page fault on RELENG_6_1

I'm experiencing kernel panics , and trying to understand something
(not a real kernel hacker... I'm more near 'Hello World' programmer:)

I think there is something like a null-pointer each time, in nd6_output (crashes 2 and 3)

I'm not sure crash 4 is the same (look like http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/96413 )

Here are my dmesg, and some kgdb logs, hope I didn't forgot anything important...

The machine (via C7) is hosting some websites, some mails, is ipv6-enabled via gif tunnel, and use 2 openvpn instances.

Please cc my mail address.
--
___________________________________________________________
/ Geoffroy DESVERNAY | \
/\ `Service info` | Tel: (+33|0)4 91 05 45 24 /\
\/ Ecole Centrale de Marseille | Fax: (+33|0)4 91 05 45 98 \/
\ (ex-EGIM) | Mail: dgeo@xxxxxxxxxxxxxxx /
-----------------------------------------------------------


Dump header from device /dev/ad4s1b
Architecture: i386
Architecture Version: 2
Dump Length: 1056505856B (1007 MB)
Blocksize: 512
Dumptime: Sun Oct 8 01:03:32 2006
Hostname: box.dgeos.net
Magic: FreeBSD Kernel Dump
Version String: FreeBSD 6.1-RELEASE-p10 #0: Wed Oct 4 09:30:30 CEST 2006
root@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/BOX
Panic String: page fault
Dump Parity: 103186717
Bounds: 2
Dump Status: good

