tech-toolchain archive
Re: netbsd-11 gcc bug
On Sat, May 23, 2026 at 10:59:36AM +0200, Manuel Bouyer wrote:
> Hello,
> I tried upgrading a server to netbsd-11 and quickly got a panic
> in ipf:
> [ 150.0240120] fatal page fault in supervisor mode
> [ 150.0586271] trap type 6 code 0 rip 0xffffffff8056dffa cs 0x8 rflags 0x10286 cr2 0xec ilevel 0x4 rsp 0xffff870268a63a50
> [ 150.1225901] curlwp 0xffff869617c47400 pid 0.3 lowest kstack 0xffff870268a5f2c0
> [ 150.1657501] panic: trap
> [ 150.1803103] cpu0: Begin traceback...
> [ 150.2016313] vpanic() at netbsd:vpanic+0x171
> [ 150.2257081] panic() at netbsd:panic+0x3c
> [ 150.2473911] trap() at netbsd:trap+0xb43
> [ 150.2743808] --- trap (number 6) ---
> [ 150.2951811] ipf_fastroute() at netbsd:ipf_fastroute+0x6ea
> [ 150.3266935] ipf_send_ip() at netbsd:ipf_send_ip+0x127
> [ 150.3544099] ipf_check() at netbsd:ipf_check+0xfd5
> [ 150.3859226] pfil_run_hooks() at netbsd:pfil_run_hooks+0x11e
> [ 150.4164994] ipintr() at netbsd:ipintr+0x21e
> [ 150.4451003] softint_dispatch() at netbsd:softint_dispatch+0x112
>
> ipf_fastroute+0x6ea points to external/bsd/ipf/netinet/ip_fil_netbsd.c
> line 1200:
> if (!fr || !(fr->fr_flags & FR_RETMASK)) {
>
> 0xec matches the offset of fr_flags in struct frentry_t
> This code shouldn't dereference fr_flags if fr is NULL.
>
> The assembly code matching this part of ipf_fastroute() is:
> 1219 fin->fin_fr = NULL;
> 0xffffffff8056dfeb <+1755>: movq $0x0,0x10(%r15)
>
> 1220 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
> 0xffffffff8056dff3 <+1763>: mov -0xd8(%rbp),%r8
> 0xffffffff8056dffa <+1770>: testl $0x3000,0xec(%r8)
> 0xffffffff8056e005 <+1781>: mov -0xf0(%rbp),%r9
> 0xffffffff8056e00c <+1788>: je 0xffffffff8056e326 <ipf_fastroute+2582>
> 0xffffffff8056e012 <+1794>: mov %r9,-0xd8(%rbp)
>
> 1224 }
>
> ipf_fastroute+2582 does the call to ipf_state_check() and jumps back to +1794
>
> But it seems to assume that fr cannot be NULL here, and I can't find
> on what basis. Any idea how I could force a NULL check here?
One more data point:
On netbsd-10, the same code is compiled as:
1217 if (!fr || !(fr->fr_flags & FR_RETMASK)) {
0xffffffff8056aaa0 <+1811>: test %r14,%r14
0xffffffff8056aaa3 <+1814>: je 0xffffffff8056aae2 <ipf_fastroute+1877>
0xffffffff8056aaa5 <+1816>: testl $0x3000,0xec(%r14)
0xffffffff8056aab0 <+1827>: je 0xffffffff8056aae2 <ipf_fastroute+1877>
1221 }
On netbsd-11, building ipf_fastroute() with O0 or O1 makes the NULL test
show up in the assembly. With O2 it's not present.
I'm now running a kernel with the attached patch; let's see how it works.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
--
Index: sys/external/bsd/ipf/netinet/ip_fil_netbsd.c
===================================================================
RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/ip_fil_netbsd.c,v
retrieving revision 1.39
diff -u -p -u -r1.39 ip_fil_netbsd.c
--- sys/external/bsd/ipf/netinet/ip_fil_netbsd.c 9 Jun 2024 20:30:36 -0000 1.39
+++ sys/external/bsd/ipf/netinet/ip_fil_netbsd.c 23 May 2026 10:53:17 -0000
@@ -1086,7 +1086,8 @@ ipf_send_icmp_err(int type, fr_info_t *f
return err;
}
-
+#pragma GCC push_options
+#pragma GCC optimize ("O1")
/*
* m0 - pointer to mbuf where the IP packet starts
* mpp - pointer to the mbuf pointer that is the start of the mbuf chain
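Review bot: the `#pragma GCC push_options` / `#pragma GCC optimize ("O1")` pair carries no comment saying why it exists, so the next person editing ip_fil_netbsd.c has nothing telling them the block is there to stop GCC from dropping the `fr` NULL test in ipf_fastroute() at -O2; add a comment above the push that states the symptom (the line 1200 test disappearing at -O2) and, once it is found, the earlier access to `fr` that lets the optimizer infer the pointer is non-NULL, since fixing that access would make the pragma unnecessary. The pragma is GCC-specific and not honoured by clang, so a clang-built kernel gets no protection from it, which is worth recording in the same comment. Also, the hunk removes the blank line between the closing `}` of ipf_send_icmp_err() and the new pragma; keeping that blank line preserves the file's function separation.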
@@ -1391,6 +1392,7 @@ bad:
#endif /* INET */
}
+#pragma GCC pop_options
#if defined(USE_INET6)
/*
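Review bot: `#pragma GCC pop_options` correctly restores the options saved by the push, but the push is at line 1086 and this pop follows the `bad:` exit path at line 1392, so everything in that range is compiled at -O1, not only the NULL test that motivated the change. If ipf_fastroute() is the only function between the two pragmas, a comment on this line saying so would make the intended scope explicit; if it is not, `__attribute__((optimize("O1")))` on ipf_fastroute() alone would narrow the change to the function that needs it.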
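The report above does two things a reader may want to reproduce: it maps the faulting address in cr2 (0xec) back to the struct member that a NULL `fr` was dereferenced through, and it reasons about whether the source-level NULL test survives optimisation. The following C program is an added example written for this page, not code from the thread or from ipf. It uses a constructed stand-in for `frentry_t` (the real struct has many members before `fr_flags`; here a placeholder array pads `fr_flags` out to offset 0xec), takes `FR_RETMASK` from the `testl $0x3000` immediate in the posted disassembly, and names `member_at_fault` and `fr_wants_return` for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mask tested by "testl $0x3000,0xec(%r8)" in the posted disassembly. */
#define FR_RETMASK 0x3000u

/*
 * Constructed stand-in for ipf's frentry_t.  Only the offset of fr_flags
 * (0xec, as reported in the crash) is modelled; the other members are
 * placeholders and do not match the real definition.
 */
typedef struct frentry {
    void     *fr_next;                          /* constructed */
    uint8_t   fr_pad[0xec - sizeof(void *)];    /* constructed padding */
    uint32_t  fr_flags;                         /* lands at offset 0xec */
    uint32_t  fr_ref;                           /* constructed */
} frentry_t;

struct member { const char *name; size_t off; size_t size; };

#define MEMBER(m) { #m, offsetof(frentry_t, m), sizeof(((frentry_t *)0)->m) }

static const struct member frentry_layout[] = {
    MEMBER(fr_next), MEMBER(fr_pad), MEMBER(fr_flags), MEMBER(fr_ref),
};

/*
 * Triage helper: given the faulting address from cr2, and assuming the base
 * pointer was NULL, return the name of the member whose bytes cover that
 * address, or NULL when the address lies outside the struct.
 */
static const char *member_at_fault(uintptr_t cr2)
{
    size_t n = sizeof frentry_layout / sizeof frentry_layout[0];
    for (size_t i = 0; i < n; i++) {
        const struct member *m = &frentry_layout[i];
        if (cr2 >= m->off && cr2 < m->off + m->size)
            return m->name;
    }
    return NULL;
}

/*
 * Source-level equivalent of the test at ip_fil_netbsd.c line 1200,
 * "if (!fr || !(fr->fr_flags & FR_RETMASK))".  Returns 1 when the rule asks
 * for a return packet, 0 when there is no rule or no return flag.  The NULL
 * test only survives -O2 if nothing earlier in the same function
 * dereferences fr unconditionally: GCC treats such a dereference as proof
 * that the pointer is non-NULL and deletes later tests of it
 * (-fdelete-null-pointer-checks, on by default at -O2).
 */
static int fr_wants_return(const frentry_t *fr)
{
    if (fr == NULL || !(fr->fr_flags & FR_RETMASK))
        return 0;
    return 1;
}

/* Build a zeroed rule with the given flags and ask whether it wants a return. */
static int rule_with_flags_wants_return(uint32_t flags)
{
    frentry_t rule;
    memset(&rule, 0, sizeof rule);
    rule.fr_flags = flags;   /* constructed sample value */
    return fr_wants_return(&rule);
}

int main(void)
{
    printf("cr2 0xec -> %s\n", member_at_fault(0xec));
    printf("NULL rule wants return: %d\n", fr_wants_return(NULL));
    printf("rule with 0x1000 wants return: %d\n", rule_with_flags_wants_return(0x1000));
    printf("rule with 0x0001 wants return: %d\n", rule_with_flags_wants_return(0x0001));
    return 0;
}
```

`member_at_fault` is the mechanical form of the "0xec matches the offset of fr_flags" step: a small fault address in cr2 on a NULL-based access is an offset into the struct, and `offsetof` tells you which member. The comment on `fr_wants_return` states the defensive point: once a function dereferences a pointer, GCC may delete every later NULL test of it, so the fix for a vanished check is to find and move the earlier dereference (or build the file with `-fno-delete-null-pointer-checks`) rather than to rely on the test being emitted.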