Web GUI crashes after upgrade from 22.05 to 23.01

jjstecchino · Jan 15, 2023, 7:24 PM

Here is what I did once I had physical access to my remote pfsense:

Reinstalled 2.6CE from scratch, kept default config but set LAN ipv4 to my network ip xxx.xxx.50.0/24. Lets call this my now local LAN
Updated to plus 22.01, kept default config
Updated to plus 22.05, default config
Updated to 23.01, default config.
Created ipsec vpn tunnel to my primary firewall. Lets call this the now remote LAN with ip xxx.xxx.100.0/24
Created a domain override on unbound to forward dns request for the domain on remote network.
I could ping remote hosts from my local clients but not from pfsense so ....
I needed to add a gateway to the remote network with a static route to xxx.xxx.100.0
IPSEC VPN working properly, can access remote network from any local clients and from pfsense.
Access to the local pfsense GUI gives no problems.
Connected to a windows pc on the xxx.xxx.100.0 network and tried to access the pfsense GUI on xxx.xxx.50.0 network and as before pfsense has a kernel fault.
restored my configuration file which adds a few DHCP static mapping
Installed debug kernel
rebooted to debug kernel
Retried to connect to the pfsense guy from the remote pc
kernel fault, I see the kernel dump in the local console

in /var/crash there is a text dump.tar.0 but no vmcore dump

Anything else I can do to help troubleshooting?

textdump.tar

jjstecchino · Jan 14, 2023, 6:02 PM

@stephenw10 @gimp

Looking at the debug trace

Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address	= 0x0
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff81334a0a
stack pointer	        = 0x28:0xfffffe00d2378560
0xffffffff80fbe3c4 at tcp_defauframe pointer	        = 0x28:0xfffffe00d2378560
lt_output+0x2094
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
#10 0xffffffff80fd406e at tcp_usr_ready+0x11e
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 36274 (nginx)
#11 0xffffffff80d7e39e at sendfile_iodone+0x23e
rdi: fffff80106c34113 rsi:                0 rdx:              42c
#12 0xfffffffrcx:              42c  r8:                1  r9: fffff80106c61e00
f80d7db68 at vn_sendfile+0x1868
rax: fffff80106c34113 rbx: fffff8005f313100 rbp: fffffe00d2378560
#13 0xffffffff80d7e877 at %[sys_sendfile]+0xf7
r10:                1 r11:                0 r12: fffff80106c61e00
#14 0xffffffff813393be at amd64_syscall+0x12e
r13:                0 r14: fffff8005f2a5e00 r15:                1
#15 0xffffffff8130c72b at fast_sytrap number		= 12
panic: page fault
cpuid = 2
time = 1673708059
KDB: enter: panic

it seems sendfile may be causing the fault.

Just to try I disabled sendfile in nginx configuration by editing /etc/inc/system.inc -> function system_generate_nginx_config and set sendfile to off.

This solves the issue.

Now I can access the GUI remotely without kernel faults

Interesting the other firewall (Xeon D-1518 32Gb Ram) doesn't have a problem with sendfile on

Another workaround is to set the sysctl kern.ipc.mb_use_ext_pgs = 0 and leave sendfile on in nginx config.

This solves the issue as well.

It seems to be related to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254419 which was marked as fixed

stephenw10 · Jan 15, 2023, 1:13 PM

Ah, these are some nice findings, good job.
I'll get this to the developer who is looking at it.

jjstecchino · Jan 16, 2023, 2:16 PM

@stephenw10 @gimp

On further exploring the sysctl kern.ipc.mb_use_ext_pgs enables or disables the use of unmapped mbufs by sendfile(2) and other kernel functions.
Unmapped mbuffs can hold multiple pages of data in a single mbuff and are helpful in reducing cpu utilization https://reviews.freebsd.org/D20616.

For a NIC to use unmapped mbuffs the driver has to support this capability.
ifconfig will show NOMAP in the options flags if the driver offer unmapped mbuff support.

Checking both my firewalls, the one that faults uses the igb driver for its nic. This driver supports NOMAP.

The other firewall which doesn't fault uses the ix driver which also supports NOMAP but maybe a different implementation.

For me to fix the kernel fault it is either to disable sendfile on nginx, disable the use of unmapped mbuffs altogether or possibly disable the use of unmapped mbuffs on the nic with ifconfig -mextpg flag (did not test this).

In pfsense use scenario, the use of unmapped mbuffs may be useful to reduce load on the cpu and possibly beneficial to allow faster data move by the nic driver, so I would be reluctant to disable unmapped mbuffs altogether.

On the other hand, nginx in pfsense is not a high traffic web server as it just serves the GUI to a few users. In this scenario disabling the sendfile optimization would not make a difference and may avoid a kernel fault in few edge cases like mine.

This may be the preferred route, imo, until the issue is sorted out on freebsd 14.

Interestingly on pfsense 22.05 with freebsd 13 nginx has sendfile on, however the igb driver doesn't show the NOMAP capability flag

ifconfig igb1
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>

whereas in 23.01 the NOMAP capability is supported by the nic driver:

ifconfig igb1
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: LAN
	options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

Hope this helps reproducing the kernel fault. This is as far as my ability allows me to help. I wouldn't know how to submit bugs to the freebsd team.

I did not investigate the impact that the use of using ipsec may have but surely it is part of the problem as the fault happened only when accessing the pfsense GUI through the ipsec vpn, but didn't occur when accessing the GUI locally.