[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x24
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0515778
stack pointer = 0x28:0xe338d828
frame pointer = 0x28:0xe338d848
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 12 (swi1: net)
trap number = 12
panic: page fault
Uptime: 2d22h25m31s
Dumping 1007 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 1007MB (257776 pages) 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0 doadump () at pcpu.h:165
165 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) list *0xc0515778
0xc0515778 is in propagate_priority (/usr/src/sys/kern/subr_turnstile.c:241).
236 /*
237 * Pick up the lock that td is blocked on.
238 */
239 ts = td->td_blocked;
240 MPASS(ts != NULL);
241 tc = TC_LOOKUP(ts->ts_lockobj);
242 mtx_lock_spin(&tc->tc_lock);
243
244 /* Resort td on the list if needed. */
245 if (!turnstile_adjust_thread(ts, td)) {
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc04edbb7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2 0xc04edef9 in panic (fmt=0xc06c92d8 "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3 0xc06ac32c in trap_fatal (frame=0xe338d7e8, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4 0xc06ab9c4 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -995882752, tf_esi = -995882368, tf_ebp = -482813880, tf_isp = -482813932, tf_ebx = -995882752, tf_edx = -995882368, tf_ecx = -992324084, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068411016, tf_cs = 32, tf_eflags = 589954, tf_esp = -995882368, tf_ss = 40})
at /usr/src/sys/i386/i386/trap.c:269
#5 0xc0698a7a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6 0xc0515778 in propagate_priority (td=0xc4a40a80) at /usr/src/sys/kern/subr_turnstile.c:239
#7 0xc0515ff3 in turnstile_wait (lock=0xc4da560c, owner=0x0) at /usr/src/sys/kern/subr_turnstile.c:634
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da560c, tid=3299084544, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
#9 0xc05cc183 in nd6_output (ifp=0xc4b1d000, origifp=0x0, m0=0xc4f1f700, dst=0xc5185e1c, rt0=0xc4da59cc) at /usr/src/sys/netinet6/nd6.c:2004
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0, ifpp=0x0, inp=0xc4f81870) at /usr/src/sys/netinet6/ip6_output.c:994
#11 0xc05a7c77 in syncache_respond (sc=0xc8f8baf0, m=0xc4f1f700) at /usr/src/sys/netinet/tcp_syncache.c:1203
#12 0xc05a787b in syncache_add (inc=0xc520c1d0, to=0xe338dbb8, th=0x0, sop=0xe338db54, m=0xc4c8d000) at /usr/src/sys/netinet/tcp_syncache.c:1000
#13 0xc059e5b1 in tcp_input (m=0xc4c8d000, off0=40) at /usr/src/sys/netinet/tcp_input.c:976
#14 0xc059d82e in tcp6_input (mp=0x0, offp=0xe338dc30, proto=6) at /usr/src/sys/netinet/tcp_input.c:412
#15 0xc05c0a5b in ip6_input (m=0xc4c8d000) at /usr/src/sys/netinet6/ip6_input.c:789
#16 0xc0580849 in netisr_processqueue (ni=0xc0720a04) at /usr/src/sys/net/netisr.c:236
#17 0xc0580a59 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:343
#18 0xc04d34a8 in ithread_execute_handlers (p=0xc4a3f830, ie=0xc4a8f300) at /usr/src/sys/kern/kern_intr.c:684
#19 0xc04d3616 in ithread_loop (arg=0xc4a25640) at /usr/src/sys/kern/kern_intr.c:767
#20 0xc04d1f1f in fork_exit (callout=0xc04d35a0 <ithread_loop>, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:805
#21 0xc0698adc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) up 8
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da560c, tid=3299084544, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
565 turnstile_wait(&m->mtx_object, mtx_owner(m));
(kgdb) x/a 0xc4da560c
0xc4da560c: 0xc06f79c4
(kgdb) x/a 0xc06f79c4
0xc06f79c4 <lock_class_mtx_sleep>: 0xc06dd8bf
(kgdb) up
#9 0xc05cc183 in nd6_output (ifp=0xc4b1d000, origifp=0x0, m0=0xc4f1f700, dst=0xc5185e1c, rt0=0xc4da59cc) at /usr/src/sys/netinet6/nd6.c:2004
2004 RT_LOCK(rt);
(kgdb) upx/a 0xc4f1f700
0xc4f1f700: 0x0
(kgdb) up
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0, ifpp=0x0, inp=0xc4f81870) at /usr/src/sys/netinet6/ip6_output.c:994
994 error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
(kgdb) x/a 0xe338da44
0xe338da44: 0xc4da59cc
(kgdb) x/a 0xc4da59cc
0xc4da59cc: 0x0
(kgdb) up
#11 0xc05a7c77 in syncache_respond (sc=0xc8f8baf0, m=0xc4f1f700) at /usr/src/sys/netinet/tcp_syncache.c:1203
1203 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, inp);
(kgdb) x/a 0xc8f8baf0
0xc8f8baf0: 0x112
(kgdb) x/a 0x112
0x112: Cannot access memory at address 0x112
(kgdb) up
#12 0xc05a787b in syncache_add (inc=0xc520c1d0, to=0xe338dbb8, th=0x0, sop=0xe338db54, m=0xc4c8d000) at /usr/src/sys/netinet/tcp_syncache.c:1000
1000 if (syncache_respond(sc, m) == 0) {
(kgdb) x/a 0xc4c8d000
0xc4c8d000: 0x0
(kgdb) x/a 0xe338db54
0xe338db54: 0xc51f4858
(kgdb) x/a 0xc51f4858
0xc51f4858: 0x1
(kgdb) x/a 0xe338dbb8
0xe338dbb8: 0x131
(kgdb) x/a 0xc520c1d0
0xc520c1d0: 0x0
(kgdb) up
#13 0xc059e5b1 in tcp_input (m=0xc4c8d000, off0=40) at /usr/src/sys/netinet/tcp_input.c:976
976 if (!syncache_add(&inc, &to, th, &so, m))
(kgdb) x/a 0xc4c8d000
0xc4c8d000: 0x0
(kgdb) up
#14 0xc059d82e in tcp6_input (mp=0x0, offp=0xe338dc30, proto=6) at /usr/src/sys/netinet/tcp_input.c:412
412 tcp_input(m, *offp);
(kgdb) x/a 0xe338dc30
0xe338dc30: 0x28
(kgdb) up
#15 0xc05c0a5b in ip6_input (m=0xc4c8d000) at /usr/src/sys/netinet6/ip6_input.c:789
789 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
(kgdb) x/a 0xc4c8d000
0xc4c8d000: 0x0
(kgdb) up
#16 0xc0580849 in netisr_processqueue (ni=0xc0720a04) at /usr/src/sys/net/netisr.c:236
236 ni->ni_handler(m);
(kgdb) x/a 0xc0720a04
0xc0720a04 <netisrs+324>: 0xc05bfca0
(kgdb) up
#17 0xc0580a59 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:343
343 netisr_processqueue(ni);
(kgdb) up
#18 0xc04d34a8 in ithread_execute_handlers (p=0xc4a3f830, ie=0xc4a8f300) at /usr/src/sys/kern/kern_intr.c:684
684 ih->ih_handler(ih->ih_argument);
(kgdb) q

