Bug 15709

Summary: rtfree()/rtrequest() kernel panic
Product: Base System Reporter: digital <digital>
Component: kernAssignee: dan <dan>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 3.4-STABLE   
Hardware: Any   
OS: Any   

Description digital 1999-12-27 03:40:01 UTC 
We have Zebra (Routing Daemon, http://www.zebra.org) installed on this
system.  Zebra is connected to two Routers by BGP,  approx 70k worth
of routes are installed in FreeBSD kernel.  After a few mins of the routes being imported into the kernel,  the system panics:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc013165c in at_shutdown (
    function=0xc0241b26 <__set_sysinit_set_sym_memdev_sys_init+1050>,
    arg=0xc82199c0, queue=-936989352) at ../../kern/kern_shutdown.c:446
#2  0xc01f1c65 in trap_fatal (frame=0xc826ad58, eva=8)
    at ../../i386/i386/trap.c:942
#3  0xc01f1943 in trap_pfault (frame=0xc826ad58, usermode=0, eva=8)
    at ../../i386/i386/trap.c:835
#4  0xc01f15e6 in trap (frame={tf_es = -937033712, tf_ds = -937033712,
      tf_edi = -1036505088, tf_esi = -1036505088, tf_ebp = -936989288,
      tf_isp = -936989312, tf_ebx = -1044579072, tf_edx = -1044579072,
      tf_ecx = -1041478888, tf_eax = 7, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072220146, tf_cs = 8, tf_eflags = 66199, tf_esp = 49153,
      tf_ss = -936989232}) at ../../i386/i386/trap.c:437
#5  0xc017380e in rtfree (rt=0xc1bcfd00) at ../../net/route.c:201
#6  0xc0173c13 in rtrequest (req=2, dst=0xc1bcfd5c, gateway=0xc1bcfd6c,
    netmask=0xc1bcfd7c, flags=49153, ret_nrt=0xc826ae08)
    at ../../net/route.c:509
#7  0xc0174977 in route_output (m=0xc0786000, so=0xc7d12820)
    at ../../net/rtsock.c:345
#8  0xc01735e2 in raw_usend (so=0xc7d12820, flags=0, m=0xc0786000, nam=0x0,     control=0x0, p=0xc82199c0) at ../../net/raw_usrreq.c:258
#9  0xc01746dc in rts_send (so=0xc7d12820, flags=0, m=0xc0786000, nam=0x0,     c
ontrol=0x0, p=0xc82199c0) at ../../net/rtsock.c:237
#10 0xc01494c6 in sosend (so=0xc7d12820, addr=0x0, uio=0xc826af10,
    top=0xc0786000, control=0x0, flags=0, p=0xc82199c0)
    at ../../kern/uipc_socket.c:530
#11 0xc013f404 in soo_write (fp=0xc1bdc7c0, uio=0xc826af10, cred=0xc1bd8a00,
    flags=0) at ../../kern/sys_socket.c:82
#12 0xc013c34e in dofilewrite (p=0xc82199c0, fp=0xc1bdc7c0, fd=5,
    buf=0xbfbfd838, nbyte=140, offset=-1, flags=0)
    at ../../kern/sys_generic.c:363
#13 0xc013c257 in write (p=0xc82199c0, uap=0xc826af94)
    at ../../kern/sys_generic.c:298
#14 0xc01f1ea7 in syscall (frame={tf_es = 134742055, tf_ds = -1078001625,
      tf_edi = -1077945632, tf_esi = -1077946172, tf_ebp = -1077945692,
      tf_isp = -936988700, tf_ebx = 16, tf_edx = -1077946312, tf_ecx = 0,
      tf_eax = 4, tf_trapno = 7, tf_err = 2, tf_eip = 671800936, tf_cs = 31,
      tf_eflags = 514, tf_esp = -1077946340, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#15 0xc01e55cc in Xint0x80_syscall ()
#16 0x804d132 in ?? ()
#17 0x804d16a in ?? ()                  
#18 0x804bcf5 in ?? ()
#19 0x8049688 in ?? ()
#20 0x80498f9 in ?? ()
#21 0x8054e6c in ?? ()
#22 0x804a591 in ?? ()
#23 0x8049565 in ?? ()

