From owner-freebsd-bugs Wed Mar 31 4:50:29 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 67D4515C81
	for ; Wed, 31 Mar 1999 04:50:18 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.2/8.9.2) id EAA06967;
	Wed, 31 Mar 1999 04:50:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from spider.cris.net (spider.cris.net [212.110.128.65])
	by hub.freebsd.org (Postfix) with ESMTP id 0E3F5152BB
	for ; Wed, 31 Mar 1999 04:39:02 -0800 (PST)
	(envelope-from maxim@bird.cris.net)
Received: from bird.cris.net (bird.cris.net [212.110.128.67])
	by spider.cris.net (8.8.8/8.8.8) with ESMTP id PAA15732
	for ; Wed, 31 Mar 1999 15:38:20 +0300 (EET DST)
Received: (from maxim@localhost)
	by bird.cris.net (8.9.2/8.9.2) id PAA01971;
	Wed, 31 Mar 1999 15:37:15 +0400 (MSD)
	(envelope-from maxim)
Message-Id: <199903311137.PAA01971@bird.cris.net>
Date: Wed, 31 Mar 1999 15:37:15 +0400 (MSD)
From: maxim@cris.crimea.ua
Reply-To: maxim@cris.crimea.ua
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/10889: kernel panics during ipfw flush with dummynet pipes configured
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 10889
>Category: kern
>Synopsis: kernel panics during ipfw flush with dummynet pipes configured
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 31 04:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Maxim A. Shwets
>Release: FreeBSD 3.1-RELEASE i386
>Organization: CRIS
>Environment: i386
>Description:
Kernel sometimes panics during execution of ipfw flush with dummynet pipes configured.
>How-To-Repeat:
Configure pipe, then generate traffic that follows through this pipe.
Do ipfw flush and reconfigure pipe. After several tries kernel panics.
>Fix:
The problem is in flush routine of ip_fw implementation and flush operation of ipfw. When rules are flushed and there are packets in pipe's queues, some fields, i.e. pointer to matched rule, become invalid. During later processing of these packets by dummynet this causes accessing memory at wrong location. I suggest two patches. One for ip_fw.c in kernel sources and one for ipfw.c. Kernel patch simply removes pointers to matched rule for all queued packets in pipe's queue if rule for this pipe is deleted during flush process. Here it is:

*** ip_fw.c.orig Wed Mar 31 15:02:24 1999 --- ip_fw.c Wed Mar 31 11:31:56 1999 *************** *** 1165,1170 **** --- 1165,1173 ---- fcp = ip_fw_chain.lh_first) { s = splnet(); LIST_REMOVE(fcp, chain); + #ifdef DUMMYNET + dn_rule_delete(fcp); + #endif FREE(fcp->rule, M_IPFW); FREE(fcp, M_IPFW); splx(s);

The second patch for ipfw.c enables new command: ipfw pipe flush, which first flushes rules and then flushes pipes. Here it is:

*** ipfw.c.orig Wed Mar 31 15:04:31 1999 --- ipfw.c Wed Mar 31 11:35:49 1999 *************** *** 1441,1446 **** --- 1441,1449 ---- if ( do_flush ) { if (setsockopt(s,IPPROTO_IP,IP_FW_FLUSH,NULL,0) < 0) err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_FLUSH"); + if (do_pipe) + if (setsockopt(s,IPPROTO_IP,IP_DUMMYNET_FLUSH,NULL,0) < 0) + err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_DUMMYNET_FLUSH"); if (!do_quiet) printf("Flushed all rules.\n"); }

>Release-Note:
>Audit-Trail:
>Unformatted:
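
Review bot: the dn_rule_delete(fcp) call in the ip_fw.c hunk covers only the flush loop, while the stale pointer described in the report arises whenever a rule with queued packets is freed. Any other path that does FREE(fcp->rule, M_IPFW), single-rule deletion for instance if it frees rules the same way, needs the same call before the FREE, or the scrub should live in one helper that every removal path goes through. The placement here, after LIST_REMOVE and inside the splnet()/splx() section, looks right. The patch shows no declaration for dn_rule_delete; please confirm one is visible to ip_fw.c under #ifdef DUMMYNET and that it expects the chain entry (fcp) rather than fcp->rule.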
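
Review bot: in the ipfw.c hunk the success message is unchanged, so "ipfw pipe flush" still prints only "Flushed all rules." after the pipes have been flushed as well; print a message that mentions pipes when do_pipe is set. The nested "if (do_pipe) if (setsockopt(...) < 0)" has no braces and is easy to misread next to the following "if (!do_quiet)", so brace the do_pipe block. If IP_DUMMYNET_FLUSH fails, err() exits after IP_FW_FLUSH has already succeeded, leaving rules gone and pipes intact; the error text or documentation should say so. The new command also needs a manual page entry, which the patch does not include.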
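
The failure described under >Fix: above, modelled in user space as an added example (not code from the report or from FreeBSD): queued packets keep a pointer to their matched rule, and a flush that frees the rules without clearing those pointers leaves them stale. All struct and function names are hypothetical stand-ins, and scrub_rule_refs only plays the role the report gives dn_rule_delete.

```c
#include <stdlib.h>

/* Simplified user-space stand-ins; every name here is hypothetical. */
struct rule { struct rule *next; };
struct pkt  { struct rule *rule; };  /* queued packet keeps its matched rule */

/* Clear queued references to r (the role the report gives dn_rule_delete). */
static int scrub_rule_refs(struct pkt *q, size_t n, const struct rule *r)
{
    int cleared = 0;
    for (size_t i = 0; i < n; i++)
        if (q[i].rule == r) {
            q[i].rule = NULL;
            cleared++;
        }
    return cleared;
}

/* Free the whole chain; return how many queued packets still point at freed
 * rules. References are counted up front so no stale pointer is ever read. */
static int flush_rules(struct rule **chain, struct pkt *q, size_t n, int scrub)
{
    int stale = 0;
    for (size_t i = 0; i < n; i++)
        stale += (q[i].rule != NULL);
    while (*chain != NULL) {
        struct rule *r = *chain;
        *chain = r->next;                       /* unlink, as LIST_REMOVE does */
        if (scrub)
            stale -= scrub_rule_refs(q, n, r);  /* the step the patch adds */
        free(r);
    }
    return stale;
}

/* Constructed scenario: two rules, three packets queued against them. */
static int run_demo(int scrub)
{
    struct rule *chain = NULL;
    for (int i = 0; i < 2; i++) {
        struct rule *r = malloc(sizeof *r);
        if (r == NULL) abort();
        r->next = chain;
        chain = r;
    }
    struct pkt queue[3] = { { chain }, { chain->next }, { chain } };
    return flush_rules(&chain, queue, 3, scrub);
}

int main(void) { return (run_demo(0) == 3 && run_demo(1) == 0) ? 0 : 1; }
```

A consumer of the queue then has to treat a NULL rule pointer as "rule no longer exists" rather than dereferencing it.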