Kernel panic: page fault in netlink_socket thread during interface reconfiguration (igc, rip=0 NULL pointer) #289

@CaptainN

Describe the bug

Recurring kernel panics — page fault with rip=0 (NULL function pointer dereference) in a netlink_socket kernel thread. Crashes correlate with WAN interface (igc3) link state changes. The WAN link was flapping frequently (28+ times/day), and each link flap triggers interface reconfiguration through rc.newwanip, which appears to hit a race condition in the netlink subsystem.
Some crashes also occurred at exactly 04:02 AM, correlating with a scheduled IDS rule update cron job that triggers network stack activity.
Five crash dumps collected. All show "page fault" panic except one "general protection fault." The most recent crash dump (textdump.tar.4) shows:

Crashing thread: netlink_socket (PID — pid 0 tid 138872
rip = 0, rbp = 0 — NULL function pointer call
ifconfig process stuck in state D waiting on tq_qdra (task queue drain)
Backtrace: trap_pfault → calltrap → trap 0xc, rip = 0

Related: Issue #245 (same crash family — page fault during Suricata/netmap/interface reconfiguration). This report adds a distinct variant: NULL pointer dereference through the netlink_socket code path rather than sleepq_remove_thread.

Relevant log files

I've attached my crash logs.

igc3-flaps.txt

opnsense-crash.zip

root@iktomi-firewall:~ # tar xf /var/crash/textdump.tar.1 -C /tmp && cat /tmp/ddb.txt | head -40
db:0:kdb.enter.default>  run lockinfo
db:1:lockinfo> show locks
No such command; use "help" to list available commands
db:1:lockinfo>  show alllocks
No such command; use "help" to list available commands
db:1:lockinfo>  show lockedvnods
Locked vnodes
db:0:kdb.enter.default>  show pcpu
cpuid        = 0
dynamic pcpu = 0x126a200
curthread    = 0xfffff801a736d000: pid 0 tid 254795 critnest 1 "netlink_socket (PID"
curpcb       = 0xfffff801a736d520
fpcurthread  = none
idlethread   = 0xfffff80001699740: tid 100003 "idle: cpu0"
self         = 0xffffffff82e10000
curpmap      = 0xfffff80236f3f868
tssp         = 0xffffffff82e10384
rsp0         = 0xfffffe00af1f2000
kcr3         = 0xffffffffffffffff
ucr3         = 0xffffffffffffffff
scr3         = 0x0
gs32p        = 0xffffffff82e10404
ldt          = 0xffffffff82e10444
tss          = 0xffffffff82e10434
curvnet      = 0
db:0:kdb.enter.default>  bt
Tracing pid 0 tid 254795 td 0xfffff801a736d000
kdb_enter() at kdb_enter+0x33/frame 0xfffffe00af1f1ba0
panic() at panic+0x43/frame 0xfffffe00af1f1c00
trap_fatal() at trap_fatal+0x68/frame 0xfffffe00af1f1c20
calltrap() at calltrap+0x8/frame 0xfffffe00af1f1c20
--- trap 0x9, rip = 0xffffffff810e6a2e, rsp = 0xfffffe00af1f1cf0, rbp = 0xe76e695f3001df7c ---
pmap_activate_sw_pcid_nopti() at pmap_activate_sw_pcid_nopti+0xee/frame 0xe76e695f3001df7c
db:0:kdb.enter.default>  ps
  pid  ppid  pgrp   uid  state   wmesg   wchan               cmd
84043 83293 83293     0  R       CPU -1                      ifconfig
84006 83736 83588     0  RE      CPU 1                       netstat
83816 83552 83552     0  R       CPU 3                       python3.11
83736 83588 83588     0  R       CPU 2                       php
83588 82996 83588     0  Ss      wait    0xfffffe00845b9ac0  flock

Additional context

I'm not sure whether the modem is causing the interface to drop or the Newsmay N100 device itself is failing for some reason.

The link flapping probably has been caused by unstable PoE power delivery to the device rather than a modem or cable issue. Switching to barrel connector power significantly reduced crash frequency. However, the kernel should handle rapid link state changes gracefully without panicking — the NULL pointer dereference in the netlink_socket thread remains a valid kernel bug regardless of the trigger.

Environment

OPNsense 26.1.7_1 (amd64)
FreeBSD 14.3-RELEASE-p9 / p12
Hardware: Newsmay N100, 4x igc (I225-V) NICs
ZFS root on SATA SSD
Suricata was installed (since removed)
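
Added example, not part of the original report or of OPNsense/FreeBSD code: a small triage helper that reads the `ddb.txt` from each textdump and separates the two crash signatures described above (page fault with a NULL call target versus general protection fault). The first sample reuses lines from the textdump.tar.1 output above; the second is constructed from the report's description of textdump.tar.4, with placeholder addresses, and the function and field names are assumptions.

```python
import re

# amd64 trap numbers from FreeBSD's <machine/trap.h> (only the two seen in this report)
TRAPS = {0x9: "general protection fault", 0xc: "page fault"}

THREAD_RE = re.compile(r'^curthread\s*=\s*\S+: pid (\d+) tid (\d+) .*?"(.*)"\s*$', re.M)
TRAP_RE = re.compile(r'^--- trap (0x[0-9a-f]+|\d+), rip = (0x[0-9a-f]+|0)\b', re.M)
FRAME_RE = re.compile(r'^(\w+)\(\) at ', re.M)

# Lines copied from the textdump.tar.1 output quoted in the report.
GPF_SAMPLE = '''curthread    = 0xfffff801a736d000: pid 0 tid 254795 critnest 1 "netlink_socket (PID"
calltrap() at calltrap+0x8/frame 0xfffffe00af1f1c20
--- trap 0x9, rip = 0xffffffff810e6a2e, rsp = 0xfffffe00af1f1cf0, rbp = 0xe76e695f3001df7c ---
pmap_activate_sw_pcid_nopti() at pmap_activate_sw_pcid_nopti+0xee/frame 0xe76e695f3001df7c
'''

# Constructed from the description of textdump.tar.4; addresses are placeholders.
NULL_SAMPLE = '''curthread    = 0xfffff80000000000: pid 0 tid 138872 critnest 1 "netlink_socket (PID"
calltrap() at calltrap+0x8/frame 0xfffffe0000000000
--- trap 0xc, rip = 0, rsp = 0xfffffe0000000000, rbp = 0 ---
'''


def triage(ddb_text):
    """Summarise the panicking thread and trap frame found in one ddb.txt."""
    out = {"thread": None, "tid": None, "trap": None, "kind": None,
           "rip": None, "null_call": False, "fault_fn": None}
    m = THREAD_RE.search(ddb_text)
    if m:
        out["tid"], out["thread"] = int(m.group(2)), m.group(3)
    t = TRAP_RE.search(ddb_text)
    if t is None:
        return out  # no trap frame recorded in this backtrace
    out["trap"] = int(t.group(1), 0)
    out["rip"] = int(t.group(2), 0)
    out["kind"] = TRAPS.get(out["trap"], "other")
    # rip == 0: execution was transferred through a NULL function pointer,
    # so there is no faulting function to name below the trap frame.
    out["null_call"] = out["rip"] == 0
    f = FRAME_RE.search(ddb_text, t.end())
    if f and not out["null_call"]:
        out["fault_fn"] = f.group(1)
    return out


if __name__ == "__main__":
    for name, text in (("textdump.tar.1", GPF_SAMPLE), ("textdump.tar.4", NULL_SAMPLE)):
        print(name, triage(text))
```

Running it over the `ddb.txt` of all five dumps gives one row per crash, which makes it easy to see which thread and trap type each one shares.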
