[....] Starting enhanced syslogd: rsyslogd
[   13.602992] audit: type=1400 audit(1521682290.618:4): avc: denied { syslog } for pid=3651 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   26.962111] ==================================================================
[   26.969512] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   26.976591] Read of size 8 at addr ffff8801b9fce140 by task syzkaller144536/3808
[   26.984096]
[   26.985699] CPU: 1 PID: 3808 Comm: syzkaller144536 Not tainted 4.9.88-g71df7bb #60
[   26.993372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.002698]  ffff8801d7d5fa60 ffffffff81d95f19 ffffea0006e7f380 ffff8801b9fce140
[   27.010673]  0000000000000000 ffff8801b9fce140 ffff8801d81ca338 ffff8801d7d5fa98
[   27.018646]  ffffffff8153e793 ffff8801b9fce140 0000000000000008 0000000000000000
[   27.026621] Call Trace:
[   27.029183]  dump_stack+0xc1/0x128
[   27.034522]  print_address_description+0x73/0x280
[   27.041168]  kasan_report+0x255/0x380
[   27.046778]  ? sg_remove_request+0x103/0x120
[   27.052994]  __asan_report_load8_noabort+0x14/0x20
[   27.059717]  sg_remove_request+0x103/0x120
[   27.065765]  sg_finish_rem_req+0x295/0x340
[   27.071797]  sg_read+0xa16/0x1440
[   27.077046]  ? sg_proc_seq_show_debug+0xd90/0xd90
[   27.083685]  ? new_slab+0x318/0x420
[   27.089107]  ? fasync_helper+0x37/0xb0
[   27.094791]  ? sg_proc_seq_show_debug+0xd90/0xd90
[   27.101442]  __vfs_read+0x103/0x670
[   27.106866]  ? default_llseek+0x290/0x290
[   27.112812]  ? fsnotify+0x86/0xf30
[   27.118148]  ? fsnotify+0xf30/0xf30
[   27.123574]  ? avc_policy_seqno+0x9/0x20
[   27.129432]  ? selinux_file_permission+0x82/0x460
[   27.136072]  ? security_file_permission+0x89/0x1e0
[   27.142800]  ? rw_verify_area+0xe5/0x2b0
[   27.148656]  vfs_read+0x11e/0x380
[   27.153907]  SyS_read+0xd9/0x1b0
[   27.159078]  ? vfs_copy_file_range+0x740/0x740
[   27.165456]  ? do_syscall_64+0x48/0x490
[   27.171227]  ? vfs_copy_file_range+0x740/0x740
[   27.177603]  do_syscall_64+0x1a4/0x490
[   27.183286]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.190181]
[   27.191781] Allocated by task 0:
[   27.195113] (stack is not available)
[   27.198795]
[   27.200393] Freed by task 0:
[   27.203379] (stack is not available)
[   27.207059]
[   27.208659] The buggy address belongs to the object at ffff8801b9fce100
[   27.208659]  which belongs to the cache fasync_cache of size 96
[   27.221287] The buggy address is located 64 bytes inside of
[   27.221287]  96-byte region [ffff8801b9fce100, ffff8801b9fce160)
[   27.232966] The buggy address belongs to the page:
[   27.237873] page:ffffea0006e7f380 count:1 mapcount:0 mapping: (null) index:0x0
[   27.246111] flags: 0x8000000000000080(slab)
[   27.250399] page dumped because: kasan: bad access detected
[   27.256075]
[   27.257671] Memory state around the buggy address:
[   27.262570]  ffff8801b9fce000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   27.269902]  ffff8801b9fce080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.277233] >ffff8801b9fce100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.284563]                                            ^
[   27.289981]  ffff8801b9fce180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.297312]  ffff8801b9fce200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   27.304638] ==================================================================
[   27.311967] Disabling lock debugging due to kernel taint
[   27.317693] Kernel panic - not syncing: panic_on_warn set ...
[   27.317693]
[   27.325040] CPU: 1 PID: 3808 Comm: syzkaller144536 Tainted: G    B   4.9.88-g71df7bb #60
[   27.333936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.343267]  ffff8801d7d5f9b8 ffffffff81d95f19 ffffffff841981e7 ffff8801d7d5fa90
[   27.351242]  0000000000000000 ffff8801b9fce140 ffff8801d81ca338 ffff8801d7d5fa80
[   27.359212]  ffffffff8142fa71 0000000041b58ab3 ffffffff8418bc48 ffffffff8142f8b5
[   27.367185] Call Trace:
[   27.369748]  dump_stack+0xc1/0x128
[   27.375082]  panic+0x1bc/0x3a8
[   27.380087]  ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   27.388289]  ? preempt_schedule+0x25/0x30
[   27.394234]  ? ___preempt_schedule+0x16/0x18
[   27.400441]  kasan_end_report+0x50/0x50
[   27.406221]  kasan_report+0x16b/0x380
[   27.411819]  ? sg_remove_request+0x103/0x120
[   27.418024]  __asan_report_load8_noabort+0x14/0x20
[   27.425304]  sg_remove_request+0x103/0x120
[   27.431336]  sg_finish_rem_req+0x295/0x340
[   27.437368]  sg_read+0xa16/0x1440
[   27.442617]  ? sg_proc_seq_show_debug+0xd90/0xd90
[   27.449255]  ? new_slab+0x318/0x420
[   27.454677]  ? fasync_helper+0x37/0xb0
[   27.460371]  ? sg_proc_seq_show_debug+0xd90/0xd90
[   27.467012]  __vfs_read+0x103/0x670
[   27.472434]  ? default_llseek+0x290/0x290
[   27.478553]  ? fsnotify+0x86/0xf30
[   27.483890]  ? fsnotify+0xf30/0xf30
[   27.489312]  ? avc_policy_seqno+0x9/0x20
[   27.495168]  ? selinux_file_permission+0x82/0x460
[   27.501805]  ? security_file_permission+0x89/0x1e0
[   27.508535]  ? rw_verify_area+0xe5/0x2b0
[   27.514398]  vfs_read+0x11e/0x380
[   27.519651]  SyS_read+0xd9/0x1b0
[   27.524813]  ? vfs_copy_file_range+0x740/0x740
[   27.531195]  ? do_syscall_64+0x48/0x490
[   27.536985]  ? vfs_copy_file_range+0x740/0x740
[   27.543363]  do_syscall_64+0x1a4/0x490
[   27.549049]  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[   27.556459] Dumping ftrace buffer:
[   27.559982]    (ftrace buffer empty)
[   27.563667] Kernel Offset: disabled
[   27.567269] Rebooting in 86400 seconds..