keychord: unsupported version 40 keychord: invalid keycode count 0 ================================================================== BUG: Double free or freeing an invalid pointer keychord: invalid keycode count 0 Unexpected shadow byte: 0xFB CPU: 0 PID: 8733 Comm: syz-executor0 Not tainted 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c65c7b70 ffffffff81d92609 ffff8801da001b40 ffff8801d198d240 ffff8801d198d250 ffffffff82a73968 0000000000000282 ffff8801c65c7b98 ffffffff8153c1bc 00000000fffffffb ffff8801da001b40 ffff8801d198d240 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] kasan_object_err+0x1c/0x70 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:4539 [] calculate_order /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3244 [inline] [] kasan_report_double_free+0x53/0x80 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3506 [] create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5556 [inline] [] kasan_slab_free+0x9d/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590 [] trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline] [] kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085 [] keychord_write+0x628/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:305 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d198d240, in cache kmalloc-16 size: 16 Allocated: PID = 8733 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline] build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline] save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085 kasan_kmalloc+0xad/0xe0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3868 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] __SetPageSlab /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:265 [inline] allocate_slab /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1583 [inline] __kmalloc+0x11d/0x310 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1635 keychord_write+0x6d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:130 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 8741 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline] build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline] save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085 create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5553 [inline] kasan_slab_free+0x73/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590 trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline] kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085 keychord_write+0x15d/0x820 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/input/misc/gpio_input.c:60 SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 entry_SYSCALL_64_fastpath+0x23/0xc6 ================================================================== keychord: unsupported version 40 binder: 8778:8788 ioctl 402c5342 20041f98 returned -22 nla_parse: 31 callbacks suppressed binder: 8778:8810 ioctl 402c5342 20041f98 returned -22 netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. IPv6: NLM_F_REPLACE set, but no existing node found! binder: 8916:8920 ioctl 4b60 20c87000 returned -22 netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'. IPv6: NLM_F_REPLACE set, but no existing node found! binder: 8916:8920 ioctl 4b60 20c87000 returned -22 netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. binder: binder_mmap: 9016 2007d000-2007e000 bad vm_flags failed -1 binder: binder_mmap: 9016 2007d000-2007e000 bad vm_flags failed -1 netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=769 sclass=netlink_route_socket pig=9102 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=769 sclass=netlink_route_socket pig=9102 comm=syz-executor6 binder: 9337:9344 ioctl 4b4e 0 returned -22 binder: 9337:9344 ioctl 4b4e 0 returned -22 device lo entered promiscuous mode SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56267 sclass=netlink_route_socket pig=9395 comm=syz-executor0 device lo left promiscuous mode mmap: syz-executor2 (9414): VmData 18624512 exceed data ulimit 127. Update limits or use boot option ignore_rlimit_data. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56267 sclass=netlink_route_socket pig=9428 comm=syz-executor0 IPVS: Creating netns size=2536 id=11 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9482 comm=syz-executor6 IPVS: Creating netns size=2536 id=12 9pnet_virtio: no channels available for device ./bus 9pnet_virtio: no channels available for device ./bus device syz5 entered promiscuous mode cgroup: cgroup2: unknown option "" cgroup: cgroup2: unknown option "" keychord: using input dev AT Translated Set 2 keyboard for fevent keychord: using input dev AT Translated Set 2 keyboard for fevent device syz1 left promiscuous mode binder: 9855:9858 ioctl 8954 200fafbc returned -22 9pnet_virtio: no channels available for device ./bus binder: 9855:9858 ioctl 8954 200fafbc returned -22 9pnet_virtio: no