Help Understanding a Crash [kernel panic]

None 0

oh man
I knew if this was the case, the other process shouldn't still be running after the restart, but anyway:
/usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_25400_igb1/suricata.yaml --pidfile /var/run/suricata_igb125400.pid
Only this one now.

You are running 2.5.2 RELEASE, so you don't have access to the latest Suricata updates with the new 6.0.3 binary. It will be interesting to see how that update performs for you when it becomes available.

I'm looking forward to the release! Unfortunatly I can't move to devel and try it right now, but I will update this topic (if possible) when I do.

Thanks again, @bmeeks!

None 0

Had another crash today :/
Same reason. Should I uninstall n install Suricata again?

bmeeks

@none-0 said in Help Understanding a Crash [kernel panic]:

Had another crash today :/
Same reason. Should I uninstall n install Suricata again?

No, uninstalling and then reinstalling the exact same binary will not likely have any effect on that error.

It is likely a problem within the compiled binary code, and the exact same code will get installed again if you remove and reinstall the package. The only way to have a meaningful test would be to move to the 2.6.0 snapshot branch and install the newer Suricata from there. That package has a completely different binary in it.

In my experience with that error, I have not seen it cause a kernel panic, but that does not mean it couldn't. Maybe it is tickling something in your system just right such that it triggers the crash. My suspicion is multithreaded access to the single pair of netmap RX/TX rings exposed by the host stack in the older netmap API used by Suricata in pfSense CE and pfSense+ RELEASE versions today. There is new code to address that in the 6.0.3 Suricata package currently available in the 2.6.0 Snapshots branch.

None 0

@bmeeks Just thought it could be a problem with my installation, but it doesn't seem to make sense...
Alright, disabled blocking, and gonna try the DEV branch when I have time.

Thanks!

bmeeks

@none-0 said in Help Understanding a Crash [kernel panic]:

@bmeeks Just thought it could be a problem with my installation, but it doesn't seem to make sense...
Alright, disabled blocking, and gonna try the DEV branch when I have time.

Thanks!

If you are using Legacy Blocking Mode, then netmap is 100% completely and totally out of the picture. You should never see a netmap_ring_reinit() error in Legacy Mode. The only way to see that error is if something is still running with the netmap kernel device. If you are still getting kernel crashes and not using Inline IPS Mode on any interface, then Suricata is not the root cause of the problem.

Everything I mentioned above about the new Suricata in the Snapshots branch only applies when using Inline IPS Mode.

None 0

@bmeeks
My mistake, there's no netmap_ring_reinit this time:

<6>arp: 192.168.0.30 moved from 00:1d:60:7d:8c:61 to 00:05:4b:04:5e:7c on igb1
<6>arp: 192.168.0.39 moved from 00:22:15:6c:eb:96 to 00:e0:53:0b:40:f8 on igb1
<6>pid 18785 (grep), jid 0, uid 0: exited on signal 10 (core dumped)
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP
<6>arp: 192.168.0.30 moved from f4:6d:04:e4:84:54 to 00:05:4b:04:5e:7c on igb1
<6>igb1: promiscuous mode disabled
<6>igb1: promiscuous mode enabled
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP
<6>igb1: link state changed to DOWN
<6>igb1: link state changed to UP


Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address	= 0xffff
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff83cf7396
stack pointer	        = 0x28:0xfffffe0089906ac0
frame pointer	        = 0x28:0xfffffe0089906ac0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 19 (dp_zil_clean_taskq_)
trap number		= 12
panic: page fault
cpuid = 2
time = 1630329038
KDB: enter: panic

So as you said, this is not related at all with Suricata. netmap is out.

Ok, so in this log there'r "promiscuous mode" changes, and even if that is normal, I uninstalled darkstat anyway.

Now the only other pkg installed is pfBlockerNG-devel. Let's see if my system will crash again in the next days....

Thanks.

stephenw10

You have the backtrace from the crash report?

