RBP: 000000000071bea0 R08: 0000000000000008 R09: 0000000000000000
R10: 00000000201e7000 R11: 0000000000000246 R12: 0000000000000014
R13: 000000000000043d R14: 00000000006f6658 R15: 0000000000000000
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 6963 Comm: syz-executor4 Not tainted 4.15.0+ #308
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:binder_poll+0xa0/0x390 drivers/android/binder.c:4395
RSP: 0018:ffff8801acc07658 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff841dbe90
RDX: 0000000000000000 RSI: ffffc90003ce2000 RDI: 0000000000000282
binder_alloc: binder_alloc_mmap_handler: 6987 20000000-20002000 already mapped failed -16
RBP: ffff8801acc07700 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10035980ecf
R13: ffff8801acc079b0 R14: ffff8801d53b35c0 R15: ffff8801acc076d8
FS:  00007f50242d7700(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004d6144 CR3: 00000001ca05b001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_pollfd fs/select.c:826 [inline]
 do_poll fs/select.c:877 [inline]
 do_sys_poll+0x716/0x1050 fs/select.c:971
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 6987: binder_alloc_buf, no vma
binder: 6987:6996 transaction failed 29189/-3, size 80-8 line 2957
binder: 6987:6992 ioctl 40046207 0 returned -16
 SYSC_ppoll fs/select.c:1079 [inline]
 SyS_ppoll+0x1ef/0x450 fs/select.c:1051
binder: 6987:7000 IncRefs 0 refcount change on invalid ref 1 ret -22
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6987:6992 transaction 24 out, still active
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007f50242d6c68 EFLAGS: 00000246
binder: unexpected work type, 4, not freed
ORIG_RAX: 000000000000010f
RAX: ffffffffffffffda RBX: 00007f50242d76d4 RCX: 0000000000453a59
RDX: 0000000020eb4ff0 RSI: 0000000000000001 RDI: 0000000020d77fe0
RBP: 000000000071bea0 R08: 0000000000000008 R09: 0000000000000000
R10: 00000000201e7000 R11: 0000000000000246 R12: 0000000000000014
R13: 000000000000043d R14: 00000000006f6658 R15: 0000000000000000
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 24, target dead
Code: 03 80 3c 18 00 0f 85 3c 02 00 00 49 8b be 90 01 00 00 e8 04 f7 ff ff 48 89 c2 48 89 c3 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 ca 02 00 00 48 8b 3b be 2b 11 00 00 e8 29 89
RIP: binder_poll+0xa0/0x390 drivers/android/binder.c:4395 RSP: ffff8801acc07658
---[ end trace bf36e8ea3940832f ]---