[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   20.081568] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   23.608755] random: sshd: uninitialized urandom read (32 bytes read)
[   23.926064] random: sshd: uninitialized urandom read (32 bytes read)
[   24.760408] random: sshd: uninitialized urandom read (32 bytes read)
[   24.928721] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
[   30.385817] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.490818] ==================================================================
[   30.498301] BUG: KASAN: slab-out-of-bounds in rmd320_final+0x201/0x240
[   30.504966] Write of size 4 at addr ffff8801d21106c0 by task syz-executor793/4516
[   30.512566]
[   30.514206] CPU: 1 PID: 4516 Comm: syz-executor793 Not tainted 4.17.0+ #91
[   30.521206] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.530538] Call Trace:
[   30.533110]  dump_stack+0x1b9/0x294
[   30.536722]  ? dump_stack_print_info.cold.2+0x52/0x52
[   30.541894]  ? printk+0x9e/0xba
[   30.545156]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   30.549896]  ? kasan_check_write+0x14/0x20
[   30.554117]  print_address_description+0x6c/0x20b
[   30.558955]  ? rmd320_final+0x201/0x240
[   30.562922]  kasan_report.cold.7+0x242/0x2fe
[   30.567313]  __asan_report_store4_noabort+0x17/0x20
[   30.572316]  rmd320_final+0x201/0x240
[   30.576107]  ? rmd320_update+0x170/0x170
[   30.580150]  ? rmd320_update+0x13b/0x170
[   30.584203]  ? kasan_unpoison_shadow+0x35/0x50
[   30.588769]  crypto_shash_final+0x104/0x260
[   30.593076]  ? rmd320_update+0x170/0x170
[   30.597138]  __keyctl_dh_compute+0x1184/0x1bc0
[   30.601710]  ? copy_overflow+0x30/0x30
[   30.605597]  ? find_held_lock+0x36/0x1c0
[   30.609648]  ? lock_downgrade+0x8e0/0x8e0
[   30.613779]  ? check_same_owner+0x320/0x320
[   30.618083]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   30.623625]  ? handle_mm_fault+0x55a/0xc70
[   30.627850]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   30.633370]  ? _copy_from_user+0xdf/0x150
[   30.637507]  keyctl_dh_compute+0xb9/0x100
[   30.641644]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   30.646408]  ? kzfree+0x28/0x30
[   30.649701]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   30.654884]  __x64_sys_keyctl+0x12a/0x3b0
[   30.659032]  do_syscall_64+0x1b1/0x800
[   30.662911]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   30.667745]  ? syscall_return_slowpath+0x5c0/0x5c0
[   30.672688]  ? syscall_return_slowpath+0x30f/0x5c0
[   30.677609]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   30.683133]  ? retint_user+0x18/0x18
[   30.686840]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   30.691681]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.696855] RIP: 0033:0x440019
[   30.700025] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   30.719206] RSP: 002b:00007ffe8a3f7228 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   30.726901] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   30.734165] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   30.741419] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   30.748681] R10: 000000000000001c R11: 0000000000000217 R12: 0000000000401940
[   30.755934] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   30.763193]
[   30.764806] Allocated by task 4516:
[   30.768428]  save_stack+0x43/0xd0
[   30.771865]  kasan_kmalloc+0xc4/0xe0
[   30.775560]  __kmalloc+0x14e/0x760
[   30.779090]  __keyctl_dh_compute+0xfe9/0x1bc0
[   30.783607]  keyctl_dh_compute+0xb9/0x100
[   30.787752]  __x64_sys_keyctl+0x12a/0x3b0
[   30.791889]  do_syscall_64+0x1b1/0x800
[   30.795758]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   30.800923]
[   30.802538] Freed by task 1:
[   30.805541]  save_stack+0x43/0xd0
[   30.808977]  __kasan_slab_free+0x11a/0x170
[   30.813191]  kasan_slab_free+0xe/0x10
[   30.816977]  kfree+0xd9/0x260
[   30.820074]  virtscsi_target_destroy+0x37/0x50
[   30.824652]  scsi_target_destroy+0x1fa/0x560
[   30.829051]  scsi_target_reap+0xf8/0x140
[   30.833101]  __scsi_scan_target+0x221/0xfe0
[   30.837404]  scsi_scan_channel.part.7+0x11f/0x190
[   30.842230]  scsi_scan_host_selected+0x2b9/0x3d0
[   30.846965]  do_scsi_scan_host+0x1ee/0x260
[   30.851192]  scsi_scan_host+0x4a2/0x590
[   30.855150]  virtscsi_probe+0xbe5/0xf04
[   30.859109]  virtio_dev_probe+0x592/0x942
[   30.863237]  driver_probe_device+0x68e/0x950
[   30.867627]  __driver_attach+0x28b/0x2f0
[   30.871685]  bus_for_each_dev+0x151/0x1d0
[   30.875815]  driver_attach+0x3d/0x50
[   30.879508]  bus_add_driver+0x4b2/0x600
[   30.883461]  driver_register+0x1c8/0x320
[   30.887507]  register_virtio_driver+0x79/0xd0
[   30.891985]  init+0xa3/0x114
[   30.894987]  do_one_initcall+0x127/0x913
[   30.899040]  kernel_init_freeable+0x49b/0x58e
[   30.903532]  kernel_init+0x11/0x1b3
[   30.907137]  ret_from_fork+0x3a/0x50
[   30.910826]
[   30.912432] The buggy address belongs to the object at ffff8801d2110680
[   30.912432]  which belongs to the cache kmalloc-64 of size 64
[   30.924902] The buggy address is located 0 bytes to the right of
[   30.924902]  64-byte region [ffff8801d2110680, ffff8801d21106c0)
[   30.937019] The buggy address belongs to the page:
[   30.941938] page:ffffea0007484400 count:1 mapcount:0 mapping:ffff8801da800340 index:0xffff8801d2110d80
[   30.951365] flags: 0x2fffc0000000100(slab)
[   30.955584] raw: 02fffc0000000100 ffff8801da801338 ffffea00073988c8 ffff8801da800340
[   30.963460] raw: ffff8801d2110d80 ffff8801d2110000 0000000100000015 0000000000000000
[   30.971331] page dumped because: kasan: bad access detected
[   30.977023]
[   30.978635] Memory state around the buggy address:
[   30.983554]  ffff8801d2110580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.990893]  ffff8801d2110600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   30.998232] >ffff8801d2110680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   31.005585]                                            ^
[   31.011037]  ffff8801d2110700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.018393]  ffff8801d2110780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   31.025916] ==================================================================
[   31.033252] Disabling lock debugging due to kernel taint
[   31.038967] Kernel panic - not syncing: panic_on_warn set ...
[   31.038967]
[   31.046358] CPU: 1 PID: 4516 Comm: syz-executor793 Tainted: G    B             4.17.0+ #91
[   31.054750] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.064083] Call Trace:
[   31.066657]  dump_stack+0x1b9/0x294
[   31.070265]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.075438]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   31.080176]  ? rmd320_final+0x120/0x240
[   31.084133]  panic+0x22f/0x4de
[   31.087316]  ? add_taint.cold.5+0x16/0x16
[   31.091448]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.095836]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.100227]  ? rmd320_final+0x201/0x240
[   31.104191]  kasan_end_report+0x47/0x4f
[   31.108145]  kasan_report.cold.7+0x76/0x2fe
[   31.112447]  __asan_report_store4_noabort+0x17/0x20
[   31.117444]  rmd320_final+0x201/0x240
[   31.121808]  ? rmd320_update+0x170/0x170
[   31.125853]  ? rmd320_update+0x13b/0x170
[   31.129898]  ? kasan_unpoison_shadow+0x35/0x50
[   31.134467]  crypto_shash_final+0x104/0x260
[   31.138771]  ? rmd320_update+0x170/0x170
[   31.142812]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.147376]  ? copy_overflow+0x30/0x30
[   31.151249]  ? find_held_lock+0x36/0x1c0
[   31.155294]  ? lock_downgrade+0x8e0/0x8e0
[   31.159426]  ? check_same_owner+0x320/0x320
[   31.163740]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   31.169258]  ? handle_mm_fault+0x55a/0xc70
[   31.173477]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.178994]  ? _copy_from_user+0xdf/0x150
[   31.183124]  keyctl_dh_compute+0xb9/0x100
[   31.187250]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.191987]  ? kzfree+0x28/0x30
[   31.195250]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.200418]  __x64_sys_keyctl+0x12a/0x3b0
[   31.204554]  do_syscall_64+0x1b1/0x800
[   31.208420]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.213249]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.218161]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.223072]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.228589]  ? retint_user+0x18/0x18
[   31.232304]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.237134]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.242300] RIP: 0033:0x440019
[   31.245465] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.264589] RSP: 002b:00007ffe8a3f7228 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   31.272283] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
[   31.279542] RDX: 0000000020a53ffb RSI: 0000000020000100 RDI: 0000000000000017
[   31.286788] RBP: 00000000006ca018 R08: 0000000020c61fc8 R09: 00000000004002c8
[   31.294042] R10: 000000000000001c R11: 0000000000000217 R12: 0000000000401940
[   31.301295] R13: 00000000004019d0 R14: 0000000000000000 R15: 0000000000000000
[   31.309070] Dumping ftrace buffer:
[   31.312595]    (ftrace buffer empty)
[   31.316289] Kernel Offset: disabled
[   31.319894] Rebooting in 86400 seconds..