[....] Starting enhanced syslogd: rsyslogd
[   13.153395] audit: type=1400 audit(1516055102.915:4): avc: denied { syslog } for pid=3179 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   25.085920] ==================================================================
[   25.093312] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   25.100384] Read of size 8 at addr ffff8801c146f140 by task syzkaller365119/3335
[   25.107885]
[   25.109512] CPU: 0 PID: 3335 Comm: syzkaller365119 Not tainted 4.9.76-g8dec074 #13
[   25.117190] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.126518]  ffff8801cc1efab0 ffffffff81d93169 ffffea0007051bc0 ffff8801c146f140
[   25.134497]  0000000000000000 ffff8801c146f140 ffff8801c8268238 ffff8801cc1efae8
[   25.142495]  ffffffff8153cb43 ffff8801c146f140 0000000000000008 0000000000000000
[   25.150464] Call Trace:
[   25.153027]  dump_stack+0xc1/0x128
[   25.158364]  print_address_description+0x73/0x280
[   25.164999]  kasan_report+0x275/0x360
[   25.170594]  ? sg_remove_request+0x103/0x120
[   25.176807]  __asan_report_load8_noabort+0x14/0x20
[   25.183533]  sg_remove_request+0x103/0x120
[   25.189561]  sg_finish_rem_req+0x295/0x340
[   25.195589]  sg_read+0xa1c/0x1440
[   25.200836]  ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.207475]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[   25.214460]  ? fasync_helper+0x37/0xb0
[   25.220147]  ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.226796]  __vfs_read+0x103/0x670
[   25.232219]  ? default_llseek+0x290/0x290
[   25.238169]  ? fsnotify+0x86/0xf30
[   25.243503]  ? fsnotify+0xf30/0xf30
[   25.248930]  ? avc_policy_seqno+0x9/0x20
[   25.254791]  ? selinux_file_permission+0x82/0x460
[   25.261434]  ? security_file_permission+0x89/0x1e0
[   25.268171]  ? rw_verify_area+0xe5/0x2b0
[   25.274027]  vfs_read+0x11e/0x380
[   25.279274]  SyS_read+0xd9/0x1b0
[   25.284441]  ? vfs_copy_file_range+0x740/0x740
[   25.290820]  ? trace_hardirqs_on_caller+0x38b/0x590
[   25.297641]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.304201]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   25.310748]
[   25.312347] Allocated by task 0:
[   25.315688] (stack is not available)
[   25.319367]
[   25.320963] Freed by task 0:
[   25.323949] (stack is not available)
[   25.327629]
[   25.329225] The buggy address belongs to the object at ffff8801c146f100
[   25.329225]  which belongs to the cache fasync_cache of size 96
[   25.341847] The buggy address is located 64 bytes inside of
[   25.341847]  96-byte region [ffff8801c146f100, ffff8801c146f160)
[   25.353515] The buggy address belongs to the page:
[   25.358413] page:ffffea0007051bc0 count:1 mapcount:0 mapping:          (null) index:0x0
[   25.366644] flags: 0x8000000000000080(slab)
[   25.370929] page dumped because: kasan: bad access detected
[   25.376607]
[   25.378204] Memory state around the buggy address:
[   25.383101]  ffff8801c146f000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.390429]  ffff8801c146f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.397757] >ffff8801c146f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.405086]                                            ^
[   25.410513]  ffff8801c146f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.417843]  ffff8801c146f200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.425182] ==================================================================
[   25.432517] Disabling lock debugging due to kernel taint
[   25.438204] Kernel panic - not syncing: panic_on_warn set ...
[   25.438204]
[   25.445557] CPU: 0 PID: 3335 Comm: syzkaller365119 Tainted: G    B   4.9.76-g8dec074 #13
[   25.454452] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   25.463779]  ffff8801cc1efa08 ffffffff81d93169 ffffffff84195c2f ffff8801cc1efae0
[   25.471752]  0000000000000000 ffff8801c146f140 ffff8801c8268238 ffff8801cc1efad0
[   25.479725]  ffffffff8142e371 0000000041b58ab3 ffffffff84189690 ffffffff8142e1b5
[   25.487713] Call Trace:
[   25.490274]  dump_stack+0xc1/0x128
[   25.495609]  panic+0x1bc/0x3a8
[   25.500596]  ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[   25.508794]  ? preempt_schedule+0x25/0x30
[   25.514735]  ? ___preempt_schedule+0x16/0x18
[   25.520935]  kasan_end_report+0x50/0x50
[   25.526713]  kasan_report+0x167/0x360
[   25.532307]  ? sg_remove_request+0x103/0x120
[   25.538508]  __asan_report_load8_noabort+0x14/0x20
[   25.545231]  sg_remove_request+0x103/0x120
[   25.551258]  sg_finish_rem_req+0x295/0x340
[   25.557294]  sg_read+0xa1c/0x1440
[   25.562542]  ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.569180]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[   25.576166]  ? fasync_helper+0x37/0xb0
[   25.582619]  ? sg_proc_seq_show_debug+0xd10/0xd10
[   25.589261]  __vfs_read+0x103/0x670
[   25.594693]  ? default_llseek+0x290/0x290
[   25.600634]  ? fsnotify+0x86/0xf30
[   25.605970]  ? fsnotify+0xf30/0xf30
[   25.611393]  ? avc_policy_seqno+0x9/0x20
[   25.617252]  ? selinux_file_permission+0x82/0x460
[   25.623896]  ? security_file_permission+0x89/0x1e0
[   25.630624]  ? rw_verify_area+0xe5/0x2b0
[   25.636496]  vfs_read+0x11e/0x380
[   25.641745]  SyS_read+0xd9/0x1b0
[   25.646905]  ? vfs_copy_file_range+0x740/0x740
[   25.653281]  ? trace_hardirqs_on_caller+0x38b/0x590
[   25.660093]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.666644]  entry_SYSCALL_64_fastpath+0x23/0xe2
[   25.673749] Dumping ftrace buffer:
[   25.677288]    (ftrace buffer empty)
[   25.680970] Kernel Offset: disabled
[   25.684574] Rebooting in 86400 seconds..
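The log above is the raw console capture. As a triage aid added here (example code, not part of the report, of syzkaller or of the kernel), the following Python parses the KASAN block's key lines, decodes the shadow byte that covers the faulting address, and cross-checks the numbers the report gives. The sample input is quoted from the report above; the shadow legend is the generic-KASAN encoding from mm/kasan/kasan.h in the 4.9 series, and the function and field names are this example's own.

```python
"""Triage helper for a KASAN report: extract the key fields, decode the shadow
byte at the faulting address, and sanity-check the report's own numbers.
Example code written for this page, not part of the original report."""
import re

# Generic-KASAN shadow encoding as of Linux 4.9 (mm/kasan/kasan.h).  One shadow
# byte covers an 8-byte granule: 0x00 = all 8 bytes addressable, 0x01..0x07 =
# only that many leading bytes addressable, anything else is a poison value.
SHADOW_LEGEND = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone, not part of a live object (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "free page (KASAN_FREE_PAGE)",
}

# Constructed sample input: the relevant lines quoted from the report above.
SAMPLE_REPORT = """\
[   25.093312] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   25.100384] Read of size 8 at addr ffff8801c146f140 by task syzkaller365119/3335
[   25.329225] The buggy address belongs to the object at ffff8801c146f100
[   25.329225]  which belongs to the cache fasync_cache of size 96
[   25.341847] The buggy address is located 64 bytes inside of
[   25.341847]  96-byte region [ffff8801c146f100, ffff8801c146f160)
[   25.378204] Memory state around the buggy address:
[   25.383101]  ffff8801c146f000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   25.390429]  ffff8801c146f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.397757] >ffff8801c146f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   25.417843]  ffff8801c146f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FIELD_PATTERNS = [
    re.compile(r"BUG: KASAN: (?P<bug_type>[\w-]+) in (?P<func>[\w.]+)\+0x"),
    re.compile(r"(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
               r" by task (?P<task>\S+)/(?P<pid>\d+)"),
    re.compile(r"belongs to the object at (?P<object_addr>[0-9a-f]+)"),
    re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<object_size>\d+)"),
    re.compile(r"located (?P<offset>\d+) bytes inside of"),
    re.compile(r"(?P<region_size>\d+)-byte region "
               r"\[(?P<region_start>[0-9a-f]+), (?P<region_end>[0-9a-f]+)\)"),
]
# A dumped shadow row: optional '>' marker, 16-digit memory address, 16 shadow bytes.
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
HEX_FIELDS = ("addr", "object_addr", "region_start", "region_end")
INT_FIELDS = ("size", "pid", "object_size", "offset", "region_size")


def decode_shadow(byte):
    if byte == 0:
        return "all 8 bytes addressable"
    if 1 <= byte <= 7:
        return f"first {byte} byte(s) of granule addressable"
    return SHADOW_LEGEND.get(byte, f"unknown poison 0x{byte:02x}")


def shadow_byte_at(rows, addr):
    """rows maps a row's base memory address to its 16 shadow bytes; each
    printed row therefore covers 16 * 8 = 128 bytes of memory."""
    base = addr & ~0x7f
    row = rows.get(base)
    return None if row is None else row[(addr - base) >> 3]


def parse_kasan_report(text):
    """Return the report's key fields (ints for numbers) plus the decoded shadow byte."""
    fields, rows = {}, {}
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        m = SHADOW_ROW.match(line)
        if m:
            rows[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
            continue
        for pat in FIELD_PATTERNS:
            m = pat.search(line)
            if m:
                fields.update(m.groupdict())
                break
    for k in HEX_FIELDS:
        if k in fields:
            fields[k] = int(fields[k], 16)
    for k in INT_FIELDS:
        if k in fields:
            fields[k] = int(fields[k])
    fields["shadow_rows"] = rows
    sb = shadow_byte_at(rows, fields["addr"]) if "addr" in fields else None
    fields["shadow_byte"] = sb
    fields["shadow_meaning"] = decode_shadow(sb) if sb is not None else "row not dumped"
    return fields


def triage(r):
    """Cross-check the report against itself; returns named boolean verdicts."""
    return {
        # "located N bytes inside of" must equal addr - object_addr.
        "offset_consistent": r["addr"] - r["object_addr"] == r["offset"],
        # Does the whole access fit inside the slab slot KASAN attributed it to?
        "access_within_region": r["region_start"] <= r["addr"]
                                and r["addr"] + r["size"] <= r["region_end"],
        # Only 0x00..0x07 means a live, addressable allocation; a poison value
        # means the granule is redzone or freed even if it sits inside the slot.
        "in_live_object": r["shadow_byte"] is not None and r["shadow_byte"] <= 7,
    }


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(f"{rep['bug_type']} in {rep['func']}: {rep['access']} of {rep['size']} at {rep['addr']:#x}")
    print(f"slot {rep['object_addr']:#x} cache={rep['cache']} size={rep['object_size']} offset={rep['offset']}")
    print(f"shadow byte {rep['shadow_byte']:#04x}: {rep['shadow_meaning']}")
    for name, verdict in triage(rep).items():
        print(f"  {name}: {verdict}")
```

Two things the decoded byte makes explicit that the headline does not: the 8-byte read lands on a granule poisoned 0xfc, and in 4.9 KASAN derives the "out-of-bounds" label from exactly that poison (0xfb/0xff would have produced "use-after-free"), adding the "slab-" prefix because the page is a slab page. So the address is 64 bytes into a 96-byte fasync_cache slot, but that slot holds no live object at the time of the read, which is consistent with the report's "Allocated by task 0: (stack is not available)".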