keychord: invalid keycode count 0
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 0 PID: 32369 Comm: syz-executor4 Not tainted 4.9.41-gdb02484 #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cfc37b70 ffffffff81d92609 ffff8801da001b40 ffff8801ccfca160
 ffff8801ccfca170 ffffffff82a73968 0000000000000282 ffff8801cfc37b98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801ccfca160
Call Trace:
 [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49
 [] kasan_object_err+0x1c/0x70 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:4539
 [] calculate_order /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3244 [inline]
 [] kasan_report_double_free+0x53/0x80 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3506
 [] create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5556 [inline]
 [] kasan_slab_free+0x9d/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590
 [] trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline]
 [] kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085
 [] keychord_write+0x628/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:305
 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801ccfca160, in cache kmalloc-16 size: 16
Allocated:
PID = 32369
 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline]
 build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline]
 save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085
 kasan_kmalloc+0xad/0xe0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3868
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 __SetPageSlab /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:265 [inline]
 allocate_slab /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1583 [inline]
 __kmalloc+0x11d/0x310 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1635
 keychord_write+0x6d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:130
 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 32378
 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline]
 build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline]
 save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085
 create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5553 [inline]
 kasan_slab_free+0x73/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590
 trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline]
 kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085
 keychord_write+0x15d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:60
 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 365:366 ioctl 541c 20606fff returned -22
binder: 365:366 ioctl 541c 20606fff returned -22
9pnet_virtio: no channels available for device ./bus
9pnet_virtio: no channels available for device ./bus
binder: 639:640 ioctl 891a 20001000 returned -22
binder: 639:647 ioctl 891a 20001000 returned -22
sock: sock_set_timeout: `syz-executor4' (pid 919) tries to set negative timeout
binder: 885:892 ioctl 80184540 20729000 returned -22
binder: 885:892 ioctl 8940 2012efe8 returned -22
sock: sock_set_timeout: `syz-executor4' (pid 919) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=1060 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=1060 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=771 sclass=netlink_audit_socket pig=1060 comm=syz-executor6
nla_parse: 5 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.