[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   19.234177] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.795386] random: sshd: uninitialized urandom read (32 bytes read)
[   25.081386] random: sshd: uninitialized urandom read (32 bytes read)
[   25.877508] random: sshd: uninitialized urandom read (32 bytes read)
[   26.033336] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
[   31.428447] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.531402] ==================================================================
[   31.538844] BUG: KASAN: slab-out-of-bounds in tgr192_final+0x538/0x560
[   31.545500] Write of size 8 at addr ffff8801af53de20 by task syz-executor142/4504
[   31.553093] 
[   31.554704] CPU: 1 PID: 4504 Comm: syz-executor142 Not tainted 4.17.0+ #92
[   31.561691] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.571027] Call Trace:
[   31.573606]  dump_stack+0x1b9/0x294
[   31.577215]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.582383]  ? printk+0x9e/0xba
[   31.585643]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.590380]  ? kasan_check_write+0x14/0x20
[   31.594597]  print_address_description+0x6c/0x20b
[   31.599418]  ? tgr192_final+0x538/0x560
[   31.603373]  kasan_report.cold.7+0x242/0x2fe
[   31.607765]  __asan_report_store8_noabort+0x17/0x20
[   31.612759]  tgr192_final+0x538/0x560
[   31.616550]  crypto_shash_final+0x104/0x260
[   31.620849]  ? tgr192_update+0x520/0x520
[   31.624892]  __keyctl_dh_compute+0x1184/0x1bc0
[   31.629462]  ? copy_overflow+0x30/0x30
[   31.633330]  ? __kasan_slab_free+0x11a/0x170
[   31.637716]  ? kfree+0xd9/0x260
[   31.640973]  ? __x64_sys_add_key+0x2b7/0x4e0
[   31.645359]  ? do_syscall_64+0x1b1/0x800
[   31.649400]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.654748]  ? find_held_lock+0x36/0x1c0
[   31.658794]  ? lock_downgrade+0x8e0/0x8e0
[   31.662923]  ? check_same_owner+0x320/0x320
[   31.667222]  ? debug_check_no_obj_freed+0x2ff/0x584
[   31.672227]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.677742]  ? _copy_from_user+0xdf/0x150
[   31.681871]  keyctl_dh_compute+0xb9/0x100
[   31.685997]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   31.690730]  ? __x64_sys_add_key+0x2bc/0x4e0
[   31.695126]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.700295]  __x64_sys_keyctl+0x12a/0x3b0
[   31.704421]  do_syscall_64+0x1b1/0x800
[   31.708295]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.713206]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.718117]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.723461]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.728291]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.733459] RIP: 0033:0x440099
[   31.736625] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   31.755786] RSP: 002b:00007ffd04232a48 EFLAGS: 00000213 ORIG_RAX: 00000000000000fa
[   31.763473] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099
[   31.770720] RDX: 0000000020000540 RSI: 0000000020000380 RDI: 0000000000000017
[   31.777966] RBP: 00000000006ca018 R08: 00000000200005c0 R09: 00000000004002c8
[   31.785212] R10: 0000000000000010 R11: 0000000000000213 R12: 00000000004019c0
[   31.792458] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   31.799711] 
[   31.801316] Allocated by task 4504:
[   31.804923]  save_stack+0x43/0xd0
[   31.808369]  kasan_kmalloc+0xc4/0xe0
[   31.812060]  __kmalloc+0x14e/0x760
[   31.815579]  __keyctl_dh_compute+0xfe9/0x1bc0
[   31.820050]  keyctl_dh_compute+0xb9/0x100
[   31.824175]  __x64_sys_keyctl+0x12a/0x3b0
[   31.828300]  do_syscall_64+0x1b1/0x800
[   31.832162]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.837321] 
[   31.838924] Freed by task 2846:
[   31.842179]  save_stack+0x43/0xd0
[   31.845610]  __kasan_slab_free+0x11a/0x170
[   31.849821]  kasan_slab_free+0xe/0x10
[   31.853616]  kfree+0xd9/0x260
[   31.856701]  single_release+0x8f/0xb0
[   31.860475]  __fput+0x353/0x890
[   31.863730]  ____fput+0x15/0x20
[   31.866987]  task_work_run+0x1e4/0x290
[   31.870853]  exit_to_usermode_loop+0x2bd/0x310
[   31.875409]  do_syscall_64+0x6ac/0x800
[   31.879273]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.884432] 
[   31.886040] The buggy address belongs to the object at ffff8801af53de00
[   31.886040]  which belongs to the cache kmalloc-32 of size 32
[   31.898501] The buggy address is located 0 bytes to the right of
[   31.898501]  32-byte region [ffff8801af53de00, ffff8801af53de20)
[   31.910609] The buggy address belongs to the page:
[   31.915516] page:ffffea0006bd4f40 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801af53dfc1
[   31.924934] flags: 0x2fffc0000000100(slab)
[   31.929149] raw: 02fffc0000000100 ffffea0006bf91c8 ffffea0006bdac88 ffff8801da8001c0
[   31.937012] raw: ffff8801af53dfc1 ffff8801af53d000 000000010000003f 0000000000000000
[   31.944872] page dumped because: kasan: bad access detected
[   31.950553] 
[   31.952155] Memory state around the buggy address:
[   31.957058]  ffff8801af53dd00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.964393]  ffff8801af53dd80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.971728] >ffff8801af53de00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   31.979056]                                 ^
[   31.983437]  ffff8801af53de80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   31.990771]  ffff8801af53df00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   31.998102] ==================================================================
[   32.005438] Disabling lock debugging due to kernel taint
[   32.010939] Kernel panic - not syncing: panic_on_warn set ...
[   32.010939] 
[   32.018295] CPU: 1 PID: 4504 Comm: syz-executor142 Tainted: G    B     4.17.0+ #92
[   32.026671] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.035995] Call Trace:
[   32.038565]  dump_stack+0x1b9/0x294
[   32.042170]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.047333]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.052065]  ? tgr192_final+0x500/0x560
[   32.056020]  panic+0x22f/0x4de
[   32.059194]  ? add_taint.cold.5+0x16/0x16
[   32.063321]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.067701]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.072082]  ? tgr192_final+0x538/0x560
[   32.076034]  kasan_end_report+0x47/0x4f
[   32.079984]  kasan_report.cold.7+0x76/0x2fe
[   32.084285]  __asan_report_store8_noabort+0x17/0x20
[   32.089277]  tgr192_final+0x538/0x560
[   32.093053]  crypto_shash_final+0x104/0x260
[   32.097346]  ? tgr192_update+0x520/0x520
[   32.101384]  __keyctl_dh_compute+0x1184/0x1bc0
[   32.105943]  ? copy_overflow+0x30/0x30
[   32.109805]  ? __kasan_slab_free+0x11a/0x170
[   32.114187]  ? kfree+0xd9/0x260
[   32.117442]  ? __x64_sys_add_key+0x2b7/0x4e0
[   32.121826]  ? do_syscall_64+0x1b1/0x800
[   32.125862]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.131202]  ? find_held_lock+0x36/0x1c0
[   32.135241]  ? lock_downgrade+0x8e0/0x8e0
[   32.139372]  ? check_same_owner+0x320/0x320
[   32.143670]  ? debug_check_no_obj_freed+0x2ff/0x584
[   32.148666]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   32.154180]  ? _copy_from_user+0xdf/0x150
[   32.158307]  keyctl_dh_compute+0xb9/0x100
[   32.162429]  ? __keyctl_dh_compute+0x1bc0/0x1bc0
[   32.167158]  ? __x64_sys_add_key+0x2bc/0x4e0
[   32.171545]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.176710]  __x64_sys_keyctl+0x12a/0x3b0
[   32.180835]  do_syscall_64+0x1b1/0x800
[   32.184699]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.189604]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.194510]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.199849]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.204668]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.209831] RIP: 0033:0x440099
[   32.212993] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[   32.232113] RSP: 002b:00007ffd04232a48 EFLAGS: 00000213 ORIG_RAX: 00000000000000fa
[   32.239805] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099
[   32.247049] RDX: 0000000020000540 RSI: 0000000020000380 RDI: 0000000000000017
[   32.254296] RBP: 00000000006ca018 R08: 00000000200005c0 R09: 00000000004002c8
[   32.261538] R10: 0000000000000010 R11: 0000000000000213 R12: 00000000004019c0
[   32.268782] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000
[   32.276424] Dumping ftrace buffer:
[   32.279944]    (ftrace buffer empty)
[   32.283626] Kernel Offset: disabled
[   32.287225] Rebooting in 86400 seconds..
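Reading the report: the user-space registers show ORIG_RAX 0xfa (keyctl on x86_64) with RDI 0x17 (KEYCTL_DH_COMPUTE), which matches the call trace from __x64_sys_keyctl through __keyctl_dh_compute into crypto_shash_final and tgr192_final, so an unprivileged keyctl(2) call reaches an 8-byte heap write one past a 32-byte kmalloc object. The "belongs to the object at" and "0 bytes to the right of ... 32-byte region" lines can be re-derived from the rows under "Memory state around the buggy address": in generic KASAN each shadow byte covers 8 bytes of memory, 00 means fully addressable, 01..07 means only the first N bytes of that granule are addressable, fc is the redzone after a slab object and fb a freed slab object. The C program below is an added example, not part of this syzbot report or of the kernel: it parses the five shadow rows copied from the report, walks the faulting access granule by granule, and classifies it. It goes beyond this report in also handling an access that lands before an object, an object whose last granule is partial, and a use-after-free on fb poison. The poison values are taken from mm/kasan/kasan.h; the ACCESS_* names, the triage struct and the functions are this example's own.

```c
/* Added example, not from the report: decode generic-KASAN shadow rows; poison values per mm/kasan/kasan.h. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GRANULE 8ULL                    /* generic KASAN: one shadow byte per 8 bytes of memory */
#define ROW_BYTES 16                    /* shadow bytes per printed row */
#define KASAN_KMALLOC_FREE    0xfb      /* freed slab object */
#define KASAN_KMALLOC_REDZONE 0xfc      /* redzone after a slab object; 0x01..0x07 = partial granule */
static const char *report_rows[] = {    /* copied from the report above; row 3 is the '>' row */
    "ffff8801af53dd00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc",
    "ffff8801af53dd80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc",
    "ffff8801af53de00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc",
    "ffff8801af53de80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc",
    "ffff8801af53df00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc",
};
#define NROWS (sizeof(report_rows) / sizeof(report_rows[0]))
#define NSHADOW (NROWS * ROW_BYTES)
struct shadow_window { uint64_t lo; uint8_t shadow[NSHADOW]; };  /* covers [lo, lo + NSHADOW*8) */
enum access_kind { ACCESS_OK, ACCESS_OOB, ACCESS_UAF, ACCESS_OTHER, ACCESS_UNKNOWN };
struct triage {
    enum access_kind kind;
    uint64_t bad; int shadow;           /* first byte KASAN rejects, and its shadow byte */
    uint64_t obj_start, obj_end;        /* OOB: adjacent live object; UAF: the freed run */
    int64_t distance;                   /* OOB: >= 0 bytes past the end, < 0 bytes before the start */
};

/* Parse the "addr: b0 .. b15" rows into one contiguous window. */
int load_window(struct shadow_window *w)
{
    for (size_t r = 0; r < NROWS; r++) {
        char *p, *q;
        uint64_t base = strtoull(report_rows[r], &p, 16);
        if (*p++ != ':') return -1;
        if (r == 0) w->lo = base;
        else if (base != w->lo + r * ROW_BYTES * GRANULE) return -1;  /* rows must be contiguous */
        for (int i = 0; i < ROW_BYTES; i++, p = q) {
            unsigned long v = strtoul(p, &q, 16);
            if (q == p || v > 0xff) return -1;
            w->shadow[r * ROW_BYTES + i] = (uint8_t)v;
        }
    }
    return 0;
}

/* Re-derive KASAN's verdict on the access [addr, addr+size) from the shadow bytes alone. */
int triage_access(const struct shadow_window *w, uint64_t addr, unsigned size, struct triage *t)
{
    size_t g, i, e; uint64_t a = addr;
    memset(t, 0, sizeof(*t));
    for (;;) {                                                  /* locate the first rejected byte */
        uint64_t gbase = a & ~(GRANULE - 1);
        if (a >= addr + size) { t->kind = ACCESS_OK; return 0; }
        if (a < w->lo || a >= w->lo + NSHADOW * GRANULE) { t->kind = ACCESS_UNKNOWN; t->bad = a; return -1; }
        t->shadow = w->shadow[(a - w->lo) / GRANULE];
        if (t->shadow == 0) a = gbase + GRANULE;                /* whole granule addressable */
        else if (t->shadow <= 7 && a - gbase < (uint64_t)t->shadow) a = gbase + t->shadow;  /* first N bytes only */
        else break;
    }
    t->bad = a;
    g = (a - w->lo) / GRANULE;
    if (t->shadow == KASAN_KMALLOC_FREE) {                      /* use-after-free: bound the freed run */
        t->kind = ACCESS_UAF;
        for (i = g; i > 0 && w->shadow[i - 1] == KASAN_KMALLOC_FREE; i--) ;
        for (e = g; e < NSHADOW && w->shadow[e] == KASAN_KMALLOC_FREE; e++) ;
    } else if (t->shadow == KASAN_KMALLOC_REDZONE || t->shadow <= 7) {
        t->kind = ACCESS_OOB;
        if (t->shadow <= 7 || (g > 0 && w->shadow[g - 1] == 0)) {   /* ran off the end of an object */
            for (i = g; i > 0 && w->shadow[i - 1] == 0; i--) ;
            e = g;
        } else {                                                     /* landed before an object */
            for (i = g; i < NSHADOW && w->shadow[i] != 0; i++) ;
            for (e = i; e < NSHADOW && w->shadow[e] == 0; e++) ;
            if (i == NSHADOW) { t->kind = ACCESS_OTHER; return 0; }
        }
    } else { t->kind = ACCESS_OTHER; return 0; }
    t->obj_start = w->lo + i * GRANULE;
    t->obj_end = w->lo + e * GRANULE;
    if (t->kind == ACCESS_OOB) {
        if (e < NSHADOW && w->shadow[e] >= 1 && w->shadow[e] <= 7) t->obj_end += w->shadow[e];  /* partial tail */
        t->distance = t->bad >= t->obj_end ? (int64_t)(t->bad - t->obj_end) : -(int64_t)(t->obj_start - t->bad);
    }
    return 0;
}

/* Load the report's rows once and triage one access against them. */
struct triage triage_report(uint64_t addr, unsigned size)
{
    static struct shadow_window w;
    static int loaded;
    struct triage t = { .kind = ACCESS_UNKNOWN };
    if (!loaded && load_window(&w) == 0) loaded = 1;
    if (loaded) triage_access(&w, addr, size, &t);
    return t;
}

int main(void)
{   /* "Write of size 8 at addr ffff8801af53de20", as stated in the report above */
    struct triage t = triage_report(0xffff8801af53de20ULL, 8);
    printf("shadow %02x: object [%llx, %llx) is %llu bytes; access lands %lld bytes past its end\n", t.shadow,
           (unsigned long long)t.obj_start, (unsigned long long)t.obj_end,
           (unsigned long long)(t.obj_end - t.obj_start), (long long)t.distance);
    return t.kind == ACCESS_OOB ? 0 : 1;
}
```

Built with `cc -std=c11 kasan_shadow.c`, it reports shadow fc for ffff8801af53de20, an object spanning [ffff8801af53de00, ffff8801af53de20) of 32 bytes, and a distance of 0 past its end, which is what the report states in prose. The kernel's own "belongs to the object at" line comes from slab metadata rather than the shadow, and the cache line always gives the slot size (here kmalloc-32); the shadow gives the size KASAN actually unpoisoned, so a 24-byte kmalloc in the same cache would read 00 00 00 fc and the program would bound it at 24 bytes, matching the report's region line rather than its cache line.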