[....] Starting enhanced syslogd: rsyslogd[ 11.586922] audit: type=1400 audit(1566023943.803:4): avc: denied { syslog } for pid=1909 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 22.330649] ================================================================== [ 22.331850] BUG: KASAN: global-out-of-bounds in __blockdev_direct_IO+0x9209/0xb030 [ 22.332880] Read of size 8 at addr ffffffff8284b220 by task syz-executor533/2057 [ 22.333902] [ 22.334135] CPU: 0 PID: 2057 Comm: syz-executor533 Not tainted 4.4.174+ #4 [ 22.335178] 0000000000000000 394af2dd16140742 ffff8800b72c71d0 ffffffff81aad1a1 [ 22.336467] 0000000000000000 0000000000000000 ffffffff8284b220 0000000000000008 [ 22.337675] ffff8800b6c34000 ffff8800b72c7208 ffffffff81490120 0000000000000000 [ 22.338835] Call Trace: [ 22.339197] [] dump_stack+0xc1/0x120 [ 22.340046] [] print_address_description+0x6f/0x21b [ 22.341105] [] kasan_report.cold+0x8c/0x2be [ 22.341920] [] ? __blockdev_direct_IO+0x9209/0xb030 [ 22.342816] [] __asan_report_load8_noabort+0x14/0x20 [ 22.343708] [] __blockdev_direct_IO+0x9209/0xb030 [ 22.344603] [] ? sb_init_dio_done_wq+0x80/0x80 [ 22.345437] [] ? check_preemption_disabled+0x3c/0x200 [ 22.346338] [] ? check_preemption_disabled+0x3c/0x200 [ 22.347248] [] ? _ext4_get_block+0x690/0x690 [ 22.348052] [] ? ext4_ind_direct_IO+0x6dc/0xb90 [ 22.349026] [] ? ext4_journal_check_start+0x116/0x1a0 [ 22.349976] [] ? __ext4_journal_start_sb+0x13e/0x510 [ 22.350893] [] ext4_ind_direct_IO+0x3e1/0xb90 [ 22.357005] [] ? ext4_ind_map_blocks+0x21f0/0x21f0 [ 22.363551] [] ext4_direct_IO+0x8c1/0x2a80 [ 22.369404] [] ? __lock_acquire+0x22e3/0x4f50 [ 22.375518] [] ? ext4_end_io_dio+0xc0/0xc0 [ 22.381366] [] ? trace_hardirqs_on+0x10/0x10 [ 22.387394] [] ? ext4_xattr_security_get+0x85/0xb0 [ 22.393939] [] ? generic_getxattr+0x128/0x1a0 [ 22.400047] [] ? xattr_resolve_name+0x1f0/0x1f0 [ 22.406341] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 22.413064] [] ? mark_held_locks+0xb1/0x100 [ 22.419003] [] ? filemap_check_errors+0x9d/0xe0 [ 22.425289] [] generic_file_direct_write+0x276/0x4f0 [ 22.432011] [] ? current_fs_time+0x18/0x70 [ 22.437862] [] ? filemap_write_and_wait_range+0xb0/0xb0 [ 22.444847] [] ? file_update_time+0xc1/0x3c0 [ 22.450873] [] ? mutex_trylock+0x500/0x500 [ 22.456726] [] __generic_file_write_iter+0x245/0x540 [ 22.463494] [] ext4_file_write_iter+0x9ec/0xc70 [ 22.469786] [] ? mntput_no_expire+0xfc/0x830 [ 22.475816] [] ? ext4_unwritten_wait+0x200/0x200 [ 22.482335] [] ? mark_held_locks+0xb1/0x100 [ 22.488290] [] ? pipe_lock+0x63/0x80 [ 22.493636] [] ? mutex_lock_nested+0x7dd/0xb80 [ 22.499859] [] ? mutex_lock_nested+0x645/0xb80 [ 22.499865] [] ? pipe_lock+0x63/0x80 [ 22.499871] [] ? trace_hardirqs_on+0xd/0x10 [ 22.499880] [] vfs_iter_write+0x1d0/0x3f0 [ 22.499885] [] ? default_llseek+0x290/0x290 [ 22.499891] [] ? kasan_unpoison_shadow+0x35/0x50 [ 22.499897] [] ? splice_from_pipe_next.part.0+0x20d/0x2c0 [ 22.499903] [] iter_file_splice_write+0x5c1/0xb30 [ 22.499908] [] ? vmsplice_to_user+0x1e0/0x1e0 [ 22.499914] [] ? trace_hardirqs_on+0x10/0x10 [ 22.499920] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 22.499926] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 22.499932] [] ? __sb_start_write+0x14f/0x310 [ 22.499937] [] ? vmsplice_to_user+0x1e0/0x1e0 [ 22.499942] [] SyS_splice+0xd71/0x13a0 [ 22.499948] [] ? compat_SyS_vmsplice+0x160/0x160 [ 22.499957] [] ? lockdep_sys_exit_thunk+0x12/0x14 [ 22.499963] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 22.499965] [ 22.499967] The buggy address belongs to the variable: [ 22.499973] sched_tunable_scaling_names+0x380/0x4740 [ 22.499974] [ 22.499975] Memory state around the buggy address: [ 22.499981] ffffffff8284b100: 00 00 00 00 00 01 fa fa fa fa fa fa 00 00 07 fa [ 22.499985] ffffffff8284b180: fa fa fa fa 00 00 00 00 00 04 fa fa fa fa fa fa [ 22.499989] >ffffffff8284b200: 00 00 00 03 fa fa fa fa 00 07 fa fa fa fa fa fa [ 22.499990] ^ [ 22.499995] ffffffff8284b280: 00 00 00 fa fa fa fa fa 00 00 07 fa fa fa fa fa [ 22.499999] ffffffff8284b300: 00 06 fa fa fa fa fa fa 00 00 05 fa fa fa fa fa [ 22.500000] ================================================================== [ 22.500002] Disabling lock debugging due to kernel taint [ 22.503849] Kernel panic - not syncing: panic_on_warn set ... [ 22.503849] [ 22.503857] CPU: 0 PID: 2057 Comm: syz-executor533 Tainted: G B 4.4.174+ #4 [ 22.503865] 0000000000000000 394af2dd16140742 ffff8800b72c7110 ffffffff81aad1a1 [ 22.503872] ffff8800b72c7220 ffffffff82c5cf1b ffffffff8284b220 0000000000000008 [ 22.503878] ffff8800b6c34000 ffff8800b72c71f0 ffffffff813a48c2 0000000041b58ab3 [ 22.503879] Call Trace: [ 22.503888] [] dump_stack+0xc1/0x120 [ 22.503895] [] panic+0x1b9/0x37b [ 22.503901] [] ? add_taint.cold+0x16/0x16 [ 22.503909] [] ? preempt_schedule+0x24/0x30 [ 22.503916] [] ? ___preempt_schedule+0x12/0x14 [ 22.503924] [] kasan_end_report+0x47/0x4f [ 22.503929] [] kasan_report.cold+0xa9/0x2be [ 22.503935] [] ? __blockdev_direct_IO+0x9209/0xb030 [ 22.503942] [] __asan_report_load8_noabort+0x14/0x20 [ 22.503947] [] __blockdev_direct_IO+0x9209/0xb030 [ 22.503953] [] ? sb_init_dio_done_wq+0x80/0x80 [ 22.503959] [] ? check_preemption_disabled+0x3c/0x200 [ 22.503964] [] ? check_preemption_disabled+0x3c/0x200 [ 22.503971] [] ? _ext4_get_block+0x690/0x690 [ 22.503977] [] ? ext4_ind_direct_IO+0x6dc/0xb90 [ 22.503984] [] ? ext4_journal_check_start+0x116/0x1a0 [ 22.503990] [] ? __ext4_journal_start_sb+0x13e/0x510 [ 22.503995] [] ext4_ind_direct_IO+0x3e1/0xb90 [ 22.504001] [] ? ext4_ind_map_blocks+0x21f0/0x21f0 [ 22.504007] [] ext4_direct_IO+0x8c1/0x2a80 [ 22.504012] [] ? __lock_acquire+0x22e3/0x4f50 [ 22.504018] [] ? ext4_end_io_dio+0xc0/0xc0 [ 22.504023] [] ? trace_hardirqs_on+0x10/0x10 [ 22.504029] [] ? ext4_xattr_security_get+0x85/0xb0 [ 22.504034] [] ? generic_getxattr+0x128/0x1a0 [ 22.504040] [] ? xattr_resolve_name+0x1f0/0x1f0 [ 22.504045] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 22.504050] [] ? mark_held_locks+0xb1/0x100 [ 22.504056] [] ? filemap_check_errors+0x9d/0xe0 [ 22.504062] [] generic_file_direct_write+0x276/0x4f0 [ 22.504068] [] ? current_fs_time+0x18/0x70 [ 22.504074] [] ? filemap_write_and_wait_range+0xb0/0xb0 [ 22.504080] [] ? file_update_time+0xc1/0x3c0 [ 22.504086] [] ? mutex_trylock+0x500/0x500 [ 22.504092] [] __generic_file_write_iter+0x245/0x540 [ 22.504098] [] ext4_file_write_iter+0x9ec/0xc70 [ 22.504104] [] ? mntput_no_expire+0xfc/0x830 [ 22.504110] [] ? ext4_unwritten_wait+0x200/0x200 [ 22.504115] [] ? mark_held_locks+0xb1/0x100 [ 22.504120] [] ? pipe_lock+0x63/0x80 [ 22.504125] [] ? mutex_lock_nested+0x7dd/0xb80 [ 22.504132] [] ? mutex_lock_nested+0x645/0xb80 [ 22.504136] [] ? pipe_lock+0x63/0x80 [ 22.504141] [] ? trace_hardirqs_on+0xd/0x10 [ 22.504146] [] vfs_iter_write+0x1d0/0x3f0 [ 22.504152] [] ? default_llseek+0x290/0x290 [ 22.504157] [] ? kasan_unpoison_shadow+0x35/0x50 [ 22.504163] [] ? splice_from_pipe_next.part.0+0x20d/0x2c0 [ 22.504169] [] iter_file_splice_write+0x5c1/0xb30 [ 22.504174] [] ? vmsplice_to_user+0x1e0/0x1e0 [ 22.504179] [] ? trace_hardirqs_on+0x10/0x10 [ 22.504185] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 22.504190] [] ? rcu_sync_lockdep_assert+0x73/0xb0 [ 22.504197] [] ? __sb_start_write+0x14f/0x310 [ 22.504202] [] ? vmsplice_to_user+0x1e0/0x1e0 [ 22.504207] [] SyS_splice+0xd71/0x13a0 [ 22.504212] [] ? compat_SyS_vmsplice+0x160/0x160 [ 22.504218] [] ? lockdep_sys_exit_thunk+0x12/0x14 [ 22.504224] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 22.506558] Kernel Offset: disabled [ 23.095155] Rebooting in 86400 seconds..