[ ok ] Starting enhanced syslogd: rsyslogd.
[ 13.602465] audit: type=1400 audit(1515452996.397:4): avc:  denied  { syslog } for  pid=3187 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.224' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 45.425086] ==================================================================
[ 45.435278] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 45.445136] Read of size 8 at addr ffff8801cd4d7140 by task syzkaller745399/3358
[ 45.455396]
[ 45.457415] CPU: 1 PID: 3358 Comm: syzkaller745399 Not tainted 4.9.75-gb54d99a #8
[ 45.465003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.474334]  ffff8801c74b79b0 ffffffff81d93049 ffffea00073535c0 ffff8801cd4d7140
[ 45.482306]  0000000000000000 ffff8801cd4d7140 ffff8801d7ed4438 ffff8801c74b79e8
[ 45.490294]  ffffffff8153ca53 ffff8801cd4d7140 0000000000000008 0000000000000000
[ 45.498272] Call Trace:
[ 45.500840]  [] dump_stack+0xc1/0x128
[ 45.506184]  [] print_address_description+0x73/0x280
[ 45.512827]  [] kasan_report+0x275/0x360
[ 45.518427]  [] ? sg_remove_request+0x103/0x120
[ 45.524633]  [] __asan_report_load8_noabort+0x14/0x20
[ 45.531362]  [] sg_remove_request+0x103/0x120
[ 45.537394]  [] sg_finish_rem_req+0x295/0x340
[ 45.543426]  [] sg_read+0xa1c/0x1440
[ 45.548685]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.555331]  [] ? fsnotify+0xf30/0xf30
[ 45.560764]  [] ? avc_policy_seqno+0x9/0x20
[ 45.566633]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 45.573629]  [] ? security_file_permission+0x89/0x1e0
[ 45.580360]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.587008]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.593675]  [] do_readv_writev+0x520/0x750
[ 45.599546]  [] ? vfs_write+0x530/0x530
[ 45.605064]  [] ? __pmd_alloc+0x410/0x410
[ 45.610758]  [] ? dev_seq_stop+0x50/0x50
[ 45.616365]  [] ? __do_page_fault+0x5ec/0xd40
[ 45.622401]  [] vfs_readv+0x84/0xc0
[ 45.627572]  [] do_readv+0xe6/0x250
[ 45.632744]  [] ? vfs_readv+0xc0/0xc0
[ 45.638089]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 45.644739]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 45.651562]  [] SyS_readv+0x27/0x30
[ 45.656734]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 45.663286]
[ 45.664890] Allocated by task 0:
[ 45.668225] (stack is not available)
[ 45.671912]
[ 45.673508] Freed by task 0:
[ 45.676494] (stack is not available)
[ 45.680179]
[ 45.681794] The buggy address belongs to the object at ffff8801cd4d7100
[ 45.681794]  which belongs to the cache fasync_cache of size 96
[ 45.694425] The buggy address is located 64 bytes inside of
[ 45.694425]  96-byte region [ffff8801cd4d7100, ffff8801cd4d7160)
[ 45.706101] The buggy address belongs to the page:
[ 45.711016] page:ffffea00073535c0 count:1 mapcount:0 mapping:          (null) index:0x0
[ 45.719264] flags: 0x8000000000000080(slab)
[ 45.723558] page dumped because: kasan: bad access detected
[ 45.729241]
[ 45.730847] Memory state around the buggy address:
[ 45.735755]  ffff8801cd4d7000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 45.743097]  ffff8801cd4d7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.750434] >ffff8801cd4d7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.757764]                                            ^
[ 45.763189]  ffff8801cd4d7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.770518]  ffff8801cd4d7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.777852] ==================================================================
[ 45.785186] Disabling lock debugging due to kernel taint
[ 45.790800] Kernel panic - not syncing: panic_on_warn set ...
[ 45.790800]
[ 45.798152] CPU: 1 PID: 3358 Comm: syzkaller745399 Tainted: G B 4.9.75-gb54d99a #8
[ 45.806964] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.816296]  ffff8801c74b7908 ffffffff81d93049 ffffffff84195be7 ffff8801c74b79e0
[ 45.824300]  0000000000000000 ffff8801cd4d7140 ffff8801d7ed4438 ffff8801c74b79d0
[ 45.832289]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[ 45.840351] Call Trace:
[ 45.842922]  [] dump_stack+0xc1/0x128
[ 45.848269]  [] panic+0x1bc/0x3a8
[ 45.853272]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 45.861480]  [] ? preempt_schedule+0x25/0x30
[ 45.867427]  [] ? ___preempt_schedule+0x16/0x18
[ 45.873643]  [] kasan_end_report+0x50/0x50
[ 45.879418]  [] kasan_report+0x167/0x360
[ 45.885024]  [] ? sg_remove_request+0x103/0x120
[ 45.891241]  [] __asan_report_load8_noabort+0x14/0x20
[ 45.897981]  [] sg_remove_request+0x103/0x120
[ 45.904044]  [] sg_finish_rem_req+0x295/0x340
[ 45.910087]  [] sg_read+0xa1c/0x1440
[ 45.915350]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.921998]  [] ? fsnotify+0xf30/0xf30
[ 45.927454]  [] ? avc_policy_seqno+0x9/0x20
[ 45.933313]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 45.940304]  [] ? security_file_permission+0x89/0x1e0
[ 45.947037]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.953690]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 45.960342]  [] do_readv_writev+0x520/0x750
[ 45.966209]  [] ? vfs_write+0x530/0x530
[ 45.971726]  [] ? __pmd_alloc+0x410/0x410
[ 45.977418]  [] ? dev_seq_stop+0x50/0x50
[ 45.983037]  [] ? __do_page_fault+0x5ec/0xd40
[ 45.989081]  [] vfs_readv+0x84/0xc0
[ 45.994258]  [] do_readv+0xe6/0x250
[ 45.999429]  [] ? vfs_readv+0xc0/0xc0
[ 46.004772]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 46.011417]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 46.018231]  [] SyS_readv+0x27/0x30
[ 46.023397]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 46.030008] Dumping ftrace buffer:
[ 46.033526]    (ftrace buffer empty)
[ 46.037213] Kernel Offset: disabled
[ 46.042117] Rebooting in 86400 seconds..
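The report above is a raw console capture, and the fields a triager actually wants (bug class, faulting function, access kind and size, the slab cache and the offset inside the object, the shadow byte under the faulting address, the syscall the user process was in, and whether panic_on_warn turned the report into a reboot) are scattered across it. The following Python script is an added example, not part of the syzkaller report or of the kernel: it pulls those fields out of the raw text, timestamps and the empty `[]` address placeholders included. Its sample input is a constructed subset of the lines above; the shadow-byte meanings are the KASAN encoding from mm/kasan/kasan.h (0xfc is a kmalloc redzone, 0xfb a freed kmalloc object, values below 8 count addressable bytes in the 8-byte granule). On this sample it shows the access landing in a 0xfc granule even though the bookkeeping places it 64 bytes inside a 96-byte fasync_cache object that has no recorded allocation stack, which is exactly what the Memory state rows above say.

```python
"""Extract triage fields from a KASAN report (added example, not the kernel's
or syzkaller's code). Works on raw console text with `[ 45.4352] ` timestamp
prefixes and empty `[]` placeholders where frame addresses were stripped."""
import re

# Constructed sample: a subset of the report's own lines, embedded so this runs offline.
SAMPLE_REPORT = """\
[ 45.435278] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 45.445136] Read of size 8 at addr ffff8801cd4d7140 by task syzkaller745399/3358
[ 45.457415] CPU: 1 PID: 3358 Comm: syzkaller745399 Not tainted 4.9.75-gb54d99a #8
[ 45.498272] Call Trace:
[ 45.500840]  [] dump_stack+0xc1/0x128
[ 45.506184]  [] print_address_description+0x73/0x280
[ 45.512827]  [] kasan_report+0x275/0x360
[ 45.518427]  [] ? sg_remove_request+0x103/0x120
[ 45.524633]  [] __asan_report_load8_noabort+0x14/0x20
[ 45.531362]  [] sg_remove_request+0x103/0x120
[ 45.537394]  [] sg_finish_rem_req+0x295/0x340
[ 45.543426]  [] sg_read+0xa1c/0x1440
[ 45.622401]  [] vfs_readv+0x84/0xc0
[ 45.651562]  [] SyS_readv+0x27/0x30
[ 45.656734]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 45.663286]
[ 45.681794] The buggy address belongs to the object at ffff8801cd4d7100
[ 45.681794]  which belongs to the cache fasync_cache of size 96
[ 45.694425] The buggy address is located 64 bytes inside of
[ 45.694425]  96-byte region [ffff8801cd4d7100, ffff8801cd4d7160)
[ 45.750434] >ffff8801cd4d7100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.790800] Kernel panic - not syncing: panic_on_warn set ...
"""

# Shadow-byte encoding from mm/kasan/kasan.h; a value below 8 is the number of
# addressable leading bytes in that 8-byte granule.
SHADOW_MEANING = {0xf1: "stack left redzone", 0xf2: "stack mid redzone",
                  0xf3: "stack right redzone", 0xf4: "stack partial redzone",
                  0xf8: "use-after-scope", 0xfa: "global redzone",
                  0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
                  0xfe: "page redzone", 0xff: "freed page"}
# Frames emitted by the reporting machinery rather than by the bug itself.
REPORTING = ("dump_stack", "print_address_description", "kasan_report",
             "__asan_report_", "kasan_end_report")
SYSCALL_PREFIXES = ("SyS_", "sys_", "__x64_sys_", "__se_sys_", "__do_sys_")

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"located (\d+) bytes (inside of|to the right of|to the left of)")
FRAME_RE = re.compile(r"^\[[^\]]*\]\s*(\?\s*)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ROW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")


def shadow_meaning(value):
    if value < 8:
        return "addressable" if value == 0 else f"partially addressable ({value} bytes)"
    return SHADOW_MEANING.get(value, f"unknown (0x{value:02x})")


def parse_kasan_report(text):
    """Return a dict of triage fields; sections missing from the text stay absent."""
    info = {"frames": [], "panic_on_warn": False}
    rows = {}           # shadow row base address -> 16 shadow bytes
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if in_trace:
            m = FRAME_RE.match(line)
            if m:   # (symbol, unreliable) where unreliable means a leading '?'
                info["frames"].append((m.group(2), m.group(1) is not None))
                continue
            in_trace = False  # first non-frame line ends the trace
        if line == "Call Trace:" and not info["frames"]:
            in_trace = True   # only the first trace (the bug), not the panic one
        elif m := BUG_RE.search(line):
            info.update(bug=m.group(1), function=m.group(2),
                        func_offset=int(m.group(3), 16), func_size=int(m.group(4), 16))
        elif m := ACCESS_RE.search(line):
            info.update(access=m.group(1), access_size=int(m.group(2)),
                        addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
        elif m := OBJECT_RE.search(line):
            info["object"] = int(m.group(1), 16)
        elif m := CACHE_RE.search(line):
            info.update(cache=m.group(1), object_size=int(m.group(2)))
        elif m := OFFSET_RE.search(line):
            info.update(offset=int(m.group(1)), relation=m.group(2))
        elif m := ROW_RE.match(line):
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif "panic_on_warn set" in line:
            info["panic_on_warn"] = True
    # One shadow byte covers 8 bytes of memory; find the byte under the fault address.
    for base, shadow in rows.items():
        idx = (info.get("addr", -1) - base) // 8
        if 0 <= idx < len(shadow):
            info["shadow"] = shadow[idx]
            info["shadow_meaning"] = shadow_meaning(shadow[idx])
    # First reliable frame outside the reporting machinery is the faulting function.
    info["culprit"] = next((n for n, unreliable in info["frames"]
                            if not unreliable and not n.startswith(REPORTING)), None)
    info["syscall"] = next((n for n, _ in info["frames"] if n.startswith(SYSCALL_PREFIXES)), None)
    return info


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(f"{r['bug']}: {r['access'].lower()} of {r['access_size']} bytes in {r['culprit']} "
          f"via {r['syscall']}, {r['offset']} bytes {r['relation']} a {r['object_size']}-byte "
          f"{r['cache']} object; shadow 0x{r['shadow']:02x} = {r['shadow_meaning']}")
```

Feed it a whole console log rather than the sample and it still picks the first Call Trace after the BUG line, ignoring the second trace that the panic prints, and only frames without a leading `?` are considered when choosing the faulting function, since the `?` ones are stale stack slots the unwinder could not confirm.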