binder: 7070:7073 transaction failed 29189/-3, size 72-24 line 3137
binder: 7077:7079 transaction failed 29189/-22, size 72-24 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7088 Comm: syz-executor.1 Not tainted 4.4.174+ #17
task: ffff8801c1732f80 task.stack: ffff8801cfd98000
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] __read_once_size include/linux/compiler.h:218 [inline]
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] atomic_add_unless include/linux/atomic.h:437 [inline]
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] binder_update_page_range drivers/android/binder_alloc.c:217 [inline]
RIP: 0010:[<ffffffff8214c0da>]  [<ffffffff8214c0da>] binder_update_page_range+0xada/0x1e00 drivers/android/binder_alloc.c:186
RSP: 0018:ffff8801cfd9f5b0  EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffc9000fff4000 RCX: ffffc9000231e000
RDX: 0000000000000009 RSI: ffffffff8214c09c RDI: ffff8801cecc8010
RBP: ffff8801cfd9f638 R08: 0000000000000000 R09: ffff8801c1733868
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000048
R13: 0000000000000000 R14: ffff8801d7295488 R15: ffff8801d7295400
FS:  0000000000000000(0000) GS:ffff8801db700000(0063) knlGS:00000000f55dcb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020269000 CR3: 00000001d4b51000 CR4: 00000000001606b0
Stack:
 0000000000000246 360bc7c4d2464580 ffff8801c1732f80 ffffffff82ea73a0
 ffffc9000fff3000 ffffffff82ea7320 ffff8801d72954c8 ffff8801d7295490
 ffffffff82141492 ffff8801cfd9f620 0000000000000246 360bc7c4d2464580
Call Trace:
 [<ffffffff8214eea2>] binder_alloc_new_buf_locked drivers/android/binder_alloc.c:442 [inline]
 [<ffffffff8214eea2>] binder_alloc_new_buf+0xa12/0x1020 drivers/android/binder_alloc.c:512
 [<ffffffff82141b9f>] binder_transaction+0x168f/0x5fe0 drivers/android/binder.c:3127
 [<ffffffff82146c3b>] binder_thread_write+0x74b/0x2240 drivers/android/binder.c:3692
 [<ffffffff8214988d>] binder_ioctl_write_read drivers/android/binder.c:4632 [inline]
 [<ffffffff8214988d>] binder_ioctl+0x115d/0x1c20 drivers/android/binder.c:4807
 [<ffffffff8159b2c3>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8159b2c3>] compat_SyS_ioctl+0x403/0x2210 fs/compat_ioctl.c:1544
 [<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
Code: f2 48 c1 ea 03 80 3c 02 00 0f 85 7b 12 00 00 4d 8b af 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8d 65 48 4c 89 e2 48 c1 ea 03 <0f> b6 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 
RIP  [<ffffffff8214c0da>] __read_once_size include/linux/compiler.h:218 [inline]
RIP  [<ffffffff8214c0da>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP  [<ffffffff8214c0da>] __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
RIP  [<ffffffff8214c0da>] atomic_add_unless include/linux/atomic.h:437 [inline]
RIP  [<ffffffff8214c0da>] binder_update_page_range drivers/android/binder_alloc.c:217 [inline]
RIP  [<ffffffff8214c0da>] binder_update_page_range+0xada/0x1e00 drivers/android/binder_alloc.c:186
 RSP <ffff8801cfd9f5b0>
---[ end trace 7e2da91d528c5552 ]---