[ ok ] Starting enhanced syslogd: rsyslogd.
[ 10.484987] audit: type=1400 audit(1515442816.152:4): avc: denied { syslog } for pid=3177 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.224' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
syzkaller login: [ 30.625641] ==================================================================
[ 30.626741] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 30.627711] Read of size 8 at addr ffff8801c8952140 by task syzkaller234572/3337
[ 30.628739]
[ 30.628970] CPU: 1 PID: 3337 Comm: syzkaller234572 Not tainted 4.9.75-gb54d99a #8
[ 30.629966] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.631196]  ffff8801c85a79b0 ffffffff81d93049 ffffea0007225480 ffff8801c8952140
[ 30.632331]  0000000000000000 ffff8801c8952140 ffff8801c8588238 ffff8801c85a79e8
[ 30.633459]  ffffffff8153ca53 ffff8801c8952140 0000000000000008 0000000000000000
[ 30.634586] Call Trace:
[ 30.634943]  [] dump_stack+0xc1/0x128
[ 30.635665]  [] print_address_description+0x73/0x280
[ 30.636556]  [] kasan_report+0x275/0x360
[ 30.637339]  [] ? sg_remove_request+0x103/0x120
[ 30.638159]  [] __asan_report_load8_noabort+0x14/0x20
[ 30.639056]  [] sg_remove_request+0x103/0x120
[ 30.639856]  [] sg_finish_rem_req+0x295/0x340
[ 30.640698]  [] sg_read+0xa1c/0x1440
[ 30.641414]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 30.642340]  [] ? fsnotify+0xf30/0xf30
[ 30.643062]  [] ? avc_policy_seqno+0x9/0x20
[ 30.643840]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 30.644759]  [] ? security_file_permission+0x89/0x1e0
[ 30.645645]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 30.651574]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 30.658206]  [] do_readv_writev+0x520/0x750
[ 30.664065]  [] ? vfs_write+0x530/0x530
[ 30.669569]  [] ? _raw_spin_unlock+0x2c/0x50
[ 30.675511]  [] ? __fget+0x201/0x3a0
[ 30.680753]  [] ? __fget+0x228/0x3a0
[ 30.685993]  [] ? __fget+0x47/0x3a0
[ 30.691148]  [] vfs_readv+0x84/0xc0
[ 30.696302]  [] do_readv+0xe6/0x250
[ 30.701466]  [] ? vfs_readv+0xc0/0xc0
[ 30.706795]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 30.713432]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 30.720239]  [] SyS_readv+0x27/0x30
[ 30.725396]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 30.731938]
[ 30.733540] Allocated by task 0:
[ 30.736868] (stack is not available)
[ 30.740542]
[ 30.742134] Freed by task 0:
[ 30.745115] (stack is not available)
[ 30.748799]
[ 30.750400] The buggy address belongs to the object at ffff8801c8952100
[ 30.750400]  which belongs to the cache fasync_cache of size 96
[ 30.763020] The buggy address is located 64 bytes inside of
[ 30.763020]  96-byte region [ffff8801c8952100, ffff8801c8952160)
[ 30.774685] The buggy address belongs to the page:
[ 30.779589] page:ffffea0007225480 count:1 mapcount:0 mapping:          (null) index:0x0
[ 30.787807] flags: 0x8000000000000080(slab)
[ 30.792093] page dumped because: kasan: bad access detected
[ 30.797765]
[ 30.799356] Memory state around the buggy address:
[ 30.804252]  ffff8801c8952000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 30.811577]  ffff8801c8952080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.818988] >ffff8801c8952100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[ 30.826319]                                            ^
[ 30.831732]  ffff8801c8952180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.839058]  ffff8801c8952200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.846381] ==================================================================
[ 30.853705] Disabling lock debugging due to kernel taint
[ 30.860741] Kernel panic - not syncing: panic_on_warn set ...
[ 30.860741]
[ 30.868094] CPU: 1 PID: 3337 Comm: syzkaller234572 Tainted: G    B   4.9.75-gb54d99a #8
[ 30.876896] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.886227]  ffff8801c85a7908 ffffffff81d93049 ffffffff84195be7 ffff8801c85a79e0
[ 30.894178]  0000000000000000 ffff8801c8952140 ffff8801c8588238 ffff8801c85a79d0
[ 30.902142]  ffffffff8142e281 0000000041b58ab3 ffffffff84189648 ffffffff8142e0c5
[ 30.910088] Call Trace:
[ 30.912644]  [] dump_stack+0xc1/0x128
[ 30.917974]  [] panic+0x1bc/0x3a8
[ 30.922955]  [] ? percpu_up_read_preempt_enable.constprop.53+0xd7/0xd7
[ 30.931149]  [] ? preempt_schedule+0x25/0x30
[ 30.937085]  [] ? ___preempt_schedule+0x16/0x18
[ 30.943282]  [] kasan_end_report+0x50/0x50
[ 30.949044]  [] kasan_report+0x167/0x360
[ 30.954645]  [] ? sg_remove_request+0x103/0x120
[ 30.960845]  [] __asan_report_load8_noabort+0x14/0x20
[ 30.967564]  [] sg_remove_request+0x103/0x120
[ 30.973588]  [] sg_finish_rem_req+0x295/0x340
[ 30.979614]  [] sg_read+0xa1c/0x1440
[ 30.984857]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 30.991502]  [] ? fsnotify+0xf30/0xf30
[ 30.996920]  [] ? avc_policy_seqno+0x9/0x20
[ 31.002780]  [] do_loop_readv_writev.part.17+0x141/0x1e0
[ 31.009758]  [] ? security_file_permission+0x89/0x1e0
[ 31.016477]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 31.023105]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[ 31.029733]  [] do_readv_writev+0x520/0x750
[ 31.035583]  [] ? vfs_write+0x530/0x530
[ 31.041097]  [] ? _raw_spin_unlock+0x2c/0x50
[ 31.047033]  [] ? __fget+0x201/0x3a0
[ 31.052281]  [] ? __fget+0x228/0x3a0
[ 31.057531]  [] ? __fget+0x47/0x3a0
[ 31.062698]  [] vfs_readv+0x84/0xc0
[ 31.067853]  [] do_readv+0xe6/0x250
[ 31.073006]  [] ? vfs_readv+0xc0/0xc0
[ 31.078334]  [] ? entry_SYSCALL_64_fastpath+0x5/0xe2
[ 31.084967]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 31.091781]  [] SyS_readv+0x27/0x30
[ 31.096934]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 31.103840] Dumping ftrace buffer:
[ 31.107347]    (ftrace buffer empty)
[ 31.111023] Kernel Offset: disabled
[ 31.114616] Rebooting in 86400 seconds..
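The report above is the raw console output; the fields a triager actually reaches for (bug class, faulting frame, the access, the owning slab cache, and the shadow byte under the faulting address) are scattered across it. The following parser is an added example, not part of the syzkaller log or of any syzkaller tooling. It pulls those fields out of a KASAN slab report, strips the '?' (unreliable) frames from the first call trace, picks the first frame that is not KASAN/dump machinery (the way a crash title is usually formed), and cross-checks the report against itself. The shadow-byte legend is the set of poison values from mm/kasan/kasan.h in the 4.9 series; the sample input is an excerpt of the report above, with the frame addresses already missing as they are in the page.

```python
"""KASAN slab-report triage helper (added example; not the page's own code)."""
import re

# Shadow-byte poison values from mm/kasan/kasan.h (4.9 series).
# 0x00 = fully addressable, 0x01..0x07 = that many leading bytes addressable.
KASAN_POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use-after-scope", 0xfa: "global redzone",
    0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
    0xfe: "page redzone", 0xff: "free page",
}
# Frames that belong to the reporting path, not to the faulting code.
REPORT_MACHINERY = ("dump_stack", "print_address_description",
                    "kasan_report", "__asan_report")

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# "[<addr>] ? func+0xoff/0xlen" -- the address part may be empty, as on this page.
FRAME = re.compile(r"^\[[^\]]*\]\s+(\?\s+)?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)")
SHADOW_ROW = re.compile(r"^(>?)\s*([0-9a-f]{16}):\s*((?:[0-9a-f]{2}\s*){16})")


def shadow_meaning(byte):
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return "partially addressable (%d bytes)" % byte
    return KASAN_POISON.get(byte, "unknown poison 0x%02x" % byte)


def parse_kasan_report(text):
    """Return the triage fields of one KASAN report as a dict."""
    r = {"trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            r["bug"], r["function"] = m.groups()
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)
        if m:
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"] = int(m.group(3), 16)
            r["task"], r["pid"] = m.group(4), int(m.group(5))
        m = re.search(r"Comm: \S+ .*?(\d+\.\d+\.\d+\S*) #\d+", line)
        if m and "kernel" not in r:
            r["kernel"] = m.group(1)
        m = re.search(r"object at ([0-9a-f]+)", line)
        if m:
            r["object"] = int(m.group(1), 16)
        m = re.search(r"cache (\S+) of size (\d+)", line)
        if m:
            r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
        m = re.search(r"located (\d+) bytes inside of", line)
        if m:
            r["offset"] = int(m.group(1))
        # Keep only the first call trace (the fault), not the later panic trace.
        if line.startswith("Call Trace:") and not r["trace"]:
            in_trace = True
            continue
        if in_trace:
            m = FRAME.match(line)
            if m:
                if not m.group(1):          # drop '?' (unreliable) frames
                    r["trace"].append(m.group(2))
                continue
            in_trace = False                # first non-frame line ends the trace
        m = SHADOW_ROW.match(line)
        if m and m.group(1) == ">" and "addr" in r:
            row = int(m.group(2), 16)       # one shadow byte covers 8 bytes
            shadow = [int(b, 16) for b in m.group(3).split()]
            r["shadow"] = shadow[(r["addr"] - row) // 8]
    return r


def crash_frame(r):
    """First frame that is not reporting machinery, i.e. the faulting code."""
    for f in r["trace"]:
        if not f.startswith(REPORT_MACHINERY):
            return f
    return None


def consistency_checks(r):
    """Cross-check the report against itself; returns [(check, ok), ...]."""
    checks = []
    if all(k in r for k in ("addr", "object", "offset")):
        checks.append(("offset matches addr - object", r["addr"] - r["object"] == r["offset"]))
    if all(k in r for k in ("offset", "size", "cache_size")):
        checks.append(("access stays inside the object", r["offset"] + r["size"] <= r["cache_size"]))
    if "shadow" in r:
        checks.append(("faulting shadow byte is poison", r["shadow"] >= 0xf1))
    return checks


# Sample input: an excerpt of the report above ('[]' is where the frame addresses were lost).
SAMPLE = """\
[ 30.626741] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[ 30.627711] Read of size 8 at addr ffff8801c8952140 by task syzkaller234572/3337
[ 30.628739]
[ 30.628970] CPU: 1 PID: 3337 Comm: syzkaller234572 Not tainted 4.9.75-gb54d99a #8
[ 30.634586] Call Trace:
[ 30.634943]  [] dump_stack+0xc1/0x128
[ 30.635665]  [] print_address_description+0x73/0x280
[ 30.636556]  [] kasan_report+0x275/0x360
[ 30.637339]  [] ? sg_remove_request+0x103/0x120
[ 30.638159]  [] __asan_report_load8_noabort+0x14/0x20
[ 30.639056]  [] sg_remove_request+0x103/0x120
[ 30.639856]  [] sg_finish_rem_req+0x295/0x340
[ 30.640698]  [] sg_read+0xa1c/0x1440
[ 30.725396]  [] entry_SYSCALL_64_fastpath+0x23/0xe2
[ 30.731938]
[ 30.750400] The buggy address belongs to the object at ffff8801c8952100
[ 30.750400]  which belongs to the cache fasync_cache of size 96
[ 30.763020] The buggy address is located 64 bytes inside of
[ 30.763020]  96-byte region [ffff8801c8952100, ffff8801c8952160)
[ 30.811577]  ffff8801c8952080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.818988] >ffff8801c8952100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(rep["bug"], "in", crash_frame(rep), "on", rep["kernel"])
    print("shadow 0x%02x = %s" % (rep["shadow"], shadow_meaning(rep["shadow"])))
    for name, ok in consistency_checks(rep):
        print("%-34s %s" % (name, "ok" if ok else "MISMATCH"))
```

Run against this report, the checks show why the classification reads the way it does: the 8-byte read at offset 64 sits well inside the nominal 96-byte fasync_cache object, yet the shadow byte under the address is 0xfc (kmalloc redzone), which is the value KASAN reports as slab-out-of-bounds rather than use-after-free (0xfb). The whole object region being redzone, not a live allocation, is the detail to carry into the next step of the investigation.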