Dump header from device /dev/ad4s1b
Architecture: i386
Architecture Version: 2
Dump Length: 1056505856B (1007 MB)
Blocksize: 512
Dumptime: Wed Oct 11 11:45:12 2006
Hostname: box.dgeos.net
Magic: FreeBSD Kernel Dump
Version String: FreeBSD 6.1-RELEASE-p10 #0: Wed Oct 4 09:30:30 CEST 2006
root@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/BOX
Panic String: page fault
Dump Parity: 1789494557
Bounds: 3
Dump Status: good

[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x24
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0515778
stack pointer = 0x28:0xe338d828
frame pointer = 0x28:0xe338d848
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 12 (swi1: net)
trap number = 12
panic: page fault
Uptime: 3d10h40m6s
Dumping 1007 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 1007MB (257776 pages) 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0 doadump () at pcpu.h:165
165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc0515778
0xc0515778 is in propagate_priority (/usr/src/sys/kern/subr_turnstile.c:241).
236 /*
237 * Pick up the lock that td is blocked on.
238 */
239 ts = td->td_blocked;
240 MPASS(ts != NULL);
241 tc = TC_LOOKUP(ts->ts_lockobj);
242 mtx_lock_spin(&tc->tc_lock);
243
244 /* Resort td on the list if needed. */
245 if (!turnstile_adjust_thread(ts, td)) {
(kgdb) backtrace
#0 doadump () at pcpu.h:165
#1 0xc04edbb7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2 0xc04edef9 in panic (fmt=0xc06c92d8 "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3 0xc06ac32c in trap_fatal (frame=0xe338d7e8, eva=0)
at /usr/src/sys/i386/i386/trap.c:836
#4 0xc06ab9c4 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -995882752, tf_esi = -995882368, tf_ebp = -482813880, tf_isp = -482813932, tf_ebx = -995882752, tf_edx = -995882368, tf_ecx = -992312588, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068411016, tf_cs = 32, tf_eflags = 589954, tf_esp = -995882368, tf_ss = 40}) at /usr/src/sys/i386/i386/trap.c:269
#5 0xc0698a7a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6 0xc0515778 in propagate_priority (td=0xc4a40a80)
at /usr/src/sys/kern/subr_turnstile.c:239
#7 0xc0515ff3 in turnstile_wait (lock=0xc4da82f4, owner=0x0)
at /usr/src/sys/kern/subr_turnstile.c:634
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da82f4, tid=3299084544, opts=0, file=0x0, line=0)
at /usr/src/sys/kern/kern_mutex.c:565
#9 0xc05cc183 in nd6_output (ifp=0xc4b0c400, origifp=0x0, m0=0xc4dae200, dst=0xc4f6a9dc,
rt0=0xc4da89cc) at /usr/src/sys/netinet6/nd6.c:2004
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0,
ifpp=0x0, inp=0xc5041384) at /usr/src/sys/netinet6/ip6_output.c:994
#11 0xc05a7c77 in syncache_respond (sc=0xc91ff6a4, m=0xc4dae200)
at /usr/src/sys/netinet/tcp_syncache.c:1203
#12 0xc05a787b in syncache_add (inc=0xc5042910, to=0xe338dbb8, th=0x0, sop=0xe338db54,
m=0xc549d700) at /usr/src/sys/netinet/tcp_syncache.c:1000
#13 0xc059e5b1 in tcp_input (m=0xc549d700, off0=40)
at /usr/src/sys/netinet/tcp_input.c:976
#14 0xc059d82e in tcp6_input (mp=0x0, offp=0xe338dc30, proto=6)
at /usr/src/sys/netinet/tcp_input.c:412
#15 0xc05c0a5b in ip6_input (m=0xc549d700) at /usr/src/sys/netinet6/ip6_input.c:789
#16 0xc0580849 in netisr_processqueue (ni=0xc0720a04) at /usr/src/sys/net/netisr.c:236
#17 0xc0580a59 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:343
#18 0xc04d34a8 in ithread_execute_handlers (p=0xc4a3f830, ie=0xc4a8f300)
at /usr/src/sys/kern/kern_intr.c:684
#19 0xc04d3616 in ithread_loop (arg=0xc4a25640) at /usr/src/sys/kern/kern_intr.c:767
#20 0xc04d1f1f in fork_exit (callout=0xc04d35a0 <ithread_loop>, arg=0x0, frame=0x0)
at /usr/src/sys/kern/kern_fork.c:805
#21 0xc0698adc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) backtrace

