Subject: kern/28669: kernel crash with IPv6 packets
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <martti.kuparinen@iki.fi>
List: netbsd-bugs
Date: 12/15/2004 18:09:00
>Number:         28669
>Category:       kern
>Synopsis:       kernel crash with IPv6 packets
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 15 18:09:00 +0000 2004
>Originator:     Martti Kuparinen
>Release:        NetBSD 2.0
>Organization:
>Environment:
System: NetBSD fw.somedomain.com 2.0 NetBSD 2.0 (FW) #0: Tue Nov 30 09:02:44 EET 2004  root@fw.somedomain.com:/usr/src/sys/arch/i386/compile/FW i386
Architecture: i386
Machine: i386
>Description:

My NetBSD/i386 2.0-based firewall crashed today. It seems like this is an
IPv6-related problem. Here's the kernel backtrace:

ROOT fw:/usr/src/sys/arch/i386/compile/FW> gdb netbsd.gdb
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
(gdb) target kcore /var/crash/netbsd.2.core
panic: trap
#0  0x3fec0000 in ?? ()
(gdb) bt
#0  0x3fec0000 in ?? ()
#1  0xc035443b in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:745
#2  0xc02e1564 in panic (fmt=0xc06179b5 "trap")
    at ../../../../kern/subr_prf.c:242
#3  0xc035e5cd in trap (frame=0xce62b828)
    at ../../../../arch/i386/i386/trap.c:296
#4  0xc0102e9f in calltrap ()
#5  0xc012b152 in frpr_ipv6hdr (fin=0xce62b8f8)
    at ../../../../netinet/fil.c:464
#6  0xc0126bfd in fr_makefrip (hlen=40, ip=0xc1acef64, fin=0xce62b8f8)
    at ../../../../netinet/fil.c:1330
#7  0xc01425cd in fr_checkicmp6matchingstate (fin=0xce62baa8)
    at ../../../../netinet/ip_state.c:3393
#8  0xc014150c in fr_stlookup (fin=0xce62baa8, tcp=0xc1acef5c, ifqp=0xce62ba70)
    at ../../../../netinet/ip_state.c:2196
#9  0xc014192f in fr_checkstate (fin=0xce62baa8, passp=0xce62baa4)
    at ../../../../netinet/ip_state.c:2420
#10 0xc01278b5 in fr_check (ip=0xc1a7a9d0, hlen=40, ifp=0xc1a2e000, out=1, 
    mp=0xce62bbb0) at ../../../../netinet/fil.c:2359
#11 0xc012ca31 in fr_check_wrapper6 (arg=0x0, mp=0xce62bbb0, ifp=0xc1a2e000, 
    dir=2) at ../../../../netinet/ip_fil_netbsd.c:212
#12 0xc0322a2b in pfil_run_hooks (ph=0xc072aca0, mp=0xce62bc3c, 
    ifp=0xc1a2e000, dir=2) at ../../../../net/pfil.c:69
#13 0xc0153845 in ip6_output (m0=0xc1a7a900, opt=0x0, ro=0xce62bcf8, flags=4, 
    im6o=0x0, so=0x0, ifpp=0xce62bd80) at ../../../../netinet6/ip6_output.c:810
#14 0xc014673f in icmp6_reflect (m=0xc1a7a900, off=40)
    at ../../../../netinet6/icmp6.c:2146
#15 0xc0143bb7 in icmp6_error (m=0xc1a7fd00, type=1, code=3, param=0)
    at ../../../../netinet6/icmp6.c:401
#16 0xc014e853 in ip6_forward (m=0x0, srcrt=0)
    at ../../../../netinet6/ip6_forward.c:602
#17 0xc014f58d in ip6_input (m=0xc238bf00)
    at ../../../../netinet6/ip6_input.c:686
#18 0xc014f0d5 in ip6intr () at ../../../../netinet6/ip6_input.c:212

>How-To-Repeat:
>Fix: