Subject: kern/26937: ipv6 activity can panic DIAGNOSTIC kernel
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <carton@Ivy.NET>
List: netbsd-bugs
Date: 09/13/2004 02:40:17
>Number: 26937
>Category: kern
>Synopsis: ipv6 activity can panic DIAGNOSTIC kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 13 06:41:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Miles Nordin
>Release: NetBSD 2.0_BETA 2004-08-15
>Organization:
Le fascisme est la dictature ouverte de la bourgeoisie.
-- Georg Dimitrov
>Environment:
System: NetBSD castrovalva 2.0_BETA NetBSD 2.0_BETA (CASTROVALVA-$Revision: 1.7 $) #0: Mon Sep 13 01:45:01 EDT 2004 carton@castrovalva:/scratch/src/sys/arch/alpha/compile/CASTROVALVA alpha
Architecture: alpha
Machine: alpha
>Description:
kernel panics repeatably with a certian IPv6 configuration in uipc_mbuf.c line 713
>How-To-Repeat:
The typescript below requires:
* net/tspc and a freenet6 account
* quagga-devel from pkgsrc-wip
$ sudo tspc -v -f /usr/home/carton/tspc.conf
Password:
tspc - Tunnel Server Protocol Client
Loading configuration file
Connecting to server
Using [216.158.24.196] as source IPv4 address.
Send request
Process response from server
TSP_HOST_TYPE router
TSP_TUNNEL_INTERFACE gif0
TSP_HOME_INTERFACE tlp1
TSP_CLIENT_ADDRESS_IPV4 216.158.24.196
TSP_CLIENT_ADDRESS_IPV6 3ffe:0bc0:8000:0000:0000:0000:0000:0773
TSP_SERVER_ADDRESS_IPV4 206.123.31.115
TSP_SERVER_ADDRESS_IPV6 3ffe:0bc0:8000:0000:0000:0000:0000:0772
TSP_TUNNEL_PREFIXLEN 128
TSP_PREFIX 3ffe:0bc0:0206
TSP_PREFIXLEN 48
TSP_VERBOSE 1
TSP_HOME_DIR /usr/pkg/share/tspc
--- Start of configuration script. ---
Script: netbsd.sh
Setting up interface gif0
Adding default route to 3ffe:0bc0:8000:0000:0000:0000:0000:0772
writing to routing socket: No such process
delete net default: not in table
add net default: gateway 3ffe:0bc0:8000:0000:0000:0000:0000:0772
--- End of configuration script. ---
Exiting with return code : 0 (0 = no error)
$ sudo route delete -inet6 ::0 -prefixlen 0
delete net ::0
$ sudo route delete -inet6 ::0 -prefixlen 0
writing to routing socket: No such process
delete net ::0: not in table
$ sudo vtysh
Hello, this is quagga (version 0.96.5).
Copyright 1996-2002 Kunihiro Ishiguro.