How-To-Repeat: Install the Zebra BGP4 daemon and peer with an Internet Router carrying
full routing table.  (We can do ebgp-multihop for full routes if you need to reproduce the problem in your enviornment). Access to our
machine is also available.
Comment 1 dan freebsd_committer freebsd_triage 1999-12-27 16:21:30 UTC 
Responsible Changed
From-To: freebsd-bugs->dan

I'll look after this
Comment 2 digital 1999-12-31 22:53:53 UTC 
More kernel panics on multiple systems running GateD on 3.4-STABLE:

(kgdb) exec kernel.1
(kgdb) core vmcore.1
IdlePTD 2936832
initial pcb at 25f88c
panicstr: rtfree
panic messages:
---
panic: rtfree

syncing disks... done

dumping to dev 20001, offset 0
dump 255 254 253 252 251 250 249 248 247 246 245 244 243 242 241 240 239 238 237
 236 235 234 233 232 231 230 229 228 227 226 225 224 223 222 221 220 219 218 217
 216 215 214 213 212 211 210 209 208 207 206 205 204 203 202 201 200 199 198 197
 196 195 194 193 192 191 190 189 188 187 186 185 184 183 182 181 180 179 178 177
 176 175 174 173 172 171 170 169 168 167 166 165 164 163 162 161 160 159 158 157
 156 155 154 153 152 151 150 149 148 147 146 145 144 143 142 141 140 139 138 137
 136 135 134 133 132 131 130 129 128 127 126 125 124 123 122 121 120 119 118 117
 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96
 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 6
9 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43
42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285     in ../../kern/kern_shutdown.c
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc013167c in at_shutdown (
    function=0xc0239b4e <__set_sysctl__debug_sym_sysctl___debug_if_tun_debug+934
>, arg=0x3, queue=-1071338044) at ../../kern/kern_shutdown.c:446
#2  0xc017384b in rtfree (rt=0xc3156d00) at ../../net/route.c:206
#3  0xc0173c33 in rtrequest (req=2, dst=0xc1f45640, gateway=0xc1f45650,
    netmask=0xc1f50d70, flags=3, ret_nrt=0x0) at ../../net/route.c:509
#4  0xc01791b1 in in_ifadownkill (rn=0xc1f57c00, xap=0xc024ae1c)
    at ../../netinet/in_rmx.c:390
#5  0xc01730a4 in rn_walktree (h=0xc1f20100, f=0xc017917c <in_ifadownkill>,
    w=0xc024ae1c) at ../../net/radix.c:959
#6  0xc01791f8 in in_ifadown (ifa=0xc1f27100) at ../../netinet/in_rmx.c:410
#7  0xc017d6ab in rip_ctlinput (cmd=0, sa=0xc1f27148, vip=0x0)
    at ../../netinet/raw_ip.c:408
#8  0xc0147225 in pfctlinput (cmd=0, sa=0xc1f27148)
    at ../../kern/uipc_domain.c:265
#9  0xc016b6bb in if_unroute (ifp=0xc028e344, flag=1, fam=0)
    at ../../net/if.c:414
#10 0xc016b747 in if_down (ifp=0xc028e344) at ../../net/if.c:449
#11 0xc022e7c0 in etp_linkdown ()
#12 0xc0231096 in cisco_notify ()
#13 0xc0234065 in etp_notify ()
#14 0xc023069c in hdlc_rcvhandler ()
#15 0xc02167fe in l3_rcvhandler ()
#16 0xc020fa1d in lind_event ()
#17 0xc0211810 in timer_cleanup ()
#18 0xc022e8dd in hdlc_timeout ()
#19 0xc0135eaa in softclock () at ../../kern/kern_timeout.c:132


And the other one:

