,c4522728,c45279a0,c43d197c,...) at kdb_backtrace+0=
 x29
 _witness_debugger(c0c02f87,c4d0f6a0,c0c1c804,c45279a0,c0c09c6a,...) at=20
 _witness_debugger+0x25
 witness_checkorder(c4d0f6a0,1,c0c09c6a,817,0,...) at witness_checkorder+0x8=
 2b
 __lockmgr_args(c4d0f6a0,200501,c4d0f6bc,0,0,...) at __lockmgr_args+0x228
 vop_stdlock(c43d1a80,c0888c5b,c0c260c9,200501,c4d0f648,...) at=20
 vop_stdlock+0x62
 VOP_LOCK1_APV(c0d02c20,c43d1a80,c4d3e764,c0d1e7c0,c4d0f648,...) at=20
 VOP_LOCK1_APV+0xb5
 _vn_lock(c4d0f648,200501,c0c09c6a,817,4,...) at _vn_lock+0x5e
 vget(c4d0f648,200501,c4d3e6c0,4b2,0,...) at vget+0xcb
 vnode_pager_lock(c4cfe9b0,0,c0c236aa,127,c43d1c18,...) at=20
 vnode_pager_lock+0x1d9
 vm_fault(c4a68000,2ba00000,1,0,2ba00000,...) at vm_fault+0x1e9
 trap_pfault(5,0,c0c3382b,c0bfb7e0,c4d3e6c0,...) at trap_pfault+0xf5
 trap(c43d1d38) at trap+0x2a9
 calltrap() at calltrap+0x6
 =2D-- trap 0xc, eip =3D 0x2835b797, esp =3D 0xbfbfdaa0, ebp =3D 0xbfbfdb48 =
 =2D--
 #0  doadump () at pcpu.h:246
 246             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:246
 #1  0xc04be049 in db_fncall (dummy1=3D1, dummy2=3D0, dummy3=3D0,=20
 dummy4=3D0xc42353a4 "\200=F4Z=C4") at /usr/src/sys/ddb/db_command.c:548
 #2  0xc04be441 in db_command (last_cmdp=3D0xc0d1fedc, cmd_table=3D0x0, dopa=
 ger=3D1)=20
 at /usr/src/sys/ddb/db_command.c:445
 #3  0xc04be5a5 in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
 #4  0xc04c04ac in db_trap (type=3D3, code=3D0) at /usr/src/sys/ddb/db_main.=
 c:229
 #5  0xc08770a1 in kdb_trap (type=3D3, code=3D0, tf=3D0xc423554c)=20
 at /usr/src/sys/kern/subr_kdb.c:534
 #6  0xc0b56377 in trap (frame=3D0xc423554c) at /usr/src/sys/i386/i386/trap.=
 c:680
 #7  0xc0b3a64b in calltrap () at /usr/src/sys/i386/i386/exception.s:165
 #8  0xc087723a in kdb_enter (why=3D0xc0bfcf53 "panic", msg=3D0xc0bfcf53 "pa=
 nic")=20
 at cpufunc.h:71
 #9  0xc0847ed8 in panic (fmt=3D0xc0c02a27 "Lock (%s) %s not locked @ %s:%d.=
 ")=20
 at /usr/src/sys/kern/kern_shutdown.c:559
 #10 0xc0889007 in witness_assert (lock=3D0xc4c7d908, flags=3DVariable "flag=
 s" is=20
 not available.
 ) at /usr/src/sys/kern/subr_witness.c:2206
 #11 0xc0845ad5 in _rw_assert (rw=3D0xc4c7d908, what=3DVariable "what" is no=
 t=20
 available.
 ) at /usr/src/sys/kern/kern_rwlock.c:936
 #12 0xc0845f88 in _rw_runlock (rw=3D0xc4c7d908,=20
 file=3D0xc0c1a5db "/usr/src/sys/netinet6/nd6_rtr.c", line=3D655)=20
 at /usr/src/sys/kern/kern_rwlock.c:476
 #13 0xc09d96df in defrouter_select () at /usr/src/sys/netinet6/nd6_rtr.c:655
 #14 0xc09da6b6 in nd6_ra_input (m=3D0xc4c9c200, off=3D40, icmp6len=3D56)=20
 at /usr/src/sys/netinet6/nd6_rtr.c:811
 #15 0xc09be9ce in icmp6_input (mp=3D0xc4235af0, offp=3D0xc4235b04, proto=3D=
 58)=20
 at /usr/src/sys/netinet6/icmp6.c:776
 #16 0xc09cc794 in ip6_input (m=3D0xc4d13d00)=20
 at /usr/src/sys/netinet6/ip6_input.c:862
 #17 0xc08f94b7 in netisr_dispatch (num=3D27, m=3D0xc4d13d00)=20
 at /usr/src/sys/net/netisr.c:178
 #18 0xc08f0cf1 in ether_demux (ifp=3D0xc46da400, m=3D0xc4d13d00)=20
 at /usr/src/sys/net/if_ethersubr.c:864
 #19 0xc08f117f in ether_input (ifp=3D0xc46da400, m=3D0xc4d13d00)=20
 at /usr/src/sys/net/if_ethersubr.c:721
 #20 0xc0606d84 in em_rxeof (adapter=3D0xc46e6000, count=3D99)=20
 at /usr/src/sys/dev/e1000/if_em.c:4540
 #21 0xc0606f0e in em_handle_rxtx (context=3D0xc46e6000, pending=3D1)=20
 at /usr/src/sys/dev/e1000/if_em.c:1703
 #22 0xc0881d68 in taskqueue_run (queue=3D0xc46e4040)=20
 at /usr/src/sys/kern/subr_taskqueue.c:282
 #23 0xc0881eb8 in taskqueue_thread_loop (arg=3D0xc46ea358)=20
 at /usr/src/sys/kern/subr_taskqueue.c:403
 #24 0xc0824325 in fork_exit (callout=3D0xc0881e50 <taskqueue_thread_loop>,=
 =20
 arg=3D0xc46ea358, frame=3D0xc4235d38) at /usr/src/sys/kern/kern_fork.c:821
 #25 0xc0b3a6c0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:=
 270
 (kgdb) show alllocks
 Undefined show command: "alllocks".  Try "help show".
 (kgdb) show locks
 Undefined show command: "locks".  Try "help show".
 (kgdb) frame 12
 #12 0xc0845f88 in _rw_runlock (rw=3D0xc4c7d908,=20
 file=3D0xc0c1a5db "/usr/src/sys/netinet6/nd6_rtr.c", line=3D655)=20
 at /usr/src/sys/kern/kern_rwlock.c:476
 476             _rw_assert(rw, RA_RLOCKED, file, line);
 (kgdb) list
 471             struct turnstile *ts;
 472             uintptr_t x, v, queue;
 473
 474             KASSERT(rw->rw_lock !=3D RW_DESTROYED,
 475                 ("rw_runlock() of destroyed rwlock @ %s:%d", file, line=
 ));
 476             _rw_assert(rw, RA_RLOCKED, file, line);
 477             curthread->td_locks--;
 478             curthread->td_rw_rlocks--;
 479             WITNESS_UNLOCK(&rw->lock_object, 0, file, line);
 480             LOCK_LOG_LOCK("RUNLOCK", &rw->lock_object, 0, 0, file, line=
 );
 (kgdb)
 
