[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.118528] audit: type=1400 audit(1515605142.688:4): avc:  denied  { syslog } for  pid=3177 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.222' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [   34.206275] ==================================================================
[   34.213682] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   34.220755] Read of size 8 at addr ffff8801cd5b12c0 by task syzkaller874189/3345
[   34.228256]
[   34.229867] CPU: 1 PID: 3345 Comm: syzkaller874189 Not tainted 4.9.76-g9154940 #20
[   34.237550] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.247150]  ffff8801cb677940 ffffffff81d93149 ffffea0007356c40 ffff8801cd5b12c0
[   34.255215]  0000000000000000 ffff8801cd5b12c0 ffff8801cd692338 ffff8801cb677978
[   34.263207]  ffffffff8153cb43 ffff8801cd5b12c0 0000000000000008 0000000000000000
[   34.271175] Call Trace:
[   34.273735]  [] dump_stack+0xc1/0x128
[   34.279070]  [] print_address_description+0x73/0x280
[   34.285719]  [] kasan_report+0x275/0x360
[   34.291319]  [] ? sg_remove_request+0x103/0x120
[   34.297524]  [] __asan_report_load8_noabort+0x14/0x20
[   34.304257]  [] sg_remove_request+0x103/0x120
[   34.310290]  [] sg_finish_rem_req+0x295/0x340
[   34.316338]  [] sg_read+0xa1c/0x1440
[   34.321601]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.328240]  [] ? fsnotify+0xf30/0xf30
[   34.333675]  [] ? avc_policy_seqno+0x9/0x20
[   34.339537]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   34.346526]  [] ? security_file_permission+0x89/0x1e0
[   34.353256]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.359911]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.366554]  [] compat_do_readv_writev+0x522/0x760
[   34.373024]  [] ? trace_hardirqs_on+0xd/0x10
[   34.378971]  [] ? do_pwritev+0x1a0/0x1a0
[   34.384570]  [] ? __free_pages+0x5b/0x80
[   34.390166]  [] ? __fget+0x201/0x3a0
[   34.395414]  [] ? __fget+0x228/0x3a0
[   34.400663]  [] ? __fget+0x47/0x3a0
[   34.405829]  [] compat_readv+0xe3/0x150
[   34.411342]  [] do_compat_readv+0xf4/0x1d0
[   34.417125]  [] ? compat_readv+0x150/0x150
[   34.422896]  [] compat_SyS_readv+0x26/0x30
[   34.428670]  [] ? SyS_pwritev2+0x80/0x80
[   34.434280]  [] do_fast_syscall_32+0x2f7/0x890
[   34.440404]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.447045]  [] entry_SYSENTER_compat+0x74/0x83
[   34.453252]
[   34.454851] Allocated by task 0:
[   34.458183] (stack is not available)
[   34.461862]
[   34.463455] Freed by task 0:
[   34.466435] (stack is not available)
[   34.470126]
[   34.471729] The buggy address belongs to the object at ffff8801cd5b1280
[   34.471729]  which belongs to the cache fasync_cache of size 96
[   34.484360] The buggy address is located 64 bytes inside of
[   34.484360]  96-byte region [ffff8801cd5b1280, ffff8801cd5b12e0)
[   34.496031] The buggy address belongs to the page:
[   34.500939] page:ffffea0007356c40 count:1 mapcount:0 mapping:          (null) index:0x0
[   34.509168] flags: 0x8000000000000080(slab)
[   34.513458] page dumped because: kasan: bad access detected
[   34.519134]
[   34.520730] Memory state around the buggy address:
[   34.525642]  ffff8801cd5b1180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   34.532974]  ffff8801cd5b1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.540346] >ffff8801cd5b1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.547677]                                            ^
executing program
[   34.553099]  ffff8801cd5b1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.560442]  ffff8801cd5b1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.567779] ==================================================================
[   34.575111] Disabling lock debugging due to kernel taint
[   34.581174] Kernel panic - not syncing: panic_on_warn set ...
[   34.581174]
[   34.588526] CPU: 1 PID: 3345 Comm: syzkaller874189 Tainted: G    B           4.9.76-g9154940 #20
[   34.597419] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.606749]  ffff8801cb677898 ffffffff81d93149 ffffffff84195c17 ffff8801cb677970
[   34.614719]  0000000000000000 ffff8801cd5b12c0 ffff8801cd692338 ffff8801cb677960
[   34.622678]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[   34.630636] Call Trace:
[   34.633198]  [] dump_stack+0xc1/0x128
[   34.638549]  [] panic+0x1bc/0x3a8
[   34.643539]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   34.651744]  [] ? preempt_schedule+0x25/0x30
[   34.657689]  [] ? ___preempt_schedule+0x16/0x18
[   34.663893]  [] kasan_end_report+0x50/0x50
[   34.669677]  [] kasan_report+0x167/0x360
[   34.675283]  [] ? sg_remove_request+0x103/0x120
[   34.681489]  [] __asan_report_load8_noabort+0x14/0x20
[   34.688230]  [] sg_remove_request+0x103/0x120
[   34.694287]  [] sg_finish_rem_req+0x295/0x340
[   34.700320]  [] sg_read+0xa1c/0x1440
[   34.705569]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.712210]  [] ? fsnotify+0xf30/0xf30
[   34.717637]  [] ? avc_policy_seqno+0x9/0x20
[   34.723496]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   34.730483]  [] ? security_file_permission+0x89/0x1e0
[   34.737215]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.743856]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   34.750500]  [] compat_do_readv_writev+0x522/0x760
[   34.757908]  [] ? trace_hardirqs_on+0xd/0x10
[   34.763855]  [] ? do_pwritev+0x1a0/0x1a0
[   34.769468]  [] ? __free_pages+0x5b/0x80
[   34.775078]  [] ? __fget+0x201/0x3a0
[   34.780336]  [] ? __fget+0x228/0x3a0
[   34.785586]  [] ? __fget+0x47/0x3a0
[   34.790847]  [] compat_readv+0xe3/0x150
[   34.796356]  [] do_compat_readv+0xf4/0x1d0
[   34.802132]  [] ? compat_readv+0x150/0x150
[   34.807917]  [] compat_SyS_readv+0x26/0x30
[   34.813701]  [] ? SyS_pwritev2+0x80/0x80
[   34.819311]  [] do_fast_syscall_32+0x2f7/0x890
[   34.825447]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.832100]  [] entry_SYSENTER_compat+0x74/0x83
[   34.838680] Dumping ftrace buffer:
[   34.842191]    (ftrace buffer empty)
[   34.845870] Kernel Offset: disabled
[   34.849468] Rebooting in 86400 seconds..
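As an added triage helper, not part of the syzkaller report above and not kernel or syzkaller code, the Python script below parses the key lines of this KASAN report (copied inline from the page) and cross-checks what the report asserts: that the faulting address really is 64 bytes into the 96-byte fasync_cache object, that the 8-byte read stays inside that region, and which shadow byte covers the address. The shadow decoding assumes generic KASAN's 8-byte granule and the shadow values used by mm/kasan for slab memory (0x00 addressable, 0xfb freed object, 0xfc slab redzone); everything else is derived from the report text itself.

```python
import re

# Lines copied from the KASAN report on this page (only those the parser needs).
REPORT = """\
[   34.213682] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   34.220755] Read of size 8 at addr ffff8801cd5b12c0 by task syzkaller874189/3345
[   34.471729] The buggy address belongs to the object at ffff8801cd5b1280
[   34.471729]  which belongs to the cache fasync_cache of size 96
[   34.484360] The buggy address is located 64 bytes inside of
[   34.484360]  96-byte region [ffff8801cd5b1280, ffff8801cd5b12e0)
[   34.520730] Memory state around the buggy address:
[   34.525642]  ffff8801cd5b1180: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   34.532974]  ffff8801cd5b1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.540346] >ffff8801cd5b1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.553099]  ffff8801cd5b1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Assumption: generic KASAN, one shadow byte per 8 bytes of kernel memory.
KASAN_SHADOW_SCALE = 8

# Assumption: shadow byte values as used by mm/kasan for slab memory.
SHADOW_MEANING = {
    0x00: "addressable",
    0xfa: "free page",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "global redzone",
}


def _strip_ts(line):
    """Drop the '[   34.213682] ' printk timestamp prefix."""
    return re.sub(r"^\[\s*[\d.]+\] ?", "", line)


def parse_kasan_report(text):
    """Extract the fields a triager needs from a KASAN slab report."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = _strip_ts(raw)
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            info["bug_type"], info["function"] = m.groups()
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line)
        if m:
            info["access"] = m.group(1).lower()
            info["size"] = int(m.group(2))
            info["addr"] = int(m.group(3), 16)
            info["task"] = m.group(4)
            continue
        m = re.search(r"belongs to the object at ([0-9a-f]+)", line)
        if m:
            info["object"] = int(m.group(1), 16)
            continue
        m = re.search(r"belongs to the cache (\S+) of size (\d+)", line)
        if m:
            info["cache"], info["cache_size"] = m.group(1), int(m.group(2))
            continue
        m = re.search(r"is located (\d+) bytes (inside|to the right|to the left) of", line)
        if m:
            info["reported_offset"] = int(m.group(1))
            info["reported_where"] = m.group(2)
            continue
        m = re.search(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line)
        if m:
            info["region"] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        # Memory-state rows: ' <base>: b0 b1 ... b15' (the '>' row is the one hit).
        m = re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line)
        if m:
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def shadow_byte_for(info, addr):
    """Return the shadow byte covering addr, or None if it is not in the dump."""
    for base, values in info["shadow"].items():
        if base <= addr < base + len(values) * KASAN_SHADOW_SCALE:
            return values[(addr - base) // KASAN_SHADOW_SCALE]
    return None


def describe_shadow(value):
    if value is None:
        return "not in dump"
    if 1 <= value <= 7:
        return "first %d bytes of the 8-byte granule addressable" % value
    return SHADOW_MEANING.get(value, "unknown shadow value 0x%02x" % value)


def triage(text):
    """Recompute the report's own arithmetic and decode the shadow at the fault."""
    info = parse_kasan_report(text)
    for key in ("addr", "object", "region", "size", "reported_offset"):
        if key not in info:
            raise ValueError("report is missing the '%s' line" % key)
    offset = info["addr"] - info["object"]
    lo, hi = info["region"]
    shadow = shadow_byte_for(info, info["addr"])
    return {
        "bug_type": info.get("bug_type"),
        "function": info.get("function"),
        "cache": info.get("cache"),
        "offset": offset,
        "offset_matches_report": offset == info["reported_offset"],
        "inside_region": lo <= info["addr"] < hi,
        "access_stays_in_region": info["addr"] + info["size"] <= hi,
        "shadow_byte": shadow,
        "shadow_meaning": describe_shadow(shadow),
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print("%-24s %s" % (k, v))
```

For this report the recomputed offset (0xffff8801cd5b12c0 minus 0xffff8801cd5b1280) is 64, matching the text, and the 8-byte read ends at 0x...12c8, still inside [0x...1280, 0x...12e0). The shadow byte for the address is 0xfc: every granule of the 96-byte object, not just a tail, is marked as slab redzone rather than 0x00 (live) or 0xfb (freed), which is why KASAN flags an access that is arithmetically inside the object. That pattern, together with "(stack is not available)" for both the allocation and free stacks, tells the triager that the pointer sg_remove_request dereferences is not pointing at a live fasync_cache object, and that the next step is to find where sg_read obtained that pointer rather than to look for an off-by-N in the index arithmetic.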