Subject: bug in sys/netinet/raw_ip.c
To: None <tech-net@NetBSD.ORG>
From: Francis Dupont <Francis.Dupont@inria.fr>
List: tech-net
Date: 03/04/1998 16:43:33
We've just found a nasty bug in ancillary data management for IP raw sockets.
It was in my IPv6 code but it is inherited from NetBSD code.
When two (or more) raw receivers ask to receive some options
(receiving interface, destination address, ...) in ancillary data
(aka control parameters), the kernel panics with receive 1
(receive queue empty when receive queue byte count not zero).
The problem is that the opts variable in the sys/netinet/raw_ip.c rip_input()
function must be reset to (struct mbuf *)0 after usage, for instance
just after the sorwakeup call line. In udp_usrreq, the udp_input() function
is very similar but correct.

Francis.Dupont@inria.fr

PS: I have more than 6500 unread mails in the NetBSD mailing lists, so
reply directly to me if needed.
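
The stale-pointer pattern reported above, as an added example that is not part of the original post and is not NetBSD source: a userland model in which one `opts` pointer outlives the loop iteration that queued it. All names (`ctl`, `rcvq`, `save_control`, `deliver`, `run_model`) are hypothetical, and the model assumes new control data is linked onto whatever `opts` already points to.

```c
#include <stdio.h>
#include <string.h>

struct ctl  { struct ctl *next; };       /* stands in for a control mbuf */
struct rcvq { struct ctl *control; };    /* stands in for a socket receive queue */

static struct ctl pool[4];               /* constructed sample storage */
static int used;

/* Assumption: control data is appended to the tail of the chain at *mp. */
static void save_control(struct ctl **mp)
{
    while (*mp != NULL)
        mp = &(*mp)->next;
    *mp = &pool[used++];
}

/* Deliver one packet to n receivers that all asked for ancillary data. */
static void deliver(struct rcvq *q, int n, int reset_after_use)
{
    struct ctl *opts = NULL;             /* lives across loop iterations */
    for (int i = 0; i < n; i++) {
        save_control(&opts);
        q[i].control = opts;             /* queue i now owns the chain */
        if (reset_after_use)
            opts = NULL;                 /* the fix: drop the pointer once queued */
    }
}

/* Returns 1 if two receive queues end up holding the same control buffer. */
static int run_model(int reset_after_use)
{
    struct rcvq q[2] = { { NULL }, { NULL } };
    memset(pool, 0, sizeof(pool));
    used = 0;
    deliver(q, 2, reset_after_use);
    for (struct ctl *a = q[0].control; a != NULL; a = a->next)
        for (struct ctl *b = q[1].control; b != NULL; b = b->next)
            if (a == b)
                return 1;                /* one buffer owned by two queues */
    return 0;
}

int main(void)
{
    printf("without reset: shared=%d\n", run_model(0));
    printf("with reset:    shared=%d\n", run_model(1));
    return 0;
}
```

Once two queues hold the same buffer, whichever reader frees it first leaves the other queue's accounting pointing at memory it no longer owns.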