[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   17.831120] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   20.949418] random: sshd: uninitialized urandom read (32 bytes read)
[   21.185305] random: sshd: uninitialized urandom read (32 bytes read)
[   21.972849] random: sshd: uninitialized urandom read (32 bytes read)
[   37.614567] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.
[   43.184840] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   43.287835] ==================================================================
[   43.295278] BUG: KASAN: slab-out-of-bounds in tgr192_final+0x538/0x560
[   43.301930] Write of size 8 at addr ffff8801d911c3a0 by task syz-executor485/4517
[   43.309528] 
[   43.311142] CPU: 0 PID: 4517 Comm: syz-executor485 Not tainted 4.17.0+ #92
[   43.318141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.327478] Call Trace:
[   43.330054]  dump_stack+0x1b9/0x294
[   43.333680]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.338847]  ? printk+0x9e/0xba
[   43.342103]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   43.346880]  ? kasan_check_write+0x14/0x20
[   43.351105]  print_address_description+0x6c/0x20b
[   43.355938]  ? tgr192_final+0x538/0x560
[   43.359898]  kasan_report.cold.7+0x242/0x2fe
[   43.364289]  __asan_report_store8_noabort+0x17/0x20
[   43.369284]  tgr192_final+0x538/0x560
[   43.373069]  crypto_shash_final+0x104/0x260
[   43.377395]  ? tgr192_update+0x520/0x520
[   43.381438]  __keyctl_dh_compute+0x1184/0x1bc0
[   43.386004]  ? copy_overflow+0x30/0x30
[   43.389870]  ? __kasan_slab_free+0x11a/0x170
[   43.394255]  ? kfree+0xd9/0x260
[   43.397512]  ? __x64_sys_add_key+0x2b7/0x4e0
[   43.401901]  ? do_syscall_64+0x1b1/0x800
[   43.405941]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.411284]  ? find_held_lock+0x36/0x1c0
[   43.415329]  ? lock_downgrade+0x8e0/0x8e0
[   43.419462]  ? check_same_owner+0x320/0x320
[   43.423770]  ? debug_check_no_obj_freed+0x2ff/0x584
[   43.428775]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.434289]  ? _copy_from_user+0xdf/0x150
[   43.438416]  keyctl_dh_compute+0xb9/0x100
[   43.443237]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   43.447972]  ? __x64_sys_add_key+0x2bc/0x4e0
[   43.452362]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   43.457539]  __x64_sys_keyctl+0x12a/0x3b0
[   43.461667]  do_syscall_64+0x1b1/0x800
[   43.465550]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   43.470377]  ? syscall_return_slowpath+0x5c0/0x5c0
[   43.475294]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.480213]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   43.485572]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.490399]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.495567] RIP: 0033:0x440099
[   43.498730] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   43.517899] RSP: 002b:00007fffdbef5298 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   43.525585] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099
[   43.532832] RDX: 0000000020000540 RSI: 0000000020000380 RDI: 0000000000000017
[   43.540079] RBP: 00000000006ca018 R08: 00000000200005c0 R09: 00000000004002c8
[   43.547325] R10: 0000000000000010 R11: 0000000000000217 R12: 00000000004019c0
[   43.554574] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   43.561825] 
[   43.563428] Allocated by task 4517:
[   43.567037]  save_stack+0x43/0xd0
[   43.570465]  kasan_kmalloc+0xc4/0xe0
[   43.574158]  __kmalloc+0x14e/0x760
[   43.577677]  __keyctl_dh_compute+0xfe9/0x1bc0
[   43.582151]  keyctl_dh_compute+0xb9/0x100
[   43.586276]  __x64_sys_keyctl+0x12a/0x3b0
[   43.590401]  do_syscall_64+0x1b1/0x800
[   43.594267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.599438] 
[   43.601041] Freed by task 2869:
[   43.604298]  save_stack+0x43/0xd0
[   43.607727]  __kasan_slab_free+0x11a/0x170
[   43.611948]  kasan_slab_free+0xe/0x10
[   43.615734]  kfree+0xd9/0x260
[   43.618821]  single_release+0x8f/0xb0
[   43.622613]  __fput+0x353/0x890
[   43.625874]  ____fput+0x15/0x20
[   43.629142]  task_work_run+0x1e4/0x290
[   43.633006]  exit_to_usermode_loop+0x2bd/0x310
[   43.637573]  do_syscall_64+0x6ac/0x800
[   43.641442]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.646608] 
[   43.648217] The buggy address belongs to the object at ffff8801d911c380
[   43.648217]  which belongs to the cache kmalloc-32 of size 32
[   43.660688] The buggy address is located 0 bytes to the right of
[   43.660688]  32-byte region [ffff8801d911c380, ffff8801d911c3a0)
[   43.672798] The buggy address belongs to the page:
[   43.677707] page:ffffea0007644700 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801d911cfc1
[   43.687130] flags: 0x2fffc0000000100(slab)
[   43.691353] raw: 02fffc0000000100 ffffea000766e9c8 ffffea000766f608 ffff8801da8001c0
[   43.699225] raw: ffff8801d911cfc1 ffff8801d911c000 0000000100000023 0000000000000000
[   43.707085] page dumped because: kasan: bad access detected
[   43.712858] 
[   43.714462] Memory state around the buggy address:
[   43.719370]  ffff8801d911c280: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
[   43.726707]  ffff8801d911c300: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   43.734043] >ffff8801d911c380: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   43.741375]                                ^
[   43.745759]  ffff8801d911c400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   43.753093]  ffff8801d911c480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   43.760424] ==================================================================
[   43.767754] Disabling lock debugging due to kernel taint
[   43.773258] Kernel panic - not syncing: panic_on_warn set ...
[   43.773258] 
[   43.780607] CPU: 0 PID: 4517 Comm: syz-executor485 Tainted: G    B             4.17.0+ #92
[   43.788981] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.798309] Call Trace:
[   43.800879]  dump_stack+0x1b9/0x294
[   43.804492]  ? dump_stack_print_info.cold.2+0x52/0x52
[   43.809660]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   43.814394]  ? tgr192_final+0x500/0x560
[   43.818345]  panic+0x22f/0x4de
[   43.821517]  ? add_taint.cold.5+0x16/0x16
[   43.825643]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.830025]  ? do_raw_spin_unlock+0x9e/0x2e0
[   43.834407]  ? tgr192_final+0x538/0x560
[   43.838360]  kasan_end_report+0x47/0x4f
[   43.842310]  kasan_report.cold.7+0x76/0x2fe
[   43.846615]  __asan_report_store8_noabort+0x17/0x20
[   43.851615]  tgr192_final+0x538/0x560
[   43.855393]  crypto_shash_final+0x104/0x260
[   43.859689]  ? tgr192_update+0x520/0x520
[   43.863727]  __keyctl_dh_compute+0x1184/0x1bc0
[   43.868303]  ? copy_overflow+0x30/0x30
[   43.872171]  ? __kasan_slab_free+0x11a/0x170
[   43.876563]  ? kfree+0xd9/0x260
[   43.879826]  ? __x64_sys_add_key+0x2b7/0x4e0
[   43.884220]  ? do_syscall_64+0x1b1/0x800
[   43.888261]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.893605]  ? find_held_lock+0x36/0x1c0
[   43.897648]  ? lock_downgrade+0x8e0/0x8e0
[   43.901775]  ? check_same_owner+0x320/0x320
[   43.906075]  ? debug_check_no_obj_freed+0x2ff/0x584
[   43.911072]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.916586]  ? _copy_from_user+0xdf/0x150
[   43.920714]  keyctl_dh_compute+0xb9/0x100
[   43.924838]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   43.929566]  ? __x64_sys_add_key+0x2bc/0x4e0
[   43.933952]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   43.939116]  __x64_sys_keyctl+0x12a/0x3b0
[   43.943268]  do_syscall_64+0x1b1/0x800
[   43.947144]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   43.951971]  ? syscall_return_slowpath+0x5c0/0x5c0
[   43.956884]  ? syscall_return_slowpath+0x30f/0x5c0
[   43.961796]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   43.967143]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   43.971963]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   43.977128] RIP: 0033:0x440099
[   43.980289] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
[   43.999408] RSP: 002b:00007fffdbef5298 EFLAGS: 00000217 ORIG_RAX: 00000000000000fa
[   44.007099] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099
[   44.014350] RDX: 0000000020000540 RSI: 0000000020000380 RDI: 0000000000000017
[   44.021596] RBP: 00000000006ca018 R08: 00000000200005c0 R09: 00000000004002c8
[   44.028850] R10: 0000000000000010 R11: 0000000000000217 R12: 00000000004019c0
[   44.036096] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   44.043800] Dumping ftrace buffer:
[   44.047320]    (ftrace buffer empty)
[   44.051008] Kernel Offset: disabled
[   44.054611] Rebooting in 86400 seconds..