./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3431556292 <...> Warning: Permanently added '10.128.0.135' (ED25519) to the list of known hosts. execve("./syz-executor3431556292", ["./syz-executor3431556292"], 0x7ffdef7d6ab0 /* 10 vars */) = 0 brk(NULL) = 0x555581915000 brk(0x555581915d00) = 0x555581915d00 arch_prctl(ARCH_SET_FS, 0x555581915380) = 0 set_tid_address(0x555581915650) = 297 set_robust_list(0x555581915660, 24) = 0 rseq(0x555581915ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3431556292", 4096) = 28 getrandom("\xee\xc9\xcd\xc8\x22\xff\x8f\xa4", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555581915d00 brk(0x555581936d00) = 0x555581936d00 brk(0x555581937000) = 0x555581937000 mprotect(0x7fb104e49000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555581915650) = 298 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 ./strace-static-x86_64: Process 298 attached [pid 297] write(3, "1", 1) = 1 [pid 297] close(3) = 0 [pid 297] openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "0", 1) = 1 [pid 297] close(3) = 0 [pid 297] openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "298", 3) = 3 [pid 297] close(3) = 0 [pid 297] kill(298, SIGKILL) = 0 [pid 298] +++ killed by SIGKILL +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=298, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} --- mkdir("./syzkaller.PLJqk4", 0700) = 0 chmod("./syzkaller.PLJqk4", 0777) = 0 chdir("./syzkaller.PLJqk4") = 0 mkdir("./0", 0777) = 0 [ 26.855302][ T30] audit: type=1400 audit(1735341068.100:66): avc: denied { execmem } for pid=297 comm="syz-executor343" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 26.874611][ T30] audit: type=1400 audit(1735341068.110:67): avc: denied { integrity } for pid=297 comm="syz-executor343" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555581915650) = 300 ./strace-static-x86_64: Process 300 attached [pid 300] set_robust_list(0x555581915660, 24) = 0 [pid 300] chdir("./0") = 0 [pid 300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 300] setpgid(0, 0) = 0 [pid 300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 300] write(3, "1000", 4) = 4 [pid 300] close(3) = 0 [pid 300] symlink("/dev/binderfs", "./binderfs") = 0 [pid 300] write(1, "executing program\n", 18executing program ) = 18 [pid 300] memfd_create("syzkaller", 0) = 3 [pid 300] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb0fc996000 [pid 300] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 300] munmap(0x7fb0fc996000, 138412032) = 0 [pid 300] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 300] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 300] close(3) = 0 [ 26.900194][ T30] audit: type=1400 audit(1735341068.150:68): avc: denied { read write } for pid=297 comm="syz-executor343" name="loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 26.924464][ T30] audit: type=1400 audit(1735341068.150:69): avc: denied { open } for pid=297 comm="syz-executor343" path="/dev/loop0" dev="devtmpfs" ino=112 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 26.927541][ T300] loop0: detected capacity change from 0 to 512 [pid 300] close(4) = 0 [pid 300] mkdir("./file0", 0777) = 0 [ 26.948742][ T30] audit: type=1400 audit(1735341068.160:70): avc: denied { ioctl } for pid=297 comm="syz-executor343" path="/dev/loop0" dev="devtmpfs" ino=112 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 26.979930][ T30] audit: type=1400 audit(1735341068.210:71): avc: denied { mounton } for pid=300 comm="syz-executor343" path="/root/syzkaller.PLJqk4/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 27.004592][ T300] EXT4-fs (loop0): Ignoring removed mblk_io_submit option [ 27.011584][ T300] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem [ 27.020107][ T300] [EXT4 FS bs=1024, gc=1, bpg=8192, ipg=32, mo=b016c118, mo2=0002] [ 27.028096][ T300] System zones: 1-12 [ 27.032759][ T300] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2219: inode #15: comm syz-executor343: corrupted in-inode xattr [pid 