keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: unsupported version 40
==================================================================
BUG: Double free or freeing an invalid pointer
Unexpected shadow byte: 0xFB
CPU: 1 PID: 22720 Comm: syz-executor7 Not tainted 4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd6c7b70 ffffffff81d8d829 ffff8801da001b40 ffff8801d1b06c00
 ffff8801d1b06c10 ffffffff82a81678 0000000000000282 ffff8801cd6c7b98
 ffffffff81537a3c 00000000fffffffb ffff8801da001b40 ffff8801d1b06c00
Call Trace:
 [<ffffffff81d8d829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d8d829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81537a3c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff81538273>] kasan_report_double_free+0x53/0x80 mm/kasan/report.c:181
 [<ffffffff8153762d>] kasan_slab_free+0x9d/0xc0 mm/kasan/kasan.c:562
 [<ffffffff815341b0>] slab_free_hook mm/slub.c:1355 [inline]
 [<ffffffff815341b0>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<ffffffff815341b0>] slab_free mm/slub.c:2958 [inline]
 [<ffffffff815341b0>] kfree+0xf0/0x2f0 mm/slub.c:3878
 [<ffffffff82a81678>] keychord_write+0x628/0x820 drivers/input/misc/keychord.c:319
 [<ffffffff815659a3>] __vfs_write+0x103/0x680 fs/read_write.c:510
 [<ffffffff81569ad0>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff8156d4c9>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff8156d4c9>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff838b36c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d1b06c00, in cache kmalloc-16 size: 16
Allocated:
PID = 22720
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 keychord_write+0x6d/0x820 drivers/input/misc/keychord.c:243
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 22721
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 keychord_write+0x15d/0x820 drivers/input/misc/keychord.c:261
 __vfs_write+0x103/0x680 fs/read_write.c:510
 vfs_write+0x170/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
keychord: unsupported version 40
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
nla_parse: 17 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
device lo entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 70
CPU: 1 PID: 23331 Comm: syz-executor6 Tainted: G    B           4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ce64fb50 ffffffff81d8d829 ffff8801ce64fe30 0000000000000000
 ffff8801cbb08d10 ffff8801ce64fd20 ffff8801cbb08c00 ffff8801ce64fd48
 ffffffff8165b7c8 ffff8801ce64fca0 0000000020001000 00000001c7cb5067
Call Trace:
 [<ffffffff81d8d829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d8d829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165b7c8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cac0a>] do_anonymous_page mm/memory.c:2746 [inline]
 [<ffffffff814cac0a>] handle_pte_fault mm/memory.c:3487 [inline]
 [<ffffffff814cac0a>] __handle_mm_fault mm/memory.c:3576 [inline]
 [<ffffffff814cac0a>] handle_mm_fault+0x1faa/0x2510 mm/memory.c:3613
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838b4898>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=13
syz-executor1: vmalloc: allocation failure: 17179607040 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
syz-executor1: vmalloc: allocation failure: 17179607040 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 23444 Comm: syz-executor1 Tainted: G    B           4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb8d7880 ffffffff81d8d829 1ffff1003971af13 ffff8801a8cfaf00
 ffffffff83ab7440 0000000000000001 0000000000400000 ffff8801cb8d7990
 ffffffff8144bc62 024000c2da386dfa 0000000041b58ab3 ffffffff8419233d
Call Trace:
 [<ffffffff81d8d829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d8d829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8144bc62>] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [<ffffffff814f9945>] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [<ffffffff814f9c0b>] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [<ffffffff814f9c0b>] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [<ffffffff814f9c0b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [<ffffffff83143ec1>] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [<ffffffff8351f14a>] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff8352302e>] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [<ffffffff8352302e>] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [<ffffffff830a2117>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [<ffffffff830a2117>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [<ffffffff8347b605>] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [<ffffffff83234592>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82edf245>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82edc1e0>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82edc1e0>] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [<ffffffff838b36c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:71566 inactive_anon:57 isolated_anon:0
 active_file:3852 inactive_file:4712 isolated_file:0
 unevictable:0 dirty:42 writeback:0 unstable:0
 slab_reclaimable:7414 slab_unreclaimable:29674
 mapped:20963 shmem:206 pagetables:848 bounce:0
 free:1490819 free_pcp:380 free_cma:0
Node 0 active_anon:286264kB inactive_anon:228kB active_file:15408kB inactive_file:18848kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:83852kB dirty:168kB writeback:0kB shmem:824kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 12288kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2981140kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981840kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:700kB local_pcp:700kB free_cma:0kB
Normal free:2964180kB min:36816kB low:46020kB high:55224kB active_anon:286264kB inactive_anon:228kB active_file:15408kB inactive_file:18848kB unevictable:0kB writepending:168kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:29656kB slab_unreclaimable:118696kB kernel_stack:7200kB pagetables:3392kB bounce:0kB free_pcp:816kB local_pcp:492kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
8769 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320237 pages reserved
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
netlink: 7 bytes leftover after parsing attributes in process `syz-executor5'.
