[....] Starting enhanced syslogd: rsyslogd
[   13.534072] audit: type=1400 audit(1513932089.625:4): avc:  denied  { syslog } for  pid=3178 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting enhanced syslogd: rsyslogd.
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added 'ci-android-49-kasan-gce-8,10.128.0.53' (ECDSA) to the list of known hosts.
executing program

syzkaller login:
[   27.789118] ==================================================================
[   27.789258] kasan: CONFIG_KASAN_INLINE enabled
[   27.789260] kasan: GPF could be caused by NULL-ptr deref or user memory access
[   27.789266] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   27.789268] Dumping ftrace buffer:
[   27.789271]    (ftrace buffer empty)
[   27.789273] Modules linked in:
[   27.789278] CPU: 0 PID: 3844 Comm: syzkaller977133 Not tainted 4.9.71-g2506378 #113
[   27.789281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.789284] task: ffff8801c5ee9800 task.stack: ffff8801c5ef8000
[   27.789295] RIP: 0010:[]  [] __lock_acquire+0x194/0x3640
[   27.789297] RSP: 0018:ffff8801c5eff8e0  EFLAGS: 00010086
[   27.789300] RAX: dead4ead00000000 RBX: 0000000000000000 RCX: 0000000000000000
[   27.789302] RDX: 1ffff10038f88950 RSI: 0000000000000000 RDI: ffff8801c7c44a80
[   27.789304] RBP: ffff8801c5effaa0 R08: 0000000000000001 R09: 0000000000000001
[   27.789306] R10: 0000000000000000 R11: ffff8801c5ee9800 R12: 0000000000000001
[   27.789308] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801c7c44a78
[   27.789311] FS:  00007fb399772700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
[   27.789313] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.789315] CR2: 00007fb399771e78 CR3: 00000001c8971000 CR4: 00000000001406f0
[   27.789320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   27.789322] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   27.789323] Stack:
[   27.789329]  ffffffff814ccab0 ffff8801c939caa8 ffff8801c5ee9800 ffffed0038bdd415
[   27.789333]  dffffc0000000000 ffff8801c8a3e5c0 0000000000000000 ffff8801c5eea0b0
[   27.789344]  ffff8801c5eea088 ffff8801c5eff9e0 0000000000000246 ffff8801c5ee9800
[   27.789345] Call Trace:
[   27.789352]  [] ? __pmd_alloc+0x410/0x410
[   27.789358]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.789361]  [] ? up_read+0x1a/0x40
[   27.789367]  [] ? __do_page_fault+0x3bd/0xd40
[   27.789372]  [] ? retint_kernel+0x2d/0x2d
[   27.789376]  [] lock_acquire+0x12e/0x410
[   27.789381]  [] ? sg_remove_request+0x70/0x120
[   27.789385]  [] _raw_write_lock_irqsave+0x4e/0x62
[   27.789388]  [] ? sg_remove_request+0x70/0x120
[   27.789391]  [] sg_remove_request+0x70/0x120
[   27.789395]  [] sg_finish_rem_req+0x295/0x340
[   27.789398]  [] sg_read+0xa1c/0x1440
[   27.789402]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   27.789406]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   27.789410]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   27.789415]  [] __vfs_read+0x103/0x670
[   27.789419]  [] ? default_llseek+0x290/0x290
[   27.789425]  [] ? fsnotify+0x86/0xf30
[   27.789429]  [] ? fsnotify+0xf30/0xf30
[   27.789435]  [] ? avc_policy_seqno+0x9/0x20
[   27.789439]  [] ? selinux_file_permission+0x82/0x460
[   27.789443]  [] ? security_file_permission+0x89/0x1e0
[   27.789447]  [] ? rw_verify_area+0xe5/0x2b0
[   27.789450]  [] vfs_read+0x11e/0x380
[   27.789454]  [] SyS_read+0xd9/0x1b0
[   27.789458]  [] ? vfs_copy_file_range+0x740/0x740
[   27.789462]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   27.789467]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   27.789470]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   27.789523] Code: 9e ff ff 44 8b 94 24 98 00 00 00 48 85 c0 8b 8c 24 90 00 00 00 44 8b 8c 24 88 00 00 00 4c 8b 9c 24 80 00 00 00 0f 84 ff 07 00 00 ff 80 98 01 00 00 49 8d b3 a8 08 00 00 48 ba 00 00 00 00 00
[   27.789527] RIP  [] __lock_acquire+0x194/0x3640
[   27.789528]  RSP
[   27.789534] ---[ end trace 83f0cb5afceb023a ]---
[   27.789536] Kernel panic - not syncing: Fatal exception
[   28.174737] ==================================================================
[   28.174737] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   28.181800] Read of size 8 at addr ffff8801c7c44bc0 by task syzkaller977133/3843
[   28.189302]
[   28.190899] CPU: 1 PID: 3843 Comm: syzkaller977133 Tainted: G      D         4.9.71-g2506378 #113
[   28.199877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.209197]  ffff8801c5ef7ab0 ffffffff81d922b9 ffffea00071f1100 ffff8801c7c44bc0
[   28.217161]  0000000000000000 ffff8801c7c44bc0 ffff8801c5de2338 ffff8801c5ef7ae8
[   28.225114]  ffffffff8153bab3 ffff8801c7c44bc0 0000000000000008 0000000000000000
[   28.233070] Call Trace:
[   28.235622]  [] dump_stack+0xc1/0x128
[   28.240951]  [] print_address_description+0x73/0x280
[   28.247581]  [] kasan_report+0x275/0x360
[   28.253176]  [] ? sg_remove_request+0x103/0x120
[   28.259373]  [] __asan_report_load8_noabort+0x14/0x20
[   28.266089]  [] sg_remove_request+0x103/0x120
[   28.272110]  [] sg_finish_rem_req+0x295/0x340
[   28.278130]  [] sg_read+0xa1c/0x1440
[   28.283377]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   28.290007]  [] ? debug_check_no_locks_freed+0x2c0/0x2c0
[   28.297003]  [] ? sg_proc_seq_show_debug+0xd10/0xd10
[   28.303634]  [] __vfs_read+0x103/0x670
[   28.309047]  [] ? default_llseek+0x290/0x290
[   28.314985]  [] ? fsnotify+0x86/0xf30
[   28.320314]  [] ? fsnotify+0xf30/0xf30
[   28.325731]  [] ? avc_policy_seqno+0x9/0x20
[   28.331580]  [] ? selinux_file_permission+0x82/0x460
[   28.338212]  [] ? security_file_permission+0x89/0x1e0
[   28.344928]  [] ? rw_verify_area+0xe5/0x2b0
[   28.350775]  [] vfs_read+0x11e/0x380
[   28.356014]  [] SyS_read+0xd9/0x1b0
[   28.361166]  [] ? vfs_copy_file_range+0x740/0x740
[   28.367535]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[   28.374338]  [] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   28.380881]  [] entry_SYSCALL_64_fastpath+0x23/0xc6
[   28.387429]
[   28.389019] Allocated by task 0:
[   28.392348] (stack is not available)
[   28.396036]
[   28.397637] Freed by task 0:
[   28.400618] (stack is not available)
[   28.404292]
[   28.405885] The buggy address belongs to the object at ffff8801c7c44b80
[   28.405885]  which belongs to the cache fasync_cache of size 96
[   28.418501] The buggy address is located 64 bytes inside of
[   28.418501]  96-byte region [ffff8801c7c44b80, ffff8801c7c44be0)
[   28.430171] The buggy address belongs to the page:
[   28.435062] page:ffffea00071f1100 count:1 mapcount:0 mapping:          (null) index:0x0
[   28.443276] flags: 0x8000000000000080(slab)
[   28.447558] page dumped because: kasan: bad access detected
[   28.453227]
[   28.454817] Memory state around the buggy address:
[   28.459707]  ffff8801c7c44a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   28.467030]  ffff8801c7c44b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.474353] >ffff8801c7c44b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.481675]                                            ^
[   28.487087]  ffff8801c7c44c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.494409]  ffff8801c7c44c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.501729] ==================================================================
[   28.509523] Dumping ftrace buffer:
[   28.513093]    (ftrace buffer empty)
[   28.516770] Kernel Offset: disabled
[   28.520365] Rebooting in 86400 seconds..
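Both crashes above sit on the same path, sg_read -> sg_finish_rem_req -> sg_remove_request: CPU 0 takes a general protection fault inside __lock_acquire while sg_remove_request takes its write lock, and CPU 1 gets a KASAN slab-out-of-bounds report from the same function. The part of a KASAN report that says what kind of memory was actually touched is the "Memory state" shadow dump, which is easy to misread by eye. The following triage helper is an added example, not part of the syzkaller output or of the kernel: it parses a KASAN report of this vintage, decodes the shadow byte under the faulting address using the poison values from the kernel's mm/kasan/kasan.h, and cross-checks the "located N bytes inside of" claim against the object bounds. The sample input is an excerpt of the report above; the function and variable names are the example's own.

```python
"""Added triage helper for a KASAN report like the one above (example code,
not part of the syzkaller output or of the kernel)."""
import re

# Shadow-byte encoding used by KASAN on this kernel generation (mm/kasan/kasan.h).
# 0x00 means all 8 bytes are addressable, 0x01..0x07 that only the first N are;
# everything else is a poison marker.
SHADOW_POISON = {
    0xf1: "KASAN_STACK_LEFT", 0xf2: "KASAN_STACK_MID", 0xf3: "KASAN_STACK_RIGHT",
    0xf4: "KASAN_STACK_PARTIAL", 0xf8: "KASAN_USE_AFTER_SCOPE",
    0xfa: "KASAN_GLOBAL_REDZONE",
    0xfb: "KASAN_KMALLOC_FREE (object freed and not reused)",
    0xfc: "KASAN_KMALLOC_REDZONE (slab redzone or slot never allocated)",
    0xfe: "KASAN_PAGE_REDZONE", 0xff: "KASAN_FREE_PAGE",
}
SHADOW_SCALE = 8        # one shadow byte covers 8 bytes of kernel memory
SHADOW_ROW_BYTES = 16   # shadow bytes printed per "Memory state" row

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEADLINE = re.compile(r"BUG: KASAN: (\S+) in (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OBJECT = re.compile(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)")
LOCATED = re.compile(r"located (\d+) bytes inside of")
STACK = re.compile(r"(Allocated|Freed) by task (\d+):\n(.*)")
SHADOW_ROW = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)

# Excerpt of the report above; timestamps are kept so the parser strips them itself.
SAMPLE_REPORT = """\
[   28.174737] BUG: KASAN: slab-out-of-bounds in sg_remove_request+0x103/0x120
[   28.181800] Read of size 8 at addr ffff8801c7c44bc0 by task syzkaller977133/3843
[   28.189302]
[   28.190899] CPU: 1 PID: 3843 Comm: syzkaller977133 Tainted: G      D         4.9.71-g2506378 #113
[   28.389019] Allocated by task 0:
[   28.392348] (stack is not available)
[   28.396036]
[   28.397637] Freed by task 0:
[   28.400618] (stack is not available)
[   28.404292]
[   28.405885] The buggy address belongs to the object at ffff8801c7c44b80
[   28.405885]  which belongs to the cache fasync_cache of size 96
[   28.418501] The buggy address is located 64 bytes inside of
[   28.418501]  96-byte region [ffff8801c7c44b80, ffff8801c7c44be0)
[   28.454817] Memory state around the buggy address:
[   28.459707]  ffff8801c7c44a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   28.467030]  ffff8801c7c44b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.474353] >ffff8801c7c44b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   28.481675]                                            ^
[   28.487087]  ffff8801c7c44c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def describe_shadow(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "all 8 bytes addressable"
    if 1 <= byte <= 7:
        return "only the first %d bytes addressable" % byte
    return SHADOW_POISON.get(byte, "unknown poison 0x%02x" % byte)


def shadow_byte_for(rows, addr):
    """Return the shadow byte covering addr from the parsed 'Memory state' rows."""
    for base, values in rows:
        if base <= addr < base + SHADOW_ROW_BYTES * SHADOW_SCALE:
            return values[(addr - base) // SHADOW_SCALE]
    return None


def parse_kasan_report(text):
    """Extract the triage-relevant fields of a KASAN report into a dict."""
    body = "\n".join(TIMESTAMP.sub("", line) for line in text.splitlines())
    head, acc = HEADLINE.search(body), ACCESS.search(body)
    if not head or not acc:
        raise ValueError("not a KASAN report")
    rep = {"bug": head.group(1), "func": head.group(2),
           "access": acc.group(1), "size": int(acc.group(2)),
           "addr": int(acc.group(3), 16), "task": acc.group(4), "pid": int(acc.group(5))}
    obj = OBJECT.search(body)
    if obj:
        rep["object"], rep["cache"], rep["obj_size"] = int(obj.group(1), 16), obj.group(2), int(obj.group(3))
        rep["offset"] = rep["addr"] - rep["object"]   # recomputed, not trusted from the text
    loc = LOCATED.search(body)
    rep["offset_claimed"] = int(loc.group(1)) if loc else None
    for kind, task, first_line in STACK.findall(body):
        rep[kind.lower() + "_by"] = int(task)
        rep[kind.lower() + "_stack"] = first_line.strip() != "(stack is not available)"
    rows = [(int(base, 16), [int(v, 16) for v in vals.split()]) for base, vals in SHADOW_ROW.findall(body)]
    rep["shadow"] = shadow_byte_for(rows, rep["addr"])
    rep["shadow_meaning"] = describe_shadow(rep["shadow"]) if rep["shadow"] is not None else None
    return rep


def summarize(rep):
    """One-line triage verdict built from the parsed fields."""
    where = ""
    if "cache" in rep:
        where = " %d bytes into a %d-byte %s object" % (rep["offset"], rep["obj_size"], rep["cache"])
    shadow = "not in dump" if rep["shadow"] is None else "0x%02x = %s" % (rep["shadow"], rep["shadow_meaning"])
    return "%s %s of %d bytes in %s%s; shadow %s; alloc stack: %s" % (
        rep["bug"], rep["access"], rep["size"], rep["func"], where, shadow,
        "yes" if rep.get("allocated_stack") else "no")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Run on the excerpt, the helper reports an 8-byte read 64 bytes into a 96-byte fasync_cache slot whose shadow byte is 0xfc (KASAN_KMALLOC_REDZONE), with no allocation or free stack recorded. That combination says the slot was not a live allocation when sg_remove_request dereferenced it; a freed-but-tracked object would show 0xfb and an allocation stack instead. The neighbouring row at ffff8801c7c44a80 (twelve 00 bytes followed by fc redzone) is what a healthy 96-byte object in the same slab looks like, and that address is also the RDI value in the GPF on CPU 0, which is worth keeping in mind when reading the two reports together.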