From sp@rvrng.ra.alkor.ru  Tue Nov 11 04:14:27 2003
Return-Path: <sp@rvrng.ra.alkor.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9C56516A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Nov 2003 04:14:27 -0800 (PST)
Received: from rvrng.alkor.ru (rvrng.ra.alkor.ru [194.186.122.164])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 022C243FE0
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Nov 2003 04:14:26 -0800 (PST)
	(envelope-from sp@rvrng.ra.alkor.ru)
Received: from rvrng.alkor.ru (localhost [127.0.0.1])
	by rvrng.alkor.ru (8.12.9p2/8.12.9) with ESMTP id hABCENwu017633
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 11 Nov 2003 15:14:23 +0300 (MSK)
	(envelope-from sp@rvrng.ra.alkor.ru)
Received: (from root@localhost)
	by rvrng.alkor.ru (8.12.9p2/8.12.9/Submit) id hABCENGc017632;
	Tue, 11 Nov 2003 15:14:23 +0300 (MSK)
	(envelope-from sp)
Message-Id: <200311111214.hABCENGc017632@rvrng.alkor.ru>
Date: Tue, 11 Nov 2003 15:14:23 +0300 (MSK)
From: sp@alkor.ru
Reply-To: sp@alkor.ru
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Zebra interface route causes kernel panic for cloned interface
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         59172
>Category:       kern
>Synopsis:       Zebra interface route causes kernel panic for cloned interface
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 11 04:20:13 PST 2003
>Closed-Date:    Sat Sep 23 09:27:54 GMT 2006
>Last-Modified:  Sat Sep 23 09:27:54 GMT 2006
>Originator:     
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
>Environment:
System: FreeBSD rvrng.alkor.ru 4.9-STABLE FreeBSD 4.9-STABLE #4: Tue Nov 11 13:25:14 MSK 2003 sp@rvrng.alkor.ru:/usr/obj/usr/src/sys/GENERIC i386


>Description:

	If you are using zebra with an interface route on a cloned interface,
	you can get a kernel panic. Of course this is a rare situation, but
	it indicates something is wrong in the kernel.

>How-To-Repeat:

	/usr/local/etc/zebra/zebra.conf
	--------------------------------
	ip route 0.0.0.0/0 your-gw
	ip route 192.0.2.1/25 vlan10 8
	--------------------------------
	# zebra is running,
	# interface vlan10 does not exist

	ifconfig vlan10 create
	ifconfig vlan10 192.0.2.129/30 vlan 123 vlandev your_ether_if

	The last command causes a kernel panic;
	the current process is indicated as zebra.

>Fix:
	Don't use an interface route.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Wed Nov 12 00:54:07 PST 2003 
State-Changed-Why:  
Please obtain a gdb traceback of the panic as described in 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/kerneldebug.html 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59172 
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue 25 Nov 2003 08:26:28 PST 
Responsible-Changed-Why:  
I'm in hoover up network PRs mode. I'll look into this. 


State-Changed-From-To: feedback->suspended 
State-Changed-By: bms 
State-Changed-When: Wed Jun 16 03:52:10 GMT 2004 
State-Changed-Why:  
Timeout on feedback 

State-Changed-From-To: suspended->feedback 
State-Changed-By: bms 
State-Changed-When: Thu Jun 17 18:26:16 GMT 2004 
State-Changed-Why:  
Re-opened at submitter's request; awaiting further feedback. 


From: Steve Clark <sclark@netwolves.com>
To: bug-followup@FreeBSD.org,  sp@alkor.ru
Cc:  
Subject: Re: kern/59172: Zebra interface route causes kernel panic for cloned
 interface
Date: Fri, 10 Mar 2006 11:21:58 -0500

 This happens when I try to start 30 tun interfaces very quickly.
 IdlePTD at phsyical address 0x00398000
 initial pcb at physical address 0x002fbf20
 panicstr: page fault
 panic messages:
 ---
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x4
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xc01bc035
 stack pointer           = 0x10:0xc98a0d1c
 frame pointer           = 0x10:0xc98a0d28
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 1249 (zebra)
 interrupt mask          =
 trap number             = 12
 panic: page fault
 
 syncing disks... 47 2
 done
 Uptime: 14m30s
 
 dumping to dev #ad/1, offset 1851392
 dump ata0: resetting devices .. done
 ---
 #0  dumpsys () at ../../kern/kern_shutdown.c:487
 487             if (dumping++) {
 (kgdb) list *0xc01bc035
 0xc01bc035 is in arp_rtrequest (../../netinet/if_ether.c:186).
 181                     /*
 182                      * XXX: If this is a manually added route to interface
 183                      * such as older version of routed or gated might provide,
 184                      * restore cloning bit.
 185                      */
 186                     if ((rt->rt_flags & RTF_HOST) == 0 &&
 187                         SIN(rt_mask(rt))->sin_addr.s_addr != 0xffffffff)
 188                             rt->rt_flags |= RTF_CLONING;
 189                     if (rt->rt_flags & RTF_CLONING) {
 190                             /*
 (kgdb)
State-Changed-From-To: feedback->closed 
State-Changed-By: bms 
State-Changed-When: Sat Sep 23 09:26:27 UTC 2006 
State-Changed-Why:  
I can't reproduce this issue in HEAD with INVARIANTS as of today. 
The fix for kern/42030 is in revision 1.131 of src/sys/netinet/if_ether.c 
and this bug is believed to be a duplicate, based on the dates. 
Whilst further feedback was submitted, the code in the backtrace doesn't 
appear to be rev 1.131 as it's missing the rt_mask guard. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=59172 
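
The fault address in the trace lines up with the listed source: if `rt_mask(rt)` is NULL, the read of `sin_addr` at line 187 lands at offset 4, matching `fault virtual address = 0x4`. The user-space C model below is an added example, not code from this PR or from FreeBSD; `struct model_rt`, the `M_RTF_*` constants and both function names are hypothetical, and the NULL-mask cause is an inference from the trace and the closing note about the rt_mask guard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Model constants and types (hypothetical names, not kernel definitions). */
#define M_RTF_HOST    0x004
#define M_RTF_CLONING 0x100

struct model_rt {
    int rt_flags;
    const struct sockaddr_in *rt_mask;   /* NULL when the route has no mask */
};

/* Address the unguarded test at line 187 would read with a NULL mask:
 * the load of sin_addr happens at NULL + offsetof(sin_addr). */
static uintptr_t null_mask_fault_address(void)
{
    return (uintptr_t)offsetof(struct sockaddr_in, sin_addr);
}

/* Same decision as lines 186-188 of the listing, but the mask pointer is
 * checked before it is dereferenced (assumed shape of the guard). */
static int restore_cloning_guarded(struct model_rt *rt)
{
    if ((rt->rt_flags & M_RTF_HOST) == 0 &&
        rt->rt_mask != NULL &&
        rt->rt_mask->sin_addr.s_addr != 0xffffffff)
        rt->rt_flags |= M_RTF_CLONING;
    return rt->rt_flags;
}

int main(void)
{
    /* Constructed sample routes: no mask, and a /25 mask. */
    struct sockaddr_in m25 = {0};
    m25.sin_addr.s_addr = htonl(0xffffff80);
    struct model_rt no_mask = { 0, NULL };
    struct model_rt net25   = { 0, &m25 };

    printf("unguarded read with NULL mask faults at 0x%lx\n",
           (unsigned long)null_mask_fault_address());
    printf("guarded, NULL mask: flags=0x%x\n", restore_cloning_guarded(&no_mask));
    printf("guarded, /25 mask:  flags=0x%x\n", restore_cloning_guarded(&net25));
    return 0;
}
```
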
>Unformatted:
