Loss of RFNMs on ARPAnet hosts (the REAL FIX)
Clyde W. Hoover
clyde at ut-ngp.UTEXAS
Wed Oct 30 01:24:49 AEST 1985
Index: /sys/vaxif/if_acc.c 4.2BSD
APOLOGIA:
The previous fix posted was **** ALL WRONG. ****
My colleague who tracked down this bug did not (by his own admission)
explain the nature of the bug sufficently, hence the wrong
'fix'. This person, who will remain nameless, has suffered
and will continue to suffer the pains of the damned
because *I* ended up looking stupid on USENET. (I know, USENET
is full of stupid-looking people, but I was saving that for
net.singles).
Thanks to Art Berggreen <Art at ACC.ARPA> for his analysis of the
problem (included below) and to my nameless colleagues for spending
hours pouring over logic diagrams to figure out just how this bloody
box works.
NOTE: This is **not applicable** unless the modifications from Chris Kent
(cak at purdue.ARPA, posted 21 March 1984) have been made to
/sys/netinet/tcp_output.c. These modifications advertise a
maximum TCP segment size that is tuned per network interface.
Description:
Connections to certain hosts on the ARPAnet will start failing with
"out of buffer space" messages. Doing a 'netstat -h' shows
that the host (or the gateway to it) has a RFNM count of 8.
The RFNM count never drops below 8 and so the network path is
unusable until the system is rebooted.
The problem lies in the LH/DH-11 IMP interface.
Sometimes, most likely always, it will not set the <END OF MESSAGE>
flag in the control & status register if the input buffer is filled
at the same time that <LAST BIT SIGNAL> from the
IMP comes up.
This causes the LH/DH driver to append the next
incoming message from the IMP to the the previous message.
This process (appending of messages) will continue until
a message SHORTER then the input buffer size is sent --
a RFNM response does nicely.
This results in the LOSS of the succeeding messages (e.g. RFNMs)
since the 1822 protocol handling code expects to get only
<ONE> message from the LH/DH at a time.
This problem happens when the IMP MTU is advertised as the TCP
maximum segment size (as is done by the TCP changes from cak at purdue).
This allows an incoming message to be 1006 + 12 bytes long, which
equals the size of the 1018 byte input buffer in
the IMP (I believe) and so exercises the bug in the LH/DH.
The described problem would appear to happen ONLY if a message
from the IMP is one word longer than the buffer being read into.
When the buffer fills, leaving the data that contains the Last
Bit in the LH/DH data buffer, the Receive DMA terminates and
the EOM flag is NOT ON (because the user has not yet DMA'd
the End-of-Message into memory). What should happen when the
Receive DMA is restarted, is that the remaining word is read into memory
and the DMA should terminate with the EOM flag ON. If when the DMA is
restarted, the internal EOM status is lost, the following message would
be concatenated with the end of previous message.
A better solution than reducing IMPMTU (which doesn't really
fix the problem) would be to use I/O buffers that are slightly
larger than IMPMTU (and of course setting the Receive Byte Counter
to be larger than any expected message).
Fix:
/sys/vaxif/if_acc.c:
163c164
< (int)btoc(IMPMTU)) == 0) {
---
> (int)btoc(IMPMTU+2)) == 0) {
190c191
< addr->iwc = -(IMPMTU >> 1);
---
> addr->iwc = -((IMPMTU + 2) >> 1);
328,330c329,331
< len = IMPMTU + (addr->iwc << 1);
< if (len < 0 || len > IMPMTU) {
< printf("acc%d: bad length=%d\n", len);
---
> len = IMPMTU+2 + (addr->iwc << 1);
> if (len < 0 || len > IMPMTU+2) {
> printf("acc%d: bad length=%d\n", unit, len);
362c363
< addr->iwc = -(IMPMTU >> 1);
---
> addr->iwc = -((IMPMTU + 2)>> 1);
This fix really does the job properly.
--
Shouter-To-Dead-Parrots @ Univ. of Texas Computation Center; Austin, Texas
"All life is a blur of Republicans and meat." -Zippy the Pinhead
clyde at ngp.UTEXAS.EDU, clyde at sally.UTEXAS.EDU
...!ihnp4!ut-ngp!clyde, ...!allegra!ut-ngp!clyde
More information about the Comp.bugs.4bsd.ucb-fixes
mailing list