NetBSD Problem Report #49956

From bouyer@antioche.lip6.fr  Tue Jun  9 13:35:48 2015
Return-Path: <bouyer@antioche.lip6.fr>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 6F1ACA6551
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  9 Jun 2015 13:35:48 +0000 (UTC)
Message-Id: <201506091335.t59DZeDB012390@antioche.lip6.fr>
Date: Tue, 9 Jun 2015 15:35:40 +0200 (MEST)
From: bouyer@antioche.eu.org
Reply-To: bouyer@antioche.eu.org
To: gnats-bugs@NetBSD.org
Subject: netbsd-7 panics, ipv6-related
X-Send-Pr-Version: 3.95

>Number:         49956
>Category:       kern
>Synopsis:       IPF: netbsd-7 panics, ipv6-related
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 09 13:40:01 +0000 2015
>Last-Modified:  Sun Feb 25 17:16:40 +0000 2018
>Originator:     Manuel Bouyer
>Release:        NetBSD 7.0_BETA
>Organization:
>Environment:
System: NetBSD antioche.lip6.fr 7.0_BETA NetBSD 7.0_BETA (ANTIOCHE7-64) #0: Thu Feb 12 09:58:20 CET 2015 bouyer@hop:/dsk/l1/misc/bouyer/tmp/amd64/obj/dsk/l1/misc/bouyer/netbsd-7/src/sys/arch/amd64/compile/ANTIOCHE7-64 amd64
Architecture: x86_64
Machine: amd64
>Description:
	I've seen this several times now, on the host running mainly 
	*.fr.netbsd.org:
panic: kernel diagnostic assertion "(m)->m_type != MT_FREE" failed: file "/dsk/l1/misc/bouyer/netbsd-7/src/sys/kern/uipc_mbuf.c", line 652 
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x13c
kern_assert() at netbsd:kern_assert+0x4f
m_freem() at netbsd:m_freem+0xa7
ipf_fastroute() at netbsd:ipf_fastroute+0x397
ipf_send_ip() at netbsd:ipf_send_ip+0x13c
ipf_send_icmp_err() at netbsd:ipf_send_icmp_err+0x1fa
ipf_check() at netbsd:ipf_check+0x88c
pfil_run_hooks() at netbsd:pfil_run_hooks+0xc4
ip6_input() at netbsd:ip6_input+0x1bb
ip6intr() at netbsd:ip6intr+0x45
softint_dispatch() at netbsd:softint_dispatch+0xd3
DDB lost frame for netbsd:Xsoftintr+0x4f, trying 0xfffffe810e95eff0
Xsoftintr() at netbsd:Xsoftintr+0x4f
--- interrupt ---

This could mean that the mbuf is freed twice.


>How-To-Repeat:
	run a ipv6-connected netbsd-7 host with ipf enabled and 
	'return-icmp' rules ?
>Fix:
	workaround: I removed "return-icmp" from my ipf6.conf for now,
	I don't know yet if this fixes the issue

>Release-Note:

>Audit-Trail:

>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.