Subject: Re: kern/34212: Kernel panic with IPv6 and IPF v4.1.8
To: None <gnats-bugs@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: netbsd-bugs
Date: 10/09/2006 09:05:51
Panic this morning; backtrace and fr_info_t dump below:

#0  0x3fec0000 in ?? ()
#1  0xc03a0077 in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:751
#2  0xc0327804 in panic (fmt=0xc06d3ae1 "trap")
    at ../../../../kern/subr_prf.c:242
#3  0xc03aa535 in trap (frame=0xc0894750)
    at ../../../../arch/i386/i386/trap.c:336
#4  0xc0102ed3 in calltrap ()
#5  0xc01445c4 in fr_stlookup (fin=0xc0894960, tcp=0xc2069ff8, ifqp=0xc0894928)
    at ../../../../dist/ipf/netinet/ip_state.c:2279
#6  0xc0144ac7 in fr_checkstate (fin=0xc0894960, passp=0xc089495c)
    at ../../../../dist/ipf/netinet/ip_state.c:2493
#7  0xc01296b9 in fr_check (ip=0xc2069fd0, hlen=40, ifp=0xc1b2b04c, out=1,
    mp=0xc0894a68) at ../../../../dist/ipf/netinet/fil.c:2369
#8  0xc012e733 in fr_check_wrapper6 (arg=0x0, mp=0xc0894a68, ifp=0xc1b2b04c,
    dir=2) at ../../../../dist/ipf/netinet/ip_fil_netbsd.c:210
#9  0xc036c6da in pfil_run_hooks (ph=0xc07cdfe0, mp=0xc0894af4,
    ifp=0xc1b2b04c, dir=2) at ../../../../net/pfil.c:72
#10 0xc0156bd1 in ip6_output (m0=0xc2069f00, opt=0x0, ro=0xc0894bb0, flags=4,
    im6o=0x0, so=0x0, ifpp=0xc0894c38) at ../../../../netinet6/ip6_output.c:811
#11 0xc01499ff in icmp6_reflect (m=0xc2069f00, off=40)
    at ../../../../netinet6/icmp6.c:2144



(gdb) print *(fr_info_t *)0xc0894960
$1 = {fin_ifp = 0xc1b2b04c, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0,
    fi_ttl = 64, fi_p = 58, fi_optmsk = 0, fi_src = {i6 = {3088318752,
        16842756, 0, 16777216}, in4 = {s_addr = 3088318752}, in6 = {
        __u6_addr = {
          __u6_addr8 = " \001\024\270\004\0\001\001\0\0\0\0\0\0\0\001",
          __u6_addr16 = {288, 47124, 4, 257, 0, 0, 0, 256}, __u6_addr32 = {
            3088318752, 16842756, 0, 16777216}}}, vptr = {0xb8140120,
        0x1010004}, lptr = {0xb8140120, 0x1010004}}, fi_dst = {i6 = {
        3088318752, 16842756, 0, 33554432}, in4 = {s_addr = 3088318752},
      in6 = {__u6_addr = {
          __u6_addr8 = " \001\024\270\004\0\001\001\0\0\0\0\0\0\0\002",
          __u6_addr16 = {288, 47124, 4, 257, 0, 0, 0, 512}, __u6_addr32 = {
            3088318752, 16842756, 0, 33554432}}}, vptr = {0xb8140120,
        0x1010004}, lptr = {0xb8140120, 0x1010004}}, fi_secmsk = 0,
    fi_auth = 0, fi_flx = 135168, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {
    fid_16 = {2, 0}, fid_32 = 2}, fin_out = 1, fin_rev = 0, fin_hlen = 40,
  fin_tcpf = 0 '\0', fin_icode = 0 '\0', fin_rule = 4294967295,
  fin_group = "�", '\0' <repeats 14 times>, fin_fr = 0x0, fin_dp = 0xc2069ff8,
  fin_dlen = 1240, fin_plen = 1280, fin_ipoff = 0, fin_id = 96, fin_off = 0,
  fin_depth = 0, fin_error = 51, fin_nat = 0x0, fin_state = 0x0,
  fin_nattag = 0x0, fin_ip = 0xc2069fd0, fin_mp = 0xc0894a68,
  fin_m = 0xc2069f00}
(gdb)


I started reading ip_state.c from line 3436 and noticed that if the code
returns at line 3546, the ipf_state lock taken earlier in that function is still held.

Should there be an "RWLOCK_EXIT(&ipf_state);" immediately before the return
statements at lines 3546 and 3601? Note that a lock leaked on a return path would
normally show up later as a hang rather than as the trap in fr_stlookup() shown
above, so this may be a separate problem from the panic itself.