From land@gx.dnepr.net  Thu Jul 18 00:28:59 2002
Return-Path: <land@gx.dnepr.net>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5A96E37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 18 Jul 2002 00:28:59 -0700 (PDT)
Received: from gx.dnepr.net (gx.dnepr.net [217.198.131.109])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1707F43E58
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 18 Jul 2002 00:28:57 -0700 (PDT)
	(envelope-from land@gx.dnepr.net)
Received: from gx.dnepr.net (localhost.dnepr.net [127.0.0.1])
	by gx.dnepr.net with ESMTP id g6I7Sqgj079156
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 18 Jul 2002 10:28:52 +0300 (EEST)
	(envelope-from land@gx.dnepr.net)
Received: (from land@localhost)
	by gx.dnepr.net id g6I7SqQf079155;
	Thu, 18 Jul 2002 10:28:52 +0300 (EEST)
	(envelope-from land)
Message-Id: <200207180728.g6I7SqQf079155@gx.dnepr.net>
Date: Thu, 18 Jul 2002 10:28:52 +0300 (EEST)
From: land@dnepr.net
Reply-To: land@dnepr.net
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Disabling multicast on vlan interface caused kernel panic
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         40723
>Category:       kern
>Synopsis:       Disabling multicast on vlan interface caused kernel panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 18 00:30:01 PDT 2002
>Closed-Date:    Sat Jul 26 04:48:53 PDT 2003
>Last-Modified:  Sat Jul 26 04:48:53 PDT 2003
>Originator:     Andrey Lakhno
>Release:        FreeBSD 4.6-RELEASE-p2 i386
>Organization:
>Environment:
System: FreeBSD xxx.dnepr.net 4.6-RELEASE-p2 FreeBSD 4.6-RELEASE-p2 #0: Sun Jul 14 12:18:03 EEST 2002 land@xxx.dnepr.net:/usr/obj/usr/src/sys/GX i386

>Description:
I use FreeBSD 4.6-R with zebra routing software (zebra-0.93a).
Both ripd and ospfd are running. With non-zero probability, when I kill the ripd
or ospfd process, the system panics with the following diagnostics:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x6
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01856c7
stack pointer           = 0x10:0xca01bc90
frame pointer           = 0x10:0xca01bca4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 629 (ripd)
interrupt mask          = net
trap number             = 12
panic: page fault

syncing disks... 40 2 1 1 1 1 1 1 1
done

I found that such panics occur only on machines with vlan interfaces.

ifconfig:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
        ether 00:03:47:xx:xx:xx
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
        ether 00:03:47:xx:xx:xx
        vlan: 5 parent interface: fxp0
vlan1: flags=0<> mtu 1500
        ether 00:00:00:00:00:00
        vlan: 0 parent interface: <none>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Here is output from gdb -k:

(kgdb) where
#0  dumpsys () at ../../kern/kern_shutdown.c:487
#1  0xc01445bf in boot (howto=256) at ../../kern/kern_shutdown.c:316
#2  0xc01449e4 in poweroff_wait (junk=0xc0211d6c, howto=-1071572849)
    at ../../kern/kern_shutdown.c:595
#3  0xc01eb71e in trap_fatal (frame=0xca01bc50, eva=6)
    at ../../i386/i386/trap.c:966
#4  0xc01eb3f1 in trap_pfault (frame=0xca01bc50, usermode=0, eva=6)
    at ../../i386/i386/trap.c:859
#5  0xc01eafdb in trap (frame={tf_fs = -1071448048, tf_es = 6422544,
      tf_ds = -1066074096, tf_edi = -1066046208, tf_esi = 1,
      tf_ebp = -905855836, tf_isp = -905855876, tf_ebx = -1053640192,
      tf_edx = 6, tf_ecx = -905855812, tf_eax = 2, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072146745, tf_cs = 8, tf_eflags = 66050,
      tf_esp = -1053640192, tf_ss = -1052190624}) at ../../i386/i386/trap.c:458
#6  0xc01856c7 in rt_msg1 (type=16, rtinfo=0xca01bcbc)
    at ../../net/rtsock.c:613
#7  0xc0185b35 in rt_newmaddrmsg (cmd=16, ifma=0xc148d860)
    at ../../net/rtsock.c:848
#8  0xc018020c in if_delmulti (ifp=0xc132ba00, sa=0xca01bd3c)
    at ../../net/if.c:1507
#9  0xc01818f5 in vlan_setmulti (ifp=0xc132b400) at ../../net/if_vlan.c:154
#10 0xc0182416 in vlan_ioctl (ifp=0xc132b400, cmd=2149607730, data=0x0)
    at ../../net/if_vlan.c:704
#11 0xc01802e6 in if_delmulti (ifp=0xc132b400, sa=0xc0724040)
    at ../../net/if.c:1548
#12 0xc0188b6f in in_delmulti (inm=0xc14c4820) at ../../netinet/in.c:893
#13 0xc019352c in ip_freemoptions (imo=0xc14fba00)
    at ../../netinet/ip_output.c:1886
#14 0xc01894ad in in_pcbdetach (inp=0xc93dbfc0) at ../../netinet/in_pcb.c:567
#15 0xc019b418 in udp_detach (so=0xc931e940) at ../../netinet/udp_usrreq.c:871
#16 0xc0162511 in soclose (so=0xc931e940) at ../../kern/uipc_socket.c:320
#17 0xc0156a56 in soo_close (fp=0xc14ad600, p=0xc890d6c0)
    at ../../kern/sys_socket.c:195
#18 0xc013a2df in fdrop (fp=0xc14ad600, p=0xc890d6c0) at ../../sys/file.h:217
#19 0xc013a227 in closef (fp=0xc14ad600, p=0xc890d6c0)
    at ../../kern/kern_descrip.c:1277
#20 0xc0139629 in close (p=0xc890d6c0, uap=0xca01bf80)
    at ../../kern/kern_descrip.c:581
#21 0xc01eb9cd in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = -1077937712, tf_esi = 0, tf_ebp = -1077938364,
      tf_isp = -905855020, tf_ebx = 134973184, tf_edx = 134754364,
      tf_ecx = 134956992, tf_eax = 6, tf_trapno = 12, tf_err = 2,
      tf_eip = 672846696, tf_cs = 31, tf_eflags = 659, tf_esp = -1077938408,
      tf_ss = 47}) at ../../i386/i386/trap.c:1167
#22 0xc01dfe15 in Xint0x80_syscall ()
#23 0x8049ab8 in ?? ()
#24 0xbfbfffac in ?? ()
#25 0x8049d47 in ?? ()
#26 0x8049909 in ?? ()

(kgdb) up 5
#5  0xc01eafdb in trap (frame={tf_fs = -1071448048, tf_es = 6422544,
      tf_ds = -1066074096, tf_edi = -1066046208, tf_esi = 1,
      tf_ebp = -905855836, tf_isp = -905855876, tf_ebx = -1053640192,
      tf_edx = 6, tf_ecx = -905855812, tf_eax = 2, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072146745, tf_cs = 8, tf_eflags = 66050,
      tf_esp = -1053640192, tf_ss = -1052190624}) at ../../i386/i386/trap.c:458
458                             (void) trap_pfault(&frame, FALSE, eva);

(kgdb) frame frame->tf_ebp frame->tf_eip
#0  rt_msg1 (type=16, rtinfo=0xca01bcbc) at ../../net/rtsock.c:614
614                     dlen = ROUNDUP(sa->sa_len);

(kgdb) list
609             bzero((caddr_t)rtm, len);
610             for (i = 0; i < RTAX_MAX; i++) {
611                     if ((sa = rtinfo->rti_info[i]) == NULL)
612                             continue;
613                     rtinfo->rti_addrs |= (1 << i);
614                     dlen = ROUNDUP(sa->sa_len);
615                     m_copyback(m, len, dlen, (caddr_t)sa);
616                     len += dlen;
617             }
618             if (m->m_pkthdr.len != len) {

(kgdb) print sa
$1 = (struct sockaddr *) 0x0

(kgdb) up
#1  0xc0185b35 in rt_newmaddrmsg (cmd=16, ifma=0xc148d860)
    at ../../net/rtsock.c:848
848             if ((m = rt_msg1(cmd, &info)) == NULL)
(kgdb) list
843             /*
844              * If a link-layer address is present, present it as a ``gateway''
845              * (similarly to how ARP entries, e.g., are presented).
846              */
847             gate = ifma->ifma_lladdr;
848             if ((m = rt_msg1(cmd, &info)) == NULL)
849                     return;
850             ifmam = mtod(m, struct ifma_msghdr *);
851             ifmam->ifmam_index = ifp->if_index;
852             ifmam->ifmam_addrs = info.rti_addrs;
(kgdb) up
#2  0xc018020c in if_delmulti (ifp=0xc132ba00, sa=0xca01bd3c)
    at ../../net/if.c:1507
1507            rt_newmaddrmsg(RTM_DELMADDR, ifma);
(kgdb) list
1502            if (ifma->ifma_refcount > 1) {
1503                    ifma->ifma_refcount--;
1504                    return 0;
1505            }
1506
1507            rt_newmaddrmsg(RTM_DELMADDR, ifma);
1508            sa = ifma->ifma_lladdr;
1509            s = splimp();
1510            LIST_REMOVE(ifma, ifma_link);
1511            /*
(kgdb) up
#3  0xc01818f5 in vlan_setmulti (ifp=0xc132b400) at ../../net/if_vlan.c:154
154                     error = if_delmulti(ifp_p, (struct sockaddr *)&sdl);
(kgdb) list
149
150             /* First, remove any existing filter entries. */
151             while(SLIST_FIRST(&sc->vlan_mc_listhead) != NULL) {
152                     mc = SLIST_FIRST(&sc->vlan_mc_listhead);
153                     bcopy((char *)&mc->mc_addr, LLADDR(&sdl), ETHER_ADDR_LEN);
154                     error = if_delmulti(ifp_p, (struct sockaddr *)&sdl);
155                     if (error)
156                             return(error);
157                     SLIST_REMOVE_HEAD(&sc->vlan_mc_listhead, mc_entries);
158                     free(mc, M_VLAN);
(kgdb) up
#4  0xc0182416 in vlan_ioctl (ifp=0xc132b400, cmd=2149607730, data=0x0)
    at ../../net/if_vlan.c:704
704                     error = vlan_setmulti(ifp);
(kgdb) list
699                             error = EINVAL;
700                     }
701                     break;
702             case SIOCADDMULTI:
703             case SIOCDELMULTI:
704                     error = vlan_setmulti(ifp);
705                     break;
706             default:
707                     error = EINVAL;
708             }
(kgdb) up
#5  0xc01802e6 in if_delmulti (ifp=0xc132b400, sa=0xc0724040)
    at ../../net/if.c:1548
1548            ifp->if_ioctl(ifp, SIOCDELMULTI, 0);
(kgdb) list
1543                    return 0;
1544            }
1545
1546            s = splimp();
1547            LIST_REMOVE(ifma, ifma_link);
1548            ifp->if_ioctl(ifp, SIOCDELMULTI, 0);
1549            splx(s);
1550            free(ifma->ifma_addr, M_IFMADDR);
1551            free(sa, M_IFMADDR);
1552            free(ifma, M_IFMADDR);
(kgdb) up
#6  0xc0188b6f in in_delmulti (inm=0xc14c4820) at ../../netinet/in.c:893
893             if_delmulti(ifma->ifma_ifp, ifma->ifma_addr);
(kgdb) list
888                     ifma->ifma_protospec = 0;
889                     LIST_REMOVE(inm, inm_link);
890                     free(inm, M_IPMADDR);
891             }
892             /* XXX - should be separate API for when we have an ifma? */
893             if_delmulti(ifma->ifma_ifp, ifma->ifma_addr);
894             if (my_inm.inm_ifp != NULL)
895                     igmp_leavegroup(&my_inm);
896             splx(s);
897     }
(kgdb) up
#7  0xc019352c in ip_freemoptions (imo=0xc14fba00)
    at ../../netinet/ip_output.c:1886
1886                            in_delmulti(imo->imo_membership[i]);
(kgdb) list
1881    {
1882            register int i;
1883
1884            if (imo != NULL) {
1885                    for (i = 0; i < imo->imo_num_memberships; ++i)
1886                            in_delmulti(imo->imo_membership[i]);
1887                    free(imo, M_IPMOPTS);
1888            }
1889    }
1890
(kgdb) up
#8  0xc01894ad in in_pcbdetach (inp=0xc93dbfc0) at ../../netinet/in_pcb.c:567
567             ip_freemoptions(inp->inp_moptions);
(kgdb) list
562             sofree(so);
563             if (inp->inp_options)
564                     (void)m_free(inp->inp_options);
565             if (inp->inp_route.ro_rt)
566                     rtfree(inp->inp_route.ro_rt);
567             ip_freemoptions(inp->inp_moptions);
568             inp->inp_vflag = 0;
569             zfreei(ipi->ipi_zone, inp);
570     }
571

	
>How-To-Repeat:
	
On FreeBSD 4.6 configure vlan's on fxp interface. Start zebra and ripd
with following ripd.conf:

hostname xxx.dnepr.net
password xxx
enable password xxx
log syslog
log record-priority
!
router rip
 redistribute connected
 network fxp0
 network vlan0

Try to kill and restart ripd several times until system panics.

>Fix:


>Release-Note:
>Audit-Trail:

From: "KAREN THODE" <thode12@msn.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <land@dnepr.net>
Cc:  
Subject: Re: kern/40723: Disabling multicast on vlan interface caused kernel panic
Date: Thu, 3 Jul 2003 17:11:43 -0500

 Could someone tell me the file where the ROUNDUP() macro/function is defined?
 
 Lucas
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 02:54:02 PDT 2003 
State-Changed-Why:  
Does this problem persist on recent releases? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40723 

From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: [land@dnepr.net: Re: kern/40723: Disabling multicast on vlan interface caused kernel panic]
Date: Mon, 14 Jul 2003 14:38:31 -0700

 Adding to audit trail
 
 ----- Forwarded message from Andrey Lakhno <land@dnepr.net> -----
 
 X-Original-To: kkenn@localhost
 Delivered-To: kkenn@localhost.obsecurity.org
 Delivered-To: kris@freebsd.org
 Date: Mon, 14 Jul 2003 23:03:29 +0300
 From: Andrey Lakhno <land@dnepr.net>
 To: Kris Kennaway <kris@FreeBSD.org>
 Subject: Re: kern/40723: Disabling multicast on vlan interface caused kernel panic
 In-Reply-To: <200307140954.h6E9sCxR088220@freefall.freebsd.org>
 X-UIDL: b8a983b5caa08d3a01bfb26f00a59285
 X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.13.7.2
 
 Hello,
 
 On Mon, 14 Jul 2003, Kris Kennaway wrote:
 
 > Synopsis: Disabling multicast on vlan interface caused kernel panic
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: kris
 > State-Changed-When: Mon Jul 14 02:54:02 PDT 2003
 > State-Changed-Why: 
 > Does this problem persist on recent releases?
 
 Yes. I can reproduce it on 4.8-RELEASE.
 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=40723
 
 -- 
 Andrey Lakhno,
 land-ripe
 
 ----- End forwarded message -----

From: Hideki ONO <ono@kame.net>
To: freebsd-gnats-submit@FreeBSD.org, land@dnepr.net
Cc:  
Subject: Re: kern/40723: Disabling multicast on vlan interface caused kernel panic
Date: Thu, 17 Jul 2003 15:48:26 +0900

 This problem is caused by not initializing ifma properly.
 The following patch fixes this problem for me.
 
 --- if.c        14 Jun 2003 08:22:02 -0000      1.34
 +++ if.c        25 Jun 2003 09:16:59 -0000
 @@ -1556,8 +1556,10 @@
                                M_IFMADDR, M_WAITOK);
                         bcopy(llsa, dupsa, llsa->sa_len);
                         ifma->ifma_addr = dupsa;
 +                       ifma->ifma_lladdr = NULL;
                         ifma->ifma_ifp = ifp;
                         ifma->ifma_refcount = 1;
 +                       ifma->ifma_protospec = 0;
                         s = splimp();
                         LIST_INSERT_HEAD(&ifp->if_multiaddrs, ifma,
                         ifma_link);
                         splx(s);
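 Review bot: the two added assignments fix the reported fault, but the hunk should say why they are needed, because a later reader will see the explicit `ifma->ifma_lladdr = NULL;` and `ifma->ifma_protospec = 0;` and wonder whether malloc already zeroed them: the allocation on the preceding context lines uses `M_IFMADDR, M_WAITOK` without zeroing, so an unassigned `ifma_lladdr` carries stale heap bytes that `rt_newmaddrmsg()` reads as the gateway address and `rt_msg1()` dereferences (the trace in this PR faults at `dlen = ROUNDUP(sa->sa_len)` with a fault address of 0x6). Suggest a one-line comment above the assignments, plus a check that any other `ifmultiaddr` allocation in the same function, outside this hunk, initialises both fields the same way; if this branch's malloc(9) accepts `M_ZERO`, allocating with it would remove the whole class of missed fields rather than these two.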
 --
 Hideki ONO
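The defect Hideki describes and the two-line fix in his hunk, worked as an added C example (this is not FreeBSD source and not code from anyone in this thread): a deliberately poisoned bump allocator stands in for a malloc(M_WAITOK) that returns recycled memory, `ifma_alloc_before()` mirrors the pre-fix initialisation, `ifma_alloc_after()` mirrors the hunk, and `rt_newmaddrmsg_len()` replays the rt_msg1() loop from the kgdb listing in the report. The struct layouts, the RTAX slot assignment, the 0x06 poison value and the helper names are assumptions made for this example; the ROUNDUP definition is written in the form rtsock.c uses.

```c
/*
 * Added example, not FreeBSD code: a model of kern/40723 and of its fix.
 * The kernel allocates struct ifmultiaddr with malloc(M_WAITOK), which
 * does not zero memory, so an unassigned ifma_lladdr keeps stale heap
 * bytes; rt_newmaddrmsg() hands it to rt_msg1() as the "gateway", and
 * that loop only skips NULL, so the garbage is dereferenced as a sockaddr.
 * Struct names follow the kernel's; the layouts, the arena and the 0x06
 * poison (echoing the report's fault address) are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ROUNDUP in the form rtsock.c uses: round a sockaddr length up to a
 * multiple of sizeof(long); a zero length still occupies one long. */
#define ROUNDUP(a) \
	((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))

#define RTAX_MAX	8
#define RTAX_GATEWAY	1	/* slot rt_newmaddrmsg() fills from ifma_lladdr */
#define RTAX_IFA	5	/* slot it fills from ifma_addr */

struct sockaddr { uint8_t sa_len; uint8_t sa_family; char sa_data[14]; };

struct ifmultiaddr {
	struct sockaddr	*ifma_addr;
	struct sockaddr	*ifma_lladdr;
	int		 ifma_refcount;
	void		*ifma_protospec;
};

/* Bump allocator over long-aligned storage that is poisoned with 0x06 on
 * first use: stands in for a malloc() handing out recycled, non-zeroed memory. */
struct arena { unsigned long buf[32]; size_t used; };

static void *arena_alloc(struct arena *a, size_t n)
{
	if (a->used == 0)	/* fresh arena: fill with stale-looking bytes */
		memset(a->buf, 0x06, sizeof(a->buf));
	void *p = (unsigned char *)a->buf + a->used;
	a->used += (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
	return p;
}

/* Before the fix: ifma_lladdr and ifma_protospec are never assigned. */
static struct ifmultiaddr *
ifma_alloc_before(struct arena *a, struct sockaddr *addr)
{
	struct ifmultiaddr *ifma = arena_alloc(a, sizeof(*ifma));
	ifma->ifma_addr = addr;
	ifma->ifma_refcount = 1;
	return ifma;
}

/* After the fix (the if.c hunk in this PR): both pointers are reset. */
static struct ifmultiaddr *
ifma_alloc_after(struct arena *a, struct sockaddr *addr)
{
	struct ifmultiaddr *ifma = arena_alloc(a, sizeof(*ifma));
	ifma->ifma_addr = addr;
	ifma->ifma_lladdr = NULL;
	ifma->ifma_refcount = 1;
	ifma->ifma_protospec = 0;
	return ifma;
}

/* The rt_msg1() loop of rtsock.c:610-617, fed the way rt_newmaddrmsg()
 * fills rti_info; returns the payload length.  Safe only when ifma_lladdr
 * is NULL or a real sockaddr: the kernel has no other guard either. */
static long
rt_newmaddrmsg_len(const struct ifmultiaddr *ifma)
{
	const struct sockaddr *rti_info[RTAX_MAX] = { 0 }, *sa;
	long len = 0;
	int i;

	rti_info[RTAX_IFA] = ifma->ifma_addr;
	rti_info[RTAX_GATEWAY] = ifma->ifma_lladdr;	/* "gate" in rtsock.c */
	for (i = 0; i < RTAX_MAX; i++) {
		if ((sa = rti_info[i]) == NULL)
			continue;	/* the only check rt_msg1() makes */
		len += ROUNDUP(sa->sa_len);
	}
	return len;
}

static struct sockaddr in4 = { 16, 2, { 0 } };	/* constructed AF_INET group address */

static uintptr_t before_fix_lladdr(void)	/* non-NULL: would be dereferenced */
{
	struct arena a = { { 0 }, 0 };
	return (uintptr_t)ifma_alloc_before(&a, &in4)->ifma_lladdr;
}

static long after_fix_len(void)	/* 16: only the group address is emitted */
{
	struct arena a = { { 0 }, 0 };
	return rt_newmaddrmsg_len(ifma_alloc_after(&a, &in4));
}
```

Before the fix the gateway slot holds a pointer made of 0x06 bytes, which the loop's `sa == NULL` test does not catch; after it the slot is NULL, the loop skips it, and the message carries only the 16-byte group address. The lesson generalises beyond this PR: with an allocator that does not zero, either request zeroed memory (M_ZERO, calloc) or assign every pointer field at construction, because a NULL check downstream is only as good as the initialisation upstream.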

From: Andrey Lakhno <land@dnepr.net>
To: Hideki ONO <ono@kame.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/40723: Disabling multicast on vlan interface caused kernel panic
Date: Thu, 17 Jul 2003 11:43:03 +0300

 Hello,
 
 On Thu, 17 Jul 2003, Hideki ONO wrote:
 
 > This problem is caused by not initializing ifma properly.
 > Following patch fix this problem for me.
 
 This patch fixes the problem for me too.
 FreeBSD-4.8 RELEASE
 Thanks !
 
 > 
 > --- if.c        14 Jun 2003 08:22:02 -0000      1.34
 > +++ if.c        25 Jun 2003 09:16:59 -0000
 > @@ -1556,8 +1556,10 @@
 >                                M_IFMADDR, M_WAITOK);
 >                         bcopy(llsa, dupsa, llsa->sa_len);
 >                         ifma->ifma_addr = dupsa;
 > +                       ifma->ifma_lladdr = NULL;
 >                         ifma->ifma_ifp = ifp;
 >                         ifma->ifma_refcount = 1;
 > +                       ifma->ifma_protospec = 0;
 >                         s = splimp();
 >                         LIST_INSERT_HEAD(&ifp->if_multiaddrs, ifma,
 >                         ifma_link);
 >                         splx(s);
 
 -- 
 Andrey Lakhno,
 land-ripe
State-Changed-From-To: feedback->closed 
State-Changed-By: ume 
State-Changed-When: Sat Jul 26 04:46:47 PDT 2003 
State-Changed-Why:  
Because I committed it. 


Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Sat Jul 26 04:46:47 PDT 2003 
Responsible-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40723 
>Unformatted:
