[....] Starting periodic command scheduler: cron[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[   19.711314] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.976879] random: sshd: uninitialized urandom read (32 bytes read)
[   24.270443] random: sshd: uninitialized urandom read (32 bytes read)
[   25.068741] random: sshd: uninitialized urandom read (32 bytes read)
[   25.223068] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
[   30.719441] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.901563] ==================================================================
[   30.909090] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[   30.915757] Write of size 4 at addr ffff8801cdca6330 by task syz-executor147/4556
[   30.923366] 
[   30.924983] CPU: 1 PID: 4556 Comm: syz-executor147 Not tainted 4.17.0+ #115
[   30.932064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.941403] Call Trace:
[   30.943974]  dump_stack+0x1b9/0x294
[   30.947586]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.952803]  ? printk+0x9e/0xba
[   30.956080]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.960829]  ? kasan_check_write+0x14/0x20
[   30.965069]  print_address_description+0x6c/0x20b
[   30.969903]  ? rmd320_final+0x201/0x240
[   30.973874]  kasan_report.cold.7+0x242/0x2fe
[   30.978277]  __asan_report_store4_noabort+0x17/0x20
[   30.983293]  rmd320_final+0x201/0x240
[   30.987109]  ? rmd320_update+0x170/0x170
[   30.991169]  ? rmd320_update+0x13b/0x170
[   30.995221]  ? kasan_unpoison_shadow+0x35/0x50
[   30.999805]  crypto_shash_final+0x104/0x260
[   31.004130]  ? rmd320_update+0x170/0x170
[   31.008202]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.012788]  ? copy_overflow+0x30/0x30
[   31.016677]  ? find_held_lock+0x36/0x1c0
[   31.020740]  ? lock_downgrade+0x8e0/0x8e0
[   31.024878]  ? check_same_owner+0x320/0x320
[   31.029189]  ? kasan_check_write+0x14/0x20
[   31.033411]  ? do_raw_spin_lock+0xc1/0x200
[   31.037637]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.043171]  ? _copy_from_user+0xdf/0x150
[   31.047309]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.052141]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   31.057087]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.062271]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.067109]  do_fast_syscall_32+0x345/0xf9b
[   31.071425]  ? do_int80_syscall_32+0x880/0x880
[   31.075996]  ? do_syscall_64+0x48f/0x800
[   31.080057]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.084988]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.089904]  ? sysret32_from_system_call+0x5/0x46
[   31.094734]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.099563]  entry_SYSENTER_compat+0x70/0x7f
[   31.103949] RIP: 0023:0xf7fc8cb9
[   31.107289] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   31.126466] RSP: 002b:00000000ffb280cc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[   31.134172] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000740
[   31.141428] RDX: 0000000020000780 RSI: 000000000000002d RDI: 0000000020000880
[   31.148690] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   31.155943] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   31.163201] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   31.170487] 
[   31.172110] Allocated by task 4556:
[   31.175729]  save_stack+0x43/0xd0
[   31.179171]  kasan_kmalloc+0xc4/0xe0
[   31.182875]  __kmalloc+0x14e/0x760
[   31.186419]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.190922]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.195761]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.200627]  do_fast_syscall_32+0x345/0xf9b
[   31.204948]  entry_SYSENTER_compat+0x70/0x7f
[   31.209337] 
[   31.210957] Freed by task 19:
[   31.214063]  save_stack+0x43/0xd0
[   31.217519]  __kasan_slab_free+0x11a/0x170
[   31.221740]  kasan_slab_free+0xe/0x10
[   31.225530]  kfree+0xd9/0x260
[   31.228628]  kvfree+0x61/0x70
[   31.231727]  __nf_hook_entries_free+0x31/0x40
[   31.236212]  rcu_process_callbacks+0xe9d/0x1760
[   31.240862]  __do_softirq+0x2e0/0xaf5
[   31.244636] 
[   31.247460] The buggy address belongs to the object at ffff8801cdca6300
[   31.247460]  which belongs to the cache kmalloc-64 of size 64
[   31.259934] The buggy address is located 48 bytes inside of
[   31.259934]  64-byte region [ffff8801cdca6300, ffff8801cdca6340)
[   31.271631] The buggy address belongs to the page:
[   31.276565] page:ffffea0007372980 count:1 mapcount:0 mapping:ffff8801da800340 index:0xffff8801cdca6f00
[   31.286013] flags: 0x2fffc0000000100(slab)
[   31.290246] raw: 02fffc0000000100 ffffea00073ab8c8 ffff8801da801338 ffff8801da800340
[   31.298119] raw: ffff8801cdca6f00 ffff8801cdca6000 000000010000001b 0000000000000000
[   31.305982] page dumped because: kasan: bad access detected
[   31.311679] 
[   31.313285] Memory state around the buggy address:
[   31.318202]  ffff8801cdca6200: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   31.325553]  ffff8801cdca6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.332910] >ffff8801cdca6300: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   31.340248]                                      ^
[   31.345162]  ffff8801cdca6380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   31.352502]  ffff8801cdca6400: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   31.359866] ==================================================================
[   31.367204] Disabling lock debugging due to kernel taint
[   31.372704] Kernel panic - not syncing: panic_on_warn set ...
[   31.372704] 
[   31.380086] CPU: 1 PID: 4556 Comm: syz-executor147 Tainted: G    B             4.17.0+ #115
[   31.388554] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.397889] Call Trace:
[   31.400462]  dump_stack+0x1b9/0x294
[   31.404082]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.409262]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.414009]  ? rmd320_final+0x190/0x240
[   31.417972]  panic+0x22f/0x4de
[   31.421152]  ? add_taint.cold.5+0x16/0x16
[   31.425286]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.429672]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.434074]  ? rmd320_final+0x201/0x240
[   31.438044]  kasan_end_report+0x47/0x4f
[   31.441997]  kasan_report.cold.7+0x76/0x2fe
[   31.446326]  __asan_report_store4_noabort+0x17/0x20
[   31.451338]  rmd320_final+0x201/0x240
[   31.455123]  ? rmd320_update+0x170/0x170
[   31.459170]  ? rmd320_update+0x13b/0x170
[   31.463213]  ? kasan_unpoison_shadow+0x35/0x50
[   31.467783]  crypto_shash_final+0x104/0x260
[   31.472096]  ? rmd320_update+0x170/0x170
[   31.476137]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.480706]  ? copy_overflow+0x30/0x30
[   31.484577]  ? find_held_lock+0x36/0x1c0
[   31.488618]  ? lock_downgrade+0x8e0/0x8e0
[   31.492755]  ? check_same_owner+0x320/0x320
[   31.497071]  ? kasan_check_write+0x14/0x20
[   31.501293]  ? do_raw_spin_lock+0xc1/0x200
[   31.505528]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.511059]  ? _copy_from_user+0xdf/0x150
[   31.515195]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   31.520036]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   31.524951]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.530123]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   31.535124]  do_fast_syscall_32+0x345/0xf9b
[   31.539433]  ? do_int80_syscall_32+0x880/0x880
[   31.544000]  ? do_syscall_64+0x48f/0x800
[   31.548056]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.552972]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.557890]  ? sysret32_from_system_call+0x5/0x46
[   31.562724]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.567548]  entry_SYSENTER_compat+0x70/0x7f
[   31.571939] RIP: 0023:0xf7fc8cb9
[   31.575289] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   31.594490] RSP: 002b:00000000ffb280cc EFLAGS: 00000292 ORIG_RAX: 0000000000000120
[   31.602194] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000740
[   31.609443] RDX: 0000000020000780 RSI: 000000000000002d RDI: 0000000020000880
[   31.616886] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   31.624149] R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
[   31.631410] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   31.639137] Dumping ftrace buffer:
[   31.642663]    (ftrace buffer empty)
[   31.646352] Kernel Offset: disabled
[   31.649970] Rebooting in 86400 seconds..
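The part of this report that repays reading by hand is the "Memory state around the buggy address" block: each shadow byte covers 8 bytes of memory, 00 means all 8 are addressable, 01..07 means only that many leading bytes are, and fc/fb mark a kmalloc redzone and a freed object. Reading the ">ffff8801cdca6300" line that way shows the object was really a 48-byte kmalloc() placed in the kmalloc-64 cache, which is why a 4-byte write at offset 48 is out of bounds even though it lands inside the 64-byte slab region. The script below is an added triage helper, not part of the syzkaller report or of the kernel; it decodes those lines and cross-checks the bug class KASAN printed. The poison values are taken from mm/kasan/kasan.h for generic KASAN of the 4.17 era, and the embedded sample is copied from the report above; the classifier also recognises the fb (freed) poison, so it goes beyond this one report.

```python
"""Decode the shadow-memory block of a KASAN report and relate it to the access.

Added example for reading KASAN output; not code from the kernel or syzkaller.
"""
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

# Generic-KASAN poison values, from mm/kasan/kasan.h (4.17-era tree).
POISON_NAMES = {
    0xFF: "freed page",
    0xFE: "page redzone",
    0xFC: "kmalloc redzone",
    0xFB: "kmalloc freed object",
    0xFA: "global redzone",
}

_TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_BUG_RE = re.compile(r"BUG: KASAN: ([a-z-]+) in ")
_ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
_OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]{16})")
_REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]{16}), ([0-9a-f]{16})\)")
_SHADOW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$")


def parse_report(text):
    """Extract the access, object and shadow facts from raw console output."""
    report = {"shadow": {}}
    for raw in text.splitlines():
        line = _TIMESTAMP_RE.sub("", raw).strip()  # drop "[   31.318202] "
        if m := _BUG_RE.search(line):
            report["reported"] = m.group(1)
        elif m := _ACCESS_RE.search(line):
            report["kind"] = m.group(1)
            report["size"] = int(m.group(2))
            report["addr"] = int(m.group(3), 16)
        elif m := _OBJECT_RE.search(line):
            report["object"] = int(m.group(1), 16)
        elif m := _REGION_RE.search(line):
            report["region_size"] = int(m.group(1))
        elif m := _SHADOW_RE.match(line):
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                report["shadow"][base + i * SHADOW_SCALE] = int(byte, 16)
    return report


def shadow_value(report, addr):
    """Shadow byte covering addr, or None if the report did not print it."""
    return report["shadow"].get(addr - addr % SHADOW_SCALE)


def addressable_bytes(report, base):
    """Bytes usable from base up to the first poisoned or partial shadow byte.

    This recovers the size actually passed to kmalloc(), which can be smaller
    than the slab cache's object size (48 bytes inside kmalloc-64 here).
    """
    total, addr = 0, base
    while (v := shadow_value(report, addr)) == 0:
        total += SHADOW_SCALE
        addr += SHADOW_SCALE
    if v is not None and 0 < v < SHADOW_SCALE:
        total += v  # partial granule: only the first v bytes are valid
    return total


def poison_name(v):
    if v is None:
        return "not in report"
    if v < SHADOW_SCALE:
        return "addressable"
    return POISON_NAMES.get(v, "0x%02x" % v)


def classify(report):
    """Relate the faulting access to the object's real allocation size."""
    offset = report["addr"] - report["object"]
    allocated = addressable_bytes(report, report["object"])
    poison = shadow_value(report, report["addr"])
    if offset + report["size"] <= allocated:
        bug = "in-bounds"
    elif poison == 0xFB:
        bug = "use-after-free"
    elif poison in (0xFC, 0xFE):
        bug = "slab-out-of-bounds"
    else:
        bug = "unknown"
    return {
        "offset": offset,
        "allocated": allocated,
        "region_size": report.get("region_size"),
        "overflow": max(0, offset + report["size"] - allocated),
        "poison": poison_name(poison),
        "bug": bug,
        "matches_report": bug == report.get("reported"),
    }


def classify_text(text):
    return classify(parse_report(text))


# Lines copied from the report above so the script runs offline.
SAMPLE_REPORT = """\
[   30.909090] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[   30.915757] Write of size 4 at addr ffff8801cdca6330 by task syz-executor147/4556
[   31.247460] The buggy address belongs to the object at ffff8801cdca6300
[   31.247460]  which belongs to the cache kmalloc-64 of size 64
[   31.259934]  64-byte region [ffff8801cdca6300, ffff8801cdca6340)
[   31.318202]  ffff8801cdca6200: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   31.325553]  ffff8801cdca6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.332910] >ffff8801cdca6300: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   31.340248]                                      ^
[   31.345162]  ffff8801cdca6380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
"""

if __name__ == "__main__":
    for key, value in classify_text(SAMPLE_REPORT).items():
        print("%-15s %s" % (key, value))
```

For this report the script derives allocated=48, offset=48, overflow=4 and bug=slab-out-of-bounds, agreeing with the "BUG:" line; the neighbouring 0x...6280 object shows fb, so an access there would be classified as a use-after-free instead.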