Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 3 Aug 2002 19:05:08 +0300
From:      "Valentine Zaretsky" <valik@apex.dp.ua>
To:        <ipfw@freebsd.org>
Cc:        "Luigi Rizzo" <rizzo@icir.org>
Subject:   ipfw2 & dummynet
Message-ID:  <007601c23b07$8c667550$226e03d4@zhome>
next in thread | raw e-mail | index | archive | help 
This is a multi-part message in MIME format.

------=_NextPart_000_0073_01C23B20.AF580A10
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi,

Playing with ipfw2 in -stable (last time cvsup'ed yesterday), I found a =
bug when using dummynet pipes and queues

Here is the simplest example to repeat it:

ipfw pipe 1 config bw 20KBytes/s
ipfw add 400 pipe 1 ip from any to me

The first packet matching rule 400 leads to kernel panic caused by =
"division by zero"

Analyzing crashdump with gdb, I found that it happens in the following =
code in /usr/src/sys/netinet/ip_dummynet.c:
(lines 1198-1205)
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
        if (DN_KEY_GT(q->S, q->F)) { /* means timestamps are invalid */
            q->S =3D pipe->V ;
            pipe->sum +=3D fs->weight ; /* add weight of new queue */
        } else {
            heap_extract(&(pipe->idle_heap), q);
            q->S =3D MAX64(q->F, pipe->V ) ;
        }
        q->F =3D q->S + ( len<<MY_M )/(u_int64_t) fs->weight;     =20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D

So the weight is 0 when it should be 1.=20
And it's not quite understood why should this code execute at all? There =
is no queues (only simple pipe, so "is_pipe" should be 1)

Adding dumb "if(fs->weight=3D=3D0) fs->weight=3D1;" before the code =
above, fixes this kernel panic.

I think it could/should be fixed a little smarter ;)

--
With best regards, Valentine Zaretsky



------=_NextPart_000_0073_01C23B20.AF580A10
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2713.1100" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT size=3D2>Hi,</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Playing with ipfw2 in -stable (last time cvsup'ed =
yesterday),=20
I found a bug when using dummynet pipes and queues</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Here is the simplest example to repeat =
it:</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>ipfw pipe 1 config bw 20KBytes/s</FONT></DIV>
<DIV><FONT size=3D2>ipfw add 400 pipe 1 ip from any to me</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>The first packet matching&nbsp;rule 400 leads to =
kernel=20
panic&nbsp;caused by "division&nbsp;by zero"</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Analyzing crashdump with gdb, I found that it =
happens in the=20
following code in /usr/src/sys/netinet/ip_dummynet.c:</FONT></DIV>
<DIV><FONT size=3D2>(lines 1198-1205)</FONT></DIV>
<DIV><FONT =
size=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D</FONT></DIV>
<DIV><FONT size=3D2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if=20
(DN_KEY_GT(q-&gt;S, q-&gt;F)) { /* means timestamps are invalid=20
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
q-&gt;S=20
=3D pipe-&gt;V=20
;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
pipe-&gt;sum +=3D fs-&gt;weight ; /* add weight of new queue=20
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else=20
{<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
heap_extract(&amp;(pipe-&gt;idle_heap),=20
q);<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
=20
q-&gt;S =3D MAX64(q-&gt;F, pipe-&gt;V )=20
;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
}<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q-&gt;F =3D q-&gt;S + (=20
len&lt;&lt;MY_M )/(u_int64_t) =
fs-&gt;weight;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
</FONT></DIV>
<DIV><FONT size=3D2>
<DIV><FONT =
size=3D2>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D</FONT></DIV></FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>So the weight is 0 when it should be 1. =
</FONT></DIV>
<DIV><FONT size=3D2>And it's not quite understood why should this=20
code&nbsp;execute at all?&nbsp;There is no queues (only simple =
pipe,&nbsp;so=20
"is_pipe" should be 1)</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Adding&nbsp;dumb "if(fs-&gt;weight=3D=3D0) =
fs-&gt;weight=3D1;"=20
before&nbsp;the code&nbsp;above, fixes this kernel panic.</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>I&nbsp;think&nbsp;it could/should be fixed&nbsp;a =
little=20
smarter&nbsp;;)</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>--</FONT></DIV>
<DIV><FONT size=3D2>With best regards, Valentine Zaretsky</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0073_01C23B20.AF580A10--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?007601c23b07$8c667550$226e03d4>