binder: send failed reply for transaction 4 to 6473:6484
binder: 6489:6498 ERROR: BC_REGISTER_LOOPER called without request
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x1a9/0x1c0 lib/list_debug.c:60
Read of size 8 at addr ffff8801ce846110 by task kworker/u4:3/488

CPU: 0 PID: 488 Comm: kworker/u4:3 Not tainted 4.4.128-gbd23e3a #20
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: binder binder_deferred_func
 0000000000000000 b5a8f4225b163e4f ffff8800bb1c7a50 ffffffff81e0daad
 ffffea00073a1180 ffff8801ce846110 0000000000000000 ffff8801ce846110
 ffffed0016b39239 ffff8800bb1c7a88 ffffffff815150ac ffff8801ce846110
Call Trace:
 [<ffffffff81e0daad>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e0daad>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff815150ac>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff815153cb>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff815153cb>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f8ec4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81e6db39>] __list_del_entry+0x1a9/0x1c0 lib/list_debug.c:60
 [<ffffffff82d6558f>] list_del_init include/linux/list.h:145 [inline]
 [<ffffffff82d6558f>] binder_dequeue_work_head_ilocked drivers/android/binder.c:914 [inline]
 [<ffffffff82d6558f>] binder_dequeue_work_head drivers/android/binder.c:934 [inline]
 [<ffffffff82d6558f>] binder_release_work+0x6f/0x1d0 drivers/android/binder.c:4362
 [<ffffffff82d65b12>] binder_thread_release+0x422/0x520 drivers/android/binder.c:4570
 [<ffffffff82d66037>] binder_deferred_release drivers/android/binder.c:5111 [inline]
 [<ffffffff82d66037>] binder_deferred_func+0x427/0xc00 drivers/android/binder.c:5183
 [<ffffffff81181d3f>] process_one_work+0x7df/0x1600 kernel/workqueue.c:2064
 [<ffffffff81182c39>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190748>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff838beb95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

Allocated by task 6484:
 [<ffffffff810341d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f7f73>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f8257>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f8257>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f4604>] kmem_cache_alloc_trace+0x104/0x2c0 mm/slub.c:2642
 [<ffffffff82d72954>] kmalloc include/linux/slab.h:476 [inline]
 [<ffffffff82d72954>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82d72954>] binder_transaction+0x8d4/0x6490 drivers/android/binder.c:3063
 [<ffffffff82d78f2f>] binder_thread_write+0xa1f/0x2240 drivers/android/binder.c:3686
 [<ffffffff82d7a91d>] binder_ioctl_write_read.isra.47+0x1cd/0x920 drivers/android/binder.c:4625
 [<ffffffff82d7b864>] binder_ioctl+0x7f4/0x1210 drivers/android/binder.c:4764
 [<ffffffff8155929f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff8155929f>] file_ioctl fs/ioctl.c:470 [inline]
 [<ffffffff8155929f>] do_vfs_ioctl+0x63f/0xf40 fs/ioctl.c:605
 [<ffffffff81559c2f>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff81559c2f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
 [<ffffffff838be765>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 488:
 [<ffffffff810341d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f7f73>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f88a2>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f88a2>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814f5da4>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814f5da4>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814f5da4>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814f5da4>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff82d5950a>] binder_free_transaction+0x6a/0x90 drivers/android/binder.c:2123
 [<ffffffff82d653b3>] binder_send_failed_reply+0x1c3/0x230 drivers/android/binder.c:2162
 [<ffffffff82d65b00>] binder_thread_release+0x410/0x520 drivers/android/binder.c:4569
 [<ffffffff82d66037>] binder_deferred_release drivers/android/binder.c:5111 [inline]
 [<ffffffff82d66037>] binder_deferred_func+0x427/0xc00 drivers/android/binder.c:5183
 [<ffffffff81181d3f>] process_one_work+0x7df/0x1600 kernel/workqueue.c:2064
 [<ffffffff81182c39>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81190748>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff838beb95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

The buggy address belongs to the object at ffff8801ce846100
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801ce846100, ffff8801ce8461c0)
The buggy address belongs to the page:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:973 lock_accessed kernel/locking/lockdep.c:973 [inline]()
WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:973 __bfs+0x2aa/0x5f0 kernel/locking/lockdep.c:1040()