 --nextPart2661174.oAMLYx4QdS
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: This is a digitally signed message part.
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (FreeBSD)
 
 iEYEABECAAYFAkmIXyYACgkQrDN5kXnx8yasDQCfddcab0x3Ge9Dg0+eJ7SQZXnO
 4h8AoJkv87IzryXo87bRpiptT9u+x9OH
 =oyI0
 -----END PGP SIGNATURE-----
 
 --nextPart2661174.oAMLYx4QdS--

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, m.atkinson@F5.com
Cc:  
Subject: Re: kern/128247: [ip6] [panic] Fatal Trap 12 in ip6_forward =
Date: Tue, 3 Feb 2009 18:39:35 +0000 (UTC)

 Hi,
 
 > # panic: Lock (rw) lle not locked @ /usr/src/sys/netinet6/nd6_rtr.c:655.
 
 This is ``good'' ;) -
 that's new-arp fallout and not from the changes of this PR.
 
 
 > #11 0xc0845ad5 in _rw_assert (rw=3D0xc4c7d908, what=3DVariable "what" is no=
 > t=20
 > available.
 > ) at /usr/src/sys/kern/kern_rwlock.c:936
 > #12 0xc0845f88 in _rw_runlock (rw=3D0xc4c7d908,=20
 > file=3D0xc0c1a5db "/usr/src/sys/netinet6/nd6_rtr.c", line=3D655)=20
 > at /usr/src/sys/kern/kern_rwlock.c:476
 > #13 0xc09d96df in defrouter_select () at /usr/src/sys/netinet6/nd6_rtr.c:655
 > #14 0xc09da6b6 in nd6_ra_input (m=3D0xc4c9c200, off=3D40, icmp6len=3D56)=20
 > at /usr/src/sys/netinet6/nd6_rtr.c:811
 > #15 0xc09be9ce in icmp6_input (mp=3D0xc4235af0, offp=3D0xc4235b04, proto=3D=
 > 58)=20
 > at /usr/src/sys/netinet6/icmp6.c:776
 > #16 0xc09cc794 in ip6_input (m=3D0xc4d13d00)=20
 > at /usr/src/sys/netinet6/ip6_input.c:862
 
