Bug #12548


Kernel panic in ``nd6_dad_timer()``

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.


I've hit this on my edge twice now on 22.01 snapshots, but I don't have a lead on a cause yet. The panics happened a while apart (Nov 12th and Nov 29th); there were a few interface events this morning as I had an issue on one of my WANs.

Panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 02
fault virtual address   = 0x10
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8105bbfb
stack pointer           = 0x0:0xfffffe00401f3b30
frame pointer           = 0x0:0xfffffe00401f3bc0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (swi4: clock (0))
trap number             = 12
panic: page fault
cpuid = 3
time = 1638192056
KDB: enter: panic


db:0:kdb.enter.default>  bt
Tracing pid 12 tid 100056 td 0xfffff8000546c000
kdb_enter() at kdb_enter+0x37/frame 0xfffffe00401f37f0
vpanic() at vpanic+0x197/frame 0xfffffe00401f3840
panic() at panic+0x43/frame 0xfffffe00401f38a0
trap_fatal() at trap_fatal+0x391/frame 0xfffffe00401f3900
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00401f3950
trap() at trap+0x286/frame 0xfffffe00401f3a60
calltrap() at calltrap+0x8/frame 0xfffffe00401f3a60
--- trap 0xc, rip = 0xffffffff8105bbfb, rsp = 0xfffffe00401f3b30, rbp = 0xfffffe00401f3bc0 ---
nd6_dad_timer() at nd6_dad_timer+0x4b/frame 0xfffffe00401f3bc0
softclock_call_cc() at softclock_call_cc+0x141/frame 0xfffffe00401f3c70
softclock() at softclock+0x79/frame 0xfffffe00401f3c90
ithread_loop() at ithread_loop+0x23c/frame 0xfffffe00401f3cf0
fork_exit() at fork_exit+0x7e/frame 0xfffffe00401f3d30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00401f3d30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---

Mateusz said he suspects it's fixed by

Actions #1

Updated by Jim Pingle over 2 years ago

  • Subject changed from Kernel panic in @nd6_dad_timer()@ to Kernel panic in ``nd6_dad_timer()``
Actions #2

Updated by Jim Pingle over 2 years ago

  • Description updated (diff)
  • Assignee set to Mateusz Guzik

Fixed review link in description to be

Mateusz said he'll look into it.

Actions #3

Updated by Mateusz Guzik over 2 years ago

I applied the change on top of devel-12 (needed minor editing because the patch somehow failed to apply some of it).

Add nd6_ifinfo() function to do basic checks to avoid NULL pointer dereference

Patch by ae@ posted at

Direct commit as the patch is not going to go into main, which instead
is going to get an invasive solution not fit for MFC.

Jim Pingle sanity-tested IPv6 with a kernel containing the change and it works fine.

Reproducing the particular problem was not attempted, but the code adds a NULL check in the problematic func so it definitely sorts it out.
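The following is an added illustration of the shape of the bug as this thread describes it (a softclock callout in the DAD path reading through a NULL per-interface ND pointer, and a checked accessor in the spirit of the nd6_ifinfo() fix that lets the timer bail out instead). It is not pfSense or FreeBSD code: the struct layout, the _x-suffixed type names, dad_timer_step(), in6_detach() and the AF_INET6_X index are all assumptions made for the example; the real nd_ifinfo layout and the real nd6_ifinfo() are not reproduced here.

```c
/* Added example, not FreeBSD or pfSense code.  A timer callback runs after an
 * interface event tore down the interface's IPv6 state, so the ND info slot is
 * NULL and the first field read at a small offset faults at that offset. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-interface IPv6 ND state (stand-in for nd_ifinfo).
 * The field the timer needs sits 16 bytes in, so a read through a NULL
 * pointer produces a fault virtual address of 0x10, as in the panic above. */
struct nd_ifinfo_x {
    uint32_t linkmtu;
    uint32_t maxmtu;
    uint32_t basereachable;
    uint32_t reachable;
    uint32_t retrans;       /* offset 0x10: what the DAD timer reads */
    uint32_t flags;
};

enum { AF_INET6_X = 28 };   /* FreeBSD's AF_INET6 value, used only as an index here */

/* Hypothetical interface; the real ifnet keeps per-family data in if_afdata[]. */
struct ifnet_x {
    const char *if_xname;
    void *if_afdata[32];
};

/* Unchecked accessor: the pattern that faults, a macro-style blind cast. */
static inline struct nd_ifinfo_x *nd_ifinfo_unchecked(struct ifnet_x *ifp)
{
    return (struct nd_ifinfo_x *)ifp->if_afdata[AF_INET6_X];
}

/* Checked accessor in the spirit of the fix: returns NULL when the interface
 * or its IPv6 state is gone, so the caller can stop instead of dereferencing. */
static inline struct nd_ifinfo_x *nd_ifinfo_checked(struct ifnet_x *ifp)
{
    if (ifp == NULL)
        return NULL;
    return (struct nd_ifinfo_x *)ifp->if_afdata[AF_INET6_X];
}

/* One step of a DAD timer: returns the retrans interval to rearm with,
 * or -1 when the interface lost its IPv6 state and DAD must be abandoned. */
long dad_timer_step(struct ifnet_x *ifp)
{
    struct nd_ifinfo_x *ndi = nd_ifinfo_checked(ifp);
    if (ndi == NULL)
        return -1;
    return ndi->retrans;
}

/* Fault address the unchecked accessor would produce on a NULL slot. */
uintptr_t expected_fault_address(void)
{
    return (uintptr_t)offsetof(struct nd_ifinfo_x, retrans);
}

/* Models the interface event that clears the per-AF data while a callout is pending. */
void in6_detach(struct ifnet_x *ifp)
{
    ifp->if_afdata[AF_INET6_X] = NULL;
}

int main(void)
{
    struct nd_ifinfo_x ndi = { .retrans = 1000 };
    struct ifnet_x ifp = { .if_xname = "igb0" };
    ifp.if_afdata[AF_INET6_X] = &ndi;

    /* Both forms agree while the IPv6 state is attached. */
    printf("unchecked retrans: %u\n", nd_ifinfo_unchecked(&ifp)->retrans);
    printf("checked retrans:   %ld\n", dad_timer_step(&ifp));

    in6_detach(&ifp);   /* the race: state goes away before the callout fires */
    printf("after detach, checked path returns: %ld\n", dad_timer_step(&ifp));
    printf("unchecked path would fault at address 0x%lx\n",
           (unsigned long)expected_fault_address());
    return 0;
}
```

The checked accessor only closes the NULL window; it does not by itself make the callout safe against the slot being freed and reused between the check and the read, which is the kind of ordering problem the commit message alludes to when it says main gets a more invasive solution.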

Actions #4

Updated by Mateusz Guzik over 2 years ago

  • Status changed from New to Resolved

Pushed to devel-12 and plus-devel-12.
