NetBSD-Bugs archive
kern/60060: NPF with filtering ports per user causes kernel panic
>Number: 60060
>Category: kern
>Synopsis: NPF with filtering ports per user causes kernel panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 07 14:15:00 +0000 2026
>Originator: Rachel
>Release: NetBSD-11.0_RC2
>Organization:
-
>Environment:
NetBSD localhost 11.0_RC2 NetBSD 11.0_RC2 (GENERIC) #0: Wed Mar 4 21:02:00 UTC 2026 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd4
>Description:
Setting simple NPF to filter system users' ports and running netcat causes a kernel panic.
The kernel panic log:
localhost# nc 1.1.1.1 443
[ 35.8580190] Mutex error: mutex_vector_enter,551: locking against myself
[ 35.8580190] lock address : ffff8c8859196500
[ 35.8580190] current cpu : 1
[ 35.8580190] current lwp : 0xffff8c885893e000
[ 35.8674259] owner field : 0xffff8c885893e000 wait/spin: 0/0
[ 35.8674259] panic: lock error: Mutex: mutex_vector_enter,551: locking against myself: lock 0xffff8c8859196500 cpu 1 lwp 0xffff8c8850
[ 35.8674259] cpu1: Begin traceback...
[ 35.8674259] vpanic() at netbsd:vpanic+0x171
[ 35.8674259] panic() at netbsd:panic+0x3c
[ 35.8674259] lockdebug_abort() at netbsd:lockdebug_abort+0x114
[ 35.8774286] mutex_vector_enter() at netbsd:mutex_vector_enter+0x397
[ 35.8774286] npf_socket_lookup_rid() at netbsd:npf_socket_lookup_rid+0x29
[ 35.8774286] npf_rule_match_rid() at netbsd:npf_rule_match_rid+0xa9
[ 35.8774286] npfk_packet_handler() at netbsd:npfk_packet_handler+0x19c
[ 35.8774286] pfil_run_hooks() at netbsd:pfil_run_hooks+0x114
[ 35.8774286] ip_output() at netbsd:ip_output+0x46e
[ 35.8874134] tcp_output() at netbsd:tcp_output+0x1661
[ 35.8874134] tcp_connect_wrapper() at netbsd:tcp_connect_wrapper+0x150
[ 35.8874134] do_sys_connect() at netbsd:do_sys_connect+0xa2
[ 35.8874134] sys_connect() at netbsd:sys_connect+0x49
[ 35.8874134] syscall() at netbsd:syscall+0x9a
[ 35.8874134] --- syscall (number 98) ---
[ 35.8874134] netbsd:syscall+0x9a:
[ 35.8874134] cpu1: End traceback...
[ 35.8974127] rebooting...
>How-To-Repeat:
1. Install NetBSD 10.1 inside QEMU (maybe this old version install could be skipped, but this is what I did)
2. Upgrade to NetBSD-11.0_RC2
3. Write `/etc/npf.conf`.
4. Run `nc 1.1.1.1 443`
/etc/npf.conf:
$tls_ports = { 443, 853, 4460 }

group default {
	pass final on lo0 all
	block in final family inet4 from 127.0.0.0/8 to any
	block in final family inet6 from ::1 to any
	pass stateful out final proto udp from any to any port 53
	pass stateful out final proto tcp from any to any port $tls_ports user < 1024
	block out final proto tcp from any to any user < 1024
	pass stateful out final from any to any user >= 1024
	block all
}
QEMU run.sh:
#!/bin/sh
ARGS="$ARGS -nodefaults -no-user-config"
ARGS="$ARGS -machine vmport=off"
ARGS="$ARGS -cpu core2duo,kvm=off,-hypervisor -smp 2,cores=2"
ARGS="$ARGS -m 512"
ARGS="$ARGS -nographic -serial mon:stdio" # press boot 3; consdev com0; boot
ARGS="$ARGS -netdev user,id=nd0,ipv6=off"
ARGS="$ARGS -device e1000,netdev=nd0"
ARGS="$ARGS -drive if=virtio,format=raw,file=drive.raw"
ARGS="$ARGS -cdrom cdrom.iso"
ARGS="$ARGS -boot c"
qemu-system-x86_64 $ARGS
>Fix:
I don't know :(
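
The log's owner field equals the current lwp, which is what "locking against myself" reports: a thread entering a non-recursive mutex it already holds. The C model below is an added illustration, not NetBSD or NPF code and not a proposed fix for this PR; it assumes the lock was taken earlier on the same call path before the packet hook ran, and every name in it (toy_mutex, hook_lookup, output_path) is hypothetical.

```c
#include <stdio.h>

/* Toy non-recursive mutex: only the owner field that the log prints. */
struct toy_mutex { const void *owner; };          /* NULL = unlocked */
enum { LOCK_OK = 0, LOCK_AGAINST_MYSELF = -1, LOCK_BUSY = -2 };

/* The condition the panic reports: owner == current lwp at enter time. */
static int toy_enter(struct toy_mutex *m, const void *curlwp)
{
    if (m->owner == curlwp)
        return LOCK_AGAINST_MYSELF;   /* a lock-debugging kernel panics here */
    if (m->owner != NULL)
        return LOCK_BUSY;             /* a real mutex would block or spin */
    m->owner = curlwp;
    return LOCK_OK;
}
static void toy_exit(struct toy_mutex *m) { m->owner = NULL; }

/* Hypothetical packet hook that needs the lock for a socket lookup.
 * caller_holds says whether the calling path already owns the lock. */
static int hook_lookup(struct toy_mutex *m, const void *curlwp, int caller_holds)
{
    int rc = caller_holds ? LOCK_OK : toy_enter(m, curlwp);
    if (rc != LOCK_OK)
        return rc;
    /* ... the socket lookup itself would run here, under the lock ... */
    if (!caller_holds)
        toy_exit(m);
    return LOCK_OK;
}

/* Hypothetical output path: takes the lock, then runs the hook. */
int output_path(struct toy_mutex *m, const void *curlwp, int hook_knows)
{
    int rc = toy_enter(m, curlwp);
    if (rc != LOCK_OK)
        return rc;
    rc = hook_lookup(m, curlwp, hook_knows);
    toy_exit(m);
    return rc;
}

int main(void)
{
    struct toy_mutex m = { NULL };
    int lwp = 0;                      /* its address stands in for the lwp pointer */
    printf("hook unaware of held lock: %d\n", output_path(&m, &lwp, 0));
    printf("hook told lock is held:    %d\n", output_path(&m, &lwp, 1));
    return 0;
}
```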