Date: Wed, 15 Nov 2000 12:46:06 +0100 From: Marko Cuk <cuk@pcx.si> To: freebsd-stable@FreeBSD.ORG Subject: Re: Bridging code in 4.2RC1 still not fixed Message-ID: <3A12777E.DEA187E0@pcx.si>
next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------1DDD82267694B37E3032F085
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
I know, Bosko, that I still didn't send you debugging information about
it, but I'm trying to do that in near future.
Read the following forward, please.
Marko Cuk
--------------1DDD82267694B37E3032F085
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-ID: <3A1273FB.2C1C40A5@pcx.si>
Date: Wed, 15 Nov 2000 12:31:07 +0100
From: Marko Cuk <cuk@pcx.si>
Organization: Pcx computers d.o.o., Tehnika
X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: tmoestl@gmx.net, bmilekic@dsuper.net
Subject: Re: bug in bridging/dummynet code - PR kern/19551 (fwd)
References: <Pine.BSF.4.21.0011150544060.68267-100000@titanic.medinet.si>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Hello !!
I tried that "fix" and maschine is now stable and won't crash, but
dummynet wont work. When I insert rule
ipfw add 5000 pipe 1 tcp from any to any
only ICMP packets goes through, but maschine remains stable.
Can I test something more ? Do you have additional ideas ?
Inform me ASAP.
Regards, Cuk
> Date: Tue, 14 Nov 2000 22:01:17 +0100
> From: Thomas Moestl <tmoestl@gmx.net>
> To: freebsd-net@freebsd.org
> Cc: bmilekic@dsuper.net
> Subject: bug in bridging/dummynet code - PR kern/19551
>
> Hi,
>
> I think I have spotted a bug in the bridge/dummynet code that might be
> responsible for some panics people have reported recently - see e.g.
> PR kern/19551.
> PR kern/21534 seems related and are probably about the same thing,
> PR kern/19488 goes in the same direction.
>
> Bosko, I'm CCing this to you because the PR is currently assigned to
> you.
>
> Here is the relevant section of code from netinet/ip_dummynet.c:402:
>
> #ifdef BRIDGE
> case DN_TO_BDG_FWD : {
> struct mbuf *m = (struct mbuf *)pkt ;
> struct ether_header hdr;
>
> if (m->m_len < ETHER_HDR_LEN
> && (m = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
> m_freem(m);
> break;
> }
> bcopy(mtod(m, struct ether_header *), &hdr, ETHER_HDR_LEN);
> m_adj(m, ETHER_HDR_LEN);
> bdg_forward(&m, &hdr, pkt->ifp);
> if (m)
> m_freem(m);
> }
> break ;
> #endif
>
> Now, pkt is a malloc()ed structure, not an mbuf! Calling m_pullup() on it
> seems defective, at least because m_free may be called in m_pullup(),
> which leaks kernel memory if the freed structure is not an mbuf.
> And of course, the ethernet header should be in the mbuf in pkt->dn_m.
> Should it be:
>
> #ifdef BRIDGE
> case DN_TO_BDG_FWD : {
> struct mbuf *m = (struct mbuf *)pkt ;
> struct ether_header hdr;
>
> if (pkt->dn_m->m_len < ETHER_HDR_LEN
> && (pkt->dn_m = m_pullup(pkt->dn_m, ETHER_HDR_LEN)) == NULL) {
> m_freem(pkt->dn_m);
> break;
> }
> bcopy(mtod(pkt->dn_m, struct ether_header *), &hdr, ETHER_HDR_LEN);
> m_adj(pkt->dn_m, ETHER_HDR_LEN);
> bdg_forward(&m, &hdr, pkt->ifp);
> if (m)
> /* bdg_format will put pkt->dn_m into mbuf into m in our case */
> m_freem(m);
> }
> break ;
> #endif
>
> Hmm, maybe I'm wrong here, but that seems odd to me. Please enlighten
> me! Unfortunetly, I have no machine I could use to test it at the moment.
>
> I just wanted to ask before I add this to the PR.
>
> Sorry if I was wrong,
> - Thomas
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
--------------1DDD82267694B37E3032F085--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A12777E.DEA187E0>