[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.311382] audit: type=1400 audit(1516047271.235:4): avc: denied { syslog } for pid=3170 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.210' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 25.587452] ==================================================================
[ 25.594842] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 25.601913] Read of size 8 at addr ffff8801c940a140 by task syzkaller177050/3325
[ 25.609422]
[ 25.611021] CPU: 0 PID: 3325 Comm: syzkaller177050 Not tainted 4.9.76-g8dec074 #13
[ 25.618697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.628039] ffff8801cf3879b0 ffffffff81d93169 ffffea0007250280 ffff8801c940a140
[ 25.636023] 0000000000000000 ffff8801c940a140 ffff8801c8aa0238 ffff8801cf3879e8
[ 25.644019] ffffffff8153cb43 ffff8801c940a140 0000000000000008 0000000000000000
[ 25.651995] Call Trace:
[ 25.654557] [] dump_stack+0xc1/0x128
[ 25.659903] [] print_address_description+0x73/0x280
[ 25.666539] [] kasan_report+0x275/0x360
[ 25.672133] [] ? sg_remove_request+0x103/0x120
[ 25.678336] [] __asan_report_load8_noabort+0x14/0x20
[ 25.685068] [] sg_remove_request+0x103/0x120
[ 25.691095] [] sg_finish_rem_req+0x295/0x340
[ 25.697124] [] sg_read+0xa1c/0x1440
[ 25.702369] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 25.709005] [] ? fsnotify+0xf30/0xf30
[ 25.714437] [] ? avc_policy_seqno+0x9/0x20
[ 25.720293] [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 25.727276] [] ? security_file_permission+0x89/0x1e0
[ 25.733997] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 25.740631] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 25.747269] [] do_readv_writev+0x520/0x750
[ 25.753124] [] ? vfs_write+0x530/0x530
[ 25.758634] [] ? __pmd_alloc+0x410/0x410
[ 25.764316] [] ? dev_seq_stop+0x50/0x50
[ 25.769911] [] ? __do_page_fault+0x5ec/0xd40
[ 25.775943] [] vfs_readv+0x84/0xc0
[ 25.781103] [] do_readv+0xe6/0x250
[ 25.786263] [] ? vfs_readv+0xc0/0xc0
[ 25.791598] [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 25.798236] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 25.805046] [] SyS_readv+0x27/0x30
[ 25.810207] [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 25.816754]
[ 25.818353] Allocated by task 0:
[ 25.821685] (stack is not available)
[ 25.825369]
[ 25.826965] Freed by task 0:
[ 25.829947] (stack is not available)
[ 25.833625]
[ 25.835223] The buggy address belongs to the object at ffff8801c940a100
[ 25.835223] which belongs to the cache fasync_cache of size 96
[ 25.847849] The buggy address is located 64 bytes inside of
[ 25.847849] 96-byte region [ffff8801c940a100, ffff8801c940a160)
[ 25.859523] The buggy address belongs to the page:
[ 25.864426] page:ffffea0007250280 count:1 mapcount:0 mapping: (null) index:0x0
[ 25.872657] flags: 0x8000000000000080(slab)
[ 25.876947] page dumped because: kasan: bad access detected
[ 25.882626]
[ 25.884221] Memory state around the buggy address:
[ 25.889117] ffff8801c940a000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 25.896455] ffff8801c940a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.903796] >ffff8801c940a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.911124]                                            ^
[ 25.916542] ffff8801c940a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.923870] ffff8801c940a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.931194] ==================================================================
[ 25.938527] Disabling lock debugging due to kernel taint
[ 25.944159] Kernel panic - not syncing: panic_on_warn set ...
[ 25.944159]
[ 25.951498] CPU: 0 PID: 3325 Comm: syzkaller177050 Tainted: G B 4.9.76-g8dec074 #13
[ 25.960391] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.969718] ffff8801cf387908 ffffffff81d93169 ffffffff84195c2f ffff8801cf3879e0
[ 25.977689] 0000000000000000 ffff8801c940a140 ffff8801c8aa0238 ffff8801cf3879d0
[ 25.985672] ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[ 25.993644] Call Trace:
[ 25.996203] [] dump_stack+0xc1/0x128
[ 26.001538] [] panic+0x1bc/0x3a8
[ 26.006526] [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 26.014729] [] ? preempt_schedule+0x25/0x30
[ 26.020674] [] ? ___preempt_schedule+0x16/0x18
[ 26.026877] [] kasan_end_report+0x50/0x50
[ 26.032654] [] kasan_report+0x167/0x360
[ 26.038247] [] ? sg_remove_request+0x103/0x120
[ 26.044461] [] __asan_report_load8_noabort+0x14/0x20
[ 26.051187] [] sg_remove_request+0x103/0x120
[ 26.057213] [] sg_finish_rem_req+0x295/0x340
[ 26.063251] [] sg_read+0xa1c/0x1440
[ 26.068495] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.075141] [] ? fsnotify+0xf30/0xf30
[ 26.080561] [] ? avc_policy_seqno+0x9/0x20
[ 26.086417] [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 26.093400] [] ? security_file_permission+0x89/0x1e0
[ 26.100122] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.106758] [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.113394] [] do_readv_writev+0x520/0x750
[ 26.119246] [] ? vfs_write+0x530/0x530
[ 26.124753] [] ? __pmd_alloc+0x410/0x410
[ 26.130444] [] ? dev_seq_stop+0x50/0x50
[ 26.136052] [] ? __do_page_fault+0x5ec/0xd40
[ 26.142081] [] vfs_readv+0x84/0xc0
[ 26.147240] [] do_readv+0xe6/0x250
[ 26.152409] [] ? vfs_readv+0xc0/0xc0
[ 26.157745] [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 26.164386] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 26.171197] [] SyS_readv+0x27/0x30
[ 26.176357] [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 26.183292] Dumping ftrace buffer:
[ 26.186801] (ftrace buffer empty)
[ 26.190478] Kernel Offset: disabled
[ 26.194073] Rebooting in 86400 seconds..