From nobody@FreeBSD.ORG  Sun Dec 26 19:30:54 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 496DE14E58; Sun, 26 Dec 1999 19:30:54 -0800 (PST)
Message-Id: <19991227033054.496DE14E58@hub.freebsd.org>
Date: Sun, 26 Dec 1999 19:30:54 -0800 (PST)
From: digital@stealth.net
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: rtfree()/rtrequest() kernel panic
X-Send-Pr-Version: www-1.0

>Number:         15709
>Category:       kern
>Synopsis:       rtfree()/rtrequest() kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 26 19:40:01 PST 1999
>Closed-Date:    Tue Feb 8 08:53:07 PST 2000
>Last-Modified:  Tue Feb  8 08:53:32 PST 2000
>Originator:     Shrihari Pandit
>Release:        3.4-STABLE (1999-12-25)
>Organization:
Stealth Communications, Inc.
>Environment:
FreeBSD c3.ny1 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 25 15:36:55 EST 1999

>Description:
We have Zebra (routing daemon, http://www.zebra.org) installed on this
system.  Zebra is connected to two routers by BGP, and approximately 70k
routes are installed in the FreeBSD kernel.  After a few minutes of the
routes being imported into the kernel, the system panics:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc013165c in at_shutdown (
    function=0xc0241b26 <__set_sysinit_set_sym_memdev_sys_init+1050>,
    arg=0xc82199c0, queue=-936989352) at ../../kern/kern_shutdown.c:446
#2  0xc01f1c65 in trap_fatal (frame=0xc826ad58, eva=8)
    at ../../i386/i386/trap.c:942
#3  0xc01f1943 in trap_pfault (frame=0xc826ad58, usermode=0, eva=8)
    at ../../i386/i386/trap.c:835
#4  0xc01f15e6 in trap (frame={tf_es = -937033712, tf_ds = -937033712,
      tf_edi = -1036505088, tf_esi = -1036505088, tf_ebp = -936989288,
      tf_isp = -936989312, tf_ebx = -1044579072, tf_edx = -1044579072,
      tf_ecx = -1041478888, tf_eax = 7, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072220146, tf_cs = 8, tf_eflags = 66199, tf_esp = 49153,
      tf_ss = -936989232}) at ../../i386/i386/trap.c:437
#5  0xc017380e in rtfree (rt=0xc1bcfd00) at ../../net/route.c:201
#6  0xc0173c13 in rtrequest (req=2, dst=0xc1bcfd5c, gateway=0xc1bcfd6c,
    netmask=0xc1bcfd7c, flags=49153, ret_nrt=0xc826ae08)
    at ../../net/route.c:509
#7  0xc0174977 in route_output (m=0xc0786000, so=0xc7d12820)
    at ../../net/rtsock.c:345
#8  0xc01735e2 in raw_usend (so=0xc7d12820, flags=0, m=0xc0786000, nam=0x0,
    control=0x0, p=0xc82199c0) at ../../net/raw_usrreq.c:258
#9  0xc01746dc in rts_send (so=0xc7d12820, flags=0, m=0xc0786000, nam=0x0,
    control=0x0, p=0xc82199c0) at ../../net/rtsock.c:237
#10 0xc01494c6 in sosend (so=0xc7d12820, addr=0x0, uio=0xc826af10,
    top=0xc0786000, control=0x0, flags=0, p=0xc82199c0)
    at ../../kern/uipc_socket.c:530
#11 0xc013f404 in soo_write (fp=0xc1bdc7c0, uio=0xc826af10, cred=0xc1bd8a00,
    flags=0) at ../../kern/sys_socket.c:82
#12 0xc013c34e in dofilewrite (p=0xc82199c0, fp=0xc1bdc7c0, fd=5,
    buf=0xbfbfd838, nbyte=140, offset=-1, flags=0)
    at ../../kern/sys_generic.c:363
#13 0xc013c257 in write (p=0xc82199c0, uap=0xc826af94)
    at ../../kern/sys_generic.c:298
#14 0xc01f1ea7 in syscall (frame={tf_es = 134742055, tf_ds = -1078001625,
      tf_edi = -1077945632, tf_esi = -1077946172, tf_ebp = -1077945692,
      tf_isp = -936988700, tf_ebx = 16, tf_edx = -1077946312, tf_ecx = 0,
      tf_eax = 4, tf_trapno = 7, tf_err = 2, tf_eip = 671800936, tf_cs = 31,
      tf_eflags = 514, tf_esp = -1077946340, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#15 0xc01e55cc in Xint0x80_syscall ()
#16 0x804d132 in ?? ()
#17 0x804d16a in ?? ()                  
#18 0x804bcf5 in ?? ()
#19 0x8049688 in ?? ()
#20 0x80498f9 in ?? ()
#21 0x8054e6c in ?? ()
#22 0x804a591 in ?? ()
#23 0x8049565 in ?? () 
>How-To-Repeat:
Install the Zebra BGP4 daemon and peer with an Internet router carrying
a full routing table.  (We can do ebgp-multihop for full routes if you
need to reproduce the problem in your environment.)  Access to our
machine is also available.
>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dan 
Responsible-Changed-By: dan 
Responsible-Changed-When: Mon Dec 27 08:21:30 PST 1999 
Responsible-Changed-Why:  
I'll look after this 