None 0

@stephenw10 Hi! Yes, here: ddb.txt

stephenw10

Mmm, well very similar but not identical:

db:0:kdb.enter.default>  bt
Tracing pid 40766 tid 100593 td 0xfffff8013f829740
kdb_enter() at kdb_enter+0x37/frame 0xfffffe00910f4530
vpanic() at vpanic+0x197/frame 0xfffffe00910f4580
panic() at panic+0x43/frame 0xfffffe00910f45e0
trap_fatal() at trap_fatal+0x391/frame 0xfffffe00910f4640
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00910f4690
trap() at trap+0x286/frame 0xfffffe00910f47a0
calltrap() at calltrap+0x8/frame 0xfffffe00910f47a0
--- trap 0xc, rip = 0xffffffff8120874b, rsp = 0xfffffe00910f4870, rbp = 0xfffffe00910f4880 ---
vm_radix_remove() at vm_radix_remove+0x1b/frame 0xfffffe00910f4880
vm_page_free_prep() at vm_page_free_prep+0x55/frame 0xfffffe00910f48a0
vm_page_free_toq() at vm_page_free_toq+0x12/frame 0xfffffe00910f48d0
vm_object_page_remove() at vm_object_page_remove+0x61/frame 0xfffffe00910f4930
vm_map_entry_delete() at vm_map_entry_delete+0x104/frame 0xfffffe00910f4980
vm_map_delete() at vm_map_delete+0x184/frame 0xfffffe00910f49e0
vm_map_remove() at vm_map_remove+0xab/frame 0xfffffe00910f4a10
vmspace_exit() at vmspace_exit+0xcb/frame 0xfffffe00910f4a50
exit1() at exit1+0x55b/frame 0xfffffe00910f4ab0
sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe00910f4ac0
amd64_syscall() at amd64_syscall+0x387/frame 0xfffffe00910f4bf0
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00910f4bf0
--- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x800c2a00a, rsp = 0x7fffffffec38, rbp = 0x7fffffffec50 ---

What is that running on?

None 0

@stephenw10

What is that running on?

Sorry, what you mean?

bmeeks

@none-0 said in Help Understanding a Crash [kernel panic]:

@stephenw10

What is that running on?

Sorry, what you mean?

I suspect he means what type of hardware -- Netgate appliance (and if so, which model, as different models have different CPU families) or generic Intel/AMD hardware.

None 0

@bmeeks @stephenw10

It's a generic Intel box:
CPU: i3-4170
RAM: Kingston 2x8GB
Mobo: Asus (don't remember the model, but I can check)
Network adp: Intel I350-T4V2

stephenw10

Mmm, well I would be running a RAM test there when you can to be sure it's not hardware issue.
Though it seems far too similar to be a RAM error which is usually pretty random.

None 0

@stephenw10 I think I ll buy a new stick... Memory tests work sometimes, but for intermittent problems I would possible need to run them for days...
I can do the tests with more time, and use them elsewhere if happens to be no problem with.

A single module would do the trick, or dual channel benefits pfsense? I mean, it won't use the bandwidth, but latency is better in dual too... What do you guys think?

stephenw10

Unlikely to make much difference IMO. For a test it doesn't really matter anyway.

Steve

None 0

Hello,

Just to update about the crashs: they didn't happen again.
Also, I've being using Suricata 6.0.3 release since than, and no netmap issues

So, I changed my RAM, and tested the old ones:
24H of MemTest86+ and at least 5hrs of GoldMemory (not the best tests, but still), resulted in not a single red flag for them (tested individually), AND I'm using them on other Win machines withouth BSOD or anything in the logs.

I already saw RAM tests failing to detect problems, so based on what you explained, I'm assuming that both 1 - the issue with Suricata's Multithreading ring access, and 2 - darkstat, were hitting some intermittent problem, that I could not with tests and other OS.

Anyway, thank you for helping me out solving this. Really appreciate @stephenw10 and @bmeeks !