kern/59757: Trap in bridge_input()

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/59757: Trap in bridge_input()
From: gson%gson.org@localhost (Andreas Gustafsson)
Date: Thu, 13 Nov 2025 14:25:00 +0000 (UTC)

>Number:         59757
>Category:       kern
>Synopsis:       Trap in bridge_input()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 13 14:25:00 +0000 2025
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current, source date 2025.10.27.10.29.41
>Organization:
  
>Environment:
System: NetBSD
Architecture: i386
Machine: i386
>Description:

My NetBSD-current/i386 router/firewall/NAT machine paniced with a trap in bridge_input()
and left a crash dump.

  gusev /var/crash # gdb /netbsd
  [...]
  (gdb) target kvm netbsd.15.core
  0xc012cf05 in maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:726
  726			dumpsys();
  (gdb) bt
  #0  0xc012cf05 in maybe_dump (howto=260) at /usr/src/sys/arch/i386/i386/machdep.c:726
  #1  cpu_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0) at /usr/src/sys/arch/i386/i386/machdep.c:747
  #2  0xc0ca27be in kern_reboot (howto=howto@entry=260, bootstr=bootstr@entry=0x0) at /usr/src/sys/kern/kern_reboot.c:91
  #3  0xc0ceac18 in vpanic (fmt=fmt@entry=0xc1219c72 "trap", ap=0xdbb5dd68 "0\336\265\3330\336\265\333\003") at /usr/src/sys/kern/subr_prf.c:288
  #4  0xc0ceaccb in panic (fmt=fmt@entry=0xc1219c72 "trap") at /usr/src/sys/kern/subr_prf.c:209
  #5  0xc0130532 in trap (frame=0xdbb5de30) at /usr/src/sys/arch/i386/i386/trap.c:357
  #6  0xc0125333 in alltraps ()
  #7  0xdbb5de30 in ?? ()
  #8  0xc0db9d48 in bridge_input (ifp=0xc4253004, m=0xc49927cc) at /usr/src/sys/net/if_bridge.c:2051
  #9  0xc0dae6b4 in if_percpuq_softint (arg=0xc4168f20) at /usr/src/sys/net/if.c:849
  #10 0xc0cb15cb in softint_execute (l=0xc3e93300, s=4) at /usr/src/sys/kern/kern_softint.c:602
  #11 softint_dispatch (pinned=0xc3e93040, s=4) at /usr/src/sys/kern/kern_softint.c:848
  #12 0xc0102ab8 in Xsoftintr ()
  #13 0xc3e93040 in ?? ()
  Backtrace stopped: previous frame inner to this frame (corrupt stack?)
  (gdb) frame 8
  #8  0xc0db9d48 in bridge_input (ifp=0xc4253004, m=0xc49927cc) at /usr/src/sys/net/if_bridge.c:2051
  2051				if (bridge_ourether(_bif, eh, 0)) {
  (gdb) print _bif
  $1 = <optimized out>
  (gdb) print eh
  $2 = <optimized out>
  (gdb) print *ifp
  $3 = {if_softc = 0xc4253000, if_list = {tqe_next = 0xc4159004, 
      tqe_prev = 0xc3f0f008}, if_addrlist = {tqh_first = 0xc4252904, 
      tqh_last = 0xc4ab3554}, 
    if_xname = "re0", '\000' <repeats 12 times>, if_pcount = 1, 
    if_bpf = 0x0, if_index = 3, if_timer = 0, if_flags = 35651, 
    if_extflags = 0, if_type = 6 '\006', if_addrlen = 6 '\006', 
    if_hdrlen = 14 '\016', if_link_state = 2, if_mtu = 1500, 
    if_metric = 0, if_baudrate = 1000000000, if_lastchange = {
      tv_sec = 1761732964, tv_nsec = 124392625}, if_stats = 0xc4296680, 
    if_output = 0xc0dbd317 <ether_output>, 
    _if_input = 0xc0db9bb1 <bridge_input>, 
    if_start = 0xc060ddc3 <re_start>, 
    if_transmit = 0xc0dae449 <if_transmit>, 
    if_ioctl = 0xc060cf1e <re_ioctl>, if_init = 0xc060cff6 <re_init>, 
    if_stop = 0xc060c9cc <re_stop>, 
    if_slowtimo = 0xc060eabc <re_watchdog>, if_drain = 0x0, 
    if_bpf_mtap = 0xc0dbd180 <ether_bpf_mtap>, if_snd = {ifq_head = 0x0, 
      ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 512, ifq_drops = 0, 
      ifq_lock = 0xc4254400, altq_type = 0, altq_flags = 0, 
      altq_disc = 0x0, altq_ifp = 0x0, altq_enqueue = 0x0, 
      altq_dequeue = 0x0, altq_request = 0x0, altq_clfier = 0x0, 
      altq_classify = 0x0, altq_tbr = 0x0, altq_cdnr = 0x0}, 
    if_dl = 0xc4252904, if_sadl = 0xc4252958, if_hwdl = 0xc4252904, 
    if_broadcastaddr = 0xc11ffef8 <etherbroadcastaddr> "\377\377\377\377\377\377", if_bridge = 0xc452c740, if_bridgeif = 0xc46b1940, if_dlt = 1, 
    if_pfil = 0xc424da80, if_capabilities = 16256, if_capenable = 0, 
    if_carp_ptr = {carp_s = 0x0, carp_d = 0x0}, if_csum_flags_tx = 0, 
    if_csum_flags_rx = 0, if_afdata = {0x0, 0x0, 0xc3d519b0, 
      0x0 <repeats 21 times>, 0xc4345644, 0x0 <repeats 12 times>}, 
    if_mowner = 0x0, if_lagg = 0x0, if_npf_private = 0x42, 
    if_pf_kif = 0x0, if_pf_groups = 0x0, if_index_gen = 2, 
    if_sysctl_log = 0xc4168f44, if_initaddr = 0x0, if_setflags = 0x0, 
    if_ioctl_lock = 0xc4254580, if_description = 0x0, 
    if_slowtimo_data = 0xc4296780, if_afdata_lock = 0xc42544c0, 
    if_percpuq = 0xc4168f20, if_link_work = {wk_dummy = 0x0}, 
    if_link_queue = 65535, if_link_scheduled = false, if_pslist_entry = {
      ple_prevp = 0xc3f0f1f0, ple_next = 0xc41591ec}, if_psref = {
      prt_class = 0xc3d56a60, prt_draining = false}, if_addr_pslist = {
      plh_first = 0xc4252948}, if_deferred_start = 0xc4168f60, 
    if_multiaddrs = {lh_first = 0xc46ca044}, 
    if_linkstate_hooks = 0xc4252800}

Looks like the trap actually happened in bridge_ourether(), but gdb isn't
showing that frame because PR 52560.

>How-To-Repeat:

Don't know, it has only happened once.

>Fix:

Prev by Date: port-amd64/59756: NetBSD 10.1 UEFI bootloader does not work on ASRock Rack B650D4U mainboard with EPYC 4005 series CPU
Next by Date: PR/59664 CVS commit: src/external/bsd/dhcpcd/dist/src
Previous by Thread: port-amd64/59756: NetBSD 10.1 UEFI bootloader does not work on ASRock Rack B650D4U mainboard with EPYC 4005 series CPU
Indexes:

Home | Main Index | Thread Index | Old Index