binder: 10431:10456 ioctl 40206417 20818000 returned -22
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 0 PID: 10434 Comm: syz-executor1 Not tainted 4.9.41-gdb02484 #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ab65fb70 ffffffff81d92609 ffff8801da001b40 ffff8801d5175760
 ffff8801d5175770 ffffffff82a73968 0000000000000282 ffff8801ab65fb98
 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d5175760
Call Trace:
 [<ffffffff81d92609>] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:4539
 [<ffffffff8153c9f3>] calculate_order /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3244 [inline]
 [<ffffffff8153c9f3>] kasan_report_double_free+0x53/0x80 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3506
 [<ffffffff8153bdad>] create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5556 [inline]
 [<ffffffff8153bdad>] kasan_slab_free+0x9d/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590
 [<ffffffff81538930>] trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline]
 [<ffffffff81538930>] kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085
 [<ffffffff82a73968>] keychord_write+0x628/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:305
 [<ffffffff8156a133>] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 [<ffffffff8156a133>] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 [<ffffffff8156e260>] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 [<ffffffff81571c59>] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 [<ffffffff838a5985>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d5175760, in cache kmalloc-16 size: 16
Allocated:
PID = 10434
 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline]
 build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline]
 save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085
 kasan_kmalloc+0xad/0xe0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3868
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 __SetPageSlab /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:265 [inline]
 allocate_slab /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1583 [inline]
 __kmalloc+0x11d/0x310 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1635
 keychord_write+0x6d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:130
 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10456
 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57
 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline]
 virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline]
 build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline]
 save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085
 create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5553 [inline]
 kasan_slab_free+0x73/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590
 trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline]
 kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085
 keychord_write+0x15d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:60
 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline]
 __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363
 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765
 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
binder: 10474:10480 ioctl 40206417 20818000 returned -22
binder: 10476:10481 ioctl 40206417 20818000 returned -22
binder: 10478:10483 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10476:10481 ioctl 40206417 20818000 returned -22
binder: 10478:10498 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10474:10494 ioctl 40206417 20818000 returned -22
binder: 10547:10551 ioctl 40206417 20818000 returned -22
binder: 10544:10557 ioctl 40206417 20818000 returned -22
binder: 10553:10558 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10553:10558 ioctl 40206417 20818000 returned -22
binder: 10544:10573 ioctl 40206417 20818000 returned -22
binder: 10547:10587 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10606:10607 ioctl 40206417 20818000 returned -22
binder: 10611:10618 ioctl 40206417 20818000 returned -22
binder: 10611:10618 ioctl 40206417 20818000 returned -22
binder: 10606:10629 ioctl 40206417 20818000 returned -22
binder: 10641:10643 ioctl 40206417 20818000 returned -22
binder: 10638:10649 ioctl 40206417 20818000 returned -22
binder: 10642:10647 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10641:10660 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10638:10668 ioctl 40206417 20818000 returned -22
binder: 10642:10675 ioctl 40206417 20818000 returned -22
binder: 10683:10685 ioctl 40206417 20818000 returned -22
binder: 10683:10690 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10706:10715 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10706:10732 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
binder: 10764:10768 ioctl 40206417 20818000 returned -22
binder: 10764:10779 ioctl 40206417 20818000 returned -22
keychord: using input dev AT Translated Set 2 keyboard for fevent
------------[ cut here ]------------
WARNING: CPU: 0 PID: 10780 at lib/list_debug.c:36 assoc_array_insert_into_terminal_node /syzkaller/managers/android-49-kasan-gce/kernel/lib/assoc_array.c:818 [inline]
WARNING: CPU: 0 PID: 10780 at lib/list_debug.c:36 __list_add+0x169/0x1c0 /syzkaller/managers/android-49-kasan-gce/kernel/lib/assoc_array.c:1033
list_add double add: new=ffff8801a74ac968, prev=ffff8801a74ac968, next=ffffffff84833fe0.
binder: 10787:10795 ioctl 40206417 20818000 returned -22