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
CPU: 0 PID: 23429 Comm: syz-executor1 Tainted: G    B           4.9.40-ged32335 #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a919f880 ffffffff81d8d829 1ffff10035233f13 ffff8801cd3b1780
 ffffffff83ab7440 0000000000000001 0000000000400000 ffff8801a919f990
 ffffffff8144bc62 024000c2dbe2faaf 0000000041b58ab3 ffffffff8419233d
Call Trace:
 [<ffffffff81d8d829>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d8d829>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8144bc62>] warn_alloc+0x212/0x240 mm/page_alloc.c:3038
 [<ffffffff814f9945>] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [<ffffffff814f9c0b>] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [<ffffffff814f9c0b>] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [<ffffffff814f9c0b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [<ffffffff83143ec1>] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [<ffffffff8351f14a>] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff8352302e>] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
 [<ffffffff8352302e>] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
 [<ffffffff830a2117>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [<ffffffff830a2117>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [<ffffffff8347b605>] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:903
 [<ffffffff83234592>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82edf245>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82edc1e0>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82edc1e0>] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [<ffffffff838b36c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:66486 inactive_anon:57 isolated_anon:0
 active_file:3852 inactive_file:4720 isolated_file:0
 unevictable:0 dirty:93 writeback:0 unstable:0
 slab_reclaimable:7586 slab_unreclaimable:34375
 mapped:20963 shmem:207 pagetables:755 bounce:0
 free:1491833 free_pcp:450 free_cma:0
Node 0 active_anon:265944kB inactive_anon:228kB active_file:15408kB inactive_file:18880kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:83852kB dirty:372kB writeback:0kB shmem:828kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 18432kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981140kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981840kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:700kB local_pcp:700kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2970284kB min:36816kB low:46020kB high:55224kB active_anon:265944kB inactive_anon:228kB active_file:15408kB inactive_file:18880kB unevictable:0kB writepending:376kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:30344kB slab_unreclaimable:137500kB kernel_stack:6528kB pagetables:3020kB bounce:0kB free_pcp:1096kB local_pcp:520kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 3*4kB (M) 3*8kB (M) 5*16kB (M) 3*32kB (M) 3*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981140kB
Normal: 4453*4kB (UME) 3139*8kB (UME) 2064*16kB (UME) 806*32kB (UME) 1359*64kB (UME) 423*128kB (UME) 66*256kB (UME) 6*512kB (UM) 2*1024kB (UE) 5*2048kB (ME) 658*4096kB (UM) = 2970284kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
8782 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320237 pages reserved
tmpfs: No value for mount option 'I'
binder: 23546:23562 ioctl c0286404 207e2fd8 returned -22
binder: 23546:23578 ioctl c0286404 207e2fd8 returned -22
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
selinux_nlmsg_perm: 3 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=24324 sclass=netlink_route_socket pig=23792 comm=syz-executor6
binder: 23797:23799 ioctl 540f 206e8ffc returned -22
binder: 23797:23799 ioctl 540f 206e8ffc returned -22
binder: 23884:23897 ioctl 541c 20001ff4 returned -22
binder: 23884:23886 ioctl 80404519 20001f88 returned -22
binder: 23884:23912 ioctl 541c 20001ff4 returned -22
binder: 23884:23916 ioctl 80404519 20001f88 returned -22