[ ok ] Starting enhanced syslogd: rsyslogd.
[ 16.031740] audit: type=1400 audit(1520709933.485:4): avc: denied { syslog } for pid=3649 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 27.264713] ==================================================================
[ 27.272113] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 27.279181] Read of size 8 at addr ffff8801ca9a5140 by task syzkaller758985/3805
[ 27.286691]
[ 27.288292] CPU: 0 PID: 3805 Comm: syzkaller758985 Not tainted 4.9.86-g00db063 #52
[ 27.295965] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.305292]  ffff8801d7bf7a60 ffffffff81d956f9 ffffea00072a6940 ffff8801ca9a5140
[ 27.313259]  0000000000000000 ffff8801ca9a5140 ffff8801d858a338 ffff8801d7bf7a98
[ 27.321226]  ffffffff8153e083 ffff8801ca9a5140 0000000000000008 0000000000000000
[ 27.329200] Call Trace:
[ 27.331762]  [] dump_stack+0xc1/0x128
[ 27.337098]  [] print_address_description+0x73/0x280
[ 27.343731]  [] kasan_report+0x275/0x360
[ 27.349325]  [] ? sg_remove_request+0x103/0x120
[ 27.355525]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.362247]  [] sg_remove_request+0x103/0x120
[ 27.368272]  [] sg_finish_rem_req+0x295/0x340
[ 27.374297]  [] sg_read+0xa16/0x1440
[ 27.379541]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 27.386184]  [] ? fasync_insert_entry+0x147/0x2e0
[ 27.392555]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 27.399192]  [] __vfs_read+0x103/0x670
[ 27.404611]  [] ? default_llseek+0x290/0x290
[ 27.410576]  [] ? fsnotify+0x86/0xf30
[ 27.415908]  [] ? fsnotify+0xf30/0xf30
[ 27.421338]  [] ? avc_policy_seqno+0x9/0x20
[ 27.427195]  [] ? selinux_file_permission+0x82/0x460
[ 27.433831]  [] ? security_file_permission+0x89/0x1e0
[ 27.440554]  [] ? rw_verify_area+0xe5/0x2b0
[ 27.446421]  [] vfs_read+0x11e/0x380
[ 27.451670]  [] SyS_read+0xd9/0x1b0
[ 27.456830]  [] ? vfs_copy_file_range+0x740/0x740
[ 27.463215]  [] ? do_syscall_64+0x48/0x490
[ 27.468984]  [] ? vfs_copy_file_range+0x740/0x740
[ 27.475358]  [] do_syscall_64+0x1a4/0x490
[ 27.481052]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.487956]
[ 27.489556] Allocated by task 0:
[ 27.492913] (stack is not available)
[ 27.496593]
[ 27.498189] Freed by task 0:
[ 27.501171] (stack is not available)
[ 27.504849]
[ 27.506448] The buggy address belongs to the object at ffff8801ca9a5100
[ 27.506448]  which belongs to the cache fasync_cache of size 96
[ 27.519073] The buggy address is located 64 bytes inside of
[ 27.519073]  96-byte region [ffff8801ca9a5100, ffff8801ca9a5160)
[ 27.530754] The buggy address belongs to the page:
[ 27.535767] page:ffffea00072a6940 count:1 mapcount:0 mapping:          (null) index:0x0
[ 27.544008] flags: 0x8000000000000080(slab)
[ 27.548295] page dumped because: kasan: bad access detected
[ 27.553972]
[ 27.555582] Memory state around the buggy address:
[ 27.560481]  ffff8801ca9a5000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 27.567812]  ffff8801ca9a5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.575142] >ffff8801ca9a5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.582468]                                            ^
[ 27.587901]  ffff8801ca9a5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.595228]  ffff8801ca9a5200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.602558] ==================================================================
[ 27.609885] Disabling lock debugging due to kernel taint
[ 27.615611] Kernel panic - not syncing: panic_on_warn set ...
[ 27.615611]
[ 27.622981] CPU: 0 PID: 3805 Comm: syzkaller758985 Tainted: G    B   4.9.86-g00db063 #52
[ 27.631879] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.641204]  ffff8801d7bf79b8 ffffffff81d956f9 ffffffff84197a0f ffff8801d7bf7a90
[ 27.649177]  0000000000000000 ffff8801ca9a5140 ffff8801d858a338 ffff8801d7bf7a80
[ 27.657162]  ffffffff8142f531 0000000041b58ab3 ffffffff8418b470 ffffffff8142f375
[ 27.665127] Call Trace:
[ 27.667686]  [] dump_stack+0xc1/0x128
[ 27.673021]  [] panic+0x1bc/0x3a8
[ 27.678006]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 27.686204]  [] ? preempt_schedule+0x25/0x30
[ 27.692144]  [] ? ___preempt_schedule+0x16/0x18
[ 27.698356]  [] kasan_end_report+0x50/0x50
[ 27.704123]  [] kasan_report+0x167/0x360
[ 27.709727]  [] ? sg_remove_request+0x103/0x120
[ 27.715934]  [] __asan_report_load8_noabort+0x14/0x20
[ 27.722664]  [] sg_remove_request+0x103/0x120
[ 27.728690]  [] sg_finish_rem_req+0x295/0x340
[ 27.734715]  [] sg_read+0xa16/0x1440
[ 27.739960]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 27.746595]  [] ? fasync_insert_entry+0x147/0x2e0
[ 27.752980]  [] ? sg_proc_seq_show_debug+0xd90/0xd90
[ 27.759617]  [] __vfs_read+0x103/0x670
[ 27.765036]  [] ? default_llseek+0x290/0x290
[ 27.770974]  [] ? fsnotify+0x86/0xf30
[ 27.776302]  [] ? fsnotify+0xf30/0xf30
[ 27.781731]  [] ? avc_policy_seqno+0x9/0x20
[ 27.787587]  [] ? selinux_file_permission+0x82/0x460
[ 27.794221]  [] ? security_file_permission+0x89/0x1e0
[ 27.800943]  [] ? rw_verify_area+0xe5/0x2b0
[ 27.806807]  [] vfs_read+0x11e/0x380
[ 27.812053]  [] SyS_read+0xd9/0x1b0
[ 27.817210]  [] ? vfs_copy_file_range+0x740/0x740
[ 27.823586]  [] ? do_syscall_64+0x48/0x490
[ 27.829351]  [] ? vfs_copy_file_range+0x740/0x740
[ 27.835728]  [] do_syscall_64+0x1a4/0x490
[ 27.841414]  [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 27.848777] Dumping ftrace buffer:
[ 27.852299]    (ftrace buffer empty)
[ 27.855979] Kernel Offset: disabled
[ 27.859576] Rebooting in 86400 seconds..