Actions
Bug #14077
closed
Kernel panic from incoming IPv6 connections
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
23.05
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:
6100
Description
After upgrading to 23.01, the system crashes with the following test on a Netgate 6100:
- With a default configuration, download the following torrent file https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.1-x86_64-dvd.torrent (QNAP's Download Station was used in this case).
- The crash occurs seemingly randomly throughout the download - download speed is 1Gbps.
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 04
fault virtual address = 0x460
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80eb8606
stack pointer = 0x28:0xfffffe00107aa020
frame pointer = 0x28:0xfffffe00107aa020
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (if_io_tqg_0)
rdi: 0 rsi: 2 rdx: 1
rcx: 0 r8: 0 r9: 100000000000000
rax: 2 rbx: 0 rbp: fffffe00107aa020
r10: fffff8010f7de4f8 r11: 8 r12: fffffe00107aa088
r13: fffff8002ce71478 r14: 0 r15: fffff8002ce71400
trap number = 12
panic: page fault
cpuid = 0
time = 1677006198
KDB: enter: panic
db:1:pfs> bt
Tracing pid 0 tid 100007 td 0xfffffe0011f46720
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00107a9de0
vpanic() at vpanic+0x182/frame 0xfffffe00107a9e30
panic() at panic+0x43/frame 0xfffffe00107a9e90
trap_fatal() at trap_fatal+0x409/frame 0xfffffe00107a9ef0
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00107a9f50
calltrap() at calltrap+0x8/frame 0xfffffe00107a9f50
--- trap 0xc, rip = 0xffffffff80eb8606, rsp = 0xfffffe00107aa020, rbp = 0xfffffe00107aa020 ---
if_inc_counter() at if_inc_counter+0x6/frame 0xfffffe00107aa020
looutput() at looutput+0x4f/frame 0xfffffe00107aa050
ip6_forward() at ip6_forward+0x888/frame 0xfffffe00107aa150
pf_refragment6() at pf_refragment6+0x164/frame 0xfffffe00107aa1a0
pf_test6() at pf_test6+0x1380/frame 0xfffffe00107aa310
pf_check6_out() at pf_check6_out+0x40/frame 0xfffffe00107aa340
pfil_mbuf_out() at pfil_mbuf_out+0x35/frame 0xfffffe00107aa370
ip6_output() at ip6_output+0x1204/frame 0xfffffe00107aa5b0
icmp6_reflect() at icmp6_reflect+0x2dd/frame 0xfffffe00107aa660
icmp6_error() at icmp6_error+0x37c/frame 0xfffffe00107aa6d0
pf_route6() at pf_route6+0x7ff/frame 0xfffffe00107aa7b0
pf_test6() at pf_test6+0xce3/frame 0xfffffe00107aa930
pf_check6_out() at pf_check6_out+0x40/frame 0xfffffe00107aa960
pfil_mbuf_out() at pfil_mbuf_out+0x35/frame 0xfffffe00107aa990
ip6_forward() at ip6_forward+0x3f4/frame 0xfffffe00107aaa90
ip6_input() at ip6_input+0x9a4/frame 0xfffffe00107aab70
netisr_dispatch_src() at netisr_dispatch_src+0x2a6/frame 0xfffffe00107aabc0
ether_demux() at ether_demux+0x144/frame 0xfffffe00107aabf0
ether_nh_input() at ether_nh_input+0x353/frame 0xfffffe00107aac50
netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00107aaca0
ether_input() at ether_input+0x69/frame 0xfffffe00107aad00
iflib_rxeof() at iflib_rxeof+0xbdb/frame 0xfffffe00107aae00
_task_fn_rx() at _task_fn_rx+0x72/frame 0xfffffe00107aae40
gtaskqueue_run_locked() at gtaskqueue_run_locked+0x15d/frame 0xfffffe00107aaec0
gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xc3/frame 0xfffffe00107aaef0
fork_exit() at fork_exit+0x7e/frame 0xfffffe00107aaf30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00107aaf30
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
db:1:pfs> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0x28
rax 0x12
rcx 0x1
rdx 0x3f8
rbx 0x100
rsp 0xfffffe00107a9de0
rbp 0xfffffe00107a9de0
rsi 0
rdi 0x4
r8 0xfefefefefefefeff
r9 0x8080808080808080
r10 0xfffffe00107a9cc0
r11 0xcedfc2df9afff59c
r12 0x400
r13 0xfffffe00107a9f60
r14 0xfffffe00107a9e70
r15 0xfffffe0011f46720
rip 0xffffffff80dd82f2 kdb_enter+0x32
rflags 0x82
kdb_enter+0x32: movq $0,0x27bd313(%rip)
db:1:pfs> show pcpu
cpuid = 0
dynamic pcpu = 0x126d800
curthread = 0xfffffe0011f46720: pid 0 tid 100007 critnest 1 "if_io_tqg_0"
curpcb = 0xfffffe0011f46c40
fpcurthread = none
idlethread = 0xfffffe0011f483a0: tid 100003 "idle: cpu0"
self = 0xffffffff84610000
curpmap = 0xffffffff83549750
tssp = 0xffffffff84610384
rsp0 = 0xfffffe00107ab000
kcr3 = 0xffffffffffffffff
ucr3 = 0xffffffffffffffff
scr3 = 0x0
gs32p = 0xffffffff84610404
ldt = 0xffffffff84610444
tss = 0xffffffff84610434
curvnet = 0xfffff800011d0900
Related issues
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by
Actions