syzbot


BUG: Double free or freeing an invalid pointer

Status: fixed on 2017/08/12 08:42
Fix commit: 59584701f1e2 ANDROID: keychord: Fix races in keychord_write.
First crash: 2559d, last: 2540d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 BUG: Double free or freeing an invalid pointer (2) C 1 2422d 2422d 2/3 fixed on 2018/02/20 22:33

Sample crash report:
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 1 PID: 3477 Comm: syz-executor0 Not tainted 4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c780fb70 ffffffff81d92609 ffff8801da001b40 ffff8801d1b4f980
 ffff8801d1b4f990 ffffffff82a73968 0000000000000282 ffff8801c780fb98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d1b4f980
Call Trace:
 [<ffffffff81d92609>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d92609>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c9f3>] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [<ffffffff8153bdad>] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [<ffffffff81538930>] slab_free_hook mm/slub.c:1355 [inline]
 [<ffffffff81538930>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<ffffffff81538930>] slab_free mm/slub.c:2958 [inline]
 [<ffffffff81538930>] kfree+0xf0/0x2f0 mm/slub.c:3878
 [<ffffffff82a73968>] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [<ffffffff8156a133>] __vfs_write+0x103/0x680 fs/read_write.c:510
 [<ffffffff8156e260>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff81571c59>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81571c59>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff838a5985>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d1b4f980, in cache kmalloc-16 size: 16
Allocated:
PID = 3477
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3493
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 0 PID: 3524 Comm: syz-executor0 Tainted: G    B           4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0ccfb70 ffffffff81d92609 ffff8801da001b40 ffff8801d851dd00
 ffff8801d851dd10 ffffffff82a73968 0000000000000282 ffff8801d0ccfb98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d851dd00
Call Trace:
 [<ffffffff81d92609>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d92609>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c9f3>] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [<ffffffff8153bdad>] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [<ffffffff81538930>] slab_free_hook mm/slub.c:1355 [inline]
 [<ffffffff81538930>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<ffffffff81538930>] slab_free mm/slub.c:2958 [inline]
 [<ffffffff81538930>] kfree+0xf0/0x2f0 mm/slub.c:3878
 [<ffffffff82a73968>] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [<ffffffff8156a133>] __vfs_write+0x103/0x680 fs/read_write.c:510
 [<ffffffff8156e260>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff81571c59>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81571c59>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff838a5985>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d851dd00, in cache kmalloc-16 size: 16
Allocated:
PID = 3524
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3565
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 1 PID: 3608 Comm: syz-executor2 Tainted: G    B           4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ccd6fb70 ffffffff81d92609 ffff8801da001b40 ffff8801d851d760
 ffff8801d851d770 ffffffff82a73968 0000000000000282 ffff8801ccd6fb98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d851d760
Call Trace:
 [<ffffffff81d92609>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d92609>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c9f3>] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [<ffffffff8153bdad>] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [<ffffffff81538930>] slab_free_hook mm/slub.c:1355 [inline]
 [<ffffffff81538930>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<ffffffff81538930>] slab_free mm/slub.c:2958 [inline]
 [<ffffffff81538930>] kfree+0xf0/0x2f0 mm/slub.c:3878
 [<ffffffff82a73968>] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [<ffffffff8156a133>] __vfs_write+0x103/0x680 fs/read_write.c:510
 [<ffffffff8156e260>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff81571c59>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81571c59>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff838a5985>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d851d760, in cache kmalloc-16 size: 16
Allocated:
PID = 3608
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3631
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6

Crashes (70):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/08/10 23:45 https://android.googlesource.com/kernel/common android-4.9 c6b2ed395f12 125de3e4 .config console log report syz ci-android-49-kasan-gce
2017/07/28 01:15 https://android.googlesource.com/kernel/common android-4.9 a1e4c795e1b6 b0d23a5c .config console log report syz ci-android-49-kasan-gce
2017/07/22 06:20 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report syz ci-android-49-kasan-gce
2017/08/11 02:49 https://android.googlesource.com/kernel/common android-4.9 c6b2ed395f12 125de3e4 .config console log report ci-android-49-kasan-gce
2017/08/10 22:00 https://android.googlesource.com/kernel/common android-4.9 c6b2ed395f12 125de3e4 .config console log report ci-android-49-kasan-gce
2017/08/10 19:14 https://android.googlesource.com/kernel/common android-4.9 c6b2ed395f12 125de3e4 .config console log report ci-android-49-kasan-gce
2017/08/10 13:36 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/10 11:12 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/10 03:47 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/10 02:22 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/09 17:01 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/09 11:22 https://android.googlesource.com/kernel/common android-4.9 db0248427f18 7e288c05 .config console log report ci-android-49-kasan-gce
2017/08/08 03:37 https://android.googlesource.com/kernel/common android-4.9 7b2727c68878 77a9ec9b .config console log report ci-android-49-kasan-gce
2017/08/06 00:59 https://android.googlesource.com/kernel/common android-4.9 682c1e364674 a8561e92 .config console log report ci-android-49-kasan-gce
2017/08/04 05:39 https://android.googlesource.com/kernel/common android-4.9 682c1e364674 a8561e92 .config console log report ci-android-49-kasan-gce
2017/08/03 22:38 https://android.googlesource.com/kernel/common android-4.9 682c1e364674 a8561e92 .config console log report ci-android-49-kasan-gce
2017/08/01 13:17 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec f5040a63 .config console log report ci-android-49-kasan-gce
2017/08/01 01:33 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec f5040a63 .config console log report ci-android-49-kasan-gce
2017/07/30 23:26 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec f5040a63 .config console log report ci-android-49-kasan-gce
2017/07/30 13:54 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec f5040a63 .config console log report ci-android-49-kasan-gce
2017/07/29 06:32 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec 078d5f87 .config console log report ci-android-49-kasan-gce
2017/07/28 10:15 https://android.googlesource.com/kernel/common android-4.9 ed323354ecec b0d23a5c .config console log report ci-android-49-kasan-gce
2017/07/28 08:31 https://android.googlesource.com/kernel/common android-4.9 a1e4c795e1b6 b0d23a5c .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.