[....] Starting enhanced syslogd: rsyslogd
[ 10.891467] audit: type=1400 audit(1515953495.811:4): avc: denied { syslog } for pid=3176 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.837168] ==================================================================
[ 38.838232] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 38.839166] Read of size 8 at addr ffff8801c7c3d140 by task syzkaller246930/3342
[ 38.840169]
[ 38.840420] CPU: 0 PID: 3342 Comm: syzkaller246930 Not tainted 4.9.76-gf0f6293 #22
[ 38.841464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.842732]  ffff8801c7f17940 ffffffff81d93149 ffffea00071f0f40 ffff8801c7c3d140
[ 38.843880]  0000000000000000 ffff8801c7c3d140 ffff8801ccbb4438 ffff8801c7f17978
[ 38.845033]  ffffffff8153cb43 ffff8801c7c3d140 0000000000000008 0000000000000000
[ 38.846210] Call Trace:
[ 38.846585]  [] dump_stack+0xc1/0x128
[ 38.847300]  [] print_address_description+0x73/0x280
[ 38.848183]  [] kasan_report+0x275/0x360
[ 38.848927]  [] ? sg_remove_request+0x103/0x120
[ 38.849768]  [] __asan_report_load8_noabort+0x14/0x20
[ 38.850680]  [] sg_remove_request+0x103/0x120
[ 38.851482]  [] sg_finish_rem_req+0x295/0x340
[ 38.852298]  [] sg_read+0xa1c/0x1440
[ 38.853013]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 38.853917]  [] ? fsnotify+0xf30/0xf30
[ 38.854640]  [] ? avc_policy_seqno+0x9/0x20
[ 38.855481]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 38.856497]  [] ? security_file_permission+0x89/0x1e0
[ 38.858269]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 38.864905]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 38.871556]  [] compat_do_readv_writev+0x522/0x760
[ 38.878020]  [] ? do_pwritev+0x1a0/0x1a0
[ 38.883615]  [] ? _raw_spin_unlock+0x2c/0x50
[ 38.889558]  [] ? handle_mm_fault+0x6ee/0x2530
[ 38.895676]  [] ? __pmd_alloc+0x410/0x410
[ 38.901359]  [] compat_readv+0xe3/0x150
[ 38.907822]  [] do_compat_readv+0xf4/0x1d0
[ 38.913595]  [] ? compat_readv+0x150/0x150
[ 38.919362]  [] compat_SyS_readv+0x26/0x30
[ 38.925139]  [] ? SyS_pwritev2+0x80/0x80
[ 38.931606]  [] do_fast_syscall_32+0x2f7/0x890
[ 38.937718]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 38.944354]  [] entry_SYSENTER_compat+0x74/0x83
[ 38.950556]
[ 38.952157] Allocated by task 0:
[ 38.955489] (stack is not available)
[ 38.959175]
[ 38.961032] Freed by task 0:
[ 38.964018] (stack is not available)
[ 38.967871]
[ 38.970077] The buggy address belongs to the object at ffff8801c7c3d100
[ 38.970077]  which belongs to the cache fasync_cache of size 96
[ 38.983656] The buggy address is located 64 bytes inside of
[ 38.983656]  96-byte region [ffff8801c7c3d100, ffff8801c7c3d160)
[ 38.995326] The buggy address belongs to the page:
[ 39.000842] page:ffffea00071f0f40 count:1 mapcount:0 mapping: (null) index:0x0
[ 39.010642] flags: 0x8000000000000080(slab)
[ 39.016241] page dumped because: kasan: bad access detected
[ 39.021919]
[ 39.023514] Memory state around the buggy address:
[ 39.028423]  ffff8801c7c3d000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 39.035749]  ffff8801c7c3d080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.043079] >ffff8801c7c3d100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.050848]                                            ^
[ 39.056277]  ffff8801c7c3d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.063605]  ffff8801c7c3d200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.070933] ==================================================================
[ 39.079213] Disabling lock debugging due to kernel taint
[ 39.085181] Kernel panic - not syncing: panic_on_warn set ...
[ 39.085181]
[ 39.093215] CPU: 0 PID: 3342 Comm: syzkaller246930 Tainted: G B 4.9.76-gf0f6293 #22
[ 39.102108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.111783]  ffff8801c7f17898 ffffffff81d93149 ffffffff84195c17 ffff8801c7f17970
[ 39.120109]  0000000000000000 ffff8801c7c3d140 ffff8801ccbb4438 ffff8801c7f17960
[ 39.128089]  ffffffff8142e371 0000000041b58ab3 ffffffff84189678 ffffffff8142e1b5
[ 39.137280] Call Trace:
[ 39.139847]  [] dump_stack+0xc1/0x128
[ 39.145183]  [] panic+0x1bc/0x3a8
[ 39.150172]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 39.158383]  [] ? preempt_schedule+0x25/0x30
[ 39.164327]  [] ? ___preempt_schedule+0x16/0x18
[ 39.170528]  [] kasan_end_report+0x50/0x50
[ 39.176294]  [] kasan_report+0x167/0x360
[ 39.182935]  [] ? sg_remove_request+0x103/0x120
[ 39.189138]  [] __asan_report_load8_noabort+0x14/0x20
[ 39.196466]  [] sg_remove_request+0x103/0x120
[ 39.202506]  [] sg_finish_rem_req+0x295/0x340
[ 39.208543]  [] sg_read+0xa1c/0x1440
[ 39.213800]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 39.220794]  [] ? fsnotify+0xf30/0xf30
[ 39.226215]  [] ? avc_policy_seqno+0x9/0x20
[ 39.232507]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 39.241572]  [] ? security_file_permission+0x89/0x1e0
[ 39.248293]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 39.254931]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 39.262008]  [] compat_do_readv_writev+0x522/0x760
[ 39.268468]  [] ? do_pwritev+0x1a0/0x1a0
[ 39.274070]  [] ? _raw_spin_unlock+0x2c/0x50
[ 39.280012]  [] ? handle_mm_fault+0x6ee/0x2530
[ 39.286127]  [] ? __pmd_alloc+0x410/0x410
[ 39.292248]  [] compat_readv+0xe3/0x150
[ 39.297754]  [] do_compat_readv+0xf4/0x1d0
[ 39.303522]  [] ? compat_readv+0x150/0x150
[ 39.309291]  [] compat_SyS_readv+0x26/0x30
[ 39.315070]  [] ? SyS_pwritev2+0x80/0x80
[ 39.321452]  [] do_fast_syscall_32+0x2f7/0x890
[ 39.327574]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.334212]  [] entry_SYSENTER_compat+0x74/0x83
[ 39.340912] Dumping ftrace buffer:
[ 39.344424] (ftrace buffer empty)
[ 39.348108] Kernel Offset: disabled
[ 39.351704] Rebooting in 86400 seconds..