From frank@pinky.sax.de Tue Jun 5 09:05:43 2007
Return-Path:
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E2B3516A46B for ; Tue, 5 Jun 2007 09:05:42 +0000 (UTC) (envelope-from frank@pinky.sax.de)
Received: from pinky.frank-behrens.de (pinky.frank-behrens.de [82.139.199.24]) by mx1.freebsd.org (Postfix) with ESMTP id 1D03D13C46C for ; Tue, 5 Jun 2007 09:05:41 +0000 (UTC) (envelope-from frank@pinky.sax.de)
Received: from moon.behrens (localhost [127.0.0.1]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l558qnnR003339 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 5 Jun 2007 10:52:49 +0200 (CEST) (envelope-from frank@moon.behrens)
Received: (from frank@localhost) by moon.behrens (8.14.1/8.14.1/Submit) id l558qm7J003337; Tue, 5 Jun 2007 10:52:48 +0200 (CEST) (envelope-from frank)
Message-Id: <200706050852.l558qm7J003337@moon.behrens>
Date: Tue, 5 Jun 2007 10:52:48 +0200 (CEST)
From: Frank Behrens
To: FreeBSD-gnats-submit@freebsd.org
Subject: panic sbdrop after ICMP6, packet too big
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 113359
>Category: kern
>Synopsis: [ipv6] panic sbdrop after ICMP6, packet too big
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-net
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 05 09:10:12 GMT 2007
>Closed-Date: Sun Aug 26 17:53:56 GMT 2007
>Last-Modified: Sun Aug 26 17:53:56 GMT 2007
>Originator: Frank Behrens
>Release: FreeBSD 6.2-STABLE-200705211513 i386
>Organization:
>Environment:
System: FreeBSD moon.behrens 6.2-STABLE-200705211513 FreeBSD 6.2-STABLE-200705211513 #0: Tue Jun 5 09:07:43 CEST 2007

Custom kernel, Network Options:
options SMP
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security

Outgoing interface:
tun0: flags=8051 mtu 1456

>Description:
The machine panics with "sbdrop" after receiving ICMP6, packet too big.

ping6 -m -v -b 8000 -c 1 -s 1408 2a01:xxxx::xxxx
PING6(1456=40+8+1408 bytes) 2a01:yyyy::yyyy --> 2a01:xxxx::xxxx
new path MTU (1440) is notified

The exchanged packets are:
09:57:30.358528 IP6 (hlim 64, next-header: ICMPv6 (58), length: 1416) host > remote: [icmp6 sum ok] ICMP6, echo request, length 1416, seq 0
09:57:30.491101 IP6 (hlim 61, next-header: ICMPv6 (58), length: 1240) router > host: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1440

The panic is:
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc0525da1 in boot (howto=260) at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:409
#2 0xc052649b in panic (fmt=0xc075c5ba "sbdrop") at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:565
#3 0xc056dd40 in sbdrop_locked (sb=0xed1ba818, len=1316) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1103
#4 0xc056ecf8 in sbflush_locked (sb=0xed1ba818) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1070
#5 0xc056ed4d in sbrelease_locked (sb=0xed1ba818, so=0x0) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:569
#6 0xc056f502 in sbrelease (sb=0xed1ba818, so=0x0) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:582
#7 0xc056b838 in sorflush (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:1502
#8 0xc056bb20 in sofree (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:413
#9 0xc056c1e3 in soclose (so=0xc40cf590) at /data3/sources/fbsd6/sys/kern/uipc_socket.c:491
#10 0xc05576d9 in soo_close (fp=0xc3fd55e8, td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/sys_socket.c:317
#11 0xc04f86b7 in fdrop_locked (fp=0xc3fd55e8, td=0xc3cb3c00) at file.h:296
#12 0xc04f8b76 in closef (fp=0xc3fd55e8, td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_descrip.c:1954
#13 0xc04fa7d5 in fdfree (td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_descrip.c:1639
#14 0xc0505d43 in exit1 (td=0xc3cb3c00) at /data3/sources/fbsd6/sys/kern/kern_exit.c:273
#15 0xc052a416 in sigexit (td=0xc3cb3c00, sig=2) at /data3/sources/fbsd6/sys/kern/kern_sig.c:2459
#16 0xc052b10f in postsig (sig=2) at /data3/sources/fbsd6/sys/kern/kern_sig.c:2340
#17 0xc054d4b6 in ast (framep=0xed1bad38) at /data3/sources/fbsd6/sys/kern/subr_trap.c:270
#18 0xc06fd17d in doreti_ast () at /data3/sources/fbsd6/sys/i386/i386/exception.s:293
#19 0xed1bad38 in ?? ()
#20 0x0000003b in ?? ()
#21 0x0000003b in ?? ()
#22 0x0000003b in ?? ()
#23 0xbfbfe6e0 in ?? ()
#24 0xbfbfeaf0 in ?? ()
#25 0xbfbfe2e8 in ?? ()
#26 0xed1bad64 in ?? ()
#27 0xbfbfe6b0 in ?? ()
#28 0x00000c31 in ?? ()
#29 0x00000002 in ?? ()
#30 0x00000000 in ?? ()
#31 0x00000000 in ?? ()
#32 0x00000002 in ?? ()
#33 0x28175e03 in ?? ()
#34 0x00000033 in ?? ()
#35 0x00000202 in ?? ()
#36 0xbfbfe2dc in ?? ()
#37 0x0000003b in ?? ()
#38 0x00000000 in ?? ()
#39 0x00000000 in ?? ()
#40 0x00000000 in ?? ()
#41 0x00000000 in ?? ()
#42 0x35aab000 in ?? ()
#43 0xc3cb1c90 in ?? ()
#44 0xc3cb3c00 in ?? ()
#45 0xed1ba6ac in ?? ()
#46 0xed1ba694 in ?? ()
#47 0xc34e8a80 in ?? ()
#48 0xc053b8ef in sched_switch (td=0xbfbfeaf0, newtd=0xbfbfe6b0, flags=Cannot access memory at address 0xbfbfe2f8 ) at /data3/sources/fbsd6/sys/kern/sched_4bsd.c:973
Previous frame inner to this frame (corrupt stack?)
(kgdb) up
#1 0xc0525da1 in boot (howto=260) at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:409
409 doadump();
(kgdb) up
#2 0xc052649b in panic (fmt=0xc075c5ba "sbdrop") at /data3/sources/fbsd6/sys/kern/kern_shutdown.c:565
565 boot(bootopt);
(kgdb) up
#3 0xc056dd40 in sbdrop_locked (sb=0xed1ba818, len=1316) at /data3/sources/fbsd6/sys/kern/uipc_socket2.c:1103
1103 panic("sbdrop");
(kgdb) print *sb
$1 = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0,
    si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0, kl_unlock = 0, kl_locked = 0, kl_lockarg = 0x0},
    si_flags = 0},
  sb_mtx = {mtx_object = {lo_class = 0xc078e8a0, lo_name = 0xc075c534 "so_rcv", lo_type = 0xc075c534 "so_rcv",
      lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0},
    mtx_lock = 3284876288, mtx_recurse = 0},
  sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 1316, sb_hiwat = 8000,
  sb_mbcnt = 3072, sb_mbmax = 64000, sb_ctl = 76, sb_lowat = 1, sb_timeo = 0, sb_flags = 64}
(kgdb)

>How-To-Repeat:
ping6(8) to a host, where you get an "ICMP6, packet too big" answer.
>Fix:
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jun 7 23:37:04 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=113359

From: "Frank Behrens"
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:
Subject: Re: kern/113359: panic sbdrop after ICMP6, packet too big
Date: Sun, 26 Aug 2007 14:26:35 +0200

The bug is probably a duplicate of PR 99779 and was fixed on RELENG_6 with
src/sys/kern/uipc_socket.c: 1.280.

State-Changed-From-To: open->closed
State-Changed-By: remko
State-Changed-When: Sun Aug 26 17:53:54 UTC 2007
State-Changed-Why:
Duplicate of 99779, which was fixed on RELENG_6 with:
src/sys/kern/uipc_socket.c: 1.280
(thanks frank for the feedback!)

http://www.freebsd.org/cgi/query-pr.cgi?pr=113359
>Unformatted:
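
Added example, not part of the original PR and not FreeBSD source: a simplified userland model of why the dumped receive buffer (sb_mb = 0x0, sb_cc = 1316) cannot be flushed. It assumes the kernel routine panics when bytes remain to be dropped and no mbuf is left, as the panic at frame #3 suggests; model_sbdrop, sb_chain_bytes, flush_panics and sample are hypothetical names.

```c
/* Userland model, constructed for illustration; not FreeBSD kernel source. */
#include <stddef.h>
struct mbuf { struct mbuf *m_next, *m_nextpkt; unsigned m_len; };
struct sockbuf { struct mbuf *sb_mb; unsigned sb_cc, sb_mbcnt; };

/* Bytes actually reachable through the record and mbuf chains. */
static unsigned sb_chain_bytes(const struct mbuf *chain)
{
    unsigned total = 0;
    for (const struct mbuf *r = chain; r != NULL; r = r->m_nextpkt)
        for (const struct mbuf *m = r; m != NULL; m = m->m_next)
            total += m->m_len;
    return total;
}

/* Drop len bytes from the front. Returns 1 where the kernel would call
 * panic("sbdrop"): bytes are still owed but no mbuf is left to take them. */
static int model_sbdrop(struct sockbuf *sb, unsigned len)
{
    struct mbuf *m = sb->sb_mb, *next = m ? m->m_nextpkt : NULL;
    while (len > 0) {
        if (m == NULL) {
            if (next == NULL) return 1;
            m = next;
            next = m->m_nextpkt;
        } else if (m->m_len > len) {   /* partial mbuf: trim and stop */
            m->m_len -= len;
            sb->sb_cc -= len;
            break;
        } else {                       /* whole mbuf consumed */
            len -= m->m_len;
            sb->sb_cc -= m->m_len;
            m = m->m_next;
        }
    }
    if (m != NULL)
        m->m_nextpkt = next;
    sb->sb_mb = (m != NULL) ? m : next;
    return 0;
}

static struct mbuf sample = { NULL, NULL, 1316 };  /* constructed mbuf */
/* Flush as on socket close. chain = NULL, cc = 1316 is the dumped state. */
static int flush_panics(struct mbuf *chain, unsigned cc)
{
    struct sockbuf sb = { chain, cc, 3072 };
    return model_sbdrop(&sb, cc);
}
int main(void) { return sb_chain_bytes(NULL) || !flush_panics(NULL, 1316) || flush_panics(&sample, 1316); }
```

Comparing sb_chain_bytes() against sb_cc is the consistency check to apply when reading a dump like this one: here the counter claims 1316 bytes while the chain holds none.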