From olgeni@uli.it  Tue Jun 27 05:13:31 2000
Return-Path: <olgeni@uli.it>
Received: from vega.uli.it (vega.uli.it [62.212.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id F3DCE37B5E4
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 27 Jun 2000 05:13:29 -0700 (PDT)
	(envelope-from olgeni@uli.it)
Received: from dev1.localdomain.net (ippp10.mi.uli.it [62.212.5.70])
	by vega.uli.it (Postfix) with ESMTP id A2F8D3B013
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 27 Jun 2000 14:13:26 +0200 (CEST)
Message-Id: <Pine.LNX.4.21.0006271411001.1699-100000@dev1.localdomain.net>
Date: Tue, 27 Jun 2000 14:12:05 +0200 (CEST)
From: Jimmy Olgeni <olgeni@uli.it>
To: FreeBSD-gnats-submit@freebsd.org
Subject: panic in delete_pipe (ipfw pipe delete)

>Number:         19544
>Category:       kern
>Synopsis:       panic in delete_pipe
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 27 05:20:00 PDT 2000
>Closed-Date:    Tue Jul 18 00:49:21 PDT 2000
>Last-Modified:  Tue Jul 18 00:49:51 PDT 2000
>Originator:     Jimmy Olgeni
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
Colby
>Environment:
Kernel that supports dummynet.

>Description:
If there are no dummynet pipes configured in the system, an attempt to delete
any pipe with "ipfw pipe delete" will result in a kernel panic (trap 12).

(kgdb) up
#3  0xc032fe09 in trap_pfault (frame=0xc64a0d58, usermode=0, eva=0)
    at ../../i386/i386/trap.c:820
820                     trap_fatal(frame, eva);
(kgdb) up
#4  0xc032f9c3 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -968225348, tf_esi = 0, tf_ebp = -968225368,
      tf_isp = -968225404, tf_ebx = -1058306304, tf_edx = -968232960,
      tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071642696, tf_cs = 8, tf_eflags = 66182, tf_esp = -968225348,
      tf_ss = 0}) at ../../i386/i386/trap.c:426
426                             (void) trap_pfault(&frame, FALSE, eva);
(kgdb) up
#5  0xc02007b8 in delete_pipe (p=0xc64a0dbc)
    at ../../netinet/ip_dummynet.c:1559
1559                all_pipes = b->next ;
(kgdb) print b
$1 = (struct dn_pipe *) 0x0
^^^^^^^^^^^^^^^^^^^^^^^^^^^
(kgdb) up
#6  0xc0200c32 in ip_dn_ctl (sopt=0xc64a0f14)
    at ../../netinet/ip_dummynet.c:1750
1750            error = delete_pipe(p);
(kgdb) print p
$2 = (struct dn_pipe *) 0xc64a0dbc
(kgdb)

>How-To-Repeat:
As root, run:

# ipfw pipe show
[to check that the pipe list is really empty]
# ipfw pipe delete 1
[panic]


>Fix:
>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/19544: panic in delete_pipe (ipfw pipe delete)
Date: Fri, 14 Jul 2000 17:18:13 +0300

 The attached patch solves this problem for me.  I think that with the
 upcoming 4.1-release, it would be nice if the kernel panicked on one
 less occasion ;) Granted, this panic only comes as a result of an
 incorrect ipfw command, but how long ago was the last time you
 issued a command out of sequence?
 
 G'luck,
 Peter
 
 ----------------------------------------------
 Hey, out there - is it *you* reading me, or is it someone else?
 
 diff -c src/sys/netinet/ip_dummynet.c mysrc/sys/netinet/ip_dummynet.c
 *** src/sys/netinet/ip_dummynet.c	Tue Jun 27 18:40:50 2000
 --- mysrc/sys/netinet/ip_dummynet.c	Tue Jun 27 18:35:11 2000
 ***************
 *** 1546,1551 ****
 --- 1546,1554 ----
   	struct dn_pipe *a, *b;
   	struct dn_flow_set *fs;
   
 + 	if (all_pipes == NULL)
 + 	    return EINVAL; /* no pipes defined, nothing to do */
 + 
   	/* locate pipe */
   	for (a = NULL , b = all_pipes ; b && b->pipe_nr < p->pipe_nr ;
   		 a = b , b = b->next) ;
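Review bot: The `all_pipes == NULL` guard added ahead of the "locate pipe" loop covers only the empty list. The loop condition `b && b->pipe_nr < p->pipe_nr` also leaves b NULL when pipes exist but all of them have a lower number than the one requested, so whatever follows the loop still has to test b before using it. A check after the loop, such as `if (b == NULL || b->pipe_nr != p->pipe_nr) return EINVAL;`, would handle both cases and make the early return unnecessary.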
 ***************
 *** 1581,1586 ****
 --- 1584,1592 ----
   	    free(b, M_IPFW);
       } else { /* this is a dummynet queue (dn_flow_set) */
   	struct dn_flow_set *a, *b;
 + 
 + 	if (all_flow_sets == NULL)
 + 	    return EINVAL; /* no flow sets defined, nothing to do */
   
   	/* locate set */
   	for (a = NULL, b = all_flow_sets ; b && b->fs_nr < p->fs.fs_nr ;
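Review bot: In the new `all_flow_sets == NULL` guard, the comment "nothing to do" does not match returning EINVAL, which reports an error to the caller; word it as "flow set not found", or return 0 if an empty list is really meant to be a no-op. The guard also has the same gap as the one in the pipe branch: the loop `b && b->fs_nr < p->fs.fs_nr` can end with b NULL on a non-empty list, so a test on b after the loop is still needed.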
 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Jul 17 10:01:56 PDT 2000 
Responsible-Changed-Why:  
Luigi, are you going to have time to look at this for  
4.1-RELEASE? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19544 
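
The lookup that faulted in the backtrace above, reduced to a user-space C model (an added example, not the FreeBSD source or the submitted patch; `struct pipe`, `pipe_add` and `pipe_delete` are hypothetical names). It places the not-found test after the scan, which covers the empty list from this PR as well as a number past the tail or in a gap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct dn_pipe: only what the lookup needs. */
struct pipe {
    int pipe_nr;
    struct pipe *next;
};

/* Insert a pipe, keeping the list sorted by ascending pipe_nr. */
int pipe_add(struct pipe **head, int nr)
{
    struct pipe **pp = head, *n;
    while (*pp != NULL && (*pp)->pipe_nr < nr)
        pp = &(*pp)->next;
    if ((n = malloc(sizeof(*n))) == NULL)
        return ENOMEM;
    n->pipe_nr = nr;
    n->next = *pp;
    *pp = n;
    return 0;
}

/*
 * Delete pipe nr. The scan ends at the first entry numbered >= nr, or at
 * NULL. NULL means an empty list or that every pipe has a lower number,
 * so a single test after the loop covers both before b is dereferenced.
 */
int pipe_delete(struct pipe **head, int nr)
{
    struct pipe *a, *b;
    for (a = NULL, b = *head; b != NULL && b->pipe_nr < nr; a = b, b = b->next)
        continue;
    if (b == NULL || b->pipe_nr != nr)
        return EINVAL;      /* not found */
    if (a == NULL)
        *head = b->next;    /* counterpart of "all_pipes = b->next" */
    else
        a->next = b->next;
    free(b);
    return 0;
}

int main(void)
{
    struct pipe *head = NULL;   /* empty list, as in the PR's reproduction */
    return pipe_delete(&head, 1) == EINVAL ? 0 : 1;
}
```
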

From: Jimmy Olgeni <olgeni@uli.it>
To: freebsd-gnats-submit@FreeBSD.org, olgeni@uli.it
Cc:  
Subject: Re: kern/19544: panic in delete_pipe
Date: Tue, 18 Jul 2000 01:24:25 +0200

 Out of sequence? Who? Me? :-) Well, I did... "something" in my firewall
 script that caused this kind of panic, and this was the simpler way to
 reproduce it... anyway, it works now!
 
 Thanks!
 
 bye
   Jimmy
 

From: Jimmy Olgeni <olgeni@uli.it>
To: freebsd-gnats-submit@FreeBSD.org, olgeni@uli.it
Cc:  
Subject: Re: kern/19544: panic in delete_pipe
Date: Tue, 18 Jul 2000 01:47:03 +0200

 ... 5 minutes later the kernel locked up solid while receiving data via
 pipe: I ran a script that did a "ipfw -f flush" and "ipfw pipe 1 config
 bw 1024b/s", maybe dummynet doesn't like if you remove pipes while it is
 using them?
 
 I was under X, I don't know if the kernel tried to save core (but the
 hard disk LED was off).
 
 bye 
   Jimmy
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Jul 18 00:49:21 PDT 2000 
State-Changed-Why:  
Luigi has fixed this in HEAD and RELENG_4 and has asked me to close 
this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19544 
>Unformatted:
