binder: 21215:21217 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 21220:21222 unknown command 287493
binder: 21220:21222 ioctl c0306201 20012000 returned -22
binder: 21220:21222 DecRefs 0 refcount change on invalid ref 0 ret -22
------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1294!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 21207 Comm: syz-executor.5 Not tainted 4.9.190+ #0
task: 00000000db0698bc task.stack: 000000009451b9a6
RIP: 0010:[<ffffffff8252c406>]  [<000000001224adb7>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<000000001224adb7>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<000000001224adb7>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<000000001224adb7>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
RSP: 0018:ffff8801db607b90  EFLAGS: 00010206
RAX: ffff8801cf0aaf80 RBX: ffff8801d1021500 RCX: 1ffff1003a20431d
RDX: 0000000000000100 RSI: ffffffff8252c406 RDI: ffff8801ce0d6508
RBP: ffff8801db607be0 R08: 0000000002080020 R09: ffff8801ce0d6528
R10: ffff88021fffd010 R11: 0000004a796ccfdf R12: 0000000000000000
R13: ffff8801d10216f0 R14: ffff8801ce0d6500 R15: ffff8801d1021744
FS:  00007efd3723d700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000016ceaa0 CR3: 00000001cbc8a000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801ce0d6500 ffff8801d10216f0 ffff8801ce0d6578 ffff880102080020
 000063000000ffcb 0000000000006300 ffff8801d1021500 ffff8801ce0d6500
 000000000000ffcb ffff8801ce0d6534 ffff8801db607c30 ffffffff8253fd65
Call Trace:
 <IRQ> [  317.990875]  [<00000000ee54098d>] tcp_write_wakeup+0x345/0x5b0 net/ipv4/tcp_output.c:3613
 [<00000000baaa06d1>] tcp_send_probe0+0x4b/0x400 net/ipv4/tcp_output.c:3641
 [<00000000d2e1458d>] tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline]
 [<00000000d2e1458d>] tcp_write_timer_handler+0x6a0/0x7a0 net/ipv4/tcp_timer.c:596
 [<00000000349d8724>] tcp_write_timer+0xc5/0x190 net/ipv4/tcp_timer.c:610
 [<00000000c38f1618>] call_timer_fn+0x167/0x6d0 kernel/time/timer.c:1319
 [<00000000c3a39ec0>] expire_timers+0x25b/0x5c0 kernel/time/timer.c:1359
 [<0000000073b72fdc>] __run_timers kernel/time/timer.c:1674 [inline]
 [<0000000073b72fdc>] run_timer_softirq+0x1ff/0x620 kernel/time/timer.c:1687
 [<000000005da2f23f>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
 [<000000001ace36bc>] invoke_softirq kernel/softirq.c:368 [inline]
 [<000000001ace36bc>] irq_exit+0x119/0x160 kernel/softirq.c:409
 [<000000005dee132b>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<000000005dee132b>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:962
 [<00000000f8f5eb4d>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:653
 <EOI> [  318.142602]  [<00000000ee95db92>] ? __read_once_size include/linux/compiler.h:264 [inline]
 <EOI> [  318.142602]  [<00000000ee95db92>] ? depot_save_stack+0x105/0x4a0 lib/stackdepot.c:225
 [<00000000c4f8fdf8>] save_stack mm/kasan/kasan.c:518 [inline]
 [<00000000c4f8fdf8>] set_track mm/kasan/kasan.c:524 [inline]
 [<00000000c4f8fdf8>] kasan_slab_free+0x104/0x190 mm/kasan/kasan.c:589
 [<00000000c9c9ada0>] slab_free_hook mm/slub.c:1355 [inline]
 [<00000000c9c9ada0>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<00000000c9c9ada0>] slab_free mm/slub.c:2958 [inline]
 [<00000000c9c9ada0>] kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 [<000000007ec15c82>] dio_complete+0x514/0x6e0 fs/direct-io.c:286
 [<00000000364ffb19>] do_blockdev_direct_IO fs/direct-io.c:1335 [inline]
 [<00000000364ffb19>] __blockdev_direct_IO+0xa0ae/0xd370 fs/direct-io.c:1361
 [<00000000e900912c>] ext4_direct_IO_write fs/ext4/inode.c:3504 [inline]
 [<00000000e900912c>] ext4_direct_IO+0xa1d/0x29b0 fs/ext4/inode.c:3660
 [<000000000c50cbc2>] generic_file_direct_write+0x293/0x520 mm/filemap.c:2841
 [<00000000459507ad>] __generic_file_write_iter+0x20f/0x530 mm/filemap.c:3021
 [<00000000e9220b48>] ext4_file_write_iter+0x6e7/0xcd0 fs/ext4/file.c:165
 [<0000000040bc2ad5>] vfs_iter_write+0x2e2/0x580 fs/read_write.c:390
 [<0000000018ce8aee>] iter_file_splice_write+0x5a9/0xb10 fs/splice.c:768
 [<00000000f67c560b>] do_splice_from fs/splice.c:870 [inline]
 [<00000000f67c560b>] direct_splice_actor+0x126/0x1a0 fs/splice.c:1037
 [<0000000094733eb6>] splice_direct_to_actor+0x2c8/0x820 fs/splice.c:992
 [<0000000046b62828>] do_splice_direct+0x1a5/0x260 fs/splice.c:1080
 [<0000000024bf7790>] do_sendfile+0x503/0xc00 fs/read_write.c:1402
 [<00000000256680d0>] SYSC_sendfile64 fs/read_write.c:1463 [inline]
 [<00000000256680d0>] SyS_sendfile64+0x145/0x160 fs/read_write.c:1449
 [<00000000986c4d75>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000029e0fe5b>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 4c 8b ab f8 01 00 00 ba 00 00 00 00 4c 3b 6d b8 4c 0f 44 ea e9 f9 fc ff ff e8 6a 5f df fe <0f> 0b e8 f3 20 fd fe e9 6e f0 ff ff e8 e9 20 fd fe e9 68 f3 ff 
RIP  [<000000001224adb7>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP  [<000000001224adb7>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP  [<000000001224adb7>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP  [<000000001224adb7>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
 RSP <ffff8801db607b90>
---[ end trace f74091fa4145bacb ]---