[ ok ] Starting enhanced syslogd: rsyslogd.
[   11.548153] audit: type=1400 audit(1515521107.224:4): avc: denied { syslog } for pid=3174 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   19.186393] ==================================================================
[   19.193794] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   19.200863] Read of size 8 at addr ffff8801c961c140 by task syzkaller305739/3323
[   19.208365]
[   19.209967] CPU: 1 PID: 3323 Comm: syzkaller305739 Not tainted 4.9.75-g8910fa5 #9
[   19.217557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.226892]  ffff8801c892f9b0 ffffffff81d93049 ffffea0007258700 ffff8801c961c140
[   19.234847]  0000000000000000 ffff8801c961c140 ffff8801c8b60238 ffff8801c892f9e8
[   19.242797]  ffffffff8153ca53 ffff8801c961c140 0000000000000008 0000000000000000
[   19.250749] Call Trace:
[   19.253321]  [] dump_stack+0xc1/0x128
[   19.258655]  [] print_address_description+0x73/0x280
[   19.265287]  [] kasan_report+0x275/0x360
[   19.270891]  [] ? sg_remove_request+0x103/0x120
[   19.277090]  [] __asan_report_load8_noabort+0x14/0x20
[   19.283816]  [] sg_remove_request+0x103/0x120
[   19.289845]  [] sg_finish_rem_req+0x295/0x340
[   19.295871]  [] sg_read+0xa1c/0x1440
[   19.301116]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.307750]  [] ? fsnotify+0xf30/0xf30
[   19.313168]  [] ? avc_policy_seqno+0x9/0x20
[   19.319020]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   19.326000]  [] ? security_file_permission+0x89/0x1e0
[   19.332721]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.339350]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.345985]  [] do_readv_writev+0x520/0x750
[   19.351847]  [] ? vfs_write+0x530/0x530
[   19.357356]  [] ? __pmd_alloc+0x410/0x410
[   19.363035]  [] ? dev_seq_stop+0x50/0x50
[   19.368635]  [] ? __do_page_fault+0x5ec/0xd40
[   19.374662]  [] vfs_readv+0x84/0xc0
[   19.379823]  [] do_readv+0xe6/0x250
[   19.384980]  [] ? vfs_readv+0xc0/0xc0
[   19.390312]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   19.396950]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.403757]  [] SyS_readv+0x27/0x30
[   19.408927]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[   19.415474]
[   19.417073] Allocated by task 0:
[   19.420400] (stack is not available)
[   19.424074]
[   19.425667] Freed by task 0:
[   19.428648] (stack is not available)
[   19.432340]
[   19.433934] The buggy address belongs to the object at ffff8801c961c100
[   19.433934]  which belongs to the cache fasync_cache of size 96
[   19.446567] The buggy address is located 64 bytes inside of
[   19.446567]  96-byte region [ffff8801c961c100, ffff8801c961c160)
[   19.458238] The buggy address belongs to the page:
[   19.463135] page:ffffea0007258700 count:1 mapcount:0 mapping: (null) index:0x0
[   19.471357] flags: 0x8000000000000080(slab)
[   19.475642] page dumped because: kasan: bad access detected
[   19.481317]
[   19.482916] Memory state around the buggy address:
[   19.487819]  ffff8801c961c000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   19.495166]  ffff8801c961c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.502498] >ffff8801c961c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.509824]                                            ^
[   19.515242]  ffff8801c961c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.522569]  ffff8801c961c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.529905] ==================================================================
[   19.537235] Disabling lock debugging due to kernel taint
[   19.542759] Kernel panic - not syncing: panic_on_warn set ...
[   19.542759]
[   19.550111] CPU: 1 PID: 3323 Comm: syzkaller305739 Tainted: G B 4.9.75-g8910fa5 #9
[   19.558935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   19.568268]  ffff8801c892f908 ffffffff81d93049 ffffffff84195be7 ffff8801c892f9e0
[   19.576231]  0000000000000000 ffff8801c961c140 ffff8801c8b60238 ffff8801c892f9d0
[   19.584180]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[   19.592125] Call Trace:
[   19.594682]  [] dump_stack+0xc1/0x128
[   19.600017]  [] panic+0x1bc/0x3a8
[   19.605001]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   19.613202]  [] ? preempt_schedule+0x25/0x30
[   19.619143]  [] ? ___preempt_schedule+0x16/0x18
[   19.625347]  [] kasan_end_report+0x50/0x50
[   19.631119]  [] kasan_report+0x167/0x360
[   19.636709]  [] ? sg_remove_request+0x103/0x120
[   19.642909]  [] __asan_report_load8_noabort+0x14/0x20
[   19.649627]  [] sg_remove_request+0x103/0x120
[   19.655651]  [] sg_finish_rem_req+0x295/0x340
[   19.661676]  [] sg_read+0xa1c/0x1440
[   19.666921]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.673558]  [] ? fsnotify+0xf30/0xf30
[   19.678976]  [] ? avc_policy_seqno+0x9/0x20
[   19.684826]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   19.691806]  [] ? security_file_permission+0x89/0x1e0
[   19.698525]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.705158]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.711789]  [] do_readv_writev+0x520/0x750
[   19.717641]  [] ? vfs_write+0x530/0x530
[   19.723152]  [] ? __pmd_alloc+0x410/0x410
[   19.728848]  [] ? dev_seq_stop+0x50/0x50
[   19.734464]  [] ? __do_page_fault+0x5ec/0xd40
[   19.740496]  [] vfs_readv+0x84/0xc0
[   19.745651]  [] do_readv+0xe6/0x250
[   19.750806]  [] ? vfs_readv+0xc0/0xc0
[   19.756137]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[   19.762773]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   19.769581]  [] SyS_readv+0x27/0x30
[   19.774738]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[   19.781752] Dumping ftrace buffer:
[   19.785261]    (ftrace buffer empty)
[   19.788937] Kernel Offset: disabled
[   19.792528] Rebooting in 86400 seconds..
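Triage helper for the KASAN section above. This is an added example written for this page; it is not part of the syzkaller report, syzkaller itself, or the kernel. It embeds an excerpt of the report (the `[]` are where the extraction dropped the bracketed return addresses), strips the console timestamps, discards the `? sym` entries (stale stack slots, not real callers) and the KASAN/report plumbing frames, recovers the faulting function, the syscall entry point, the slab cache and object offset, cross-checks the reported offset against the printed addresses, and looks up the shadow byte KASAN saw at the faulting address. The `PLUMBING` list and the regexes are my own; the shadow-value names are those of mm/kasan/kasan.h in the 4.9 series.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report above, embedded so the script runs offline.
REPORT = """\
[   19.193794] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   19.200863] Read of size 8 at addr ffff8801c961c140 by task syzkaller305739/3323
[   19.209967] CPU: 1 PID: 3323 Comm: syzkaller305739 Not tainted 4.9.75-g8910fa5 #9
[   19.250749] Call Trace:
[   19.253321]  [] dump_stack+0xc1/0x128
[   19.258655]  [] print_address_description+0x73/0x280
[   19.265287]  [] kasan_report+0x275/0x360
[   19.270891]  [] ? sg_remove_request+0x103/0x120
[   19.277090]  [] __asan_report_load8_noabort+0x14/0x20
[   19.283816]  [] sg_remove_request+0x103/0x120
[   19.289845]  [] sg_finish_rem_req+0x295/0x340
[   19.295871]  [] sg_read+0xa1c/0x1440
[   19.301116]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   19.319020]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   19.345985]  [] do_readv_writev+0x520/0x750
[   19.374662]  [] vfs_readv+0x84/0xc0
[   19.379823]  [] do_readv+0xe6/0x250
[   19.403757]  [] SyS_readv+0x27/0x30
[   19.408927]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[   19.433934] The buggy address belongs to the object at ffff8801c961c100
[   19.433934]  which belongs to the cache fasync_cache of size 96
[   19.446567] The buggy address is located 64 bytes inside of
[   19.446567]  96-byte region [ffff8801c961c100, ffff8801c961c160)
[   19.487819]  ffff8801c961c000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   19.495166]  ffff8801c961c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.502498] >ffff8801c961c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.509824]                                            ^
"""

TS = re.compile(r'^\[\s*\d+\.\d+\]\s*')
BUG = re.compile(r'BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x')
ACCESS = re.compile(r'(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) '
                    r'by task (?P<task>\S+)/(?P<pid>\d+)')
KVER = re.compile(r'CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted:.*?) (?P<ver>\d+\.\d+\S*) #')
FRAME = re.compile(r'^(?:\[[^\]]*\]\s*)?(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$')
OBJ = re.compile(r'belongs to the object at (?P<base>[0-9a-f]+)')
CACHE = re.compile(r'belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)')
OFFSET = re.compile(r'located (?P<off>\d+) bytes inside of')
SHADOW = re.compile(r'^>?(?P<row>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)$')

# Shadow byte values from mm/kasan/kasan.h (4.9 series); 01..07 = partially accessible.
SHADOW_MEANING = {'00': 'accessible', 'fc': 'slab redzone', 'fb': 'freed slab object',
                  'fe': 'page redzone', 'ff': 'freed page'}
# Frames that belong to the report machinery, not to the code path that faulted (my list).
PLUMBING = ('dump_stack', 'print_address_description', 'kasan_report',
            '__asan_report', 'kasan_end_report', 'panic')


@dataclass
class Triage:
    kind: str = ''
    func: str = ''
    rw: str = ''
    size: int = 0
    addr: int = 0
    task: str = ''
    pid: int = 0
    kernel: str = ''
    frames: List[str] = field(default_factory=list)   # real callers, innermost first
    syscall: Optional[str] = None
    cache: str = ''
    obj_base: int = 0
    obj_size: int = 0
    reported_offset: int = -1
    shadow: Dict[int, List[str]] = field(default_factory=dict)  # row base -> 16 shadow bytes

    @property
    def computed_offset(self) -> int:
        return self.addr - self.obj_base

    @property
    def offset_consistent(self) -> bool:
        return self.computed_offset == self.reported_offset

    @property
    def inside_object(self) -> bool:
        return 0 <= self.computed_offset < self.obj_size

    def shadow_at(self, addr: Optional[int] = None) -> Optional[str]:
        # Each printed row covers 128 bytes; one shadow byte describes 8 bytes.
        a = self.addr if addr is None else addr
        row = a & ~0x7f
        cells = self.shadow.get(row)
        return None if cells is None else cells[(a - row) >> 3]

    def shadow_meaning(self) -> str:
        return SHADOW_MEANING.get(self.shadow_at() or '', 'unknown/partial')


def parse_kasan(text: str) -> Triage:
    t = Triage()
    in_trace = False
    for raw in text.splitlines():
        line = TS.sub('', raw).strip()
        if in_trace:
            m = FRAME.match(line)
            if m:
                if not m.group('q'):            # '? sym' is a stale stack slot, not a caller
                    t.frames.append(m.group('sym'))
                continue
            in_trace = False                    # first non-frame line ends the trace
        if line == 'Call Trace:':
            in_trace = not t.frames             # keep only the first trace (the KASAN one)
            continue
        if m := BUG.search(line):
            t.kind, t.func = m.group('kind'), m.group('func')
        elif m := ACCESS.search(line):
            t.rw, t.size = m.group('rw'), int(m.group('size'))
            t.addr, t.task, t.pid = int(m.group('addr'), 16), m.group('task'), int(m.group('pid'))
        elif m := KVER.search(line):
            t.kernel = m.group('ver')
        elif m := OBJ.search(line):
            t.obj_base = int(m.group('base'), 16)
        elif m := CACHE.search(line):
            t.cache, t.obj_size = m.group('cache'), int(m.group('size'))
        elif m := OFFSET.search(line):
            t.reported_offset = int(m.group('off'))
        elif m := SHADOW.match(line):
            t.shadow[int(m.group('row'), 16)] = m.group('bytes').split()
    while t.frames and t.frames[0].startswith(PLUMBING):
        t.frames.pop(0)
    for f in t.frames:                          # first syscall-entry frame names the syscall
        for p in ('__x64_sys_', '__se_sys_', '__do_sys_', 'SyS_', 'sys_'):
            if f.startswith(p):
                t.syscall = f[len(p):]
                break
        if t.syscall:
            break
    return t


if __name__ == '__main__':
    t = parse_kasan(REPORT)
    print(f'{t.kind}: {t.rw} of {t.size} in {t.func} via {t.syscall}() on {t.kernel}')
    print(f'cache {t.cache}, offset {t.computed_offset}/{t.obj_size}, '
          f'consistent={t.offset_consistent}, shadow={t.shadow_at()} ({t.shadow_meaning()})')
    print(' <- '.join(t.frames))
```

For this report the helper yields the points a triager wants before reading further: the faulting access is an 8-byte read in sg_remove_request reached from readv() through sg_read and sg_finish_rem_req; the reported "64 bytes inside" matches ffff8801c961c140 minus ffff8801c961c100; and although the address lies inside a 96-byte slot of fasync_cache, the shadow for that entire slot is fc (slab redzone), so no live object covers it at report time. KASAN classifies by shadow value, which is why this is reported as slab-out-of-bounds rather than use-after-free (that would require fb), and since both the "Allocated by" and "Freed by" stacks are unavailable here, the report alone does not say what the dereferenced pointer was supposed to refer to.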