NetBSD-Bugs archive


kern/45914: destroying a network interface crashes dom0 kernel



>Number:         45914
>Category:       kern
>Synopsis:       destroying a network interface crashes dom0 kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 02 19:05:00 +0000 2012
>Originator:     Jeff Rizzo
>Release:        NetBSD 5.99.63, also late 5.99.60
>Organization:
        
>Environment:
        
        
System: NetBSD xenserver1.boogers.sf.ca.us 5.99.60 NetBSD 5.99.60 (XS1) #56: Wed Feb  1 21:37:45 PST 2012  riz%hack.lan@localhost:/Users/riz/Documents/code/netbsd/obj.amd64/sys/arch/amd64/compile/XS1 amd64
Architecture: x86_64
Machine: amd64
>Description:

As of this commit:
http://mail-index.netbsd.org/source-changes/2012/01/27/msg031054.html

...destroying a network interface on my Xen DOM0 box crashes the kernel:

****************
xenserver1# ifconfig vlan0 create
xenserver1# ifconfig vlan0 destroy
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff804dfaf5 cs e030 rflags 10206 cr2  7f7ff780d93f cpl 6 rsp ffffa00000d7d660
kernel: protection fault trap, code=0
Stopped in pid 436.1 (ifconfig) at      netbsd:nd6_purge+0xb5:  movl    14(%r12),%eax
nd6_purge() at netbsd:nd6_purge+0xb5
in6_ifdetach() at netbsd:in6_ifdetach+0x21
udp6_usrreq() at netbsd:udp6_usrreq+0x208
if_detach() at netbsd:if_detach+0x112
vlan_clone_destroy() at netbsd:vlan_clone_destroy+0x63
ifioctl() at netbsd:ifioctl+0x3c3
sys_ioctl() at netbsd:sys_ioctl+0x13c
syscall() at netbsd:syscall+0xc4
ds          a5c0
es          a788
fs          0
gs          0
rdi         ffffa000011bdd80
rsi         0
rbp         ffffa00000d7d680
rbx         ffffa00000eaf008
rdx         ffffffff803c8617    in6_purgeaddr
rcx         ffffa00000eaa5c0
rax         4
r8          ffffa00000eaf008
r9          ffffa00000eaa5c0
r10         ffffa000018d62c4
r11         2
r12         2687e94bad0e70d2
r13         0
r14         0
r15         0
rip         ffffffff804dfaf5    nd6_purge+0xb5
cs          e030
rflags      10206
rsp         ffffa00000d7d660
ss          e02b
netbsd:nd6_purge+0xb5:  movl    14(%r12),%eax
db>
****************


My assumption is that the kmem changes in that commit have exposed a
longer-standing bug.  Please note PR#45764, which is against 5.1, and looks
very similar to this.

>How-To-Repeat:

xenserver1# ifconfig vlan0 create
xenserver1# ifconfig vlan0 destroy
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff804dfaf5 cs e030 rflags 10206 cr2  7f7ff780d93f cpl 6 rsp ffffa00000d7d660
kernel: protection fault trap, code=0
Stopped in pid 436.1 (ifconfig) at      netbsd:nd6_purge+0xb5:  movl    14(%r12),%eax
nd6_purge() at netbsd:nd6_purge+0xb5
in6_ifdetach() at netbsd:in6_ifdetach+0x21
udp6_usrreq() at netbsd:udp6_usrreq+0x208
if_detach() at netbsd:if_detach+0x112
vlan_clone_destroy() at netbsd:vlan_clone_destroy+0x63
ifioctl() at netbsd:ifioctl+0x3c3
sys_ioctl() at netbsd:sys_ioctl+0x13c
syscall() at netbsd:syscall+0xc4
ds          a5c0
es          a788
fs          0
gs          0
rdi         ffffa000011bdd80
rsi         0
rbp         ffffa00000d7d680
rbx         ffffa00000eaf008
rdx         ffffffff803c8617    in6_purgeaddr
rcx         ffffa00000eaa5c0
rax         4
r8          ffffa00000eaf008
r9          ffffa00000eaa5c0
r10         ffffa000018d62c4
r11         2
r12         2687e94bad0e70d2
r13         0
r14         0
r15         0
rip         ffffffff804dfaf5    nd6_purge+0xb5
cs          e030
rflags      10206
rsp         ffffa00000d7d660
ss          e02b
netbsd:nd6_purge+0xb5:  movl    14(%r12),%eax
db>
>Fix:
        None given.

>Unformatted:
        
        