(kgdb) list *0xc0515778

(kgdb) backtrace

(kgdb) backtrace

(kgdb) up 9
#9 0xc05cc183 in nd6_output (ifp=0xc4b0c400, origifp=0x0, m0=0xc4dae200, dst=0xc4f6a9dc,
rt0=0xc4da89cc) at /usr/src/sys/netinet6/nd6.c:2004
2004 RT_LOCK(rt);
(kgdb) frame frame->tf_ebp frame->tf_eipbt
#0 doadump () at pcpu.h:165
#1 0xc04edbb7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2 0xc04edef9 in panic (fmt=0xc06c92d8 "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3 0xc06ac32c in trap_fatal (frame=0xe338d7e8, eva=0)
at /usr/src/sys/i386/i386/trap.c:836
#4 0xc06ab9c4 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -995882752, tf_esi = -995882368, tf_ebp = -482813880, tf_isp = -482813932, tf_ebx = -995882752, tf_edx = -995882368, tf_ecx = -992312588, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068411016, tf_cs = 32, tf_eflags = 589954, tf_esp = -995882368, tf_ss = 40}) at /usr/src/sys/i386/i386/trap.c:269
#5 0xc0698a7a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6 0xc0515778 in propagate_priority (td=0xc4a40a80)
at /usr/src/sys/kern/subr_turnstile.c:239
#7 0xc0515ff3 in turnstile_wait (lock=0xc4da82f4, owner=0x0)
at /usr/src/sys/kern/subr_turnstile.c:634
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da82f4, tid=3299084544, opts=0, file=0x0, line=0)
at /usr/src/sys/kern/kern_mutex.c:565
#9 0xc05cc183 in nd6_output (ifp=0xc4b0c400, origifp=0x0, m0=0xc4dae200, dst=0xc4f6a9dc,
rt0=0xc4da89cc) at /usr/src/sys/netinet6/nd6.c:2004
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0,
ifpp=0x0, inp=0xc5041384) at /usr/src/sys/netinet6/ip6_output.c:994
#11 0xc05a7c77 in syncache_respond (sc=0xc91ff6a4, m=0xc4dae200)
at /usr/src/sys/netinet/tcp_syncache.c:1203
#12 0xc05a787b in syncache_add (inc=0xc5042910, to=0xe338dbb8, th=0x0, sop=0xe338db54,
m=0xc549d700) at /usr/src/sys/netinet/tcp_syncache.c:1000
#13 0xc059e5b1 in tcp_input (m=0xc549d700, off0=40)
at /usr/src/sys/netinet/tcp_input.c:976
#14 0xc059d82e in tcp6_input (mp=0x0, offp=0xe338dc30, proto=6)
at /usr/src/sys/netinet/tcp_input.c:412
#15 0xc05c0a5b in ip6_input (m=0xc549d700) at /usr/src/sys/netinet6/ip6_input.c:789
#16 0xc0580849 in netisr_processqueue (ni=0xc0720a04) at /usr/src/sys/net/netisr.c:236
#17 0xc0580a59 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:343
#18 0xc04d34a8 in ithread_execute_handlers (p=0xc4a3f830, ie=0xc4a8f300)
at /usr/src/sys/kern/kern_intr.c:684
#19 0xc04d3616 in ithread_loop (arg=0xc4a25640) at /usr/src/sys/kern/kern_intr.c:767
#20 0xc04d1f1f in fork_exit (callout=0xc04d35a0 <ithread_loop>, arg=0x0, frame=0x0)
at /usr/src/sys/kern/kern_fork.c:805
#21 0xc0698adc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) list 0xc05cc183
Function "0xc05cc183" not defined.
(kgdb) list *0xc05cc183
0xc05cc183 is in nd6_output (/usr/src/sys/netinet6/nd6.c:2005).
2000
2001 if (rt->rt_gwroute == 0)
2002 goto lookup;
