[....] Starting enhanced syslogd: rsyslogd
[ 13.328907] audit: type=1400 audit(1516034242.994:4): avc: denied { syslog } for pid=3168 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 26.733319] ==================================================================
[ 26.740761] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 26.747855] Read of size 8 at addr ffff8801c91d8140 by task syzkaller063358/3325
[ 26.755359]
[ 26.756961] CPU: 0 PID: 3325 Comm: syzkaller063358 Not tainted 4.9.76-g8dec074 #23
[ 26.764636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.773960]  ffff8801c8597940 ffffffff81d93169 ffffea0007247600 ffff8801c91d8140
[ 26.781961]  0000000000000000 ffff8801c91d8140 ffff8801c110c438 ffff8801c8597978
[ 26.789932]  ffffffff8153cb43 ffff8801c91d8140 0000000000000008 0000000000000000
[ 26.797918] Call Trace:
[ 26.800479]  [] dump_stack+0xc1/0x128
[ 26.805828]  [] print_address_description+0x73/0x280
[ 26.812465]  [] kasan_report+0x275/0x360
[ 26.818060]  [] ? sg_remove_request+0x103/0x120
[ 26.824261]  [] __asan_report_load8_noabort+0x14/0x20
[ 26.830981]  [] sg_remove_request+0x103/0x120
[ 26.837011]  [] sg_finish_rem_req+0x295/0x340
[ 26.843038]  [] sg_read+0xa1c/0x1440
[ 26.848294]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.854931]  [] ? fsnotify+0xf30/0xf30
[ 26.860360]  [] ? avc_policy_seqno+0x9/0x20
[ 26.866218]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 26.873198]  [] ? security_file_permission+0x89/0x1e0
[ 26.879918]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.886551]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 26.893196]  [] compat_do_readv_writev+0x522/0x760
[ 26.899678]  [] ? do_pwritev+0x1a0/0x1a0
[ 26.905292]  [] ? __lru_cache_add+0x187/0x250
[ 26.911328]  [] ? _raw_spin_unlock+0x2c/0x50
[ 26.917270]  [] ? handle_mm_fault+0x6ee/0x2530
[ 26.923382]  [] ? fasync_helper+0x7a/0xb0
[ 26.929061]  [] ? __pmd_alloc+0x410/0x410
[ 26.934741]  [] compat_readv+0xe3/0x150
[ 26.940249]  [] do_compat_readv+0xf4/0x1d0
[ 26.946016]  [] ? compat_readv+0x150/0x150
[ 26.951784]  [] compat_SyS_readv+0x26/0x30
[ 26.957548]  [] ? SyS_pwritev2+0x80/0x80
[ 26.963144]  [] do_fast_syscall_32+0x2f7/0x890
[ 26.969259]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.975894]  [] entry_SYSENTER_compat+0x74/0x83
[ 26.982094]
[ 26.983690] Allocated by task 0:
[ 26.987022] (stack is not available)
[ 26.990719]
[ 26.992314] Freed by task 0:
[ 26.995297] (stack is not available)
[ 26.998976]
[ 27.000574] The buggy address belongs to the object at ffff8801c91d8100
[ 27.000574]  which belongs to the cache fasync_cache of size 96
[ 27.013197] The buggy address is located 64 bytes inside of
[ 27.013197]  96-byte region [ffff8801c91d8100, ffff8801c91d8160)
[ 27.024875] The buggy address belongs to the page:
[ 27.029774] page:ffffea0007247600 count:1 mapcount:0 mapping: (null) index:0x0
[ 27.038006] flags: 0x8000000000000080(slab)
[ 27.042294] page dumped because: kasan: bad access detected
[ 27.047970]
[ 27.049566] Memory state around the buggy address:
[ 27.054475]  ffff8801c91d8000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 27.061812]  ffff8801c91d8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.069139] >ffff8801c91d8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.076465]                                            ^
[ 27.081883]  ffff8801c91d8180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.089211]  ffff8801c91d8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.096536] ==================================================================
[ 27.103948] Disabling lock debugging due to kernel taint
[ 27.109574] Kernel panic - not syncing: panic_on_warn set ...
[ 27.109574]
[ 27.116921] CPU: 0 PID: 3325 Comm: syzkaller063358 Tainted: G B 4.9.76-g8dec074 #23
[ 27.125812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.135138]  ffff8801c8597898 ffffffff81d93169 ffffffff84195c2f ffff8801c8597970
[ 27.143130]  0000000000000000 ffff8801c91d8140 ffff8801c110c438 ffff8801c8597960
[ 27.151775]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[ 27.159752] Call Trace:
[ 27.162322]  [] dump_stack+0xc1/0x128
[ 27.167658]  [] panic+0x1bc/0x3a8
[ 27.172644]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.180848]  [] ? preempt_schedule+0x25/0x30
[ 27.186790]  [] ? ___preempt_schedule+0x16/0x18
[ 27.193004]  [] kasan_end_report+0x50/0x50
[ 27.198789]  [] kasan_report+0x167/0x360
[ 27.204381]  [] ? sg_remove_request+0x103/0x120
[ 27.210591]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.217313]  [] sg_remove_request+0x103/0x120
[ 27.223338]  [] sg_finish_rem_req+0x295/0x340
[ 27.229369]  [] sg_read+0xa1c/0x1440
[ 27.234616]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.241254]  [] ? fsnotify+0xf30/0xf30
[ 27.246677]  [] ? avc_policy_seqno+0x9/0x20
[ 27.252533]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 27.259517]  [] ? security_file_permission+0x89/0x1e0
[ 27.266240]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.272876]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.279510]  [] compat_do_readv_writev+0x522/0x760
[ 27.285972]  [] ? do_pwritev+0x1a0/0x1a0
[ 27.291581]  [] ? __lru_cache_add+0x187/0x250
[ 27.297613]  [] ? _raw_spin_unlock+0x2c/0x50
[ 27.303555]  [] ? handle_mm_fault+0x6ee/0x2530
[ 27.309946]  [] ? fasync_helper+0x7a/0xb0
[ 27.315626]  [] ? __pmd_alloc+0x410/0x410
[ 27.321326]  [] compat_readv+0xe3/0x150
[ 27.326833]  [] do_compat_readv+0xf4/0x1d0
[ 27.332601]  [] ? compat_readv+0x150/0x150
[ 27.338380]  [] compat_SyS_readv+0x26/0x30
[ 27.344156]  [] ? SyS_pwritev2+0x80/0x80
[ 27.349752]  [] do_fast_syscall_32+0x2f7/0x890
[ 27.355885]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.362525]  [] entry_SYSENTER_compat+0x74/0x83
[ 27.369130] Dumping ftrace buffer:
[ 27.372642]    (ftrace buffer empty)
[ 27.376325] Kernel Offset: disabled
[ 27.379947] Rebooting in 86400 seconds..