[Bug 254496] kernel panic when destroying interface with ECMP route

bugzilla-noreply at freebsd.org
Tue Mar 23 10:03:06 UTC 2021


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254496

            Bug ID: 254496
           Summary: kernel panic when destroying interface with ECMP route
           Product: Base System
           Version: 13.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: zlei.huang at gmail.com

Created attachment 223516
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=223516&action=edit
Core text dump

I was trying to reproduce bug #254303, and found another bug; not sure if it
is related.

Steps to repeat:
1. Fresh install FreeBSD 13.0 RC3
2. Run the following script

<pre><code>
# set up interface and add ECMP route
tap=$( ifconfig tap create inet 10.10.10.1/24 )
route -n add 10.0.0.0 10.10.10.2
route -n add 10.0.0.0 10.10.10.3

# destroy interface to trigger the panic
ifconfig $tap destroy
</code></pre>


Kernel panic core dump text summary:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x38
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80d48f38
stack pointer           = 0x28:0xfffffe0044dd6a80
frame pointer           = 0x28:0xfffffe0044dd6a80
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 (softirq_0)
trap number             = 12
panic: page fault
cpuid = 0
time = 1616522291
KDB: stack backtrace:
#0 0xffffffff80c570b5 at kdb_backtrace+0x65
#1 0xffffffff80c09cd1 at vpanic+0x181
#2 0xffffffff80c09b43 at panic+0x43
#3 0xffffffff8108a187 at trap_fatal+0x387
#4 0xffffffff8108a1df at trap_pfault+0x4f
#5 0xffffffff8108983d at trap+0x27d
#6 0xffffffff810612c8 at calltrap+0x8
#7 0xffffffff80d4b1de at destroy_rtentry_epoch+0x2e
#8 0xffffffff80c51e2a at epoch_call_task+0x16a
#9 0xffffffff80c55b1d at gtaskqueue_run_locked+0x15d
#10 0xffffffff80c557bc at gtaskqueue_thread_loop+0xac
#11 0xffffffff80bc7c0e at fork_exit+0x7e
#12 0xffffffff8106234e at fork_trampoline+0xe
Uptime: 18s
Dumping 137 out of 472 MB:..12%..24%..36%..47%..59%..71%..82%..94%

__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
55              __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=<optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff80c098c6 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:486
#3  0xffffffff80c09d40 in vpanic (fmt=<optimized out>, ap=<optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:919
#4  0xffffffff80c09b43 in panic (fmt=<unavailable>)
    at /usr/src/sys/kern/kern_shutdown.c:843
#5  0xffffffff8108a187 in trap_fatal (frame=0xfffffe0044dd69c0, eva=56)
    at /usr/src/sys/amd64/amd64/trap.c:915
#6  0xffffffff8108a1df in trap_pfault (frame=frame@entry=0xfffffe0044dd69c0,
    usermode=false, signo=<optimized out>, signo@entry=0x0,
    ucode=<optimized out>, ucode@entry=0x0)
    at /usr/src/sys/amd64/amd64/trap.c:732
#7  0xffffffff8108983d in trap (frame=0xfffffe0044dd69c0)
    at /usr/src/sys/amd64/amd64/trap.c:398
#8  <signal handler called>
#9  0xffffffff80d48f38 in nhop_get_vnet (nh=0xfffff8001458b980)
    at /usr/src/sys/net/route/nhop_ctl.c:761
#10 0xffffffff80d4b1de in destroy_rtentry (rt=0xfffff80014627840)
    at /usr/src/sys/net/route/route_ctl.c:139
#11 destroy_rtentry_epoch (ctx=0xfffff800146278e0)
    at /usr/src/sys/net/route/route_ctl.c:159
#12 0xffffffff80c51e2a in epoch_call_task (arg=<optimized out>)
    at /usr/src/sys/kern/subr_epoch.c:816
#13 0xffffffff80c55b1d in gtaskqueue_run_locked (
    queue=queue@entry=0xfffff8000332b900)
    at /usr/src/sys/kern/subr_gtaskqueue.c:371
#14 0xffffffff80c557bc in gtaskqueue_thread_loop (arg=<optimized out>, 
    arg@entry=0xfffffe0044f09008) at /usr/src/sys/kern/subr_gtaskqueue.c:547
#15 0xffffffff80bc7c0e in fork_exit (
    callout=0xffffffff80c55710 <gtaskqueue_thread_loop>, 
    arg=0xfffffe0044f09008, frame=0xfffffe0044dd6c00)
    at /usr/src/sys/kern/kern_fork.c:1069
#16 <signal handler called>
(kgdb)
