[ ok ] Starting enhanced syslogd: rsyslogd.
[   10.684090] audit: type=1400 audit(1516136240.444:4): avc:  denied  { syslog } for  pid=3172 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   25.108475] ==================================================================
[   25.109624] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   25.110582] Read of size 8 at addr ffff8801cbf9c140 by task syzkaller854887/3328
[   25.111572]
[   25.111893] CPU: 0 PID: 3328 Comm: syzkaller854887 Not tainted 4.9.76-g8dec074 #23
[   25.113026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.114350]  ffff8801c8677940 ffffffff81d93169 ffffea00072fe700 ffff8801cbf9c140
[   25.115688]  0000000000000000 ffff8801cbf9c140 ffff8801c8458238 ffff8801c8677978
[   25.116914]  ffffffff8153cb43 ffff8801cbf9c140 0000000000000008 0000000000000000
[   25.118174] Call Trace:
[   25.118553]  [] dump_stack+0xc1/0x128
[   25.119342]  [] print_address_description+0x73/0x280
[   25.120239]  [] kasan_report+0x275/0x360
[   25.121004]  [] ? sg_remove_request+0x103/0x120
[   25.121847]  [] __asan_report_load8_noabort+0x14/0x20
[   25.122780]  [] sg_remove_request+0x103/0x120
[   25.123601]  [] sg_finish_rem_req+0x295/0x340
[   25.124443]  [] sg_read+0xa1c/0x1440
[   25.125148]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.126108]  [] ? fsnotify+0xf30/0xf30
[   25.126891]  [] ? avc_policy_seqno+0x9/0x20
[   25.127693]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   25.128635]  [] ? security_file_permission+0x89/0x1e0
[   25.135357]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.141994]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.148632]  [] compat_do_readv_writev+0x522/0x760
[   25.155097]  [] ? do_pwritev+0x1a0/0x1a0
[   25.160692]  [] ? _raw_spin_unlock+0x2c/0x50
[   25.166635]  [] ? __pmd_alloc+0x410/0x410
[   25.172316]  [] compat_readv+0xe3/0x150
[   25.177824]  [] do_compat_readv+0xf4/0x1d0
[   25.183589]  [] ? compat_readv+0x150/0x150
[   25.189356]  [] compat_SyS_readv+0x26/0x30
[   25.195124]  [] ? SyS_pwritev2+0x80/0x80
[   25.200722]  [] do_fast_syscall_32+0x2f7/0x890
[   25.206845]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.213479]  [] entry_SYSENTER_compat+0x74/0x83
[   25.219678]
[   25.221276] Allocated by task 0:
[   25.224611] (stack is not available)
[   25.228293]
[   25.229888] Freed by task 0:
[   25.232874] (stack is not available)
[   25.236553]
[   25.238149] The buggy address belongs to the object at ffff8801cbf9c100
[   25.238149]  which belongs to the cache fasync_cache of size 96
[   25.250776] The buggy address is located 64 bytes inside of
[   25.250776]  96-byte region [ffff8801cbf9c100, ffff8801cbf9c160)
[   25.262445] The buggy address belongs to the page:
[   25.267344] page:ffffea00072fe700 count:1 mapcount:0 mapping:          (null) index:0x0
[   25.275569] flags: 0x8000000000000080(slab)
[   25.279856] page dumped because: kasan: bad access detected
[   25.285531]
[   25.287126] Memory state around the buggy address:
[   25.292023]  ffff8801cbf9c000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.299355]  ffff8801cbf9c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.306682] >ffff8801cbf9c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.314010]                                            ^
[   25.319427]  ffff8801cbf9c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.326752]  ffff8801cbf9c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.334078] ==================================================================
[   25.341403] Disabling lock debugging due to kernel taint
[   25.346907] Kernel panic - not syncing: panic_on_warn set ...
[   25.346907]
[   25.354246] CPU: 0 PID: 3328 Comm: syzkaller854887 Tainted: G    B           4.9.76-g8dec074 #23
[   25.363138] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.372467]  ffff8801c8677898 ffffffff81d93169 ffffffff84195c2f ffff8801c8677970
[   25.380444]  0000000000000000 ffff8801cbf9c140 ffff8801c8458238 ffff8801c8677960
[   25.388416]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[   25.396401] Call Trace:
[   25.398964]  [] dump_stack+0xc1/0x128
[   25.404297]  [] panic+0x1bc/0x3a8
[   25.409284]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   25.417493]  [] ? preempt_schedule+0x25/0x30
[   25.423435]  [] ? ___preempt_schedule+0x16/0x18
[   25.429638]  [] kasan_end_report+0x50/0x50
[   25.435408]  [] kasan_report+0x167/0x360
[   25.441004]  [] ? sg_remove_request+0x103/0x120
[   25.447209]  [] __asan_report_load8_noabort+0x14/0x20
[   25.453930]  [] sg_remove_request+0x103/0x120
[   25.459956]  [] sg_finish_rem_req+0x295/0x340
[   25.465984]  [] sg_read+0xa1c/0x1440
[   25.471228]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.477863]  [] ? fsnotify+0xf30/0xf30
[   25.483282]  [] ? avc_policy_seqno+0x9/0x20
[   25.489138]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[   25.496120]  [] ? security_file_permission+0x89/0x1e0
[   25.502843]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.509477]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.516112]  [] compat_do_readv_writev+0x522/0x760
[   25.522572]  [] ? do_pwritev+0x1a0/0x1a0
[   25.528169]  [] ? _raw_spin_unlock+0x2c/0x50
[   25.534107]  [] ? __pmd_alloc+0x410/0x410
[   25.539789]  [] compat_readv+0xe3/0x150
[   25.545297]  [] do_compat_readv+0xf4/0x1d0
[   25.551063]  [] ? compat_readv+0x150/0x150
[   25.556833]  [] compat_SyS_readv+0x26/0x30
[   25.562600]  [] ? SyS_pwritev2+0x80/0x80
[   25.568194]  [] do_fast_syscall_32+0x2f7/0x890
[   25.574307]  [] ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.580944]  [] entry_SYSENTER_compat+0x74/0x83
[   25.587557] Dumping ftrace buffer:
[   25.591067]    (ftrace buffer empty)
[   25.594747] Kernel Offset: disabled
[   25.598344] Rebooting in 86400 seconds..