binder: 25841:25845 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 25850:25854 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 25850:25854 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 25850:25854 Release 1 refcount change on invalid ref 0 ret -22
binder: 25850:25854 transaction failed 29189/-22, size 0-0 line 3119
INFO: task kworker/u4:4:2137 blocked for more than 140 seconds.
 Not tainted 4.9.185+ #7
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:4 D25560 2137 2 0x80000000
Workqueue: events_unbound fsnotify_mark_destroy_workfn
 0000000000000087 ffff8801cfeeaf80 0000000000000000 ffff8801db721000
 ffff8801da6817c0 ffff8801db721018 ffff8801cf0af730 ffffffff8280a47e
 0000000000000000 0000000000000376 0000000000000002 ffff8801db7218f0
Call Trace:
 [<00000000a7137b8f>] schedule+0x92/0x1c0 kernel/sched/core.c:3546
 [<00000000c7977768>] schedule_timeout+0x766/0xe50 kernel/time/timer.c:1771
 [<0000000023b1e614>] do_wait_for_common kernel/sched/completion.c:75 [inline]
 [<0000000023b1e614>] __wait_for_common kernel/sched/completion.c:93 [inline]
 [<0000000023b1e614>] wait_for_common+0x2c6/0x4d0 kernel/sched/completion.c:101
 [<00000000ac356893>] wait_for_completion+0x18/0x20 kernel/sched/completion.c:122
 [<00000000f3a5a7fb>] __synchronize_srcu+0x26d/0x3d0 kernel/rcu/srcu.c:448
 [<000000004f78e073>] synchronize_srcu+0x1f/0x40 kernel/rcu/srcu.c:492
 [<00000000de055a11>] fsnotify_mark_destroy_list+0x110/0x390 fs/notify/mark.c:551
 [<00000000fef6e7ae>] fsnotify_mark_destroy_workfn+0xe/0x10 fs/notify/mark.c:561
 [<0000000019d39bc9>] process_one_work+0x88b/0x1600 kernel/workqueue.c:2114
 [<0000000032898dd2>] worker_thread+0x5df/0x11d0 kernel/workqueue.c:2251
 [<00000000a38b1256>] kthread+0x278/0x310 kernel/kthread.c:211
 [<0000000054ecc1d3>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:375

Showing all locks held in the system:
2 locks held by khungtaskd/24:
 #0: (rcu_read_lock){......}, at: [<00000000a92af8ce>] check_hung_uninterruptible_tasks kernel/hung_task.c:169 [inline]
 #0: (rcu_read_lock){......}, at: [<00000000a92af8ce>] watchdog+0x14b/0xaf0 kernel/hung_task.c:263
 #1: (tasklist_lock){.+.+..}, at: [<00000000be809c6a>] debug_show_all_locks+0x7f/0x21f kernel/locking/lockdep.c:4336
1 lock held by rsyslogd/1914:
 #0: (&f->f_pos_lock){+.+.+.}, at: [<00000000e79e19cb>] __fdget_pos+0xa8/0xd0 fs/file.c:782
2 locks held by getty/2042:
 #0: (&tty->ldisc_sem){++++++}, at: [<000000003e318ebb>] ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:377
 #1: (&ldata->atomic_read_lock){+.+...}, at: [<0000000058c9d78e>] n_tty_read+0x1fe/0x1820 drivers/tty/n_tty.c:2156
2 locks held by kworker/u4:4/2137:
 #0: ("events_unbound"){.+.+.+}, at: [<00000000e3c91426>] process_one_work+0x790/0x1600 kernel/workqueue.c:2107
 #1: ((reaper_work).work){+.+...}, at: [<00000000d89c42a0>] process_one_work+0x7ce/0x1600 kernel/workqueue.c:2111
2 locks held by udevd/22768:
 #0: (&mm->mmap_sem){++++++}, at: [<00000000ba053311>] vm_mmap_pgoff+0x13d/0x1c0 mm/util.c:327
 #1: (&anon_vma->rwsem){++++..}, at: [<00000000d119a523>] anon_vma_lock_read include/linux/rmap.h:127 [inline]
 #1: (&anon_vma->rwsem){++++..}, at: [<00000000d119a523>] validate_mm+0xdb/0x5a0 mm/mmap.c:361
4 locks held by udevd/25397:
 #0: (&dup_mmap_sem){.+.+.+}, at: [<00000000b18bad1e>] dup_mmap kernel/fork.c:573 [inline]
 #0: (&dup_mmap_sem){.+.+.+}, at: [<00000000b18bad1e>] dup_mm kernel/fork.c:1156 [inline]
 #0: (&dup_mmap_sem){.+.+.+}, at: [<00000000b18bad1e>] copy_mm kernel/fork.c:1210 [inline]
 #0: (&dup_mmap_sem){.+.+.+}, at: [<00000000b18bad1e>] copy_process.part.0+0x38ca/0x63f0 kernel/fork.c:1694
 #1: (&mm->mmap_sem){++++++}, at: [<000000006f0bc837>] dup_mmap kernel/fork.c:574 [inline]
 #1: (&mm->mmap_sem){++++++}, at: [<000000006f0bc837>] dup_mm kernel/fork.c:1156 [inline]
 #1: (&mm->mmap_sem){++++++}, at: [<000000006f0bc837>] copy_mm kernel/fork.c:1210 [inline]
 #1: (&mm->mmap_sem){++++++}, at: [<000000006f0bc837>] copy_process.part.0+0x38e5/0x63f0 kernel/fork.c:1694
 #2: (&mm->mmap_sem/1){+.+.+.}, at: [<00000000dc903b6b>] dup_mmap kernel/fork.c:583 [inline]
 #2: (&mm->mmap_sem/1){+.+.+.}, at: [<00000000dc903b6b>] dup_mm kernel/fork.c:1156 [inline]
 #2: (&mm->mmap_sem/1){+.+.+.}, at: [<00000000dc903b6b>] copy_mm kernel/fork.c:1210 [inline]
 #2: (&mm->mmap_sem/1){+.+.+.}, at: [<00000000dc903b6b>] copy_process.part.0+0x391e/0x63f0 kernel/fork.c:1694
 #3: (&anon_vma->rwsem){++++..}, at: [<0000000044add0fb>] lock_anon_vma_root mm/rmap.c:235 [inline]
 #3: (&anon_vma->rwsem){++++..}, at: [<0000000044add0fb>] anon_vma_clone+0x143/0x4a0 mm/rmap.c:275
2 locks held by udevd/25847:
 #0: (&sig->cred_guard_mutex){+.+.+.}, at: [<0000000002bede24>] prepare_bprm_creds+0x55/0x120 fs/exec.c:1369
 #1: (&anon_vma->rwsem){++++..}, at: [<0000000046b013ed>] anon_vma_lock_write include/linux/rmap.h:117 [inline]
 #1: (&anon_vma->rwsem){++++..}, at: [<0000000046b013ed>] anon_vma_free mm/rmap.c:116 [inline]
 #1: (&anon_vma->rwsem){++++..}, at: [<0000000046b013ed>] __put_anon_vma+0x1d8/0x2c0 mm/rmap.c:1806

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 24 Comm: khungtaskd Not tainted 4.9.185+ #7
 ffff8801d98d7cc8 ffffffff81b57f51 0000000000000000 0000000000000000
 0000000000000000 ffffffff81099a01 dffffc0000000000 ffff8801d98d7d00
 ffffffff81b631ec 0000000000000000 0000000000000000 0000000000000000
Call Trace:
 [<000000000a27d38b>] __dump_stack lib/dump_stack.c:15 [inline]
 [<000000000a27d38b>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<000000006eef93d6>] nmi_cpu_backtrace.cold+0x47/0x87 lib/nmi_backtrace.c:99
 [<0000000013f683eb>] nmi_trigger_cpumask_backtrace+0x124/0x155 lib/nmi_backtrace.c:60
 [<000000008404ac82>] arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:37
 [<00000000d87049a8>] trigger_all_cpu_backtrace include/linux/nmi.h:58 [inline]
