keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: unsupported version 40
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 1 PID: 22720 Comm: syz-executor7 Not tainted 4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd6c7b70 ffffffff81d8d829 ffff8801da001b40 ffff8801d1b06c00
 ffff8801d1b06c10 ffffffff82a81678 0000000000000282 ffff8801cd6c7b98
 ffffffff81537a3c 00000000fffffffb ffff8801da001b40 ffff8801d1b06c00
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [] slab_free_hook mm/slub.c:1355 [inline]
 [] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [] slab_free mm/slub.c:2958 [inline]
 [] kfree+0xf0/0x2f0 mm/slub.c:3878
 [] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d1b06c00, in cache kmalloc-16 size: 16
Allocated:
PID = 22720
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 22721
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
keychord: unsupported version 40
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
nla_parse: 17 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
device lo entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 70
CPU: 1 PID: 23331 Comm: syz-executor6 Tainted: G B 4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce64fb50 ffffffff81d8d829 ffff8801ce64fe30 0000000000000000
 ffff8801cbb08d10 ffff8801ce64fd20 ffff8801cbb08c00 ffff8801ce64fd48
 ffffffff8165b7c8 ffff8801ce64fca0 0000000020001000 00000001c7cb5067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2746 [inline]
 [] handle_pte_fault mm/memory.c:3487 [inline]
 [] __handle_mm_fault mm/memory.c:3576 [inline]
 [] handle_mm_fault+0x1faa/0x2510 mm/memory.c:3613
 [] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=13
syz-executor1: vmalloc: allocation failure: 17179607040 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
syz-executor1: vmalloc: allocation failure: 17179607040 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 23444 Comm: syz-executor1 Tainted: G B 4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb8d7880 ffffffff81d8d829 1ffff1003971af13 ffff8801a8cfaf00
 ffffffff83ab7440 0000000000000001 0000000000400000 ffff8801cb8d7990
 ffffffff8144bc62 024000c2da386dfa 0000000041b58ab3 ffffffff8419233d
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:71566 inactive_anon:57 isolated_anon:0
 active_file:3852 inactive_file:4712 isolated_file:0
 unevictable:0 dirty:42 writeback:0 unstable:0
 slab_reclaimable:7414 slab_unreclaimable:29674
 mapped:20963 shmem:206 pagetables:848 bounce:0
 free:1490819 free_pcp:380 free_cma:0
Node 0 active_anon:286264kB inactive_anon:228kB active_file:15408kB inactive_file:18848kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:83852kB dirty:168kB writeback:0kB shmem:824kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12288kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2981140kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981840kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:700kB local_pcp:700kB free_cma:0kB
Normal free:2964180kB min:36816kB low:46020kB high:55224kB active_anon:286264kB inactive_anon:228kB active_file:15408kB inactive_file:18848kB unevictable:0kB writepending:168kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:29656kB slab_unreclaimable:118696kB kernel_stack:7200kB pagetables:3392kB bounce:0kB free_pcp:816kB local_pcp:492kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
8769 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320237 pages reserved
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
netlink: 7 bytes leftover after parsing attributes in process `syz-executor5'.
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
CPU: 0 PID: 23429 Comm: syz-executor1 Tainted: G B 4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a919f880 ffffffff81d8d829 1ffff10035233f13 ffff8801cd3b1780
 ffffffff83ab7440 0000000000000001 0000000000400000 ffff8801a919f990
 ffffffff8144bc62 024000c2dbe2faaf 0000000041b58ab3 ffffffff8419233d
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:66486 inactive_anon:57 isolated_anon:0
 active_file:3852 inactive_file:4720 isolated_file:0
 unevictable:0 dirty:93 writeback:0 unstable:0
 slab_reclaimable:7586 slab_unreclaimable:34375
 mapped:20963 shmem:207 pagetables:755 bounce:0
 free:1491833 free_pcp:450 free_cma:0
Node 0 active_anon:265944kB inactive_anon:228kB active_file:15408kB inactive_file:18880kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:83852kB dirty:372kB writeback:0kB shmem:828kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 18432kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981140kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981840kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:700kB local_pcp:700kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2970284kB min:36816kB low:46020kB high:55224kB active_anon:265944kB inactive_anon:228kB active_file:15408kB inactive_file:18880kB unevictable:0kB writepending:376kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:30344kB slab_unreclaimable:137500kB kernel_stack:6528kB pagetables:3020kB bounce:0kB free_pcp:1096kB local_pcp:520kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 3*4kB (M) 3*8kB (M) 5*16kB (M) 3*32kB (M) 3*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981140kB
Normal: 4453*4kB (UME) 3139*8kB (UME) 2064*16kB (UME) 806*32kB (UME) 1359*64kB (UME) 423*128kB (UME) 66*256kB (UME) 6*512kB (UM) 2*1024kB (UE) 5*2048kB (ME) 658*4096kB (UM) = 2970284kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
8782 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320237 pages reserved
tmpfs: No value for mount option 'I'
binder: 23546:23562 ioctl c0286404 207e2fd8 returned -22
binder: 23546:23578 ioctl c0286404 207e2fd8 returned -22
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
selinux_nlmsg_perm: 3 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=24324 sclass=netlink_route_socket pig=23792 comm=syz-executor6
binder: 23797:23799 ioctl 540f 206e8ffc returned -22
binder: 23797:23799 ioctl 540f 206e8ffc returned -22
binder: 23884:23897 ioctl 541c 20001ff4 returned -22
binder: 23884:23886 ioctl 80404519 20001f88 returned -22
binder: 23884:23912 ioctl 541c 20001ff4 returned -22
binder: 23884:23916 ioctl 80404519 20001f88 returned -22