From: Shrihari Pandit <digital@stealth.net>
To: freeBSD-gnats-submit@FreeBSD.org
Cc: dan@FreeBSD.org
Subject: Re: kern/15709: rtfree()/rtrequest() kernel panic
Date: Fri, 31 Dec 1999 17:53:53 -0500

 More kernel panics on multiple systems running GateD on 3.4-STABLE:
 
 (kgdb) exec kernel.1
 (kgdb) core vmcore.1
 IdlePTD 2936832
 initial pcb at 25f88c
 panicstr: rtfree
 panic messages:
 ---
 panic: rtfree
 
 syncing disks... done
 
 dumping to dev 20001, offset 0
 ---
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 285     in ../../kern/kern_shutdown.c
 (kgdb) bt
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 #1  0xc013167c in at_shutdown (
     function=0xc0239b4e <__set_sysctl__debug_sym_sysctl___debug_if_tun_debug+934>,
     arg=0x3, queue=-1071338044) at ../../kern/kern_shutdown.c:446
 #2  0xc017384b in rtfree (rt=0xc3156d00) at ../../net/route.c:206
 #3  0xc0173c33 in rtrequest (req=2, dst=0xc1f45640, gateway=0xc1f45650,
     netmask=0xc1f50d70, flags=3, ret_nrt=0x0) at ../../net/route.c:509
 #4  0xc01791b1 in in_ifadownkill (rn=0xc1f57c00, xap=0xc024ae1c)
     at ../../netinet/in_rmx.c:390
 #5  0xc01730a4 in rn_walktree (h=0xc1f20100, f=0xc017917c <in_ifadownkill>,
     w=0xc024ae1c) at ../../net/radix.c:959
 #6  0xc01791f8 in in_ifadown (ifa=0xc1f27100) at ../../netinet/in_rmx.c:410
 #7  0xc017d6ab in rip_ctlinput (cmd=0, sa=0xc1f27148, vip=0x0)
     at ../../netinet/raw_ip.c:408
 #8  0xc0147225 in pfctlinput (cmd=0, sa=0xc1f27148)
     at ../../kern/uipc_domain.c:265
 #9  0xc016b6bb in if_unroute (ifp=0xc028e344, flag=1, fam=0)
     at ../../net/if.c:414
 #10 0xc016b747 in if_down (ifp=0xc028e344) at ../../net/if.c:449
 #11 0xc022e7c0 in etp_linkdown ()
 #12 0xc0231096 in cisco_notify ()
 #13 0xc0234065 in etp_notify ()
 #14 0xc023069c in hdlc_rcvhandler ()
 #15 0xc02167fe in l3_rcvhandler ()
 #16 0xc020fa1d in lind_event ()
 #17 0xc0211810 in timer_cleanup ()
 #18 0xc022e8dd in hdlc_timeout ()
 #19 0xc0135eaa in softclock () at ../../kern/kern_timeout.c:132
 
