Page fault in rt_newaddrmsg on gif0 destruction

Hello,

since I updated kernel + world two days ago, I get a reproducible panic
on system shutdown. It seems to happen when gif0 is destroyed. 
Is there anything I could do to help debugging this problem?

Regards,
Andreas Kohn


--- 
This GDB was configured as "i386-undermydesk-freebsd"...
panic: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc058a8cd
stack pointer           = 0x10:0xd2a85a7c
frame pointer           = 0x10:0xd2a85ac0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2772 (ifconfig)
trap number             = 12
panic: page fault
at line 815 in file /usr/src/sys/i386/i386/trap.c

---
(kgdb) bt full
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:236
No locals.
#1  0xc05203ae in boot (howto=16640) at
/usr/src/sys/kern/kern_shutdown.c:370
No locals.
#2  0xc0520689 in __panic () at /usr/src/sys/kern/kern_shutdown.c:548
        td = (struct thread *) 0xc2d95e70
        bootopt = 256
        newpanic = 0
        ap = 0xd2a859bc "fZmˢ
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc0680fb6 in trap_fatal (frame=0xd2a85a3c, eva=0)
    at /usr/src/sys/i386/i386/trap.c:815
        code = 16
        type = 12
        ss = 16
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, 
  ssd_dpl = 0, ssd_p = 1, ssd_xx = 1, ssd_xx1 = 0, ssd_def32 = 1,
ssd_gran = 1}
#4  0xc0680d0f in trap_pfault (frame=0xd2a85a3c, usermode=0, eva=0)
    at /usr/src/sys/i386/i386/trap.c:733
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0x1
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc2d95e70
        p = (struct proc *) 0xc2f5c1b8
#5  0xc0680985 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1051668736, tf_esi
= 2, tf_ebp = -760718656, tf_isp = -760718744, tf_ebx = 2, tf_edx =
-1051799040, tf_ecx = 13, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip
= -1067931443, tf_cs = 8, tf_eflags = 66050, tf_esp = -1027659776, tf_ss
= -1027084640})
    at /usr/src/sys/i386/i386/trap.c:420
        td = (struct thread *) 0xc2d95e70
        p = (struct proc *) 0xc2f5c1b8
        sticks = 3243296768
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 0
#6  0xc058a8cd in rt_newaddrmsg (cmd=2, ifa=0xc2c7ee00, error=0,
rt=0xc2dad600)
    at /usr/src/sys/net/rtsock.c:815
        ifam = (struct ifa_msghdr *) 0x0
        ncmd = 0
        info = {rti_addrs = 0, rti_info = {0x0, 0x0, 0x0, 0x0, 0x0, 
    0xc2c7eea0, 0x0, 0x0}, rti_flags = 0, rti_ifa = 0x0, rti_ifp = 0x0}
        sa = (struct sockaddr *) 0xc2c7eea0
        pass = 2
        m = (struct mbuf *) 0xc150cf00
        ifp = (struct ifnet *) 0xc2bf2800
#7  0xc05895a3 in rtinit (ifa=0xc2c7ee00, cmd=2, flags=4)
    at /usr/src/sys/net/route.c:1220
        dst = (struct sockaddr *) 0xc2c7eed8
        netmask = (struct sockaddr *) 0x0
        m = (struct mbuf *) 0x0
        rt = (struct rtentry *) 0xc2dad600
        info = {rti_addrs = 0, rti_info = {0xc2c7eed8, 0xc2c7eea0, 0x0,
0x0, 
    0x0, 0x0, 0x0, 0x0}, rti_flags = 5, rti_ifa = 0xc2c7ee00, rti_ifp =
0x0}
        error = 0
#8  0xc05bcdf7 in in6_purgeaddr (ifa=0x0) at
/usr/src/sys/netinet6/in6.c:1111
        e = 0
        ifp = (struct ifnet *) 0xc2bf2800
        ia = (struct in6_ifaddr *) 0xc2c7ee00
#9  0xc057f6e3 in if_detach (ifp=0xc2bf2800) at
/usr/src/sys/net/if.c:553
        ifa = (struct ifaddr *) 0xc2c7ee00
        next = (struct ifaddr *) 0xc2f1e600
        rnh = (struct radix_node_head *) 0xc2c7ee00
        i = 4
        dp = (struct domain *) 0xc2c7ee00
#10 0xc0583144 in gif_destroy (sc=0xc2bf2800) at
/usr/src/sys/net/if_gif.c:206
        ifp = (struct ifnet *) 0xc2bf2800
#11 0xc05831f2 in gif_clone_destroy (ifp=0x0) at
/usr/src/sys/net/if_gif.c:220
        sc = (struct gif_softc *) 0xc2bf2800
#12 0xc057fc38 in if_clone_destroy (name=0xd2a85c60 "gif0")
    at /usr/src/sys/net/if.c:752
        ifc = (struct if_clone *) 0xc07153c0
        ifp = (struct ifnet *) 0xc2bf2800
        bytoff = 0
        bitoff = -1027659776
        unit = 0
#13 0xc0580fbe in ifioctl (so=0xc2f383c0, cmd=2149607801, 
    data=0xd2a85c60 "gif0", td=0xc2d95e70) at /usr/src/sys/net/if.c:1529
        ifp = (struct ifnet *) 0x20
        ifr = (struct ifreq *) 0xd2a85c60
        error = -1025941904
        oif_flags = -1027863552
#14 0xc0547f29 in soo_ioctl (fp=0x0, cmd=0, data=0xd2a85c60, 
    active_cred=0xc14f8d80, td=0xc2d95e70)
    at /usr/src/sys/kern/sys_socket.c:176
        so = (struct socket *) 0x0
#15 0xc05430da in ioctl (td=0xc2d95e70, uap=0xd2a85d14)
    at /usr/src/sys/sys/file.h:257
        fp = (struct file *) 0xc2dd52a8
        fdp = (struct filedesc *) 0x0
        com = 2149607801
        error = 0
        size = 32
        data = 0xd2a85c60 "gif0"
        memp = 0x0
        tmp = -1067890175
        ubuf = {
  stkbuf = "gif0", '\0' <repeats 13 times>, "\002", '\0' <repeats 14
times>, "ÀÜ203óÂ
ÚóÀú_at_lÀÀ\203óÂTgqÀ´\\¨Ò~TUÀÀ\203óÂ\0\0\0\0¨ÒÝÂP\202NÁÄ\\¨ÒýÕPÀ¨RÝÂp^ÙÂ\0¬ºÃÜ0\0\0\0ìÜ\¨Ò¸ÁõÂp^ÙÂèÜ\¨ÒY\017TÀð^Ù¸ÁõÂ", align = 812018023}
#16 0xc06812a7 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 1, tf_esi =
-1077940564, tf_ebp = -1077940888, tf_isp = -760717964, tf_ebx =
134872720, tf_edx = 134985389, tf_ecx = 0, tf_eax = 54, tf_trapno = 12,
tf_err = 2, tf_eip = 134538743, tf_cs = 31, tf_eflags = 646, tf_esp =
-1077940916, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1004
        params = 0xbfbfed50---Can't read userspace from dump, or kernel
process---

(kgdb) frame 6
#6  0xc058a8cd in rt_newaddrmsg (cmd=2, ifa=0xc2c7ee00, error=0,
rt=0xc2dad600)
    at /usr/src/sys/net/rtsock.c:815
815                             info.rti_info[RTAX_IFP] =