2003 if (((rt = rt->rt_gwroute)->rt_flags & RTF_UP) == 0) {
2004 RT_LOCK(rt);
2005 rtfree(rt); rt = rt0;
2006 lookup:
2007 rt->rt_gwroute = rtalloc1(rt->rt_gateway, 1, 0UL);
2008 if ((rt = rt->rt_gwroute) == 0)
2009 senderr(EHOSTUNREACH);
(kgdb) f 9
#9 0xc05cc183 in nd6_output (ifp=0xc4b0c400, origifp=0x0, m0=0xc4dae200, dst=0xc4f6a9dc,
rt0=0xc4da89cc) at /usr/src/sys/netinet6/nd6.c:2004
2004 RT_LOCK(rt);
(kgdb) f 8
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da82f4, tid=3299084544, opts=0, file=0x0, line=0)
at /usr/src/sys/kern/kern_mutex.c:565
565 turnstile_wait(&m->mtx_object, mtx_owner(m));
(kgdb) f 10
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0,
ifpp=0x0, inp=0xc5041384) at /usr/src/sys/netinet6/ip6_output.c:994
994 error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
(kgdb) f 11
#11 0xc05a7c77 in syncache_respond (sc=0xc91ff6a4, m=0xc4dae200)
at /usr/src/sys/netinet/tcp_syncache.c:1203
1203 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, inp);
(kgdb) f 12
#12 0xc05a787b in syncache_add (inc=0xc5042910, to=0xe338dbb8, th=0x0, sop=0xe338db54,
m=0xc549d700) at /usr/src/sys/netinet/tcp_syncache.c:1000
1000 if (syncache_respond(sc, m) == 0) {
(kgdb) f 10
#10 0xc05c505b in ip6_output (m0=0xe338da44, opt=0x0, ro=0xe338da44, flags=0, im6o=0x0,
ifpp=0x0, inp=0xc5041384) at /usr/src/sys/netinet6/ip6_output.c:994
994 error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
(kgdb) i args
m0 = (struct mbuf *) 0xe338da44
opt = (struct ip6_pktopts *) 0x0
ro = (struct route_in6 *) 0xe338da44
flags = 0
im6o = (struct ip6_moptions *) 0x0
ifpp = (struct ifnet **) 0x0
inp = (struct inpcb *) 0xc5041384
(kgdb) f 11
#11 0xc05a7c77 in syncache_respond (sc=0xc91ff6a4, m=0xc4dae200)
at /usr/src/sys/netinet/tcp_syncache.c:1203
1203 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, inp);
(kgdb) i args
sc = (struct syncache *) 0xc91ff6a4
m = (struct mbuf *) 0xc4dae200
(kgdb) f 9
#9 0xc05cc183 in nd6_output (ifp=0xc4b0c400, origifp=0x0, m0=0xc4dae200, dst=0xc4f6a9dc,
rt0=0xc4da89cc) at /usr/src/sys/netinet6/nd6.c:2004
2004 RT_LOCK(rt);
(kgdb) i args
ifp = (struct ifnet *) 0xc4b0c400
origifp = (struct ifnet *) 0x0
m0 = (struct mbuf *) 0xc4dae200
dst = (struct sockaddr_in6 *) 0xc4f6a9dc
rt0 = (struct rtentry *) 0xc4da89cc
(kgdb) f 8
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da82f4, tid=3299084544, opts=0, file=0x0, line=0)
at /usr/src/sys/kern/kern_mutex.c:565
565 turnstile_wait(&m->mtx_object, mtx_owner(m));
(kgdb) i args
m = (struct mtx *) 0xc4da82f4
tid = 3299084544
opts = 0
file = 0x0
line = 0
(kgdb) f 8
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc4da82f4, tid=3299084544, opts=0, file=0x0, line=0)
at /usr/src/sys/kern/kern_mutex.c:565
565 turnstile_wait(&m->mtx_object, mtx_owner(m));
(kgdb) i args
m = (struct mtx *) 0xc4da82f4
tid = 3299084544
opts = 0
file = 0x0
line = 0
(kgdb) quit