This bug may be difficult to reproduce as it may involve the interplay of a specific nic driver, ipsec and kernel optimizations which may be automatically enabled or disabled on specific hardware.

I wish I would have been able to get a full kernel core dump but even using the debug kernel package I get only the textdump in /var/crash.

stephenw10 · Jan 16, 2023, 2:18 PM

Mmm, yeah, a number of moving parts there. Hard to see why ipsec would trigger it...

I'll wait to see what out developers think. At least there's relatively simple workaround with that sysctl though.

Steve

jjstecchino · Jan 16, 2023, 2:28 PM

@stephenw10
Yeah but that disables a kernel wide optimization that may be important to allow better handling of network traffic by the firewall. Turning off the sendfile optimization on nginx may be a better option as what it does is allows direct move of a file data to a tcp socket without copying to a memory buffer first. This is important for a high traffic web server but overall irrelevant for pfsense.

As more people will start to use pfsense 23.xx with freebsd 14 this bug may start to affect others as well.

Setting sysctl kern.ipc.mb_use_ext=0 would allow seamlessly updates if sendfile remains set to on on nginx config but it would turn off an important kernel optimization.

I would respectfully suggest to consider turning off sendfile in nginx config instead.

jimp · Jan 16, 2023, 3:36 PM

I do have one box here with igb and NOMAP showing (A Netgate 7551), but so far I haven't been able to make it crash.

That said, the only IPsec tunnel I have on there that is testable without some work is VTI, not tunnel mode.

I'll see if I can rig up a tunnel mode test on there.

jimp · Jan 16, 2023, 3:49 PM

Setup a tunnel and still no crash. I can reach the GUI LAN to LAN with a full browser and it appears to be working fine.

Do you have something enabled on the dashboard that might be contributing? Maybe the picture widget with a large image?

Usually the web server wouldn't be using sendfile for much on pfSense since it doesn't have many static things to serve and typically that gets kicked in for stuff like large pictures.

jjstecchino · Jan 16, 2023, 3:55 PM

@jimp No, this happened also with a bare bone default config no widgets. Clean install and ipsec tunnel vpn

jimp · Jan 16, 2023, 3:56 PM

Curious. I even tried downloading a status output and some config backups with RRD (~4MB) but it keeps chugging along.

I tried with no crypto acceleration and also with QAT enabled.

There may be something specific to that exactl igb card that is different than mine.

jjstecchino · Jan 16, 2023, 4:00 PM

@jimp my nic is <Intel(R) I211 (Copper)> port 0xd000-0xd01f mem 0xf7200000-0xf721ffff,0xf7220000-0xf7223fff at device 0.0 on pci2

jimp · Jan 16, 2023, 4:05 PM

Yeah, that's quite a bit different from this one.

igb0@pci0:0:20:0:       class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1f41 subvendor=0x8086 subdevice=0x1f41
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection I354'
    class      = network
    subclass   = ethernet
    bar   [10] = type Memory, range 64, base 0xdfe60000, size 131072, enabled
    bar   [18] = type I/O Port, range 32, base 0xf0c0, size 32, enabled
    bar   [20] = type Memory, range 64, base 0xdff2c000, size 16384, enabled

I thought I had something around with an i211, but nope. I have some i210 devices but they aren't running pfSense.

jjstecchino · Jan 16, 2023, 4:18 PM

@jimp On my setup hardware acceleration (only ads-ni available) on or off doesn't make a difference.

Nginx sendfile in my case seems to be the culprit as if I set it to off, it solves the problem.

jimp · Jan 16, 2023, 4:20 PM

Right, I just tested that in case it was relevant since it seems to be sendfile in some combination with IPsec and your hardware since it works locally.

jjstecchino · Jan 16, 2023, 5:15 PM

@jimp Can it be related to this bug ?

jimp · Jan 16, 2023, 5:59 PM

It's possible, though hard to say for sure. It seems similar at least.

Dyk Evans · Feb 6, 2023, 3:00 AM

@jimp

I am having this exact same issue… just upgraded both my home and remote firewalls to the RC and now when I try to access either web gui over IPsec it immediately crashes the remote side.

jjstecchino · Feb 6, 2023, 3:08 PM

@dyk-dike
Would you mind posting the output of dmesg on the crashing firewall? I would like to compare your hardware to mine to see if there are any common threads that may help sorting out or reproducing the issue.
For the time being I patched the problem by disabling sendfile on nginx in the remote firewall

jimp · Feb 6, 2023, 2:24 PM

Also it would help to have the full textdump archive from any firewall that encounters this, will make getting the details and comparing easier.

If you are on 23.01 and can easily reproduce it, you may also want to install and boot from the debug kernel and try to trigger the crash, which will include a lot more detail in the backtrace.

And then you can use the System Patches package package to disable sendfile:

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index d36efc2fca..b7cda99366 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1380,7 +1380,7 @@ http {
        add_header X-Frame-Options SAMEORIGIN;
        server_tokens off;
 
-       sendfile        on;
+       sendfile        off;
 
        access_log      syslog:server=unix:/var/run/log,facility=local5 combined;

After applying that patch, use the console menu option to restart the GUI (11).

Dyk Evans · Feb 6, 2023, 3:08 PM

@jjstecchino
is this how I disable sendfile
kern.ipc.mb_use_ext_pgs=0