NetBSD-Bugs archive
kern/60169: panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM byte, read, KmemRedZone]
>Number: 60169
>Category: kern
>Synopsis: panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM byte, read, KmemRedZone]
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Apr 02 08:35:00 +0000 2026
>Originator: Jiaming Zhang
>Release: image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD 11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr 1 18:34:06 CST 2026 root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing the NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM byte, read, KmemRedZone]. This issue is reproducible in a recent version of the NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).
The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1UFjp4nInE9bunpuj2qcpmY-oFyXEzuqU?usp=sharing
The symbolized issue report is also shown below to help with analysis:
```
TITLE: panic: ASan: Unauthorized Access In ADDR: Addr ADDR [NUM byte, read, KmemRedZone]
CORRUPTED: true (matched title but not report regexp)
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []
login: [ 15.2781922] panic: ASan: Unauthorized Access In 0xffffffff8201bc5f: Addr 0xffffb20004430408 [1 byte, read, KmemRedZone]
[ 15.2781922] cpu1: Begin traceback...
[ 15.2781922] asan.module_ctor() at ffffffff81ebbd0e
[ 15.2881881] asan.module_ctor() at ffffffff81ebb905
[ 15.2981853] kasan_report() at netbsd:kasan_report+0x6a
[ 15.2981853] asan.module_dtor() at ffffffff81e5cf89
[ 15.3081847] asan.module_ctor() at ffffffff8201bc5f
[ 15.3181844] asan.module_ctor() at ffffffff8201b818
[ 15.3281846] asan.module_dtor() at netbsd:asan.module_dtor+-0x962a40
[ 15.3381862] cpu_xc_nointr() at netbsd:cpu_xc_nointr+0x136 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_cpu.c:602
[ 15.3481837] asan.module_dtor() at netbsd:asan.module_dtor+-0x963a00
[ 15.3481837] asan.module_dtor() at ffffffff81d9fe39
[ 15.3581826] devsw_detach_locked() at netbsd:devsw_detach_locked+0x5753 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/subr_devsw.c:1537
[ 15.3681824] asan.module_ctor() at ffffffff81fff86c
[ 15.3781806] asan.module_ctor() at ffffffff81fe1a40
[ 15.3881795] asan.module_ctor() at ffffffff81fc824e
[ 15.3981789] asan.module_ctor() at ffffffff81ef2e5f
[ 15.3981789] asan.module_dtor() at ffffffff81e1c909
[ 15.4081791] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[ 15.4081791] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[ 15.4081791] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[ 15.4081791] --- syscall (number 54 via SYS_syscall) ---
[ 15.4181828] netbsd:syscall+0x26d:
[ 15.4181828] cpu1: End traceback...
[ 15.4181828] dumping to dev 168,1 (offset=29361126, size=524159):
[ 15.4181828] dump 607 606 605 604 603 602 601 600 599 598 597 596 595 594 593 592 591 590 589 588 587 586 585 584 583 582 581 580 579 578 577 576 575 574 573 572 571 570 569 568 567 566 565 564 563 562 561 560 559 558 557 556 555 554 553 552 551 550 549 548 547 546 545 544 543
```
>How-To-Repeat:
The issue can be reproduced by running the C or syz reproducer on the kernel under the specified config.
>Fix: