Date: Wed, 31 Mar 1999 15:37:15 +0400 (MSD)
From: maxim@cris.crimea.ua
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/10889: kernel panics during ipfw flush with dummynet pipes configured
Message-ID: <199903311137.PAA01971@bird.cris.net>
>Number: 10889
>Category: kern
>Synopsis: kernel panics during ipfw flush with dummynet pipes configured
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 31 04:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Maxim A. Shwets
>Release: FreeBSD 3.1-RELEASE i386
>Organization: CRIS
>Environment: i386
>Description:
The kernel sometimes panics during execution of ipfw flush with dummynet pipes configured.
>How-To-Repeat:
Configure a pipe, then generate traffic that flows through this pipe. Do ipfw flush and reconfigure the pipe. After several tries the kernel panics.
>Fix:
The problem is in the flush routine of the ip_fw implementation and the flush operation of ipfw. When rules are flushed and there are packets in a pipe's queues, some fields, i.e. the pointer to the matched rule, become invalid. During later processing of these packets by dummynet this causes access to memory at a wrong location. I suggest two patches: one for ip_fw.c in the kernel sources and one for ipfw.c. The kernel patch simply removes the pointers to the matched rule for all queued packets in a pipe's queue if the rule for this pipe is deleted during the flush process. Here it is:
*** ip_fw.c.orig Wed Mar 31 15:02:24 1999 --- ip_fw.c Wed Mar 31 11:31:56 1999 *************** *** 1165,1170 **** --- 1165,1173 ---- fcp = ip_fw_chain.lh_first) { s = splnet(); LIST_REMOVE(fcp, chain); + #ifdef DUMMYNET + dn_rule_delete(fcp); + #endif FREE(fcp->rule, M_IPFW); FREE(fcp, M_IPFW); splx(s);
The second patch, for ipfw.c, enables a new command: ipfw pipe flush, which first flushes rules and then flushes pipes.
Here it is:
*** ipfw.c.orig Wed Mar 31 15:04:31 1999 --- ipfw.c Wed Mar 31 11:35:49 1999 *************** *** 1441,1446 **** --- 1441,1449 ---- if ( do_flush ) { if (setsockopt(s,IPPROTO_IP,IP_FW_FLUSH,NULL,0) < 0) err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_FLUSH"); + if (do_pipe) + if (setsockopt(s,IPPROTO_IP,IP_DUMMYNET_FLUSH,NULL,0) < 0) + err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_DUMMYNET_FLUSH"); if (!do_quiet) printf("Flushed all rules.\n"); }
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
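Review bot: In the ip_fw.c hunk, dn_rule_delete(fcp) is passed the chain entry, and the two lines after it free both fcp->rule and fcp, so the hunk should carry a comment saying which of the two pointers queued dummynet packets hold and that the call must stay ahead of both FREE() calls and inside the splnet() section. The hunk also covers only the flush loop; if a single-rule delete path frees chain entries the same way, it needs the same #ifdef DUMMYNET call, otherwise the stale pointer described in the report stays reachable through that path.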
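Review bot: In the ipfw.c hunk, the do_pipe branch runs after the unconditional IP_FW_FLUSH call, so "ipfw pipe flush" deletes every rule as well as every pipe, yet the message printed is still "Flushed all rules."; mention the pipes in the message when do_pipe is set and document the combined behaviour in the manual page. The nested "if (do_pipe)" / "if (setsockopt(...) < 0)" has no braces; adding them would keep a later else from binding to the wrong if.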
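The stale-pointer condition the report describes, as an added example that is not part of the original report or of the FreeBSD sources: a userland C model in which queued packets keep a pointer to their matched rule and a flush releases the rules. All names (struct rule, struct pkt, detach_rule, stale_after_flush) are hypothetical, and clearing a live flag stands in for FREE() so the model never reads freed memory.

```c
/* Userland model, constructed for illustration; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>

#define NRULES 2
#define NPKTS  4

struct rule { int number; int live; };      /* stand-in for a rule chain entry */
struct pkt  { struct rule *rule; };         /* queued packet keeps its matched rule */

static struct rule rules[NRULES];
static struct pkt  queue[NPKTS];

/* Hypothetical hook: clear the matched-rule pointer of every queued
 * packet that references r, as the report describes for its patch. */
static void detach_rule(struct rule *r)
{
    for (int i = 0; i < NPKTS; i++)
        if (queue[i].rule == r)
            queue[i].rule = NULL;
}

/* Queue packets against the rules, flush all rules, and return how many
 * queued packets still point at a released rule. "live = 0" stands in
 * for FREE() so the model never reads freed memory. */
int stale_after_flush(int detach_first)
{
    int stale = 0;
    for (int i = 0; i < NRULES; i++)
        rules[i] = (struct rule){ 100 * (i + 1), 1 };
    for (int i = 0; i < NPKTS; i++)
        queue[i].rule = &rules[i % NRULES];
    for (int i = 0; i < NRULES; i++) {      /* the flush loop */
        if (detach_first)
            detach_rule(&rules[i]);
        rules[i].live = 0;
    }
    for (int i = 0; i < NPKTS; i++)
        if (queue[i].rule != NULL && !queue[i].rule->live)
            stale++;
    return stale;
}

int main(void)
{
    printf("plain flush:  %d stale pointers\n", stale_after_flush(0));
    printf("detach first: %d stale pointers\n", stale_after_flush(1));
    return 0;
}
```

In the model, a consumer of the queue has to treat a NULL rule pointer as "rule no longer exists" instead of dereferencing it.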