 [<00000000d87049a8>] check_hung_task kernel/hung_task.c:126 [inline]
 [<00000000d87049a8>] check_hung_uninterruptible_tasks kernel/hung_task.c:183 [inline]
 [<00000000d87049a8>] watchdog+0x670/0xaf0 kernel/hung_task.c:263
 [<00000000a38b1256>] kthread+0x278/0x310 kernel/kthread.c:211
 [<0000000054ecc1d3>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:375
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 25856 Comm: syz-executor.2 Not tainted 4.9.185+ #7
task: 000000007d166fd6 task.stack: 00000000641a8ff6
RIP: 0010:[] c [<0000000083afb952>] vm_normal_page+0x87/0x300 mm/memory.c:744
RSP: 0018:ffff8801a93ef620 EFLAGS: 00000a02
RAX: 1ffff1003527decb RBX: dffffc0000000000 RCX: ffff8801a93ef900
RDX: 0000000000000000 RSI: ffffffff8149faac RDI: ffff8801a93ef658
RBP: ffff8801a93ef6c0 R08: ffff8801a93ef920 R09: 0000000000000ed9
R10: ffff8801d68788b0 R11: 0000000000000001 R12: 1ffff1003527dec7
R13: 00007f86984dd000 R14: ffff8801a93ef698 R15: dffffc0000000000
FS: 00007f8696a9a700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff6f5f4f58 CR3: 00000001ac5f1000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 00007f86984dd000c ffff8801d67db960c 80000001b5faf007c 0000000041b58ab3c
 ffffffff82e3e6adc ffffffff8149fa30c 0000000000000000c 80000001b5fb0007c
 ffff8801a93ef688c 0000000000000001c 0000000000000000c ffff8800000004d8c
Call Trace:
 [<00000000fc083db2>] zap_pte_range mm/memory.c:1129 [inline]
 [<00000000fc083db2>] zap_pmd_range mm/memory.c:1249 [inline]
 [<00000000fc083db2>] zap_pud_range mm/memory.c:1270 [inline]
 [<00000000fc083db2>] unmap_page_range+0x9d4/0x1690 mm/memory.c:1291
 [<000000001a07b142>] unmap_single_vma+0x124/0x180 mm/memory.c:1336
 [<00000000138abba3>] unmap_vmas+0x48/0xa0 mm/memory.c:1366
 [<0000000043ef3b80>] exit_mmap+0x1e3/0x3b0 mm/mmap.c:3020
 [<00000000f519c543>] __mmput kernel/fork.c:884 [inline]
 [<00000000f519c543>] mmput kernel/fork.c:906 [inline]
 [<00000000f519c543>] mmput+0xd5/0x370 kernel/fork.c:901
 [<00000000569c1ecf>] exit_mm kernel/exit.c:514 [inline]
 [<00000000569c1ecf>] do_exit+0x6ca/0x2aa0 kernel/exit.c:828
 [<00000000bdd7fb98>] do_group_exit+0x111/0x300 kernel/exit.c:945
 [<00000000ba59b1a8>] get_signal+0x377/0x1cb0 kernel/signal.c:2382
 [<00000000679802b3>] do_signal+0x9c/0x1920 arch/x86/kernel/signal.c:812
 [<00000000606fe252>] exit_to_usermode_loop+0x11c/0x160 arch/x86/entry/common.c:159
 [<00000000337fb8c4>] prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 [<00000000337fb8c4>] syscall_return_slowpath arch/x86/entry/common.c:266 [inline]
 [<00000000337fb8c4>] do_syscall_64+0x3ab/0x5c0 arch/x86/entry/common.c:293
 [<0000000075a27318>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: cf1 cc7 c40 c04 c00 cf3 cf3 cf3 c65 c48 c8b c04 c25 c28 c00 c00 c00 c48 c89 c45 cd0 c31 cc0 c48 c89 c55 c98 ce8 ce4 c12 ce8 cff c48 c8d c7d c98 c48 c89 cf8 c48 cc1 ce8 c03 c<80> c3c c18 c00 c0f c85 c30 c02 c00 c00 c4d c8b c6e cc0 c4c c89 cef c48 c89 cf8 c0f c