10.3-RELEASE in bhyve fatal trap 12


I do a fresh install of AMD64 FreeBSD 10.3-RELEASE without any additional ports or packages using bhyve as a hypervisor but this system crashes every time when netgraph node is shutdown. It doesn't matter if I do a ifconfig sppp0 down before shutdown or not. Is there a way to do this without blowing up the entire system?

The following is what I was able to collect about this issue:
# ifconfig spp0
sppp0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        inet6 fe80::2a0:98ff:feb9:442b%sppp0 prefixlen 64 tentative scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
# ngctl shutdown sppp0:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x378
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80936ae0
stack pointer           = 0x28:0xfffffe004e77d190
frame pointer           = 0x28:0xfffffe004e77d210
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 328 (ngctl)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff8098e390 at kdb_backtrace+0x60
#1 0xffffffff80951066 at vpanic+0x126
#2 0xffffffff80950f33 at panic+0x43
#3 0xffffffff80d55f7b at trap_fatal+0x36b
#4 0xffffffff80d5627d at trap_pfault+0x2ed
#5 0xffffffff80d558fa at trap+0x47a
#6 0xffffffff80d3b8d2 at calltrap+0x8
#7 0xffffffff8093691e at __mtx_lock_flags+0x5e
#8 0xffffffff81c24dc2 at sppp_ioctl+0x42
#9 0xffffffff80b1c8ed at in6_mc_leave+0x8d
#10 0xffffffff80b1c848 at in6_leavegroup+0x18
#11 0xffffffff80b1780c at in6_purgeaddr+0x1fc
#12 0xffffffff80a13fd0 at if_purgeaddrs+0xd0
#13 0xffffffff80a14291 at if_detach+0x1d1
#14 0xffffffff81c11366 at ng_sppp_shutdown+0x26
#15 0xffffffff81c14759 at ng_rmnode+0x189
#16 0xffffffff81c16112 at ng_apply_item+0x262
#17 0xffffffff81c15d1a at ng_snd_item+0x38a
Uptime: 1m35s
Note that bhyve is still experimental and may contain lots of bugs. Now, are you getting this on a bhyve guest? Or is it on the host itself?
Both on physical machine without any form of virtualization (this was the first encounter) and on a bhyve guest. This issue is one hundred percent reproductible. Now I managed to collect a "mini dump" of the kernel memory. My first suspicion is about the "fault virtual address" 0x378. For me it looks like an offset of some structure member when the address of the structure is passed as NULL for some reason.
It is not possible now because 10.3-RELEASE can't be selected. :(
Should I file a bug that 10.3-RELEASE isn't on the list?
I think you can safely pick 10.3-BETA2. Just add the full output of uname -a to the report so they're aware you have the -RELEASE version. The version in the report can be changed afterwards anyway.