300] mount("/dev/loop0", "./file0", "ext3", MS_MGC_VAL|MS_NOSUID|MS_NODEV|MS_NOEXEC, "jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000"...) = 0 [pid 300] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 300] chdir("./file0") = 0 [pid 300] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 300] ioctl(4, LOOP_CLR_FD) = 0 [pid 300] close(4) = 0 [pid 300] creat("./bus", 000) = 4 [pid 300] mount("/dev/loop0", "./bus", NULL, MS_NODEV|MS_SYNCHRONOUS|MS_BIND, NULL) = 0 [pid 300] mknod("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 000) = 0 [pid 300] link("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 300] link("./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 300] rename("./file0", "./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") = 0 [pid 300] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_CLOEXEC) = 5 [pid 300] mmap(0x20000000, 8388608, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0x1000) = 0x20000000 [pid 300] sendmsg(-1, 0x200001c0, 0) = -1 EBADF (Bad file descriptor) [pid 300] exit_group(0) = ? [pid 300] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=300, si_uid=0, si_status=0, si_utime=0, si_stime=9} --- umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555819166f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=3072, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [ 27.045152][ T300] EXT4-fs error (device loop0): ext4_orphan_get:1406: comm syz-executor343: couldn't read orphan inode 15 (err -117) [ 27.057484][ T300] EXT4-fs (loop0): mounted filesystem without journal. Opts: jqfmt=vfsold,data_err=abort,debug,noload,mblk_io_submit,commit=0x0000000000000005,init_itable=0x0000000000000601,grpquota,,errors=continue. Quota mode: writeback. [ 27.079153][ T30] audit: type=1400 audit(1735341068.330:72): avc: denied { mount } for pid=300 comm="syz-executor343" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 27.100950][ T30] audit: type=1400 audit(1735341068.330:73): avc: denied { write } for pid=300 comm="syz-executor343" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 27.104441][ T297] ================================================================== [ 27.122705][ T30] audit: type=1400 audit(1735341068.330:74): avc: denied { add_name } for pid=300 comm="syz-executor343" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 27.130468][ T297] BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x131b/0x13e0 [ 27.150999][ T30] audit: type=1400 audit(1735341068.330:75): avc: denied { create } for pid=300 comm="syz-executor343" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 27.158675][ T297] Read of size 1 at addr ffff88811a671a67 by task syz-executor343/297 [ 27.158690][ T297] [ 27.158703][ T297] CPU: 1 PID: 297 Comm: syz-executor343 Not tainted 5.15.173-syzkaller-00161-gb4bd207b0380 #0 [ 27.198950][ T297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 27.208850][ T297] Call Trace: [ 27.211967][ T297] [ 27.214746][ T297] dump_stack_lvl+0x151/0x1c0 [ 27.219257][ T297] ? io_uring_drop_tctx_refs+0x190/0x190 [ 27.224724][ T297] ? panic+0x760/0x760 [ 27.228630][ T297] print_address_description+0x87/0x3b0 [ 27.234012][ T297] kasan_report+0x179/0x1c0 [ 27.238353][ T297] ? ext4_htree_fill_tree+0x131b/0x13e0 [ 27.243735][ T297] ? ext4_htree_fill_tree+0x131b/0x13e0 [ 27.249115][ T297] __asan_report_load1_noabort+0x14/0x20 [ 27.254582][ T297] ext4_htree_fill_tree+0x131b/0x13e0 [ 27.259791][ T297] ? ext4_handle_dirty_dirblock+0x6d0/0x6d0 [ 27.265521][ T297] ? __kasan_kmalloc+0x9/0x10 [ 27.270031][ T297] ? ext4_readdir+0x523/0x3960 [ 27.274629][ T297] ext4_readdir+0x2f75/0x3960 [ 27.279143][ T297] ? __kasan_check_write+0x14/0x20 [ 27.284090][ T297] ? compat_start_thread+0x20/0x20 [ 27.289038][ T297] ? down_read_killable+0x1035/0x1b10 [ 27.294246][ T297] ? down_read_interruptible+0x1bf0/0x1bf0 [ 27.299888][ T297] ? finish_task_switch+0x167/0x7b0 [ 27.304922][ T297] ? ext4_dir_llseek+0x540/0x540 [ 27.309694][ T297] ? __schedule+0xcd4/0x1590 [ 27.314123][ T297] ? __kasan_check_read+0x11/0x20 [ 27.318983][ T297] ? security_file_permission+0x86/0xb0 [ 27.324364][ T297] iterate_dir+0x265/0x600 [ 27.328617][ T297] ? ext4_dir_llseek+0x540/0x540 [ 27.333391][ T297] __se_sys_getdents64+0x1c1/0x460 [ 27.338337][ T297] ? __x64_sys_getdents64+0x90/0x90 [ 27.343371][ T297] ? filldir+0x680/0x680 [ 27.347451][ T297] __x64_sys_getdents64+0x7b/0x90 [ 27.352312][ T297] x64_sys_call+0x5ae/0x9a0 [ 27.356658][ T297] do_syscall_64+0x3b/0xb0 [ 27.360901][ T297] ? clear_bhb_loop+0x35/0x90 [ 27.365417][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.371144][ T297] RIP: 0033:0x7fb104dfd573 [ 27.375401][ T297] Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 47 fb ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 [ 27.394840][ T297] RSP: 002b:00007ffc8efce7e8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 [ 27.403083][ T297] RAX: ffffffffffffffda RBX: 000055558191e730 RCX: 00007fb104dfd573 [ 27.410894][ T297] RDX: 0000000000008000 RSI: 000055558191e730 RDI: 0000000000000004 [ 27.418705][ T297] RBP: 000055558191e704 R08: 0000000000000000 R09: 0000000000000000 [ 27.426516][ T297] R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb8 [ 27.434504][ T297] R13: 0000000000000010 R14: 000055558191e700 R15: 00007ffc8efd0a60 [ 27.442316][ T297] [ 27.445178][ T297] [ 27.447348][ T297] The buggy address belongs to the page: [ 27.452826][ T297] page:ffffea0004699c40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a671 [ 27.462891][ T297] flags: 0x4000000000000000(zone=1) [ 27.467926][ T297] raw: 4000000000000000 ffffea0004699c88 ffffea0004699c08 0000000000000000 [ 27.476342][ T297] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 27.484756][ T297] page dumped because: kasan: bad access detected [ 27.491010][ T297] page_owner tracks the page as freed [ 27.496220][ T297] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 279, ts 20828983642, free_ts 20829081258 [ 27.511144][ T297] post_alloc_hook+0x1a3/0x1b0 [ 27.515739][ T297] prep_new_page+0x1b/0x110 [ 27.520081][ T297] get_page_from_freelist+0x3550/0x35d0 [ 27.525460][ T297] __alloc_pages+0x27e/0x8f0 [ 27.529894][ T297] pipe_write+0x551/0x1930 [ 27.534139][ T297] vfs_write+0xd5d/0x1110 [ 27.538307][ T297] ksys_write+0x199/0x2c0 [ 27.542471][ T297] __x64_sys_write+0x7b/0x90 [ 27.546901][ T297] x64_sys_call+0x2f/0x9a0 [ 27.551151][ T297] do_syscall_64+0x3b/0xb0 [ 27.555405][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.561139][ T297] page last free stack trace: [ 27.565651][ T297] free_unref_page_prepare+0x7c8/0x7d0 [ 27.570942][ T297] free_unref_page+0xe8/0x750 [ 27.575457][ T297] __put_page+0xb0/0xe0 [ 27.579445][ T297] anon_pipe_buf_release+0x187/0x200 [ 27.584566][ T297] pipe_read+0x5a6/0x1040 [ 27.588734][ T297] vfs_read+0xa81/0xd40 [ 27.592723][ T297] ksys_read+0x199/0x2c0 [ 27.596804][ T297] __x64_sys_read+0x7b/0x90 [ 27.601144][ T297] x64_sys_call+0x28/0x9a0 [ 27.605397][ T297] do_syscall_64+0x3b/0xb0 [ 27.609649][ T297] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 27.615381][ T297] [ 27.617557][ T297] Memory state around the buggy address: [ 27.623021][ T297] ffff88811a671900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.630916][ T297] ffff88811a671980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.638814][ T297] >ffff88811a671a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.646711][ T297] ^ newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=3072, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558191e730 /* 1 entries */, 32768) = 176 umount2("\x2e\x2f\x30\x2f\x66\x69\x6c\x65\x30\x2f\xf7\x6c\x70\xb6\x3b\xa7\x71\x1b\x28\x03\x02\x02\x2e\x2e", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x66\x69\x6c\x65\x30\x2f\xf7\x6c\x70\xb6\x3b\xa7\x71\x1b\x28\x03\x02\x02\x2e\x2e", 0x7ffc8efce850, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory) exit_group(1) = ? +++ exited with 1 +++ [ 27.653741][ T297] ffff88811a671a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.661642][ T297] ffff88811a671b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 27.669537][ T297] ================================================================== [ 27.677434][ T297] Disabling lock debugging due to kernel taint