Bug 205678 - [panic] Fatal trap 12: page fault while in kernel mode (in function rtsock_addrmsg)
Summary: [panic] Fatal trap 12: page fault while in kernel mode (in function rtsock_ad...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.2-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2015-12-29 01:46 UTC by Alexander
Modified: 2023-01-23 10:16 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander 2015-12-29 01:46:03 UTC 
I've used an openconnect to connect to my work via vpn.

tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1406
        options=80000<LINKSTATE>
        inet 10.21.9.162 --> 10.21.9.162 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 42635

every 30 minutes this connection disconnecting (for security reasons by server), and reinstalling again by cron.
Every 24 hours disconnecting this tunnel causes page fault in kernel in function: rtsock_addrmsg
/usr/src/sys/net/rtsock.c:line1345> info.rti_info[RTAX_IFP] = ifp->if_addr->ifa_addr;

logs contains:
Dec 29 03:43:36 rail devd: Processing event '!system=IFNET subsystem=tun1 type=DETACH'
Dec 29 03:43:36 rail kernel:
Dec 29 03:43:36 rail kernel:
Dec 29 03:43:36 rail kernel: Fatal trap 12: page fault while in kernel mode
Dec 29 03:43:36 rail devd: Pushing table
Dec 29 03:43:36 rail devd: Processing notify event
Dec 29 03:43:36 rail devd: Popping table
Dec 29 03:45:14 rail syslogd: restart

in core.txt:
Unread portion of the kernel message buffer:
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2593 (openconnect)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809960c0 at kdb_backtrace+0x60
#1 0xffffffff80959306 at vpanic+0x126
#2 0xffffffff809591d3 at panic+0x43
#3 0xffffffff80d8096b at trap_fatal+0x36b
#4 0xffffffff80d80c6d at trap_pfault+0x2ed
#5 0xffffffff80d8030a at trap+0x47a
#6 0xffffffff80d66682 at calltrap+0x8
#7 0xffffffff80a31767 at rtinit+0x5a7
#8 0xffffffff80a27e88 at tunclose+0x1c8
#9 0xffffffff80838403 at devfs_close+0x313
#10 0xffffffff80ea8861 at VOP_CLOSE_APV+0xa1
#11 0xffffffff80a0bcc3 at vn_close+0x133
#12 0xffffffff80a0ab08 at vn_closefile+0x48
#13 0xffffffff80839cfc at devfs_close_f+0x2c
#14 0xffffffff8090e749 at _fdrop+0x29
#15 0xffffffff80910fee at closef+0x21e
#16 0xffffffff8090eaf8 at closefp+0x98
#17 0xffffffff80d81287 at amd64_syscall+0x357
Uptime: 23h53m32s

my temporary patch:
-- info.rti_info[RTAX_IFP] = ifp->if_addr->ifa_addr;
++        if ( !sa )
++                return (EFAULT);
++
++        info.rti_info[RTAX_IFP] = ifp->if_addr->ifa_addr;
 

here is the backtrace:
(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:219
#1  0xffffffff80958f62 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:451
#2  0xffffffff80959345 in vpanic (fmt=<value optimized out>,
    ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:758
#3  0xffffffff809591d3 in panic (fmt=0x0)
    at /usr/src/sys/kern/kern_shutdown.c:687
#4  0xffffffff80d8096b in trap_fatal (frame=<value optimized out>,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:851
#5  0xffffffff80d80c6d in trap_pfault (frame=0xfffffe0072a68500,
    usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:674
#6  0xffffffff80d8030a in trap (frame=0xfffffe0072a68500)
    at /usr/src/sys/amd64/amd64/trap.c:440
#7  0xffffffff80d66682 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff80a32085 in rtsock_addrmsg (cmd=<value optimized out>,
    ifa=0xfffff800493bc400, fibnum=3) at /usr/src/sys/net/rtsock.c:1345
#9  0xffffffff80a31767 in rtinit (ifa=0xfffff800493bc400, cmd=2, flags=0)
    at /usr/src/sys/net/route.c:1701
#10 0xffffffff80a27e88 in tunclose (dev=<value optimized out>, foo=96, bar=3,
    td=0x0) at /usr/src/sys/net/if_tun.c:478
#11 0xffffffff80838403 in devfs_close (ap=0xfffffe0072a688e0)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:618
---Type <return> to continue, or q <return> to quit---
#12 0xffffffff80ea8861 in VOP_CLOSE_APV (vop=<value optimized out>,
    a=<value optimized out>) at vnode_if.c:535
#13 0xffffffff80a0bcc3 in vn_close (vp=0xfffff8005c97c938, flags=7,
    file_cred=0xfffff800504b3c00, td=0xfffff80012e9e4a0) at vnode_if.h:225
#14 0xffffffff80a0ab08 in vn_closefile (fp=0xfffff8004cbf0370,
    td=0xfffff80012e9e4a0) at /usr/src/sys/kern/vfs_vnops.c:1566
#15 0xffffffff80839cfc in devfs_close_f (fp=0xfffff8004cbf0370, td=0x60)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:637
#16 0xffffffff8090e749 in _fdrop (fp=0xfffff8004cbf0370, td=0x60) at file.h:343
#17 0xffffffff80910fee in closef (fp=<value optimized out>,
    td=<value optimized out>) at /usr/src/sys/kern/kern_descrip.c:2338
#18 0xffffffff8090eaf8 in closefp (fdp=0xfffff80012eff000,
    fd=<value optimized out>, fp=0xfffff8004cbf0370, td=0xfffff80012e9e4a0,
    holdleaders=<value optimized out>) at /usr/src/sys/kern/kern_descrip.c:1194
#19 0xffffffff80d81287 in amd64_syscall (td=0xfffff80012e9e4a0, traced=0)
    at subr_syscall.c:134
#20 0xffffffff80d6696b in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:396
#21 0x00000008031b9f2a in ?? ()
Previous frame inner to this frame (corrupt stack?)


This bug hasnt been occurs in FreeBSD8.3 RELEASE
Comment 1 Niclas Zeising freebsd_committer freebsd_triage 2019-07-10 08:56:28 UTC 
Is this still relevant?
Comment 2 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:17:45 UTC 
Keyword: 

    crash

– in lieu of summary line prefix: 

    [panic]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>