 
 And the other one:
 
 IdlePTD 2936832
 initial pcb at 25f88c
 panicstr: page fault
 panic messages:
 ---
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x3030133
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xc0173850
 stack pointer           = 0x10:0xc024ad90
 frame pointer           = 0x10:0xc024ad94
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = Idle
 interrupt mask          = net tty
 trap number             = 12
 panic: page fault
 
 syncing disks... done
 
 dumping to dev 20001, offset 0
 ---
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 285     in ../../kern/kern_shutdown.c
 (kgdb) bt
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 #1  0xc013167c in at_shutdown (
     function=0xc0241c72 <__set_sysinit_set_sym_memdev_sys_init+1050>, arg=0x0,
     queue=12) at ../../kern/kern_shutdown.c:446
 #2  0xc01f1d55 in trap_fatal (frame=0xc024ad54, eva=50528563)
     at ../../i386/i386/trap.c:942
 #3  0xc01f1a33 in trap_pfault (frame=0xc024ad54, usermode=0, eva=50528563)
     at ../../i386/i386/trap.c:835
 #4  0xc01f16d6 in trap (frame={tf_es = -1071382512, tf_ds = -1072234480,
       tf_edi = -1040913408, tf_esi = -1040913408, tf_ebp = -1071338092,
       tf_isp = -1071338116, tf_ebx = -1040972288, tf_edx = -1040972288,
       tf_ecx = -1041104564, tf_eax = 50528515, tf_trapno = 12, tf_err = 0,
       tf_eip = -1072220080, tf_cs = 8, tf_eflags = 66178, tf_esp = 3,
       tf_ss = -1071338036}) at ../../i386/i386/trap.c:437
 #5  0xc0173850 in rtfree (rt=0xc1f40600) at ../../net/route.c:212
 #6  0xc0173c33 in rtrequest (req=2, dst=0xc1f438e0, gateway=0xc1f438f0,
     netmask=0xc1ea5940, flags=3, ret_nrt=0x0) at ../../net/route.c:509
 #7  0xc01791b1 in in_ifadownkill (rn=0xc1f4ec00, xap=0xc024ae24)
     at ../../netinet/in_rmx.c:390
 #8  0xc01730a4 in rn_walktree (h=0xc1f20100, f=0xc017917c <in_ifadownkill>,
     w=0xc024ae24) at ../../net/radix.c:959
 #9  0xc01791f8 in in_ifadown (ifa=0xc1f27500) at ../../netinet/in_rmx.c:410
 #10 0xc017d6ab in rip_ctlinput (cmd=0, sa=0xc1f27548, vip=0x0)
     at ../../netinet/raw_ip.c:408
 #11 0xc0147225 in pfctlinput (cmd=0, sa=0xc1f27548)
     at ../../kern/uipc_domain.c:265
 #12 0xc016b6bb in if_unroute (ifp=0xc028e344, flag=1, fam=0)
     at ../../net/if.c:414
 #13 0xc016b747 in if_down (ifp=0xc028e344) at ../../net/if.c:449
 #14 0xc022e7c0 in etp_linkdown ()
 #15 0xc0230c63 in cisco_keepalive ()
 #16 0xc0231060 in cisco_notify ()
 #17 0xc0234065 in etp_notify ()
 #18 0xc023069c in hdlc_rcvhandler ()
 #19 0xc02167fe in l3_rcvhandler ()
 #20 0xc020fa1d in lind_event ()
 #21 0xc022e8fd in hdlc_timeout ()
 #22 0xc0135eaa in softclock () at ../../kern/kern_timeout.c:132
 
 
State-Changed-From-To: open->closed 
State-Changed-By: dan 
State-Changed-When: Tue Feb 8 08:53:07 PST 2000 
State-Changed-Why:  
peter fixed this in all branches 
>Unformatted:
