Bug #13896


Panic: page fault with ipV6

Added by Grischa Zengel about 1 year ago. Updated about 1 year ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


The pfsense crashes if the pfsense gets a IPv6 subnet over a PPPoE interface.
The pfsense gets the subnet via DHCPv6 and delegates it to 2 VLANs.
Thees VLANs are managed as captive portal zones each.


<118>pfSense 2.7.0-DEVELOPMENT amd64 Sat Jan 14 02:41:40 UTC 2023
<118>Bootup complete
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:80b::200a, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:82a::200a, nxt 58, rcvif igb2.215, outif pppoe1
lock order reversal:
 1st 0xfffff8031035c590 lle (lle, rw) @ /var/jenkins/workspace/pfSense-CE-snapshots-master-main/sources/FreeBSD-src-devel-main/sys/netinet6/in6.c:2401
 2nd 0xfffffe0021f30270 nd6 list (nd6 list, rw) @ /var/jenkins/workspace/pfSense-CE-snapshots-master-main/sources/FreeBSD-src-devel-main/sys/netinet6/nd6_rtr.c:863
lock order nd6 list -> lle established at:
#0 0xffffffff80debf1d at witness_checkorder+0x32d
#1 0xffffffff80d74c97 at _rw_wlock_cookie+0x67
#2 0xffffffff810077ed at nd6_llinfo_timer+0x9d
#3 0xffffffff80d98ed1 at softclock_call_cc+0x151
#4 0xffffffff80d9a726 at softclock_thread+0xc6
#5 0xffffffff80d31dc0 at fork_exit+0x80
#6 0xffffffff813072de at fork_trampoline+0xe
lock order lle -> nd6 list attempted at:
#0 0xffffffff80dec7ed at witness_checkorder+0xbfd
#1 0xffffffff80d74c97 at _rw_wlock_cookie+0x67
#2 0xffffffff8100dce1 at defrouter_remove+0x41
#3 0xffffffff8100ab0d at nd6_na_input+0x97d
#4 0xffffffff80fdb7e4 at icmp6_input+0x8a4
#5 0xffffffff80ff53d3 at ip6_input+0xbc3
#6 0xffffffff80eea7a0 at netisr_dispatch_src+0x220
#7 0xffffffff80ec4e7c at ether_demux+0x17c
#8 0xffffffff80ec64f6 at ether_nh_input+0x3f6
#9 0xffffffff80eea62f at netisr_dispatch_src+0xaf
#10 0xffffffff80ec5339 at ether_input+0x99
#11 0xffffffff80ec4dcd at ether_demux+0xcd
#12 0xffffffff80ec64f6 at ether_nh_input+0x3f6
#13 0xffffffff80eea62f at netisr_dispatch_src+0xaf
#14 0xffffffff80ec5339 at ether_input+0x99
#15 0xffffffff80ee5ed4 at iflib_rxeof+0xdf4
#16 0xffffffff80edfeea at _task_fn_rx+0x7a
#17 0xffffffff80dc7917 at gtaskqueue_run_locked+0xa7
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2a00:1450:4001:80e::2014, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::648c:80ff:fea1:41bf, dst 2600:9000:21f3:ac00:13:48f8:7bc0:93a1, nxt 58, rcvif igb2.215, outif pppoe1
<7>cannot forward src fe80:13::7cec:b157:babc:971e, dst 2a00:1450:4001:809::200a, nxt 6, rcvif igb2.215, outif pppoe1

Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 10
fault virtual address    = 0x460
fault code        = supervisor read data, page not present
instruction pointer    = 0x20:0xffffffff80eb567d
stack pointer            = 0x28:0xfffffe00c86dc280
frame pointer            = 0x28:0xfffffe00c86dc280
code segment        = base 0x0, limit 0xfffff, type 0x1b
            = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 12 (swi1: netisr 2)
rdi:                0 rsi:                2 rdx:                1
rcx:                0  r8:                0  r9: 2c5f55feffefec3e
rax:                2 rbx: fffff801bbc95200 rbp: fffffe00c86dc280
r10:                1 r11:                0 r12: fffffe00c86dc2e8
r13: fffff801bbc95278 r14:                0 r15:                0
trap number        = 12
panic: page fault
cpuid = 2
time = 1674235212
KDB: enter: panic


db:0:kdb.enter.default>  bt
Tracing pid 12 tid 100039 td 0xfffffe0021fed000
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00c86dc040
vpanic() at vpanic+0x182/frame 0xfffffe00c86dc090
panic() at panic+0x43/frame 0xfffffe00c86dc0f0
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00c86dc150
trap_pfault() at trap_pfault+0xab/frame 0xfffffe00c86dc1b0
calltrap() at calltrap+0x8/frame 0xfffffe00c86dc1b0
--- trap 0xc, rip = 0xffffffff80eb567d, rsp = 0xfffffe00c86dc280, rbp = 0xfffffe00c86dc280 ---
if_inc_counter() at if_inc_counter+0xd/frame 0xfffffe00c86dc280
looutput() at looutput+0x64/frame 0xfffffe00c86dc2b0
ip6_forward() at ip6_forward+0x8cd/frame 0xfffffe00c86dc3b0
pf_refragment6() at pf_refragment6+0x174/frame 0xfffffe00c86dc400
pf_test6() at pf_test6+0xed6/frame 0xfffffe00c86dc570
pf_check6_out() at pf_check6_out+0x57/frame 0xfffffe00c86dc5a0
pfil_mbuf_out() at pfil_mbuf_out+0x55/frame 0xfffffe00c86dc5e0
ip6_output() at ip6_output+0x11e8/frame 0xfffffe00c86dc810
icmp6_reflect() at icmp6_reflect+0x2f7/frame 0xfffffe00c86dc8d0
icmp6_error() at icmp6_error+0x41a/frame 0xfffffe00c86dc940
pf_route6() at pf_route6+0xa91/frame 0xfffffe00c86dca10
pf_test6() at pf_test6+0xe47/frame 0xfffffe00c86dcb90
pf_check6_out() at pf_check6_out+0x57/frame 0xfffffe00c86dcbc0
pfil_mbuf_out() at pfil_mbuf_out+0x55/frame 0xfffffe00c86dcc00
ip6_forward() at ip6_forward+0x42f/frame 0xfffffe00c86dcd00
ip6_input() at ip6_input+0xc38/frame 0xfffffe00c86dcde0
swi_net() at swi_net+0x191/frame 0xfffffe00c86dce60
ithread_loop() at ithread_loop+0x279/frame 0xfffffe00c86dcef0
fork_exit() at fork_exit+0x80/frame 0xfffffe00c86dcf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00c86dcf30
--- trap 0x720061, rip = 0x20003000620061, rsp = 0x30003000300031, rbp = 0 ---


crash.txt (916 KB) crash.txt Marcos M, 01/24/2023 01:02 PM
Actions #1

Updated by Marcos M about 1 year ago

Does this happen without the Captive Portal configuration? It looks like IPv6 on Captive Portal isn't yet supported according to

Actions #2

Updated by Marcos M about 1 year ago

Actions #3

Updated by Grischa Zengel about 1 year ago

Even this is a pre-release, the Pfsense is used in production.
So I can't provoke a crash.

Since the crash is only while work time, I think there is one device which behave strange and provoke this crash.
I don't know this particular device and I can't move it to another VLAN without authorization.

Even captive portal couldn't handle IPv6, the Pfsense should never crash with page fault in kernel mode.


Also available in: Atom PDF