[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.674368] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.192156] random: sshd: uninitialized urandom read (32 bytes read)
[   24.636427] random: sshd: uninitialized urandom read (32 bytes read)
[   25.407256] random: sshd: uninitialized urandom read (32 bytes read)
[   25.564841] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[   30.996796] random: sshd: uninitialized urandom read (32 bytes read)
2018/06/08 02:20:31 parsed 1 programs
[   32.122160] random: cc1: uninitialized urandom read (8 bytes read)
2018/06/08 02:20:33 executed programs: 0
[   33.169462] IPVS: ftp: loaded support on port[0] = 21
[   33.295283] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.301741] bridge0: port 1(bridge_slave_0) entered disabled state
[   33.309182] device bridge_slave_0 entered promiscuous mode
[   33.325340] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.331802] bridge0: port 2(bridge_slave_1) entered disabled state
[   33.338920] device bridge_slave_1 entered promiscuous mode
[   33.354224] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   33.369748] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   33.410660] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   33.428273] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   33.489514] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   33.496850] team0: Port device team_slave_0 added
[   33.511797] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   33.518907] team0: Port device team_slave_1 added
[   33.535264] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   33.552419] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   33.570797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   33.587539] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   33.703973] bridge0: port 2(bridge_slave_1) entered blocking state
[   33.710446] bridge0: port 2(bridge_slave_1) entered forwarding state
[   33.717422] bridge0: port 1(bridge_slave_0) entered blocking state
[   33.723792] bridge0: port 1(bridge_slave_0) entered forwarding state
[   34.133394] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   34.139528] 8021q: adding VLAN 0 to HW filter on device bond0
[   34.183269] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   34.225478] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   34.233601] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   34.269583] 8021q: adding VLAN 0 to HW filter on device team0
[   34.515484] ==================================================================
[   34.522985] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[   34.529686] Write of size 4 at addr ffff8801c813bdc0 by task syz-executor0/4782
[   34.537113]
[   34.538728] CPU: 1 PID: 4782 Comm: syz-executor0 Not tainted 4.17.0+ #114
[   34.545629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.554960] Call Trace:
[   34.557534]  dump_stack+0x1b9/0x294
[   34.561151]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.566357]  ? printk+0x9e/0xba
[   34.569619]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   34.574361]  ? kasan_check_write+0x14/0x20
[   34.578582]  print_address_description+0x6c/0x20b
[   34.583408]  ? rmd320_final+0x201/0x240
[   34.587364]  kasan_report.cold.7+0x242/0x2fe
[   34.591759]  __asan_report_store4_noabort+0x17/0x20
[   34.596765]  rmd320_final+0x201/0x240
[   34.600550]  ? rmd320_update+0x170/0x170
[   34.604596]  ? rmd320_update+0x13b/0x170
[   34.608639]  ? kasan_unpoison_shadow+0x35/0x50
[   34.613214]  crypto_shash_final+0x104/0x260
[   34.617531]  ? rmd320_update+0x170/0x170
[   34.621585]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.626155]  ? copy_overflow+0x30/0x30
[   34.630043]  ? find_held_lock+0x36/0x1c0
[   34.634109]  ? lock_downgrade+0x8e0/0x8e0
[   34.638254]  ? check_same_owner+0x320/0x320
[   34.642571]  ? find_held_lock+0x36/0x1c0
[   34.646625]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   34.652149]  ? _copy_from_user+0xdf/0x150
[   34.656308]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.661164]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   34.666088]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.671264]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.676107]  do_fast_syscall_32+0x345/0xf9b
[   34.680415]  ? do_int80_syscall_32+0x880/0x880
[   34.684981]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   34.689724]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.695250]  ? syscall_return_slowpath+0x30f/0x5c0
[   34.700181]  ? sysret32_from_system_call+0x5/0x46
[   34.705043]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.709892]  entry_SYSENTER_compat+0x70/0x7f
[   34.714287] RIP: 0023:0xf7f35cb9
[   34.717630] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   34.736810] RSP: 002b:00000000ffadeabc EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   34.744512] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   34.751768] RDX: 0000000020a53ffb RSI: 000000000000001c RDI: 0000000020c61fc8
[   34.759037] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   34.766303] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   34.773566] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.780831]
[   34.782441] Allocated by task 4782:
[   34.786062]  save_stack+0x43/0xd0
[   34.789503]  kasan_kmalloc+0xc4/0xe0
[   34.793197]  __kmalloc+0x14e/0x760
[   34.796731]  __keyctl_dh_compute+0xfe9/0x1bc0
[   34.801207]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   34.806040]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   34.810877]  do_fast_syscall_32+0x345/0xf9b
[   34.815200]  entry_SYSENTER_compat+0x70/0x7f
[   34.819594]
[   34.821202] Freed by task 2310:
[   34.824465]  save_stack+0x43/0xd0
[   34.828511]  __kasan_slab_free+0x11a/0x170
[   34.832728]  kasan_slab_free+0xe/0x10
[   34.836509]  kfree+0xd9/0x260
[   34.839598]  __vunmap+0x2d2/0x3c0
[   34.843040]  vfree+0x68/0x100
[   34.846137]  n_tty_close+0xc3/0x130
[   34.849771]  tty_ldisc_close.isra.0+0xb0/0xe0
[   34.854245]  tty_ldisc_kill+0x4b/0xc0
[   34.858033]  tty_ldisc_release+0xc5/0x280
[   34.862180]  tty_release_struct+0x1a/0x50
[   34.866313]  tty_release+0xe96/0x12e0
[   34.870109]  __fput+0x353/0x890
[   34.873383]  ____fput+0x15/0x20
[   34.876662]  task_work_run+0x1e4/0x290
[   34.880547]  exit_to_usermode_loop+0x2bd/0x310
[   34.885115]  do_syscall_64+0x6ac/0x800
[   34.888988]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.894159]
[   34.895773] The buggy address belongs to the object at ffff8801c813bd80
[   34.895773]  which belongs to the cache kmalloc-64 of size 64
[   34.908239] The buggy address is located 0 bytes to the right of
[   34.908239]  64-byte region [ffff8801c813bd80, ffff8801c813bdc0)
[   34.920358] The buggy address belongs to the page:
[   34.925282] page:ffffea0007204ec0 count:1 mapcount:0 mapping:ffff8801c813b000 index:0x0
[   34.933410] flags: 0x2fffc0000000100(slab)
[   34.937636] raw: 02fffc0000000100 ffff8801c813b000 0000000000000000 0000000100000020
[   34.945505] raw: ffffea000749b9a0 ffffea0006d37260 ffff8801da800340 0000000000000000
[   34.953366] page dumped because: kasan: bad access detected
[   34.959052]
[   34.960665] Memory state around the buggy address:
[   34.965571]  ffff8801c813bc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.972912]  ffff8801c813bd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   34.980271] >ffff8801c813bd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   34.987621]                                            ^
[   34.993058]  ffff8801c813be00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   35.000402]  ffff8801c813be80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   35.007758] ==================================================================
[   35.015096] Disabling lock debugging due to kernel taint
[   35.021042] Kernel panic - not syncing: panic_on_warn set ...
[   35.021042]
[   35.028415] CPU: 1 PID: 4782 Comm: syz-executor0 Tainted: G    B             4.17.0+ #114
[   35.036712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.046053] Call Trace:
[   35.048633]  dump_stack+0x1b9/0x294
[   35.052249]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.057431]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.062169]  ? rmd320_final+0x200/0x240
[   35.066124]  panic+0x22f/0x4de
[   35.069312]  ? add_taint.cold.5+0x16/0x16
[   35.073449]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.077837]  ? do_raw_spin_unlock+0x9e/0x2e0
[   35.082239]  ? rmd320_final+0x201/0x240
[   35.086202]  kasan_end_report+0x47/0x4f
[   35.090163]  kasan_report.cold.7+0x76/0x2fe
[   35.094468]  __asan_report_store4_noabort+0x17/0x20
[   35.099488]  rmd320_final+0x201/0x240
[   35.103297]  ? rmd320_update+0x170/0x170
[   35.107344]  ? rmd320_update+0x13b/0x170
[   35.111389]  ? kasan_unpoison_shadow+0x35/0x50
[   35.115951]  crypto_shash_final+0x104/0x260
[   35.120253]  ? rmd320_update+0x170/0x170
[   35.124303]  __keyctl_dh_compute+0x1184/0x1bc0
[   35.128872]  ? copy_overflow+0x30/0x30
[   35.132751]  ? find_held_lock+0x36/0x1c0
[   35.136795]  ? lock_downgrade+0x8e0/0x8e0
[   35.140924]  ? check_same_owner+0x320/0x320
[   35.145229]  ? find_held_lock+0x36/0x1c0
[   35.149274]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.154805]  ? _copy_from_user+0xdf/0x150
[   35.158943]  compat_keyctl_dh_compute+0x2c8/0x3e0
[   35.163788]  ? __x32_compat_sys_keyctl+0x3b0/0x3b0
[   35.168749]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   35.173932]  __ia32_compat_sys_keyctl+0x137/0x3b0
[   35.178772]  do_fast_syscall_32+0x345/0xf9b
[   35.183074]  ? do_int80_syscall_32+0x880/0x880
[   35.187670]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   35.192420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.197939]  ? syscall_return_slowpath+0x30f/0x5c0
[   35.202850]  ? sysret32_from_system_call+0x5/0x46
[   35.207684]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.212508]  entry_SYSENTER_compat+0x70/0x7f
[   35.216901] RIP: 0023:0xf7f35cb9
[   35.220249] Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[   35.239376] RSP: 002b:00000000ffadeabc EFLAGS: 00000286 ORIG_RAX: 0000000000000120
[   35.247067] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000020000100
[   35.254317] RDX: 0000000020a53ffb RSI: 000000000000001c RDI: 0000000020c61fc8
[   35.261571] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   35.268826] R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
[   35.276075] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   35.283866] Dumping ftrace buffer:
[   35.287396]    (ftrace buffer empty)
[   35.291083] Kernel Offset: disabled
[   35.294690] Rebooting in 86400 seconds..
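The console log above is a raw syzbot crash report; the fields a responder actually needs (bug class, access kind and size, the first non-instrumentation frame, the slab cache and object bounds, and whether the stated out-of-bounds distance agrees with the printed addresses) are scattered through it. The following Python is an added triage helper, not part of the syzbot log and not kernel code: every function, key and regex name is this example's own, and the sample input is an excerpt copied from the report above. The regexes follow the KASAN wording exactly as this 4.17 kernel printed it; other kernel versions phrase some of these lines differently and would need the patterns adjusted.

```python
"""Triage a KASAN report found in a raw kernel console log. Added example: not part of
the syzbot log it accompanies and not kernel code; all names here are this example's own.
Regexes follow the wording as printed by the 4.17 kernel in that log; other versions
phrase some lines differently and would need the patterns adjusted."""
import re
from typing import Any, Dict, Optional

# Excerpt copied from the report in the log; printk prefix and one unreliable "? " frame kept.
SAMPLE_LOG = """\
[   34.522985] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[   34.529686] Write of size 4 at addr ffff8801c813bdc0 by task syz-executor0/4782
[   34.554960] Call Trace:
[   34.557534]  dump_stack+0x1b9/0x294
[   34.591759]  __asan_report_store4_noabort+0x17/0x20
[   34.596765]  rmd320_final+0x201/0x240
[   34.600550]  ? rmd320_update+0x170/0x170
[   34.613214]  crypto_shash_final+0x104/0x260
[   34.621585]  __keyctl_dh_compute+0x1184/0x1bc0
[   34.709892]  entry_SYSENTER_compat+0x70/0x7f
[   34.782441] Allocated by task 4782:
[   34.796731]  __keyctl_dh_compute+0xfe9/0x1bc0
[   34.821202] Freed by task 2310:
[   34.836509]  kfree+0xd9/0x260
[   34.895773] The buggy address belongs to the object at ffff8801c813bd80
[   34.895773]  which belongs to the cache kmalloc-64 of size 64
[   34.908239] The buggy address is located 0 bytes to the right of
[   34.908239]  64-byte region [ffff8801c813bd80, ffff8801c813bdc0)
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")             # printk timestamp prefix
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in \S+")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
TRACK_RE = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME_RE = re.compile(r"^\s*(\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
OBJ_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
LOC_RE = re.compile(r"located (\d+) bytes (to the right of|to the left of|inside of)")
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_", "__asan_")  # report plumbing, never the culprit


def parse_kasan(log: str) -> Dict[str, Any]:
    """Single pass over the log. A trace section (Call Trace / Allocated / Freed) collects
    frames until its first non-frame line; "? " frames, which KASAN could not verify, are
    dropped. Other report lines are matched field by field."""
    rep: Dict[str, Any] = {"call_trace": [], "alloc_trace": [], "free_trace": []}
    section: Optional[str] = None
    for raw in log.splitlines():
        ln = TS_RE.sub("", raw)
        if section is not None:
            fm = FRAME_RE.match(ln)
            if fm:
                if fm.group(1) is None:
                    rep[section].append(fm.group(2))
                continue
            section = None                    # first non-frame line closes the section
        if ln.startswith("Call Trace:"):
            section = "call_trace"
        elif m := TRACK_RE.match(ln):
            section = "alloc_trace" if m.group(1) == "Allocated" else "free_trace"
        elif m := BUG_RE.match(ln):
            rep["bug_class"] = m.group(1)
        elif m := ACCESS_RE.match(ln):
            rep.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16), task=m.group(4))
        elif m := OBJ_RE.search(ln):
            rep["object_addr"] = int(m.group(1), 16)
        elif m := CACHE_RE.search(ln):
            rep.update(cache=m.group(1), object_size=int(m.group(2)))
        elif m := LOC_RE.search(ln):
            rep.update(stated_offset=int(m.group(1)), stated_side=m.group(2))
    if "bug_class" not in rep or "addr" not in rep:
        raise ValueError("no KASAN report header in log")
    return rep


def check_bounds(rep: Dict[str, Any]) -> Dict[str, Any]:
    """Recompute where the access falls from the printed addresses and compare with the
    'located N bytes ...' sentence; a mismatch means the report was mangled in transit."""
    addr, base = rep["addr"], rep["object_addr"]
    end = base + rep["object_size"]
    if addr >= end:
        side, dist = "to the right of", addr - end
    elif addr < base:
        side, dist = "to the left of", base - addr
    else:
        side, dist = "inside of", addr - base
    return {"side": side, "distance": dist, "bytes_past_end": max(0, addr + rep["size"] - end),
            "consistent": side == rep["stated_side"] and dist == rep["stated_offset"]}


def culprit_frame(rep: Dict[str, Any]) -> Optional[str]:
    """First call-trace frame that is the instrumented code itself, not report plumbing."""
    return next((f for f in rep["call_trace"] if not f.startswith(INSTRUMENTATION)), None)


def summarize(rep: Dict[str, Any]) -> str:
    b = check_bounds(rep)
    return (f"{rep['bug_class']}: {rep['access']} of {rep['size']} bytes at {rep['addr']:#x} by {rep['task']}, "
            f"{b['bytes_past_end']} byte(s) past the end of a {rep['object_size']}-byte {rep['cache']} object, "
            f"in {culprit_frame(rep)}, reached via {rep['call_trace'][-1]}")
```

Run `summarize(parse_kasan(SAMPLE_LOG))` and the one-line result reads: a 4-byte write landing exactly at the end of a 64-byte kmalloc-64 object, in rmd320_final, reached through the compat keyctl entry point; `check_bounds` confirms the "0 bytes to the right of" sentence against the addresses. Two things the parser deliberately encodes: frames prefixed with `?` are stack values KASAN could not verify and are dropped rather than trusted, and for an out-of-bounds report the object is still live, so the "Freed by task 2310" stack (the tty line-discipline teardown in the full log) describes the slot's previous occupant and is noise for this bug class.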