Dump header from device /dev/ad4s1b
Architecture: i386
Architecture Version: 2
Dump Length: 1056505856B (1007 MB)
Blocksize: 512
Dumptime: Sat Nov 4 09:04:18 2006
Hostname: box.dgeos.net
Magic: FreeBSD Kernel Dump
Version String: FreeBSD 6.1-RELEASE-p10 #0: Wed Oct 4 09:30:30 CEST 2006
root@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/BOX
Panic String: page fault
Dump Parity: 3227378973
Bounds: 4
Dump Status: good

[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x24
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0515778
stack pointer = 0x28:0xe338db40
frame pointer = 0x28:0xe338db60
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = 12 (swi1: net)
trap number = 12
panic: page fault
Uptime: 23h57m45s
Dumping 1007 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 1007MB (257776 pages) 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0 doadump () at pcpu.h:165
165 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) list *0xc0515778
0xc0515778 is in propagate_priority (/usr/src/sys/kern/subr_turnstile.c:241).
236 /*
237 * Pick up the lock that td is blocked on.
238 */
239 ts = td->td_blocked;
240 MPASS(ts != NULL);
241 tc = TC_LOOKUP(ts->ts_lockobj);
242 mtx_lock_spin(&tc->tc_lock);
243
244 /* Resort td on the list if needed. */
245 if (!turnstile_adjust_thread(ts, td)) {
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc04edbb7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2 0xc04edef9 in panic (fmt=0xc06c92d8 "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3 0xc06ac32c in trap_fatal (frame=0xe338db00, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4 0xc06ab9c4 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -995882752, tf_esi = -995882368, tf_ebp = -482813088, tf_isp = -482813140, tf_ebx = -1066279568, tf_edx = -995882368, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068411016, tf_cs = 32, tf_eflags = 65666, tf_esp = -995882368, tf_ss = 40})
at /usr/src/sys/i386/i386/trap.c:269
#5 0xc0698a7a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6 0xc0515778 in propagate_priority (td=0xc4a40a80) at /usr/src/sys/kern/subr_turnstile.c:239
#7 0xc0515ff3 in turnstile_wait (lock=0xc0721e0c, owner=0x0) at /usr/src/sys/kern/subr_turnstile.c:634
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc0721e0c, tid=3299084544, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
#9 0xc05ac846 in udp_input (m=0xc4dfbe00, off=20) at /usr/src/sys/netinet/udp_usrreq.c:265
#10 0xc059579e in ip_input (m=0xc4dfbe00) at /usr/src/sys/netinet/ip_input.c:786
#11 0xc0580849 in netisr_processqueue (ni=0xc07208d8) at /usr/src/sys/net/netisr.c:236
#12 0xc0580aaf in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349
#13 0xc04d34a8 in ithread_execute_handlers (p=0xc4a3f830, ie=0xc4a8f300) at /usr/src/sys/kern/kern_intr.c:684
#14 0xc04d3616 in ithread_loop (arg=0xc4a25640) at /usr/src/sys/kern/kern_intr.c:767
#15 0xc04d1f1f in fork_exit (callout=0xc04d35a0 <ithread_loop>, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:805
#16 0xc0698adc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) up 7
#7 0xc0515ff3 in turnstile_wait (lock=0xc0721e0c, owner=0x0) at /usr/src/sys/kern/subr_turnstile.c:634
634 propagate_priority(td);
(kgdb) up
#8 0xc04e2ba4 in _mtx_lock_sleep (m=0xc0721e0c, tid=3299084544, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:565
565 turnstile_wait(&m->mtx_object, mtx_owner(m));
(kgdb) x/a 0xc0721e0c
0xc0721e0c <udbinfo+44>: 0xc06f79c4
(kgdb) up
#9 0xc05ac846 in udp_input (m=0xc4dfbe00, off=20) at /usr/src/sys/netinet/udp_usrreq.c:265
265 INP_INFO_RLOCK(&udbinfo);
(kgdb) x/a 0xc4dfbe00
0xc4dfbe00: 0x0
(kgdb) q