 We should discuss this elsewhere but let me see. It seems to be
 reproducale for you? Can you try this patch (pasted in):
 
 Index: sys/netinet6/nd6_rtr.c
 ===================================================================
 --- sys/netinet6/nd6_rtr.c      (revision 188082)
 +++ sys/netinet6/nd6_rtr.c      (working copy)
 @@ -651,8 +651,10 @@
                          selected_dr = dr;
                  }
                  IF_AFDATA_UNLOCK(dr->ifp);
 -               if (ln != NULL)
 +               if (ln != NULL) {
                          LLE_RUNLOCK(ln);
 +                       ln = NULL;
 +               }
 
                  if (dr->installed && installed_dr == NULL)
                          installed_dr = dr;
 
 
 Also temporary fetchable from
 http://people.freebsd.org/~bz/20090203-01-new-arp-fix-nd6_rtr.diff
 
 /bz
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.

From: Mark Atkinson <m.atkinson@f5.com>
To: <bug-followup@freebsd.org>, <m.atkinson@f5.com>
Cc:  
Subject: Re: kern/128247: [ip6] [panic] Fatal Trap 12 in ip6_forward (/usr/src/sys/netinet6/ip6_forward.c:420)
Date: Tue, 3 Feb 2009 14:29:01 -0800

 --nextPart1698304.tGd0tKq8Iu
 Content-Type: text/plain;
   charset="us-ascii"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 
 Thanks.  This may have occurred when the router failed over and began=20
 advertising  a new link local address.   I've applied the patch and failed=
 =20
 over a couple times without any panics so far.
 
 =2D-=20
 Mark Atkinson
 m.atkinson@f5.com
 (!wired)?(coffee++):(wired);
 
 --nextPart1698304.tGd0tKq8Iu
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: This is a digitally signed message part.
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (FreeBSD)
 
 iEYEABECAAYFAkmIxS4ACgkQrDN5kXnx8yZxPgCbBK2lKyamVeAhQfwyxJejOZHy
 pNMAnjgv7aFJvjTKWOGoNgWzMK7D0CdQ
 =5qKe
 -----END PGP SIGNATURE-----
 
 --nextPart1698304.tGd0tKq8Iu--

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/128247: commit references a PR
Date: Wed,  4 Feb 2009 10:35:41 +0000 (UTC)

 Author: bz
 Date: Wed Feb  4 10:35:27 2009
 New Revision: 188113
 URL: http://svn.freebsd.org/changeset/base/188113
 
 Log:
   When iterating through the list trying to find a router in
   defrouter_select(), NULL the cached llentry after unlocking
   as we are no longer interested in it and with the second
   iteration would try to unlock it again resulting in
   panic: Lock (rw) lle not locked @ ...
   
   Reported by:	Mark Atkinson <m.atkinson@f5.com>
   Tested by:	Mark Atkinson <m.atkinson@f5.com>
   PR:		kern/128247 (in follow-up, unrelated to original report)
 
 Modified:
   head/sys/netinet6/nd6_rtr.c
 
 Modified: head/sys/netinet6/nd6_rtr.c
 ==============================================================================
 --- head/sys/netinet6/nd6_rtr.c	Wed Feb  4 01:14:06 2009	(r188112)
 +++ head/sys/netinet6/nd6_rtr.c	Wed Feb  4 10:35:27 2009	(r188113)
 @@ -651,8 +651,10 @@ defrouter_select(void)
  			selected_dr = dr;
  		}
  		IF_AFDATA_UNLOCK(dr->ifp);
 -		if (ln != NULL)
 +		if (ln != NULL) {
  			LLE_RUNLOCK(ln);
 +			ln = NULL;
 +		}
  
  		if (dr->installed && installed_dr == NULL)
  			installed_dr = dr;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, m.atkinson@F5.com
Cc:  
Subject: Re: kern/128247: [ip6] [panic] Fatal Trap 12 in ip6_forward =
Date: Wed, 4 Feb 2009 10:38:59 +0000 (UTC)

 Hi Mark,
 
 
 > Thanks.  This may have occurred when the router failed over and began
 > advertising  a new link local address.
 
 that sounds likely.
 
 >   I've applied the patch and failed
 > over a couple times without any panics so far.
 
 Thanks for testing!
 I just comitted the patch with SVN r188113.
 
 /bz
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:02:07 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we will have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128247 
>Unformatted:
