kern/60020: Using ipf -D -T -E crashes the kernel

["manu%netbsd.org@localhost via gnats" <gnats-admin%NetBSD.org@localhost>]

>Number:         60020
>Category:       kern
>Synopsis:       Using ipf -D -T -E crashes the kernel
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 20 01:35:00 +0000 2026
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD 10.0_STABLE
>Organization:
NetBSD
>Environment:
NetBSD plaque 10.0 NetBSD 10.0 (KITGW3BIG_COM) #4: Fri Feb 20 02:05:32 CET 2026  manu@xmai:/home2/manu/kitgw3nb100/netbsd-obj/sys/arch/i386/compile/KITGW3BIG_COM i386
Architecture: x86_64
Machine: amd64
>Description:
As suggested in ipf(8) I tried:
ipf -D -T tcp_idle_timeout=86400 -E

This panics the kerne:

[ 87277.7454900] uvm_fault(0xffffffff81b12140, 0xfffffffffffff000, 1) -> e
[ 87277.7454900] fatal page fault in supervisor mode
[ 87277.7554982] trap type 6 code 0 rip 0xffffffff80e266ac cs 0x8 rflags 0x10286
 cr2 0xfffffffffffffff0 ilevel 0 rsp 0xffff838073520aa0
 [ 87277.7655037] curlwp 0xffffe7d4648a5a80 pid 5873.5873 lowest kstack 0xffff838
 07351c2c0
 kernel: page fault trap, code=0
 Stopped in pid 5873.5873 (ipf) at       netbsd:mutex_oncpu+0x1e:        movq
 0(%rbx),%rax
 mutex_oncpu() at netbsd:mutex_oncpu+0x1e
 mutex_vector_enter() at netbsd:mutex_vector_enter+0xb7
 ipf_settimeout_tcp() at netbsd:ipf_settimeout_tcp+0x60
 ipf_settimeout() at netbsd:ipf_settimeout+0x1c
 ipf_ipftune() at netbsd:ipf_ipftune+0x3ef
 ipfioctl() at netbsd:ipfioctl+0x9a
 cdev_ioctl() at netbsd:cdev_ioctl+0x99
 spec_ioctl() at netbsd:spec_ioctl+0x58
 VOP_IOCTL() at netbsd:VOP_IOCTL+0x47
 vn_ioctl() at netbsd:vn_ioctl+0xaf
 sys_ioctl() at netbsd:sys_ioctl+0x56d
 syscall() at netbsd:syscall+0x196

>How-To-Repeat:
Run ipf -D -T tcp_idle_timeout=86400 -E while ip is enabled
>Fix:
Not known yet