channels available for device ./bus SELinux: unrecognized netlink message: protocol=9 nlmsg_type=46163 sclass=netlink_audit_socket pig=10035 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=46163 sclass=netlink_audit_socket pig=10056 comm=syz-executor2 device lo entered promiscuous mode binder: 10279:10282 ioctl c0bc5310 20000f44 returned -22 binder: 10279:10282 ioctl 402c5342 200b4000 returned -22 binder: 10348:10351 ioctl 89e0 204deffc returned -22 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket pig=10351 comm=syz-executor3 binder: 10348:10351 ioctl 89e0 204deffc returned -22 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket pig=10351 comm=syz-executor3 device syz6 left promiscuous mode IPVS: Creating netns size=2536 id=13 pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) IPVS: Creating netns size=2536 id=14 9pnet_virtio: no channels available for device ./bus 9pnet_virtio: no channels available for device ./bus nla_parse: 27 callbacks suppressed netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'. IPVS: Creating netns size=2536 id=15 netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. FAULT_FLAG_ALLOW_RETRY missing 70 CPU: 1 PID: 10886 Comm: syz-executor2 Tainted: G B 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d071fb50 ffffffff81d92609 ffff8801d071fe30 0000000000000000 ffff8801d23ccb90 ffff8801d071fd20 ffff8801d23cca80 ffff8801d071fd48 ffffffff81660478 ffff8801d071fca0 0000000000000000 00000001ccaa9067 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] handle_userfault+0xa48/0x1300 /syzkaller/managers/android-49-kasan-gce/kernel/fs/userfaultfd.c:1220 [] pmd_none_or_trans_huge_or_clear_bad /syzkaller/managers/android-49-kasan-gce/kernel/./include/asm-generic/pgtable.h:709 [inline] [] pmd_trans_unstable /syzkaller/managers/android-49-kasan-gce/kernel/./include/asm-generic/pgtable.h:734 [inline] [] pte_alloc_one_map /syzkaller/managers/android-49-kasan-gce/kernel/mm/memory.c:2882 [inline] [] handle_mm_fault+0x1faa/0x2510 /syzkaller/managers/android-49-kasan-gce/kernel/mm/memory.c:2983 [] __do_page_fault+0x4eb/0xbd0 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/mm/fault.c:1397 [] do_page_fault+0x27/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/tty/tty_ldsem.c:365 FAULT_FLAG_ALLOW_RETRY missing 70 CPU: 0 PID: 10912 Comm: syz-executor2 Tainted: G B 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdc9fb50 ffffffff81d92609 ffff8801cdc9fe30 0000000000000000 ffff8801949a7610 ffff8801cdc9fd20 ffff8801949a7500 ffff8801cdc9fd48 ffffffff81660478 ffff8801cdc9fca0 0000000020001000 00000001ce2de067 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] handle_userfault+0xa48/0x1300 /syzkaller/managers/android-49-kasan-gce/kernel/fs/userfaultfd.c:1220 [] pmd_none_or_trans_huge_or_clear_bad /syzkaller/managers/android-49-kasan-gce/kernel/./include/asm-generic/pgtable.h:709 [inline] [] pmd_trans_unstable /syzkaller/managers/android-49-kasan-gce/kernel/./include/asm-generic/pgtable.h:734 [inline] [] pte_alloc_one_map /syzkaller/managers/android-49-kasan-gce/kernel/mm/memory.c:2882 [inline] [] handle_mm_fault+0x1faa/0x2510 /syzkaller/managers/android-49-kasan-gce/kernel/mm/memory.c:2983 [] __do_page_fault+0x4eb/0xbd0 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/mm/fault.c:1397 [] do_page_fault+0x27/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/tty/tty_ldsem.c:365 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=11028 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=11028 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=11104 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=54002 sclass=netlink_route_socket pig=11114 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=54002 sclass=netlink_route_socket pig=11114 comm=syz-executor0 ALSA: seq fatal error: cannot create timer (-22) SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=11104 comm=syz-executor2 9pnet_virtio: no channels available for device ./bus 9pnet_virtio: no channels available for device ./bus netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. device syz3 entered promiscuous mode device syz3 left promiscuous mode device syz3 entered promiscuous mode binder: 11772:11776 ioctl 8918 2081f000 returned -22 tmpfs: No value for mount option '' binder: 11772:11776 ioctl c02c5341 203d4000 returned -22 tmpfs: No value for mount option '' binder: 11772:11776 ioctl 540f 205ba000 returned -22 binder: 11772:11776 ioctl 8915 20734000 returned -22 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=11799 comm=syz-executor7 binder: 11772:11776 ioctl 8918 2081f000 returned -22 binder: 11772:11811 ioctl c02c5341 203d4000 returned -22 binder: 11772:11815 ioctl 540f 205ba000 returned -22 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=770 sclass=netlink_audit_socket pig=11817 comm=syz-executor7 binder: 11772:11811 ioctl 8915 20734000 returned -22