keychord: unsupported version 40
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 1 PID: 23801 Comm: syz-executor7 Not tainted 4.9.40-g7b2727c #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c6a87b70 ffffffff81d8f109 ffff8801da001b40 ffff8801d0628400
 ffff8801d0628410 ffffffff82a70418 0000000000000282 ffff8801c6a87b98
 ffffffff8153931c 00000000fffffffb ffff8801da001b40 ffff8801d0628400
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [] slab_free_hook mm/slub.c:1355 [inline]
 [] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [] slab_free mm/slub.c:2958 [inline]
 [] kfree+0xf0/0x2f0 mm/slub.c:3878
 [] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d0628400, in cache kmalloc-16 size: 16
Allocated:
PID = 23801
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 23807
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
keychord: unsupported version 40
sd 0:0:1:0: [sg0] tag#249 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#249 CDB: opcode=0xc0 (vendor)
sd 0:0:1:0: [sg0] tag#249 CDB[00]: c0 3f 00 20 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#271 CDB: opcode=0xc0 (vendor)
sd 0:0:1:0: [sg0] tag#271 CDB[00]: c0 3f 00 20 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[40]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[50]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[60]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[70]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[80]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[90]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[a0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[b0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[c0]: 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[40]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[50]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[60]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[70]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[80]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[90]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[a0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[b0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[c0]: 00 00 00 00 00 00 00 00 00 00
device ! entered promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=22 sclass=netlink_tcpdiag_socket pig=23932 comm=syz-executor1
device ! left promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=22 sclass=netlink_tcpdiag_socket pig=23932 comm=syz-executor1
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=24011 comm=syz-executor5
binder: 24062:24063 ioctl c08c5332 2015c000 returned -22
binder: 24062:24070 ioctl c08c5332 2015c000 returned -22
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
binder: binder_mmap: 24174 2007d000-2007e000 bad vm_flags failed -1
binder: binder_mmap: 24174 2007d000-2007e000 bad vm_flags failed -1
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 1, async page read
Buffer I/O error on dev loop0, logical block 2, async page read
Buffer I/O error on dev loop0, logical block 3, async page read
Buffer I/O error on dev loop0, logical block 4, async page read
Buffer I/O error on dev loop0, logical block 5, async page read
Buffer I/O error on dev loop0, logical block 6, async page read
Buffer I/O error on dev loop0, logical block 7, async page read
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
sd 0:0:1:0: [sg0] tag#271 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#271 CDB: opcode=0xc0 (vendor)
sd 0:0:1:0: [sg0] tag#271 CDB[00]: c0 3f 00 20 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[40]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[50]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[60]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[70]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#249 CDB: opcode=0xc0 (vendor)
sd 0:0:1:0: [sg0] tag#249 CDB[00]: c0 3f 00 20 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[40]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[50]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[60]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[70]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[80]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[90]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[a0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[b0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#249 CDB[c0]: 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[80]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[90]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[a0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[b0]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#271 CDB[c0]: 00 00 00 00 00 00 00 00 00 00
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=123 sclass=netlink_route_socket pig=24619 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=24625 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=123 sclass=netlink_route_socket pig=24619 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=24625 comm=syz-executor7
sg_write: data in/out 1729298428/132 bytes for SCSI command 0xfd-- guessing data in;
   program syz-executor1 not setting count and/or reply_len properly
device syz2 entered promiscuous mode
nla_parse: 15 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1 sclass=netlink_audit_socket pig=24823 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1 sclass=netlink_audit_socket pig=24823 comm=syz-executor5
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 24921:24923 ioctl 80045430 7fc0de156c2c returned -22
binder: 24921:24923 ioctl c0286404 207e2fd8 returned -22
binder: 24921:24966 ioctl 80045430 7fc0de135c2c returned -22
binder: 24921:24966 ioctl c0286404 207e2fd8 returned -22
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20020. Sending cookies. Check SNMP counters.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=38906 sclass=netlink_route_socket pig=25312 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=25316 comm=syz-executor6
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
syz-executor1 (25357) used greatest stack depth: 24160 bytes left
binder: 25397:25402 ioctl c0286404 20872000 returned -22
binder: 25397:25416 ioctl c0286404 20872000 returned -22
device lo left promiscuous mode
keychord: keycode 4095 out of range
IPv6: ADDRCONF(NETDEV_CHANGE): syz4: link becomes ready
keychord: keycode 4095 out of range
9pnet_virtio: no channels available for device ./bus
9pnet_virtio: no channels available for device ./bus
9pnet_virtio: no channels available for device ./bus
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51555 sclass=netlink_route_socket pig=25757 comm=syz-executor4
IPv6: ADDRCONF(NETDEV_CHANGE): syz4: link becomes ready
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51555 sclass=netlink_route_socket pig=25757 comm=syz-executor4
9pnet_virtio: no channels available for device ./bus
device syz1 left promiscuous mode
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
sock: process `syz-executor3' is using obsolete setsockopt SO_BSDCOMPAT
binder: 25973:25974 ioctl c08c5332 2015c000 returned -22
binder: 25973:25974 ioctl c08c5332 2015c000 returned -22
binder: 26021:26024 ioctl c0286404 207e2fd8 returned -22
binder: 26021:26024 ioctl c0286404 207e2fd8 returned -22
IPv6: NLM_F_REPLACE set, but no existing node found!
program syz-executor0 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor0 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor0 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor0 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
device lo entered promiscuous mode
device lo left promiscuous mode