binder: 4079:4080 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 4032:4044 transaction 241 in, still active
binder: send failed reply for transaction 241 to 4032:4044
==================================================================
BUG: KASAN: use-after-free in __list_del_entry+0x1a9/0x1c0 lib/list_debug.c:60
Read of size 8 at addr ffff8801da201510 by task kworker/0:1/25

CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.9.93-gcb02358 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events binder_deferred_func
 ffff8801d951fa58 ffffffff81d9c249 ffffea0007688040 ffff8801da201510
 0000000000000000 ffff8801da201510 ffffed003afd7199 ffff8801d951fa90
 ffffffff8156533b ffff8801da201510 0000000000000008 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256
binder: 4060:4081 transaction failed 29189/-22, size 0-0 line 3010
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4060:4081 transaction failed 29189/-22, size 0-0 line 3010
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report.cold.6+0xac/0x2f5 mm/kasan/report.c:412
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [] __list_del_entry+0x1a9/0x1c0 lib/list_debug.c:60
 [] list_del_init include/linux/list.h:145 [inline]
 [] binder_dequeue_work_head_ilocked drivers/android/binder.c:913 [inline]
 [] binder_dequeue_work_head drivers/android/binder.c:933 [inline]
 [] binder_release_work+0x6f/0x1d0 drivers/android/binder.c:4361
 [] binder_thread_release+0x425/0x520 drivers/android/binder.c:4569
 [] binder_deferred_release drivers/android/binder.c:5110 [inline]
 [] binder_deferred_func+0x44d/0xc30 drivers/android/binder.c:5182
binder: 4063:4083 transaction failed 29189/-22, size 0-0 line 3010
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4063:4083 transaction failed 29189/-22, size 0-0 line 3010
 [] process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
binder: 4060:4081 ERROR: BC_REGISTER_LOOPER called without request
binder: release 4060:4084 transaction 275 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 4067:4085 got new transaction with bad transaction stack, transaction 278 has target 4060:0
binder: 4067:4085 transaction failed 29201/-71, size 0-0 line 3037
binder: release 4067:4085 transaction 278 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
 [] worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
binder: 4070:4086 got new transaction with bad transaction stack, transaction 281 has target 4060:0
binder: 4070:4086 transaction failed 29201/-71, size 0-0 line 3037
binder: release 4070:4086 transaction 281 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4063:4087 ioctl 40046207 0 returned -16
binder: 4063:4083 ERROR: BC_REGISTER_LOOPER called without request
binder: release 4063:4087 transaction 284 out, still active
binder: undelivered TRANSACTION_COMPLETE
 [] kthread+0x26d/0x300 kernel/kthread.c:211
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4067:4088 ioctl 40046207 0 returned -16
binder: 4067:4085 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4067:4088 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4067:4085 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4067:4088 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4073:4089 transaction failed 29189/-3, size 0-0 line 3133
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4070:4090 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4070:4086 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4070:4090 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4070:4086 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4073:4089 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4070:4090 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4076:4091 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4076:4091 transaction failed 29189/-3, size 0-0 line 3133
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4073:4092 ioctl 40046207 0 returned -16
binder: 4073:4089 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4073:4092 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4073:4089 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4073:4092 transaction failed 29189/-3, size 0-0 line 3133
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4076:4093 ioctl 40046207 0 returned -16
binder: 4076:4091 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4076:4093 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4076:4091 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4076:4093 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4079:4094 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4079:4094 transaction failed 29189/-3, size 0-0 line 3133
 [] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Allocated by task 4044:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfd/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 binder_transaction+0x8d5/0x6230 drivers/android/binder.c:3062
 binder_thread_write+0xa40/0x2170 drivers/android/binder.c:3685
 binder_ioctl_write_read.isra.46+0x1eb/0x810 drivers/android/binder.c:4624
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4079:4095 ioctl 40046207 0 returned -16
binder: 4079:4094 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4079:4095 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4079:4094 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 4060: binder_alloc_buf, no vma
binder: 4079:4095 transaction failed 29189/-3, size 0-0 line 3133
 binder_ioctl+0x702/0x1160 drivers/android/binder.c:4763
 C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 compat_SyS_ioctl+0x126/0x1fe0 fs/compat_ioctl.c:1549
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f7/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Freed by task 25:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 binder_free_transaction+0x6a/0x90 drivers/android/binder.c:2122
 binder_send_failed_reply+0x1c3/0x230 drivers/android/binder.c:2161
 binder_thread_release+0x413/0x520 drivers/android/binder.c:4568
 binder_deferred_release drivers/android/binder.c:5110 [inline]
 binder_deferred_func+0x44d/0xc30 drivers/android/binder.c:5182
 process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
 worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
 kthread+0x26d/0x300 kernel/kthread.c:211
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801da201500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
 192-byte region [ffff8801da201500, ffff8801da2015c0)
The buggy address belongs to the page:
page:ffffea0007688040 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801da201400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801da201480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8801da201500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8801da201580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801da201600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================