castrovalva> en
castrovalva# conf t
castrovalva(config)# ipv6 route ::0/0 gif0 10
castrovalva(config)# end
castrovalva#
$ sync
$ ping6 ftp.netbsd.org
PING6(56=40+8+8 bytes) 3ffe:bc0:206:c0::3 --> 2001:4f8:4:7:2e0:81ff:fe21:6563
panic: kernel diagnostic assertion "n->m_len == 0 || m->m_type == n->m_type" failed: file "../../../../kern/uipc_mbuf.c", line 713
Stopped in pid 7842.1 (ping6) at netbsd:cpu_Debugger+0x4: ret z
ero,(ra)
db> bt
cpu_Debugger() at netbsd:cpu_Debugger+0x4
panic() at netbsd:panic+0x1f8
__assert() at netbsd:__assert+0x38
m_adj() at netbsd:m_adj
--- root of call graph ---
db> ps
PID PPID PGRP UID S FLAGS LWPS COMMAND WAIT
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
with the following files updated by hand
netinet/fil.c 1.61.2.7 pr#26666 t#783
kern/uipc_mbuf.c 1.80.2.4 pr#26733 t#831, and t#841
sys/mbuf.h 1.90.2.4 pr#26733 t#831, and t#839
netinet/ip_fil_netbsd.c 1.3.2.10 pr#26733 t#833
netinet6/raw_ip6.c 1.63.2.2 pr#26733 t#836
kern/kern_lock.c 1.75.2.1 t#752
>7842 8152 7842 405 2 0x4102 1 ping6
8152 7824 8152 405 2 0x4002 1 ksh pause
7824 5316 5316 405 2 0x100 1 sshd select
5316 105 5316 0 2 0x100 1 sshd netio
7796 235 235 12 2 0x4100 1 pickup select
1456 535 535 105 2 0x100 1 httpd semwait
740 483 740 405 2 0x4002 1 ksh ttyin
483 673 673 405 2 0x100 1 sshd select
673 105 673 0 2 0x101 1 sshd netio
664 535 535 105 2 0x100 1 httpd semwait
828 535 535 105 2 0x100 1 httpd semwait
1206 535 535 105 2 0x100 1 httpd semwait
1210 535 535 105 2 0x100 1 httpd poll
859 535 535 105 2 0x100 1 httpd semwait
354 535 535 105 2 0x100 1 httpd semwait
1177 1 1177 595 2 0x4003 1 ksh ttyin
789 1 789 405 2 0x4003 1 ksh ttyin
535 1 535 0 2 0 1 httpd select
750 1 750 1003 2 0 1 clamd netcon
914 1 914 0 2 0 1 cron nanosle
593 1 593 0 2 0 1 inetd kqread
--db_more- 291 1 291 0 2 0x101 1 ospf6d select
1050 1 1050 0 2 0x101 1 ospfd select
1046 235 235 12 2 0x4100 1 qmgr select
235 1 235 0 2 0x4108 1 master select
105 1 105 0 2 0 1 sshd select
889 690 690 0 2 0 1 ntpd pause
719 1 719 0 2 0 1 rarpd select
690 1 690 15 2 0x100 1 ntpd pause
571 1 571 0 2 0 1 rpc.bootparamd select
501 446 446 0 2 0 1 nfsd nfsd
479 446 446 0 2 0 1 nfsd nfsd
375 446 446 0 2 0 1 nfsd nfsd
563 446 446 0 2 0 1 nfsd nfsd
446 1 446 0 2 0 1 nfsd poll
476 1 476 0 2 0 1 mountd select
436 1 436 0 2 0 1 mount_mfs mfsidl
376 1 376 0 2 0 1 rpcbind poll
369 1 369 14 2 0x500 3 named *
398 1 398 0 2 0 1 ipmon nanosle
336 1 336 0 2 0 1 syslogd poll
285 1 285 0 2 0x101 1 zebra select
12 0 0 0 2 0x20200 1 aiodoned aiodone
11 0 0 0 2 0x20200 1 ioflush syncer
--db_more- 10 0 0 0 2 0x20200 1 pagedaemon pgdaemo
9 0 0 0 2 0x20200 1 lfs_writer lfswrit
8 0 0 0 2 0x20200 1 atapibus0 sccomp
7 0 0 0 2 0x20200 1 fwohci0 fwohcie
6 0 0 0 2 0x20200 1 scsibus1 sccomp
5 0 0 0 2 0x20200 1 scsibus0 sccomp
4 0 0 0 2 0x20200 1 atabus1 atath
3 0 0 0 2 0x20200 1 atabus0 atath
2 0 0 0 2 0x20200 1 cryptoret crypto_
1 0 1 0 2 0x4000 1 init wait
0 -1 0 0 2 0x20200 1 swapper schedul
db> sync
syncing disks... panic: kernel diagnostic assertion "n->m_len == 0 || m->m_type == n->m_type" failed: file "../../../../kern/uipc_mbuf.c", line 713
Stopped in pid 7842.1 (ping6) at netbsd:cpu_Debugger+0x4: ret z
ero,(ra)
db> sync
dumping to dev 8,1 offset 789343
dump 512 511 510 [...]