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.1-RELEASE-p10 #0: Wed Oct 4 09:30:30 CEST 2006
root@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/BOX
ACPI APIC Table: <P4M80P AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: VIA/IDT Unknown (1995.02-MHz 686-class CPU)
Origin = "CentaurHauls" Id = 0x6a9 Stepping = 9
Features=0xa7c9bbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CLFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,PBE>
Features2=0x181<SSE3,EST,TM2>
real memory = 1056899072 (1007 MB)
avail memory = 1025302528 (977 MB)
ioapic0 <Version 0.3> irqs 0-23 on motherboard
kbd1 at kbdmux0
PADLOCK: No ACE support.
module_register_init: MOD_LOAD (padlock, 0xc07f5740, 0) error 22
acpi0: <P4M80P AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <display, VGA> at device 0.0 (no driver attached)
vge0: <VIA Networking Gigabit Ethernet> port 0xfc00-0xfcff mem 0xfdfff000-0xfdfff0ff irq 18 at device 14.0 on pci0
miibus0: <MII bus> on vge0
ciphy0: <Cicada CS8201 10/100/1000TX PHY> on miibus0
ciphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
vge0: Ethernet address: 00:40:63:e5:ca:bc
atapci0: <VIA 6420 SATA150 controller> port 0xf800-0xf807,0xf400-0xf403,0xf000-0xf007,0xec00-0xec03,0xe800-0xe80f,0xe400-0xe4ff irq 20 at device 15.0 on pci0
ata2: <ATA channel 0> on atapci0
ata3: <ATA channel 1> on atapci0
atapci1: <VIA 8237 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xe000-0xe00f at device 15.1 on pci0
ata0: <ATA channel 0> on atapci1
ata1: <ATA channel 1> on atapci1
isab0: <PCI-ISA bridge> at device 17.0 on pci0
isa0: <ISA bus> on isab0
acpi_tz0: <Thermal Zone> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xd0000-0xd0fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
Timecounter "TSC" frequency 1995019998 Hz quality 800
Timecounters tick every 1.000 msec
ad4: 152627MB <Seagate ST3160812AS 3.AAE> at ata2-master SATA150
Trying to mount root from ufs:/dev/ad4s1a

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature