Date:      Tue, 30 Apr 2002 11:13:40 -0700
From:      "Qing Li" <Qing.Li@windriver.com>
To:        <FreeBSD-gnats-submit@FreeBSD.org>
Subject:   kern/37606: genmask, rt_fixchange, and kernel panic
Message-ID:  <DMEGKJAJNLKBGDDBEAIPAEFEEOAA.Qing.Li@windriver.com>


>Number:         37606
>Category:       kern
>Synopsis:       genmask, rt_fixchange causes kernel panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 30 11:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Qing Li
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD a.b.com 4.5-STABLE FreeBSD 4.5-STABLE #0: Tue Mar 5 17:05:43 GMT 2002 root@a.b.com:/usr/obj/usr/src/sys/GENERIC i386

CPU: Pentium II/Pentium II Xeon/Celeron (265.37-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x634  Stepping = 4
  Features=0x80f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX>
real memory  = 167772160 (163840K bytes)
avail memory = 158347264 (154636K bytes)

>Description:

Creating a route entry with the -cloning flag and the -genmask
option causes a kernel panic on 4.5-STABLE.

The cloned entry created is a network route. The problem
appears to be in route.c, in the "rtrequest1" function, where

    if (!(rt->rt_flags & RTF_HOST) && (rt_mask(rt) !=0)
      <snip>
               rnh->rnh_walktree_from(..,rt_fixchange,.)

This newly created entry is immediately removed inside
rt_fixchange. This invalid "rt" pointer is then returned
to the caller.

This problem did not show up in the previous version of
the code, apparently due to the missing flag check on
RTF_CLONING in the code above:

   if (cmd == RTM_RESOLVE)
      <snip>
      if ((*ret_nrt)->rt_flags & RTF_PRCLONING)                    (old version)

      if ((*ret_nrt)->rt_flags & (RTF_CLONING & RTF_PRCLONING))    (new version)

   The rt_parent is not assigned, so rt_fixchange returned
   immediately in the previous version.

   I am also not sure why rt_fixchange is needed if
   cmd is RTM_RESOLVE.

>How-To-Repeat:

  route add -net 10.2.10.5 -netmask 255.255.0.0 -cloning
  -genmask 255.255.255.0 64.81.55.1

  ping 10.2.10.6

>Fix:

*** route.c.org	Tue Apr 30 10:19:47 2002
--- route.c	Tue Apr 30 10:20:49 2002
***************
*** 846,851 ****
--- 846,854 ----
  		printf("rt_fixchange: rt %p, rt0 %p\n", rt, rt0);
  #endif

+         if (rt == rt0)
+           return 0;
+
  	if (!rt->rt_parent || (rt->rt_flags & RTF_PINNED)) {
  #ifdef DEBUG
  		if(rtfcdebug) printf("no parent or pinned\n");
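Review bot: the guard "if (rt == rt0) return 0;" needs a comment stating why the walk must skip the route it was started from; per the report, rt_fixchange otherwise removes the freshly inserted cloned network route and rtrequest1 hands the freed rt back to its caller, and nothing in the hunk records that this check is what prevents that. The two added lines are also indented with spaces while the neighbouring "if (!rt->rt_parent || (rt->rt_flags & RTF_PINNED))" line uses a tab, so they should follow the file's tab indentation. Since the report itself asks why rt_fixchange runs at all for RTM_RESOLVE, it is worth noting alongside the change that this guard handles the symptom inside the callback rather than in the rtrequest1 walk that triggers it.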

>Release-Note:
>Audit-Trail:
>Unformatted:
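A simplified model of the mechanism the report describes, written as an added example (it is neither FreeBSD's route.c nor the reporter's code): a walk started from a freshly inserted cloned network route visits that route itself, so a callback that removes cloned children also removes the entry the caller is about to return. The flag values, the covers() test and the plain list standing in for the radix tree are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not FreeBSD's route.c: a simplified model of the rt_fixchange
 * walk the report describes. Flag values and the "covers" test are assumptions;
 * removal is modelled by a flag instead of a free so the result stays observable. */
#define RTF_PINNED  0x01
#define RTF_DELETED 0x02   /* model-only: the walk "removed" this node */
struct rtentry {
    uint32_t dst, mask;      /* IPv4 network and netmask, host byte order */
    int flags;
    struct rtentry *parent;  /* rt_parent: set on cloned routes, 0 otherwise */
};

/* True if route r's network covers address a. */
static bool covers(const struct rtentry *r, uint32_t a) {
    return (a & r->mask) == (r->dst & r->mask);
}

/* Walk callback in the shape of rt_fixchange(rt, rt0): a cloned, unpinned route
 * that the new route rt0 now covers is removed so it can be re-cloned later.
 * With guard set, rt0 itself is skipped, which is what the report's patch adds. */
static int fixchange(struct rtentry *rt, struct rtentry *rt0, bool guard) {
    if (guard && rt == rt0)
        return 0;
    if (!rt->parent || (rt->flags & RTF_PINNED))
        return 0;
    if (covers(rt0, rt->dst))
        rt->flags |= RTF_DELETED;
    return 0;
}

/* Tail of rtrequest1 after inserting a non-host route with a mask: walk the
 * subtree from the new route (which therefore visits the new route itself) and
 * report whether the pointer handed back to the caller still names a live entry. */
static bool insert_and_fix(struct rtentry **others, int n, struct rtentry *rt, bool guard) {
    fixchange(rt, rt, guard);                /* rnh_walktree_from starts at rt */
    for (int i = 0; i < n; i++)
        fixchange(others[i], rt, guard);
    return !(rt->flags & RTF_DELETED);
}

/* The report's scenario: -cloning 10.2.0.0/16 with -genmask /24, then the /24
 * clone that RTM_RESOLVE creates for 10.2.10.6, with rt_parent set to the /16. */
static bool scenario(bool guard) {
    struct rtentry net   = { 0x0A020000u, 0xFFFF0000u, 0, 0 };      /* 10.2.0.0/16 */
    struct rtentry clone = { 0x0A020A00u, 0xFFFFFF00u, 0, &net };   /* 10.2.10.0/24 */
    struct rtentry *others[] = { &net };
    return insert_and_fix(others, 1, &clone, guard);  /* false unguarded, true guarded */
}
```

Without the guard the new clone removes itself during its own fix-up walk, which is the freed pointer the report sees returned from rtrequest1; with the guard the entry survives.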
