287344 – FBSD 14.2 again panics on sendfile with nginx or lightttpd

Bug 287344 - FBSD 14.2 again panics on sendfile with nginx or lightttpd

Summary: FBSD 14.2 again panics on sendfile with nginx or lightttpd

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	amd64 Any

Importance:	--- Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	crash

Depends on:
Blocks:

Reported:	2025-06-06 13:44 UTC by Michael Meiszl
Modified:	2025-06-06 17:13 UTC (History)
CC List:	4 users (show)

See Also:	217789

Attachments
core dump file (260.31 KB, text/plain) 2025-06-06 13:44 UTC, Michael Meiszl	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Meiszl 2025-06-06 13:44:42 UTC

Created attachment 261035 [details]
core dump file

Installed ngnix binary package (later on tried ports tree, same result).
Tried to download a simple jpg with it.
Kernel panic!
(tried lighttpd late on: SAME EFFECT)
Found the old bug 217789 which seems to do the same.
Tried "sendmail off;" in nginx config: WORKS! (so this is a workaround)

I attach the core file here.

Comment 1 Mark Linimon freebsd_committer

2025-06-06 15:15:33 UTC

^Triage: previously referenced PR was closed via a commit.  So, let's let
this one stand on its own and just put the previous one in See Also.

Comment 2 Michael Meiszl 2025-06-06 15:53:51 UTC

If you need more infos / test or something, just tell me what to do.
The system hardware is quite new, all filesystems are ZFS now.
(The installed and configured programs are already running for 20yrs and more, but all are "recent")

Of course, crashing the box is no fun to me. this is my central router/web server / database server and a lot more.

I guess for more tests I will set up a harmless new system on old hardware. let me check if it happens there too...

Comment 3 Mark Johnston freebsd_committer

2025-06-06 15:57:10 UTC

I guess this is the result of ipfw+unmapped mbufs.  Maybe m_pullup() needs to try to handle unmapped mbufs?

Does the crash occur if you set sysctl kern.ipc.mb_use_ext_pgs=0?

Comment 4 Michael Meiszl 2025-06-06 16:03:11 UTC

Just tested "sysctl kern.ipc.mb_use_ext_pgs=0"
(no clue what it does...)

Anyway, no crash when fetching the pics for now...

That seems to have fixed it.

What to do next (how to make it permanent) ?

Comment 5 Mark Johnston freebsd_committer

2025-06-06 16:07:02 UTC

(In reply to Michael Meiszl from comment #4)
The sysctl disables an optimization such that sendfile no longer uses "unmapped mbufs".  This avoids a problem triggered by ipfw which results in a crash.

The sysctl can be added to /etc/sysctl.conf of course.  I think we should make m_pullup() handle unmapped mbufs, since that's the heart of the problem, but I haven't looked closely.  I hope Gleb can comment further.

Comment 6 Michael Meiszl 2025-06-06 16:10:48 UTC

tnx! this was a super-fast fix/help!

added it to sysctl.conf, so I guess, I am done with it

thanks again!

Comment 7 Gleb Smirnoff freebsd_committer

2025-06-06 17:13:09 UTC

IMHO, the kern.ipc.mb_use_ext_pgs was set 1 to one prematurely.  This is a raw
feature that conflicts not only with ipfw, but with bpf(4), too.  I'm afraid
there are more conflicts :(

We need to make a sweep over many kernel modules to call mb_unmapped_to_ext()
when kernel needs to read into unmapped mbuf.  We also should have a counter to
count such events and provide some kind of feedback to the user that their
setup is not benefiting from unmapped mbufs.