[ ok ] Starting enhanced syslogd: rsyslogd.
[ 11.229403] audit: type=1400 audit(1515658828.242:4): avc: denied { syslog } for pid=3175 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
executing program
executing program
executing program

syzkaller login: [ 27.868937] ==================================================================
[ 27.870835] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 27.872473] Read of size 8 at addr ffff8801cc60e1c0 by task syzkaller879367/3334
[ 27.874539]
[ 27.875104] CPU: 0 PID: 3334 Comm: syzkaller879367 Not tainted 4.9.76-g9154940 #20
[ 27.877281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.879632]  ffff8801c8237940 ffffffff81d93149 ffffea0007318380 ffff8801cc60e1c0
[ 27.881816]  0000000000000000 ffff8801cc60e1c0 ffff8801c812c438 ffff8801c8237978
[ 27.884302]  ffffffff8153cb43 ffff8801cc60e1c0 0000000000000008 0000000000000000
[ 27.886603] Call Trace:
[ 27.887140]  [] dump_stack+0xc1/0x128
[ 27.888430]  [] print_address_description+0x73/0x280
[ 27.893732]  [] kasan_report+0x275/0x360
[ 27.899334]  [] ? sg_remove_request+0x103/0x120
[ 27.905560]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.912293]  [] sg_remove_request+0x103/0x120
[ 27.918325]  [] sg_finish_rem_req+0x295/0x340
[ 27.924356]  [] sg_read+0xa1c/0x1440
[ 27.929609]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.936436]  [] ? fsnotify+0xf30/0xf30
[ 27.942035]  [] ? avc_policy_seqno+0x9/0x20
[ 27.947918]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 27.954909]  [] ? security_file_permission+0x89/0x1e0
[ 27.961646]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.968281]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 27.974927]  [] compat_do_readv_writev+0x522/0x760
[ 27.981398]  [] ? do_pwritev+0x1a0/0x1a0
[ 27.987000]  [] ? _raw_spin_unlock+0x2c/0x50
[ 27.992956]  [] ? check_preemption_disabled+0x3b/0x200
[ 27.999782]  [] ? __fget+0x201/0x3a0
[ 28.005034]  [] ? __fget+0x228/0x3a0
[ 28.010300]  [] ? __fget+0x47/0x3a0
[ 28.015461]  [] compat_readv+0xe3/0x150
[ 28.020964]  [] do_compat_readv+0xf4/0x1d0
[ 28.026746]  [] ? compat_readv+0x150/0x150
[ 28.032522]  [] compat_SyS_readv+0x26/0x30
[ 28.038290]  [] ? SyS_pwritev2+0x80/0x80
[ 28.043883]  [] do_fast_syscall_32+0x2f7/0x890
[ 28.049999]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.056654]  [] entry_SYSENTER_compat+0x74/0x83
[ 28.062853]
[ 28.064456] Allocated by task 0:
[ 28.067787] (stack is not available)
[ 28.071465]
[ 28.073059] Freed by task 0:
[ 28.076042] (stack is not available)
[ 28.079719]
[ 28.081311] The buggy address belongs to the object at ffff8801cc60e180
[ 28.081311]  which belongs to the cache fasync_cache of size 96
[ 28.093934] The buggy address is located 64 bytes inside of
[ 28.093934]  96-byte region [ffff8801cc60e180, ffff8801cc60e1e0)
[ 28.105601] The buggy address belongs to the page:
[ 28.110503] page:ffffea0007318380 count:1 mapcount:0 mapping: (null) index:0x0
[ 28.118729] flags: 0x8000000000000080(slab)
[ 28.123014] page dumped because: kasan: bad access detected
[ 28.128700]
[ 28.130293] Memory state around the buggy address:
[ 28.135189]  ffff8801cc60e080: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 28.142527]  ffff8801cc60e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.149856] >ffff8801cc60e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.157184]                                            ^
[ 28.162605]  ffff8801cc60e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.169933]  ffff8801cc60e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.177260] ==================================================================
[ 28.184584] Disabling lock debugging due to kernel taint
[ 28.190482] Kernel panic - not syncing: panic_on_warn set ...
[ 28.190482]
[ 28.197825] CPU: 0 PID: 3334 Comm: syzkaller879367 Tainted: G B 4.9.76-g9154940 #20
[ 28.206820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.216149]  ffff8801c8237898 ffffffff81d93149 ffffffff84195c17 ffff8801c8237970
[ 28.224108]  0000000000000000 ffff8801cc60e1c0 ffff8801c812c438 ffff8801c8237960
[ 28.232062]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 28.240012] Call Trace:
[ 28.242571]  [] dump_stack+0xc1/0x128
[ 28.247908]  [] panic+0x1bc/0x3a8
[ 28.252894]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 28.261100]  [] ? preempt_schedule+0x25/0x30
[ 28.267044]  [] ? ___preempt_schedule+0x16/0x18
[ 28.273244]  [] kasan_end_report+0x50/0x50
[ 28.279010]  [] kasan_report+0x167/0x360
[ 28.284615]  [] ? sg_remove_request+0x103/0x120
[ 28.290818]  [] __asan_report_load8_noabort+0x14/0x20
[ 28.297557]  [] sg_remove_request+0x103/0x120
[ 28.303583]  [] sg_finish_rem_req+0x295/0x340
[ 28.309612]  [] sg_read+0xa1c/0x1440
[ 28.314868]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 28.321503]  [] ? fsnotify+0xf30/0xf30
[ 28.326939]  [] ? avc_policy_seqno+0x9/0x20
[ 28.332794]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 28.339775]  [] ? security_file_permission+0x89/0x1e0
[ 28.346510]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 28.353144]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 28.359793]  [] compat_do_readv_writev+0x522/0x760
[ 28.366270]  [] ? do_pwritev+0x1a0/0x1a0
[ 28.371868]  [] ? _raw_spin_unlock+0x2c/0x50
[ 28.377811]  [] ? check_preemption_disabled+0x3b/0x200
[ 28.384619]  [] ? __fget+0x201/0x3a0
[ 28.389862]  [] ? __fget+0x228/0x3a0
[ 28.395107]  [] ? __fget+0x47/0x3a0
[ 28.400266]  [] compat_readv+0xe3/0x150
[ 28.405773]  [] do_compat_readv+0xf4/0x1d0
[ 28.411538]  [] ? compat_readv+0x150/0x150
[ 28.417304]  [] compat_SyS_readv+0x26/0x30
[ 28.423071]  [] ? SyS_pwritev2+0x80/0x80
[ 28.428675]  [] do_fast_syscall_32+0x2f7/0x890
[ 28.434798]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.441435]  [] entry_SYSENTER_compat+0x74/0x83
[ 28.447691] Dumping ftrace buffer:
[ 28.451216]    (ftrace buffer empty)
[ 28.454898] Kernel Offset: disabled
[ 28.458493] Rebooting in 86400 seconds..