kern/49682: reproducable panic when detaching bge (IPv6 related)

[martin%NetBSD.org@localhost]

>Number:         49682
>Category:       kern
>Synopsis:       reproducable panic when detaching bge (IPv6 related)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 20 14:00:00 +0000 2015
>Originator:     Martin Husemann
>Release:        NetBSD 7.99.5
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-owl.duskware.de 7.99.5 NetBSD 7.99.5 (NIGHT-OWL) #299: Fri Feb 20 09:55:15 CET 2015 martin%night-owl.duskware.de@localhost:/usr/src/sys/arch/amd64/compile/NIGHT-OWL amd64
Architecture: x86_64
Machine: amd64
>Description:

When shutting down this notebook I get (since a few weeks?) a reproducable
panic when bge0 tries to detach:

defrtlist_del+0x19
nd6_purge+0x14c
in6_ifdetach+0x21
udp6_purgeif_wrapper+0x35
if_detach+0x168
bge_detach

and this is:

(gdb) list *(nd6_purge+0x14c)
0xffffffff80539a8a is in nd6_purge (../../../../netinet6/nd6.c:774).
769             TAILQ_FOREACH_SAFE(dr, &nd_defrouter, dr_entry, ndr) {
770                     if (!dr->installed)
771                             continue;
772     
773                     if (dr->ifp == ifp)
774                             defrtrlist_del(dr);
775             }
776     
777             /* Nuke prefix list entries toward ifp */
778             LIST_FOREACH_SAFE(pr, &nd_prefix, ndpr_entry, npr) {

and there:

0xffffffff8053fc54 is in defrtrlist_del (../../../../netinet6/nd6_rtr.c:488).
483     }
484     
485     void
486     defrtrlist_del(struct nd_defrouter *dr)
487     {
488             struct nd_ifinfo *ndi = ND_IFINFO(dr->ifp);
489             struct nd_defrouter *deldr = NULL;
490             struct nd_prefix *pr;
491             struct in6_ifextra *ext = dr->ifp->if_afdata[AF_INET6];

to be exact:

(gdb) x/16i defrtrlist_del     
   0xffffffff8053fc3b <defrtrlist_del>: push   %rbp
   0xffffffff8053fc3c <defrtrlist_del+1>:       mov    %rsp,%rbp
   0xffffffff8053fc3f <defrtrlist_del+4>:       push   %r14
   0xffffffff8053fc41 <defrtrlist_del+6>:       push   %r13
   0xffffffff8053fc43 <defrtrlist_del+8>:       push   %r12
   0xffffffff8053fc45 <defrtrlist_del+10>:      push   %rbx
   0xffffffff8053fc46 <defrtrlist_del+11>:      mov    %rdi,%rbx
   0xffffffff8053fc49 <defrtrlist_del+14>:      mov    0x30(%rdi),%rax
   0xffffffff8053fc4d <defrtrlist_del+18>:      mov    0x2b0(%rax),%r13
   0xffffffff8053fc54 <defrtrlist_del+25>:      mov    0x10(%r13),%rdi

%r13 must be bogus.

#define ND_IFINFO(ifp) \
        (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->nd_ifinfo)

so the ->nd_ifinfo fails - how can this happen?

>How-To-Repeat:
Just run a machine with bge0 and configure IPv6 via dhcpcd - not sure why
my sparc64 machines with bge do not show the issue (but those use a static
IPv6 configuration).

>Fix:
n/a