From owner-freebsd-stable@FreeBSD.ORG  Fri Jun  6 19:37:37 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0338237B404
	for <stable@freebsd.org>; Fri,  6 Jun 2003 19:37:37 -0700 (PDT)
Received: from pyroxene.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BFC1C43F75
	for <stable@freebsd.org>; Fri,  6 Jun 2003 19:37:35 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27])
	by pyroxene.sentex.ca (8.12.9/8.12.8) with ESMTP id h572bX8D056742;
	Fri, 6 Jun 2003 22:37:33 -0400 (EDT)
	(envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030606222952.05d4c6d0@209.112.4.2>
X-Sender: mdtpop@209.112.4.2 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 06 Jun 2003 22:37:17 -0400
To: stable@freebsd.org
From: Mike Tancsa <mike@sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Subject: crash in networking code (with bt and debug kernel)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jun 2003 02:37:37 -0000


While I was tying down a supernet to the discard interface, the box crashed 
on me.  Its a STABLE box from June 4th. I was in zebra at the time and 
thought I would route a /24 to ds0 instead of to the IP on ds0 (which I had 
done for a number of other aggregate routes).  The only other "strange" 
thing about the box is that ds0 is loaded via kld.  I will see if I can 
reproduce it on a non production box.

	---Mike

IdlePTD at phsyical address 0x0032e000
initial pcb at physical address 0x002a3d80
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc019a569
stack pointer           = 0x10:0xdf0b1d28
frame pointer           = 0x10:0xdf0b1d34
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2528 (zebra)
interrupt mask          =
trap number             = 12
panic: page fault


