==================================================================
BUG: Double free or freeing an invalid pointer
rpcbind: RPC call returned error 22
Unexpected shadow byte: 0xFB
CPU: 1 PID: 24629 Comm: syz-executor6 Not tainted 4.9.40-ged32335 #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9037b78 ffffffff81eaccf9 ffff8801dac01b40 ffff8801d4ce4b40
 ffff8801d4ce4b50 ffffffff82b49afb 0000000000000282 ffff8801d9037ba0
 ffffffff81546b9c 00000000fffffffb ffff8801dac01b40 ffff8801d4ce4b40
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] kasan_report_double_free+0x44/0x60 mm/kasan/report.c:181
 [] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [] slab_free_hook mm/slub.c:1355 [inline]
 [] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [] slab_free mm/slub.c:2958 [inline]
 [] kfree+0xf0/0x2f0 mm/slub.c:3878
 [] keychord_write+0x61b/0x810 drivers/input/misc/keychord.c:319
 [] __vfs_write+0xfb/0x660 fs/read_write.c:510
rpcbind: RPC call returned error 22
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd4/0x1a0 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d4ce4b40, in cache kmalloc-16 size: 16
Allocated:
PID = 24629
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x128/0x320 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x810 drivers/input/misc/keychord.c:243
 __vfs_write+0xfb/0x660 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 24633
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x150/0x810 drivers/input/misc/keychord.c:261
 __vfs_write+0xfb/0x660 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
sg_write: data in/out 458718/2 bytes for SCSI command 0x25-- guessing data in; program syz-executor7 not setting count and/or reply_len properly
nla_parse: 5 callbacks suppressed
netlink: 14 bytes leftover after parsing attributes in process `syz-executor1'.
sg_write: data in/out 458718/2 bytes for SCSI command 0x25-- guessing data in; program syz-executor0 not setting count and/or reply_len properly
sg_write: data in/out 458718/2 bytes for SCSI command 0x25-- guessing data in; program syz-executor5 not setting count and/or reply_len properly
sg_write: data in/out 458718/2 bytes for SCSI command 0x25-- guessing data in; program syz-executor6 not setting count and/or reply_len properly
netlink: 14 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 14 bytes leftover after parsing attributes in process `syz-executor3'.
device lo entered promiscuous mode
tmpfs: No value for mount option '›'
binder_alloc: binder_alloc_mmap_handler: 25623 2076f000-20772000 already mapped failed -16
device lo left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 25706 2076f000-20772000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 25715 2076f000-20772000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 25722 2076f000-20772000 already mapped failed -16
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: NLM_F_REPLACE set, but no existing node found!
binder: 26424:26425 ioctl 4b44 20675000 returned -22
binder: 26424:26444 ioctl 4b44 20675000 returned -22
binder: 26453:26458 ioctl 4b44 20675000 returned -22
binder: 26453:26473 ioctl 4b44 20675000 returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 26488:26491 ioctl 4b44 20675000 returned -22
binder: 26488:26500 ioctl 4b44 20675000 returned -22
binder: 26501:26503 ioctl 4b44 20675000 returned -22
binder: 26501:26523 ioctl 4b44 20675000 returned -22