IdlePTD 2936832
initial pcb at 25f88c
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x3030133
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0173850
stack pointer           = 0x10:0xc024ad90
frame pointer           = 0x10:0xc024ad94
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = net tty
trap number             = 12
panic: page fault

syncing disks... done

dumping to dev 20001, offset 0
dump 255 254 253 252 251 250 249 248 247 246 245 244 243 242 241 240 239 238 237
 236 235 234 233 232 231 230 229 228 227 226 225 224 223 222 221 220 219 218 217
 216 215 214 213 212 211 210 209 208 207 206 205 204 203 202 201 200 199 198 197
 196 195 194 193 192 191 190 189 188 187 186 185 184 183 182 181 180 179 178 177
 176 175 174 173 172 171 170 169 168 167 166 165 164 163 162 161 160 159 158 157
 156 155 154 153 152 151 150 149 148 147 146 145 144 143 142 141 140 139 138 137
 136 135 134 133 132 131 130 129 128 127 126 125 124 123 122 121 120 119 118 117
 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96
 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 6
9 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43
42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285     in ../../kern/kern_shutdown.c
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc013167c in at_shutdown (
    function=0xc0241c72 <__set_sysinit_set_sym_memdev_sys_init+1050>, arg=0x0,
    queue=12) at ../../kern/kern_shutdown.c:446
#2  0xc01f1d55 in trap_fatal (frame=0xc024ad54, eva=50528563)
    at ../../i386/i386/trap.c:942
#3  0xc01f1a33 in trap_pfault (frame=0xc024ad54, usermode=0, eva=50528563)
    at ../../i386/i386/trap.c:835
#4  0xc01f16d6 in trap (frame={tf_es = -1071382512, tf_ds = -1072234480,
      tf_edi = -1040913408, tf_esi = -1040913408, tf_ebp = -1071338092,
      tf_isp = -1071338116, tf_ebx = -1040972288, tf_edx = -1040972288,
      tf_ecx = -1041104564, tf_eax = 50528515, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072220080, tf_cs = 8, tf_eflags = 66178, tf_esp = 3,
      tf_ss = -1071338036}) at ../../i386/i386/trap.c:437
#5  0xc0173850 in rtfree (rt=0xc1f40600) at ../../net/route.c:212
#6  0xc0173c33 in rtrequest (req=2, dst=0xc1f438e0, gateway=0xc1f438f0,
    netmask=0xc1ea5940, flags=3, ret_nrt=0x0) at ../../net/route.c:509
#7  0xc01791b1 in in_ifadownkill (rn=0xc1f4ec00, xap=0xc024ae24)
    at ../../netinet/in_rmx.c:390
#8  0xc01730a4 in rn_walktree (h=0xc1f20100, f=0xc017917c <in_ifadownkill>,
    w=0xc024ae24) at ../../net/radix.c:959
#9  0xc01791f8 in in_ifadown (ifa=0xc1f27500) at ../../netinet/in_rmx.c:410
#10 0xc017d6ab in rip_ctlinput (cmd=0, sa=0xc1f27548, vip=0x0)
    at ../../netinet/raw_ip.c:408
#11 0xc0147225 in pfctlinput (cmd=0, sa=0xc1f27548)
    at ../../kern/uipc_domain.c:265
#12 0xc016b6bb in if_unroute (ifp=0xc028e344, flag=1, fam=0)
    at ../../net/if.c:414
#13 0xc016b747 in if_down (ifp=0xc028e344) at ../../net/if.c:449
#14 0xc022e7c0 in etp_linkdown ()
#15 0xc0230c63 in cisco_keepalive ()
#16 0xc0231060 in cisco_notify ()
#17 0xc0234065 in etp_notify ()
#18 0xc023069c in hdlc_rcvhandler ()
#19 0xc02167fe in l3_rcvhandler ()
#20 0xc020fa1d in lind_event ()
#21 0xc022e8fd in hdlc_timeout ()
#22 0xc0135eaa in softclock () at ../../kern/kern_timeout.c:132
Comment 3 dan freebsd_committer freebsd_triage 2000-02-08 16:53:07 UTC 
State Changed
From-To: open->closed

peter fixed this in all branches