(kgdb) where
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc0150bec in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc0151020 in poweroff_wait (junk=0xc02794ec, howto=-1071149073) at 
/usr/src/sys/kern/kern_shutdown.c:595
#3  0xc0242283 in trap_fatal (frame=0xdf0b1ce8, eva=4) at 
/usr/src/sys/i386/i386/trap.c:974
#4  0xc0241f3d in trap_pfault (frame=0xdf0b1ce8, usermode=0, eva=4) at 
/usr/src/sys/i386/i386/trap.c:867
#5  0xc0241b13 in trap (frame={tf_fs = -1041694704, tf_es = -1040056304, 
tf_ds = -1071120368, tf_edi = -1010457600,
       tf_esi = -1039998416, tf_ebp = -552919756, tf_isp = -552919788, 
tf_ebx = 0, tf_edx = -1010457600, tf_ecx = 1, tf_eax = 0,
       tf_trapno = 12, tf_err = 0, tf_eip = -1072061079, tf_cs = 8, 
tf_eflags = 66118, tf_esp = -552919644, tf_ss = -1040745984})
     at /usr/src/sys/i386/i386/trap.c:466
#6  0xc019a569 in arp_rtrequest (req=1, rt=0xc3c5a400, info=0xdf0b1da4) at 
/usr/src/sys/netinet/if_ether.c:186
#7  0xc01980be in rtrequest1 (req=1, info=0xdf0b1da4, ret_nrt=0xdf0b1da0) 
at /usr/src/sys/net/route.c:750
#8  0xc0198b21 in route_output (m=0xc11ae200, so=0xdd8e5080) at 
/usr/src/sys/net/rtsock.c:341
#9  0xc01974ee in raw_usend (so=0xdd8e5080, flags=0, m=0xc11ae200, nam=0x0, 
control=0x0, p=0xdf0bfc60)
     at /usr/src/sys/net/raw_usrreq.c:258
#10 0xc01988b0 in rts_send (so=0xdd8e5080, flags=0, m=0xc11ae200, nam=0x0, 
control=0x0, p=0xdf0bfc60)
     at /usr/src/sys/net/rtsock.c:236
#11 0xc017042f in sosend (so=0xdd8e5080, addr=0x0, uio=0xdf0b1ee0, 
top=0xc11ae200, control=0x0, flags=0, p=0xdf0bfc60)
     at /usr/src/sys/kern/uipc_socket.c:609
#12 0xc0163876 in soo_write (fp=0xc1fe1a40, uio=0xdf0b1ee0, 
cred=0xc1fb3d80, flags=0, p=0xdf0bfc60)
     at /usr/src/sys/kern/sys_socket.c:81
#13 0xc0160342 in dofilewrite (p=0xdf0bfc60, fp=0xc1fe1a40, fd=5, 
buf=0xbfbff298, nbyte=128, offset=-1, flags=0)
     at /usr/src/sys/sys/file.h:163
#14 0xc01601f3 in write (p=0xdf0bfc60, uap=0xdf0b1f80) at 
/usr/src/sys/kern/sys_generic.c:329
#15 0xc02424e9 in syscall2 (frame={tf_fs = 47, tf_es = -1078001617, tf_ds = 
-1078001617, tf_edi = 128, tf_esi = 134902316,
       tf_ebp = -1077938912, tf_isp = -552919084, tf_ebx = 16, tf_edx = 
-1077939560, tf_ecx = 0, tf_eax = 4, tf_trapno = 7,
       tf_err = 2, tf_eip = 673833116, tf_cs = 31, tf_eflags = 663, tf_esp 
= -1077939612, tf_ss = 47})
     at /usr/src/sys/i386/i386/trap.c:1175
#16 0xc0236595 in Xint0x80_syscall ()
#17 0x8069138 in ?? ()
#18 0x8069187 in ?? ()
#19 0x804fea2 in ?? ()
#20 0x80500bf in ?? ()
#21 0x80507bb in ?? ()
#22 0x8050b16 in ?? ()
#23 0x80543b7 in ?? ()
#24 0x805440a in ?? ()
#25 0x805d913 in ?? ()
#26 0x8058324 in ?? ()
#27 0x8059539 in ?? ()
#28 0x8059989 in ?? ()
#29 0x8061456 in ?? ()
#30 0x804c929 in ?? ()
#31 0x8049c3e in ?? ()
(kgdb) list
482     dumpsys(void)
483     {
484             int     error;
485
486             savectx(&dumppcb);
487             if (dumping++) {
488                     printf("Dump already in progress, bailing...\n");
489                     return;
490             }
491             if (!dodump)
(kgdb) up 1
#1  0xc0150bec in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
316                     dumpsys();
(kgdb) list
311              * been completed.
312              */
313             EVENTHANDLER_INVOKE(shutdown_post_sync, howto);
314             splhigh();
315             if ((howto & (RB_HALT|RB_DUMP)) == RB_DUMP && !cold)
316                     dumpsys();
317
318             /* Now that we're going to really halt the system... */
319             EVENTHANDLER_INVOKE(shutdown_final, howto);
320
(kgdb) up
#2  0xc0151020 in poweroff_wait (junk=0xc02794ec, howto=-1071149073) at 
/usr/src/sys/kern/kern_shutdown.c:595
595             boot(bootopt);
(kgdb) list
590
591     #if defined(DDB)
592             if (debugger_on_panic)
593                     Debugger ("panic");
594     #endif
595             boot(bootopt);
596     }
597
598     /*
599      * Support for poweroff delay.
(kgdb) up 1
#3  0xc0242283 in trap_fatal (frame=0xdf0b1ce8, eva=4) at 
/usr/src/sys/i386/i386/trap.c:974
974                     panic("%s", trap_msg[type]);
(kgdb) list
969             if ((debugger_on_panic || db_active) && kdb_trap(type, 0, 
frame))
970                     return;
971     #endif
972             printf("trap number             = %d\n", type);
973             if (type <= MAX_TRAP_MSG)
974                     panic("%s", trap_msg[type]);
975             else
976                     panic("unknown/reserved trap");
977     }
978
(kgdb) up 1
#4  0xc0241f3d in trap_pfault (frame=0xdf0b1ce8, usermode=0, eva=4) at 
/usr/src/sys/i386/i386/trap.c:867
867                     trap_fatal(frame, eva);
(kgdb) list
862             if (!usermode) {
863                     if (intr_nesting_level == 0 && curpcb && 
curpcb->pcb_onfault) {
864                             frame->tf_eip = (int)curpcb->pcb_onfault;
865                             return (0);
866                     }
867                     trap_fatal(frame, eva);
868                     return (-1);
869             }
870
871             /* kludge to pass faulting virtual address to sendsig */
(kgdb) up 1
#5  0xc0241b13 in trap (frame={tf_fs = -1041694704, tf_es = -1040056304, 
tf_ds = -1071120368, tf_edi = -1010457600,
       tf_esi = -1039998416, tf_ebp = -552919756, tf_isp = -552919788, 
tf_ebx = 0, tf_edx = -1010457600, tf_ecx = 1, tf_eax = 0,
       tf_trapno = 12, tf_err = 0, tf_eip = -1072061079, tf_cs = 8, 
tf_eflags = 66118, tf_esp = -552919644, tf_ss = -1040745984})
     at /usr/src/sys/i386/i386/trap.c:466
466                             (void) trap_pfault(&frame, FALSE, eva);
(kgdb) list
461     kernel_trap:
462                     /* kernel trap */
463
464                     switch (type) {
465                     case T_PAGEFLT:                 /* page fault */
466                             (void) trap_pfault(&frame, FALSE, eva);
467                             return;
468
469                     case T_DNA:
470     #if NNPX > 0
(kgdb) up 1
#6  0xc019a569 in arp_rtrequest (req=1, rt=0xc3c5a400, info=0xdf0b1da4) at 
/usr/src/sys/netinet/if_ether.c:186
186                     if ((rt->rt_flags & RTF_HOST) == 0 &&
(kgdb) list
181                     /*
182                      * XXX: If this is a manually added route to interface
183                      * such as older version of routed or gated might 
provide,
184                      * restore cloning bit.
185                      */
186                     if ((rt->rt_flags & RTF_HOST) == 0 &&
187                         SIN(rt_mask(rt))->sin_addr.s_addr != 0xffffffff)
188                             rt->rt_flags |= RTF_CLONING;
189                     if (rt->rt_flags & RTF_CLONING) {
190                             /*
(kgdb)
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike