kern/60318: reproducable bpfjit crash

["martin%NetBSD.org@localhost via gnats" <gnats-admin%NetBSD.org@localhost>]

>Number:         60318
>Category:       kern
>Synopsis:       reproducable bpfjit crash
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 09 09:25:00 +0000 2026
>Originator:     Martin Husemann
>Release:        NetBSD 11.99.6
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD fth-gw.duskware.de 11.99.6 NetBSD 11.99.6 (GENERIC64_FW) #6: Fri Jun 5 18:34:07 CEST 2026 martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src/sys/arch/evbarm/compile/GENERIC64_FW evbarm
Architecture: aarch64
Machine: evbarm
>Description:

When I enable npf in rc.conf with a tiny config based on
/usr/share/examples/npf/soho_gw-npf.conf
with the only strange thing that my $localnet is a /22, the sljit
code generation crashes:

Enabling NPF /etc/npf.conf
[  77.5077585] panic: Trap: Instruction Abort (EL1): Translation Fault L2 for 0000000000000000, PAN Set: pc 0000000000000000: opcode unknown

[  77.5177580] cpu1: Begin traceback...
[  77.5277601] trace fp ffffc002dec723b0
[  77.5277601] fp ffffc002dec723e0 vpanic() at ffffc0000052abe0 netbsd:vpanic+0x1c0
[  77.5377578] fp ffffc002dec72440 panic() at ffffc0000052aca4 netbsd:panic+0x44
[  77.5477602] fp ffffc002dec724d0 data_abort_handler() at ffffc000000b2de8 netbsd:data_abort_handler+0x4e8
[  77.5577595] tf ffffc002dec72540 el1_trap() at ffffc000000b3f84 netbsd:el1_vectors+0x784
[  77.5577595] ---- Instruction Abort (EL1): trapframe 0xffffc002dec72540 (304 bytes) ----
[  77.5677587]     pc=0000000000000000,   spsr=0000000080400005
[  77.5777593]    esr=0000000086000006,    far=0000000000000000
[  77.5777593]     x0=ffffc00001219010,     x1=0000000000000036
[  77.5877612]     x2=0000000000000000,     x3=00000000001fffff
[  77.5877612]     x4=000000000010007c,     x5=00000000000000d8
[  77.5977589]     x6=00000000f2c00000,     x7=0000000007fffff0
[  77.6077590]     x8=00000000ffffffff,     x9=0000ffffffffffff
[  77.6077590]    x10=0000000000000057,    x11=ffffc000012190ac
[  77.6177594]    x12=0000000000000000,    x13=ffffc00001219000
[  77.6177594]    x14=0000000000001000,    x15=ffffc0000113eed8
[  77.6277592]    x16=ffffc00000004620,    x17=0000f5c3c916532c
[  77.6277592]    x18=ffffc00001200000,    x19=0000000000000006
[  77.6377598]    x20=0000000000000000,    x21=ffffc000012190a8
[  77.6377598]    x22=00000000f2a00000,    x23=0000000000000036
[  77.6477596]    x24=00000000d2800000,    x25=0000ffffffffffff
[  77.6577603]    x26=ffff0001fc1d6c10,    x27=00000000f2e00000
[  77.6577603]    x28=ffffc00001219010, fp=x29=ffffc002dec72870
[  77.6677601] lr=x30=ffffc0000120e10c,     sp=ffffc002dec72870
[  77.6677601] ------------------------------------------------
[  77.6777622] fp ffffc002dec72870 sljit_generate_code() at ffffc0000120e10c sljit:sljit_generate_code+0x22c
[  77.6877617] fp ffffc002dec728f0 ?() at ffffc00001201f30
[  77.6877617] fp ffffc002dec729b0 npf_rule_setcode() at ffffc00000326854 netbsd:npf_rule_setcode+0x24
[  77.6977638] fp ffffc002dec729d0 npf_mk_singlerule.constprop.0() at ffffc000003235fc netbsd:npf_mk_singlerule.constprop.0+0xec
[  77.7177652] fp ffffc002dec72a20 npf_mk_singlenat.constprop.0() at ffffc0000032383c netbsd:npf_mk_singlenat.constprop.0+0x3c
[  77.7277655] fp ffffc002dec72a80 npf_mk_natlist() at ffffc00000323a00 netbsd:npf_mk_natlist+0x9c
[  77.7377653] fp ffffc002dec72ad0 npfctl_run_op() at ffffc0000032451c netbsd:npfctl_run_op+0x3bc


Using npf w/o the bpfjit module (by setting npf=NO in rc.conf and then
starting it later at securlevel=1 with "/etc/rc.d/npf onestart") works.

>How-To-Repeat:
s/a

>Fix:
n/a