keychord: Insufficient bytes present for keycount 34
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 0 PID: 26567 Comm: syz-executor2 Not tainted 4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8c97b70 ffffffff81d92609 ffff8801da001b40 ffff8801d197e4a0
 ffff8801d197e4b0 ffffffff82a73968 0000000000000282 ffff8801c8c97b98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d197e4a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [] slab_free_hook mm/slub.c:1355 [inline]
 [] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [] slab_free mm/slub.c:2958 [inline]
 [] kfree+0xf0/0x2f0 mm/slub.c:3878
 [] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d197e4a0, in cache kmalloc-16 size: 16
Allocated:
PID = 26567
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 26576
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
IPVS: Creating netns size=2536 id=32
Node 0 active_anon:283104kB inactive_anon:200kB active_file:15804kB inactive_file:20488kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84840kB dirty:208kB writeback:0kB shmem:756kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 24576kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981156kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981852kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:648kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2987764kB min:36816kB low:46020kB high:55224kB active_anon:283104kB inactive_anon:200kB active_file:15804kB inactive_file:20488kB unevictable:0kB writepending:260kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:27292kB slab_unreclaimable:98688kB kernel_stack:5664kB pagetables:2188kB bounce:0kB free_pcp:1168kB local_pcp:596kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 1*4kB (M) 2*8kB (M) 3*16kB (M) 1*32kB (M) 3*64kB (M) 2*128kB (M) 3*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981156kB
Normal: 751*4kB (UME) 834*8kB (UME) 1001*16kB (UME) 1058*32kB (UME) 894*64kB (UME) 253*128kB (UME) 74*256kB (UME) 41*512kB (UME) 31*1024kB (UM) 25*2048kB (UME) 663*4096kB (UM) = 2987676kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
9271 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320234 pages reserved
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=26658 comm=syz-executor7
syz-executor6: vmalloc: allocation failure: 17179868160 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 26651 Comm: syz-executor6 Tainted: G B 4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d88bf888 ffffffff81d92609 1ffff1003b117f14 ffff8801cc341800
 ffffffff83ab7b00 0000000000000001 0000000000400000 ffff8801d88bf998
 ffffffff814503e2 024000c2031b4c24 0000000041b58ab3 ffffffff8418e79d
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e30 net/ipv4/netfilter/ip_tables.c:700
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
 [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1243
 [] udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2086
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:84251 inactive_anon:50 isolated_anon:0
 active_file:3951 inactive_file:5122 isolated_file:0
 unevictable:0 dirty:66 writeback:0 unstable:0
 slab_reclaimable:6823 slab_unreclaimable:24861
 mapped:21210 shmem:189 pagetables:640 bounce:0
 free:1481335 free_pcp:287 free_cma:0
Node 0 active_anon:337004kB inactive_anon:200kB active_file:15804kB inactive_file:20488kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84840kB dirty:264kB writeback:0kB shmem:756kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 14336kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2981156kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981852kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:48kB free_cma:0kB
Normal free:2928276kB min:36816kB low:46020kB high:55224kB active_anon:337004kB inactive_anon:200kB active_file:15804kB inactive_file:20488kB unevictable:0kB writepending:264kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:27292kB slab_unreclaimable:99444kB kernel_stack:6208kB pagetables:2560kB bounce:0kB free_pcp:452kB local_pcp:220kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
9272 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320234 pages reserved
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=26658 comm=syz-executor7
syz-executor6: vmalloc: allocation failure: 17179868160 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 26673 Comm: syz-executor6 Tainted: G B 4.9.41-gc6b2ed3 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d70bf888 ffffffff81d92609 1ffff1003ae17f14 ffff8801c0fd9800
 ffffffff83ab7b00 0000000000000001 0000000000400000 ffff8801d70bf998
 ffffffff814503e2 024000c2de53913d 0000000041b58ab3 ffffffff8418e79d
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e30 net/ipv4/netfilter/ip_tables.c:700
 [] ? 0xffffffff810002b8
 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
 [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1243
 [] udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2086
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:80651 inactive_anon:125 isolated_anon:0
 active_file:3951 inactive_file:5122 isolated_file:0
 unevictable:0 dirty:66 writeback:0 unstable:0
 slab_reclaimable:6823 slab_unreclaimable:25076
 mapped:21210 shmem:264 pagetables:640 bounce:0
 free:1485046 free_pcp:358 free_cma:0
Node 0 active_anon:322604kB inactive_anon:500kB active_file:15804kB inactive_file:20488kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:84840kB dirty:264kB writeback:0kB shmem:1056kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 14336kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2981156kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981852kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:648kB free_cma:0kB
Normal free:2943120kB min:36816kB low:46020kB high:55224kB active_anon:322604kB inactive_anon:500kB active_file:15804kB inactive_file:20488kB unevictable:0kB writepending:264kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:27292kB slab_unreclaimable:100304kB kernel_stack:6336kB pagetables:2560kB bounce:0kB free_pcp:736kB local_pcp:360kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
9347 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320234 pages reserved
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26721 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26750 comm=syz-executor7
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26763 comm=syz-executor7
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26774 comm=syz-executor3
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26771 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26782 comm=syz-executor4
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26785 comm=syz-executor3
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=26832 comm=syz-executor4
nla_parse: 74 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
selinux_nlmsg_perm: 27 callbacks suppressed
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=28803 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=28812 comm=syz-executor3
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.