LB BPF reconciler panics on zero-value backend address after map-full failure #44852

@vipul-21

Is there an existing issue for this?

  • I have searched the existing issues

Version

1.18.6

What happened?

The Cilium agent crashes with a nil pointer panic in the BPF load-balancer reconciler when processing orphan backends after the BPF service map becomes full.

How can we reproduce the issue?

  1. Create Service1 with backends [A, B].
  2. Fill the BPF service map to capacity.
  3. Scale S1: [A, B] → [A, C, D]. Remove B and add C, D. The new slot for D fails (map full). B is cleaned up internally, but the bookkeeping stays stale at {A, B}.
  4. Re-add B to S1 → [A, B, C, D]. Still map full. The agent recreates B's tracking entry but with a zero address. This is the bug.
  5. Remove B from S1 → [A, C, D]. The agent finds B in its stale bookkeeping, tries to clean it up, and dereferences the zero address → PANIC.

Cilium Version

v1.18.6

Kernel Version

Linux lb-stress-test2-worker 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025 x86_64 GNU/Linux

Kubernetes Version

1.34

Regression

No response

Sysdump

No response

Relevant log output

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x35051e5]

goroutine 1018 [running]:
unique.Handle[...].Value(...)
        /usr/local/go/src/unique/handle.go:30
github.com/cilium/cilium/pkg/loadbalancer.L3n4Addr.rep(...)
        /go/src/github.com/cilium/cilium/pkg/loadbalancer/loadbalancer.go:796
github.com/cilium/cilium/pkg/loadbalancer.L3n4Addr.IsIPv6(...)
        /go/src/github.com/cilium/cilium/pkg/loadbalancer/loadbalancer.go:1061
github.com/cilium/cilium/pkg/loadbalancer/reconciler.(*BPFOps).updateFrontend(0xc000ce8960, 0xc003fda840)
        /go/src/github.com/cilium/cilium/pkg/loadbalancer/reconciler/bpf_reconciler.go:857 +0x1065
github.com/cilium/cilium/pkg/loadbalancer/reconciler.(*BPFOps).Update(0xc000ce8960, {0xc000b03548?, 0xc00497d7b8?}, {0x50f9020, 0xc004755e48}, 0x4082af?, 0xc003fda840)
        /go/src/github.com/cilium/cilium/pkg/loadbalancer/reconciler/bpf_reconciler.go:695 +0x2b8
github.com/cilium/statedb/reconciler.(*incrementalRound[...]).processSingle(0x515a360, 0xc00476adc0, 0x127, 0x0)
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/reconciler/incremental.go:214 +0x17b
github.com/cilium/statedb/reconciler.(*reconciler[...]).single-range1(0x127?)
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/reconciler/incremental.go:102 +0x192
github.com/cilium/statedb.(*changeIterator[...]).Next.func2()
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/iterator.go:326 +0xc4
github.com/cilium/statedb/reconciler.(*incrementalRound[...]).single(...)
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/reconciler/incremental.go:88
github.com/cilium/statedb/reconciler.(*reconciler[...]).incremental(0x513e200, {0x50f1198, 0xc00102e780}, {0x50f9020, 0xc004755e48}, 0xc003ff42a0)
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/reconciler/incremental.go:69 +0x2ad
github.com/cilium/statedb/reconciler.(*reconciler[...]).reconcileLoop(0x513e200, {0x50f1198, 0xc00102e780}, {0x50fb8a0, 0xc000501200})
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/statedb/reconciler/reconciler.go:92 +0x4f3
github.com/cilium/hive/job.(*jobOneShot).start(0xc0005013e0, {0x50f1198, 0xc00102e780}, 0x0?, {0x50fb8a0, 0xc000501380}, {{{0x0, 0x0, 0x0}}, 0xc000f4f800, ...})
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/oneshot.go:138 +0x4fd
created by github.com/cilium/hive/job.(*queuedJob).Start.func1 in goroutine 1068
        /go/src/github.com/cilium/cilium/vendor/github.com/cilium/hive/job/job.go:126 +0x16f

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
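
The failure mode in the trace above (calling `Value()` on a zero-value `unique.Handle`), as an added Go example that is not Cilium's code. `Addr`, `addrRep`, `panics` and `cleanupOrphans` are hypothetical stand-ins, and the zero check is one possible guard, not the project's fix.

```go
package main

import (
	"fmt"
	"net/netip"
	"unique"
)

// addrRep and Addr are hypothetical stand-ins for an address type that keeps
// its data behind a unique.Handle, as the trace shows for L3n4Addr.
type addrRep struct {
	ip   netip.Addr
	port uint16
}

type Addr struct{ h unique.Handle[addrRep] }

func NewAddr(ip string, port uint16) Addr {
	return Addr{h: unique.Make(addrRep{ip: netip.MustParseAddr(ip), port: port})}
}

// IsZero reports whether the Addr was never built via NewAddr.
func (a Addr) IsZero() bool { return a.h == unique.Handle[addrRep]{} }

// IsIPv6 dereferences the handle; on a zero Addr that is a nil dereference.
func (a Addr) IsIPv6() bool { return a.h.Value().ip.Is6() }

// panics calls IsIPv6 and reports whether the call panicked.
func panics(a Addr) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = a.IsIPv6()
	return false
}

// cleanupOrphans walks tracked backend addresses, counting IPv6 entries and
// skipping zero-value entries instead of dereferencing them.
func cleanupOrphans(tracked []Addr) (v6, skipped int) {
	for _, a := range tracked {
		if a.IsZero() {
			skipped++
			continue
		}
		if a.IsIPv6() {
			v6++
		}
	}
	return v6, skipped
}

func main() {
	// Constructed sample: the middle entry models the zero-address backend.
	tracked := []Addr{NewAddr("10.0.0.1", 80), {}, NewAddr("fd00::2", 80)}
	fmt.Println("zero Addr panics:", panics(Addr{}))
	fmt.Println(cleanupOrphans(tracked))
}
```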

Metadata

Labels

  • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
  • area/loadbalancing: Impacts load-balancing and Kubernetes service implementations
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • needs/triage: This issue requires triaging to establish severity and next steps.