binder: undelivered TRANSACTION_ERROR: 29189
binder: release 3876:3879 transaction 42 in, still active
binder: send failed reply for transaction 42 to 3876:3879
IPVS: Creating netns size=2552 id=7
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
Read of size 8 at addr ffff8801d174e310 by task kworker/u4:0/6

CPU: 0 PID: 6 Comm: kworker/u4:0 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: binder binder_deferred_func
 0000000000000000 1e83c01fd5e8a2fa ffff8801d9b1fa58 ffffffff81d0408d
 ffffea000745d380 ffff8801d174e310 0000000000000000 ffff8801d174e310
 ffffed003b233779 ffff8801d9b1fa90[   29.683962] binder: 3904:3905 ERROR: BC_REGISTER_LOOPER called without request
 ffffffff814fe143 ffff8801d174e310
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fe143>] print_address_description+0x73/0x260 mm/kasan/report.c:252
binder: release 3904:3905 transaction 49 out, still active
binder: release 3904:3905 transaction 48 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 3904:3907 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 3904:3907 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 3904:3907 BC_FREE_BUFFER u0000000000000000 no match
binder: 3904:3907 ERROR: BC_REGISTER_LOOPER called without request
binder: 3904:3907 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 3904:3907 DecRefs 0 refcount change on invalid ref 3 ret -22
 [<ffffffff814fe655>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fe655>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814fe7b4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81d643a6>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60
 [<ffffffff82c7694e>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff82c7694e>] binder_dequeue_work_head_ilocked drivers/android/binder.c:914 [inline]
 [<ffffffff82c7694e>] binder_dequeue_work_head drivers/android/binder.c:934 [inline]
 [<ffffffff82c7694e>] binder_release_work+0x6e/0x260 drivers/android/binder.c:4356
 [<ffffffff82c76f65>] binder_thread_release+0x425/0x600 drivers/android/binder.c:4564
 [<ffffffff82c7bbd8>] binder_deferred_release drivers/android/binder.c:5105 [inline]
 [<ffffffff82c7bbd8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5177
 [<ffffffff8117fd37>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064
 [<ffffffff81180d19>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190788>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff83773d85>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:506

Allocated by task 3879:
 [<ffffffff81035d96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fd1b3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fd47d>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fd47d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f9400>] kmem_cache_alloc_trace+0x100/0x2b0 mm/slub.c:2642
 [<ffffffff82c86d2c>] kmalloc include/linux/slab.h:476 [inline]
 [<ffffffff82c86d2c>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82c86d2c>] binder_transaction+0x103c/0x7290 drivers/android/binder.c:3057
 [<ffffffff82c8d79f>] binder_thread_write+0x81f/0x33e0 drivers/android/binder.c:3680
 [<ffffffff82c9052f>] binder_ioctl_write_read.isra.55+0x1cf/0xbc0 drivers/android/binder.c:4619
 [<ffffffff82c91b70>] binder_ioctl+0xc50/0x12e0 drivers/android/binder.c:4758
 [<ffffffff8161e5da>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8161e5da>] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

Freed by task 6:
 [<ffffffff81035d96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fd1b3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fdad2>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fdad2>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814fa56c>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814fa56c>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814fa56c>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814fa56c>] kfree+0xfc/0x300 mm/slub.c:3749
 [<ffffffff82c6c0aa>] binder_free_transaction+0x6a/0x90 drivers/android/binder.c:2123
 [<ffffffff82c76585>] binder_send_failed_reply+0x185/0x3a0 drivers/android/binder.c:2156
 [<ffffffff82c76f53>] binder_thread_release+0x413/0x600 drivers/android/binder.c:4563
 [<ffffffff82c7bbd8>] binder_deferred_release drivers/android/binder.c:5105 [inline]
 [<ffffffff82c7bbd8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5177
 [<ffffffff8117fd37>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064
 [<ffffffff81180d19>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190788>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff83773d85>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:506

The buggy address belongs to the object at ffff8801d174e300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801d174e300, ffff8801d174e3c0)
The buggy address belongs to the page:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:973 lock_accessed kernel/locking/lockdep.c:973 [inline]()
WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:973 __bfs+0x2c4/0x5d0 kernel/locking/lockdep.c:1040()