tech-toolchain archive


netbsd-11 gcc bug



Hello,
I tried upgrading a server to netbsd-11 and quickly got a panic
in ipf:
[ 150.0240120] fatal page fault in supervisor mode
[ 150.0586271] trap type 6 code 0 rip 0xffffffff8056dffa cs 0x8 rflags 0x10286 cr2 0xec ilevel 0x4 rsp 0xffff870268a63a50
[ 150.1225901] curlwp 0xffff869617c47400 pid 0.3 lowest kstack 0xffff870268a5f2c0
[ 150.1657501] panic: trap
[ 150.1803103] cpu0: Begin traceback...
[ 150.2016313] vpanic() at netbsd:vpanic+0x171
[ 150.2257081] panic() at netbsd:panic+0x3c
[ 150.2473911] trap() at netbsd:trap+0xb43
[ 150.2743808] --- trap (number 6) ---
[ 150.2951811] ipf_fastroute() at netbsd:ipf_fastroute+0x6ea
[ 150.3266935] ipf_send_ip() at netbsd:ipf_send_ip+0x127
[ 150.3544099] ipf_check() at netbsd:ipf_check+0xfd5
[ 150.3859226] pfil_run_hooks() at netbsd:pfil_run_hooks+0x11e
[ 150.4164994] ipintr() at netbsd:ipintr+0x21e
[ 150.4451003] softint_dispatch() at netbsd:softint_dispatch+0x112

ipf_fastroute+0x6ea points to external/bsd/ipf/netinet/ip_fil_netbsd.c
line 1200:
                if (!fr || !(fr->fr_flags & FR_RETMASK)) {

0xec matches the offset of fr_flags in struct frentry_t
This code shouldn't dereference fr_flags if fr is NULL.

The assembly code matching this part of ipf_fastroute() is:
1219                    fin->fin_fr = NULL;
   0xffffffff8056dfeb <+1755>:  movq   $0x0,0x10(%r15)

1220                    if (!fr || !(fr->fr_flags & FR_RETMASK)) {
   0xffffffff8056dff3 <+1763>:  mov    -0xd8(%rbp),%r8
   0xffffffff8056dffa <+1770>:  testl  $0x3000,0xec(%r8)
   0xffffffff8056e005 <+1781>:  mov    -0xf0(%rbp),%r9
   0xffffffff8056e00c <+1788>:  je     0xffffffff8056e326 <ipf_fastroute+2582>
   0xffffffff8056e012 <+1794>:  mov    %r9,-0xd8(%rbp)

1224                    }

ipf_fastroute+2582 does the call to ipf_state_check() and jumps back to +1794
 
But it seems to assume that fr cannot be NULL here, and I can't find
on what basis. Any idea how I could force a NULL check here?

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--
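The mechanism behind a dropped `!fr ||` test, shown as an added example that is not part of Manuel's message nor of the ipf sources: once a pointer has been dereferenced unconditionally, a NULL value is already undefined behaviour, so GCC is allowed to treat the pointer as non-NULL from that point on and fold a later NULL test away (the behaviour controlled by `-fdelete-null-pointer-checks`). The `struct frentry` here is a constructed stand-in with only the fields the example needs, and the function names are hypothetical; the only values taken from the post are the `FR_RETMASK` bits 0x3000 from the `testl` immediate and the shape of the `if` on line 1220. The two "fixed" variants show the two ways a NULL check can be forced to survive: put it before any dereference, or launder the pointer through an empty asm statement so the compiler cannot carry its earlier inference across the check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for ipf's frentry_t.  Only the fields this example
 * needs exist; the real struct (and the 0xec offset of fr_flags seen in the
 * panic) is not reproduced.  FR_RETMASK = 0x3000 is the immediate from the
 * "testl $0x3000,0xec(%r8)" instruction in the disassembly above.
 */
struct frentry {
    int      fr_ref;
    uint32_t fr_flags;
};
#define FR_RETMASK 0x3000u

/*
 * Pattern the optimiser is entitled to exploit (hypothetical, not from
 * ip_fil_netbsd.c): fr is dereferenced before it is tested.  A NULL fr is
 * undefined behaviour at the first load, so GCC may assume fr != NULL from
 * then on and delete the "!fr ||" half of the later condition.  The load
 * that then faults is the fr_flags test itself, as in the trace.
 */
static int wants_return_packet_unsafe(const struct frentry *fr)
{
    int refs = fr->fr_ref;                      /* UB if fr == NULL */
    if (!fr || !(fr->fr_flags & FR_RETMASK))    /* "!fr" may be dropped */
        return 0;
    return refs > 0;
}

/*
 * Fix 1: test for NULL before the first dereference.  The test is now the
 * first fact the compiler learns about fr, so nothing lets it reason the
 * test away, and every later load is dominated by it.
 */
static int wants_return_packet_checked(const struct frentry *fr)
{
    if (fr == NULL)
        return 0;
    int refs = fr->fr_ref;
    if (!(fr->fr_flags & FR_RETMASK))
        return 0;
    return refs > 0;
}

/*
 * Fix 2: when the code order cannot be changed, launder the pointer through
 * an empty asm with an in/out operand.  The compiler must assume the asm may
 * have modified fr, so whatever it inferred about fr earlier no longer
 * applies and the NULL test has to be emitted.  Same idea as the Linux
 * kernel's OPTIMIZER_HIDE_VAR(); GCC and clang accept this syntax.
 */
#define HIDE_PTR(p) __asm__ __volatile__("" : "+r"(p))

static int wants_return_packet_laundered(const struct frentry *fr, int refs)
{
    HIDE_PTR(fr);                               /* insert between the
                                                   earlier deref and the test */
    if (!fr || !(fr->fr_flags & FR_RETMASK))
        return 0;
    return refs > 0;
}

int main(void)
{
    struct frentry ret_rule = { 1, 0x1000u };   /* constructed: has a RET bit */
    struct frentry pass_rule = { 1, 0x0004u };  /* constructed: no RET bit */

    printf("checked(NULL)      = %d\n", wants_return_packet_checked(NULL));
    printf("checked(ret_rule)  = %d\n", wants_return_packet_checked(&ret_rule));
    printf("checked(pass_rule) = %d\n", wants_return_packet_checked(&pass_rule));
    printf("laundered(NULL)    = %d\n", wants_return_packet_laundered(NULL, 1));
    printf("unsafe(ret_rule)   = %d\n", wants_return_packet_unsafe(&ret_rule));
    return 0;
}
```

To see the difference on a real build, compile this file twice with `-O2`, once with `-fdelete-null-pointer-checks` (the default) and once with `-fno-delete-null-pointer-checks`, and compare the `objdump -d` output of `wants_return_packet_unsafe`: only the second build keeps a `test`/`je` on the pointer itself before the `testl $0x3000` on the flags field. The laundered variant keeps its pointer test in both builds.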

