We have identified a 100% reproducible kernel panic in the bridge driver
(net/bridge/br_arp_nd_proxy.c) on kernels up to at least 5.15 and 6.x.

*Description:* The crash occurs when the kernel is booted with
ipv6.disable=1 and a bridge port has neigh_suppress enabled. When the
bridge receives an ICMPv6 Neighbor Solicitation, it attempts to perform a
lookup in the neighbor table via ipv6_stub->nd_tbl. Because IPv6 was
disabled at boot, nd_tbl is NULL, leading to an immediate dereference panic.

*Reproduction Matrix:*
- ipv6.disable=1 + neigh_suppress=on -> *PANIC*
- ipv6.disable=1 + neigh_suppress=off -> Stable
- IPv6 enabled at boot + neigh_suppress=on -> Stable (even if disable_ipv6=1 via sysctl)

*Stack Trace Summary:* The RIP usually points to neigh_lookup+0x16.

*Proposed Fix:* A NULL pointer check for ipv6_stub->nd_tbl in
br_do_suppress_nd() before the neigh_lookup call would prevent the panic.

I have attached a bash script that sets up a full-stack topology (Bridge +
VXLAN + Guest VM + Namespace) to reproduce the crash.

Best regards,
Guruprasad
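
An exposure check for the configuration in the reproduction matrix above, added here as an example and not part of the original report or its attached script. It assumes the kernel exposes the per-port flag at /sys/class/net/<port>/brport/neigh_suppress; the function names and the optional root-directory argument are hypothetical.

```shell
#!/bin/sh
# Flags hosts that match the panic row of the matrix:
# ipv6.disable=1 on the kernel command line AND a bridge port with neigh_suppress on.
# Each function takes an optional root prefix so a copied or constructed tree can be audited.

# Returns 0 only if ipv6.disable=1 was passed at boot. The disable_ipv6 sysctl is
# deliberately ignored: the report lists that case as stable.
ipv6_disabled_at_boot() {
    root="${1:-}"
    [ -r "$root/proc/cmdline" ] || return 1
    # One parameter per line, then an exact whole-line match.
    tr ' \t' '\n\n' < "$root/proc/cmdline" | grep -qx 'ipv6\.disable=1'
}

# Prints the name of every bridge port whose neigh_suppress flag reads 1.
suppress_ports() {
    root="${1:-}"
    for f in "$root"/sys/class/net/*/brport/neigh_suppress; do
        [ -r "$f" ] || continue          # also skips an unmatched glob
        [ "$(cat "$f")" = "1" ] || continue
        port=${f%/brport/neigh_suppress}
        echo "${port##*/}"
    done
}

# Prints a verdict; returns 1 when the host matches the panic configuration.
check_nd_suppress_exposure() {
    root="${1:-}"
    if ! ipv6_disabled_at_boot "$root"; then
        echo "OK: IPv6 was not disabled at boot"
        return 0
    fi
    ports=$(suppress_ports "$root")
    if [ -z "$ports" ]; then
        echo "OK: ipv6.disable=1 set, but no bridge port has neigh_suppress on"
        return 0
    fi
    # $ports is left unquoted on purpose to join the names onto one line.
    echo "AFFECTED: ipv6.disable=1 with neigh_suppress on:" $ports
    return 1
}
```

Calling `check_nd_suppress_exposure` with no argument audits the running host; on an affected host, turning neigh_suppress off on the listed ports gives the configuration the report lists as stable.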