./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1685730590 <...> Warning: Permanently added '10.128.1.90' (ED25519) to the list of known hosts. execve("./syz-executor1685730590", ["./syz-executor1685730590"], 0x7ffdc10517f0 /* 10 vars */) = 0 brk(NULL) = 0x555569e85000 brk(0x555569e85d40) = 0x555569e85d40 arch_prctl(ARCH_SET_FS, 0x555569e853c0) = 0 set_tid_address(0x555569e85690) = 5775 set_robust_list(0x555569e856a0, 24) = 0 rseq(0x555569e85ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1685730590", 4096) = 28 getrandom("\x9d\x45\x4f\x95\xc6\x55\xfe\x8e", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555569e85d40 brk(0x555569ea6d40) = 0x555569ea6d40 brk(0x555569ea7000) = 0x555569ea7000 mprotect(0x7eff374fa000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555569e85690) = 5776 ./strace-static-x86_64: Process 5776 attached [pid 5776] set_robust_list(0x555569e856a0, 24) = 0 [pid 5776] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5776] setpgid(0, 0) = 0 [pid 5776] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5776] write(3, "1000", 4) = 4 executing program [pid 5776] close(3) = 0 [pid 5776] write(1, "executing program\n", 18) = 18 [pid 5776] futex(0x7eff3750036c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5776] rt_sigaction(SIGRT_1, {sa_handler=0x7eff3749d3b0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7eff3748ea30}, NULL, 8) = 0 [pid 5776] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5776] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7eff37411000 [pid 5776] mprotect(0x7eff37412000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5776] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5776] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7eff37431990, parent_tid=0x7eff37431990, exit_signal=0, stack=0x7eff37411000, stack_size=0x20300, tls=0x7eff374316c0}./strace-static-x86_64: Process 5777 attached [pid 5777] rseq(0x7eff37431fe0, 0x20, 0, 0x53053053) = 0 [pid 5776] <... clone3 resumed> => {parent_tid=[5777]}, 88) = 5777 [pid 5777] set_robust_list(0x7eff374319a0, 24 [pid 5776] rt_sigprocmask(SIG_SETMASK, [], [pid 5777] <... set_robust_list resumed>) = 0 [pid 5776] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5777] rt_sigprocmask(SIG_SETMASK, [], [pid 5776] futex(0x7eff37500368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5777] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5777] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR [pid 5776] <... futex resumed>) = 0 [pid 5776] futex(0x7eff3750036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5777] <... openat resumed>) = 3 [pid 5777] futex(0x7eff3750036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5777] futex(0x7eff37500368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5776] <... futex resumed>) = 0 [pid 5776] futex(0x7eff37500368, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5777] <... futex resumed>) = 0 [pid 5777] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0), 0x200000c0) = 0 [pid 5776] futex(0x7eff3750036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5777] futex(0x7eff3750036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5776] <... futex resumed>) = 0 [pid 5777] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC [pid 5776] futex(0x7eff37500368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5776] futex(0x7eff3750036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5777] <... socket resumed>) = 4 [pid 5777] futex(0x7eff3750036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5776] <... futex resumed>) = 0 [pid 5777] futex(0x7eff37500368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5776] futex(0x7eff37500368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5777] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5776] <... futex resumed>) = 0 [pid 5777] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5776] futex(0x7eff3750036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5777] <... sendto resumed>) = 28 [pid 5777] recvfrom(4, [{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5776}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x20\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5777] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5776}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5777] futex(0x7eff3750036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5776] <... futex resumed>) = 0 [pid 5776] futex(0x7eff37500368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5776] futex(0x7eff3750036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5777] sendmsg(4, {msg_name=NULL, msg_namelen=-153, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5776] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5776] futex(0x7eff3750037c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5776] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7eff373f0000 [pid 5776] mprotect(0x7eff373f1000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5776] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5776] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7eff37410990, parent_tid=0x7eff37410990, exit_signal=0, stack=0x7eff373f0000, stack_size=0x20300, tls=0x7eff374106c0}./strace-static-x86_64: Process 5782 attached [pid 5782] rseq(0x7eff37410fe0, 0x20, 0, 0x53053053) = 0 [pid 5776] <... clone3 resumed> => {parent_tid=[5782]}, 88) = 5782 [pid 5782] set_robust_list(0x7eff374109a0, 24 [pid 5776] rt_sigprocmask(SIG_SETMASK, [], [pid 5782] <... set_robust_list resumed>) = 0 [pid 5776] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5782] rt_sigprocmask(SIG_SETMASK, [], [pid 5776] futex(0x7eff37500378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5782] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5776] <... futex resumed>) = 0 [pid 5782] write(3, "\x61\x03\x05\xf8\x01\x06\x01\x03\x01\x88", 10 [pid 5776] futex(0x7eff3750037c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5782] <... write resumed>) = 10 [pid 5782] futex(0x7eff3750037c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5776] <... futex resumed>) = 0 [pid 5782] <... futex resumed>) = 1 [ 180.692249][ T4197] nci: nci_add_new_protocol: the target found does not have the desired protocol [ 180.701778][ T4197] ===================================================== [ 180.709165][ T4197] BUG: KMSAN: uninit-value in nci_ntf_packet+0x2388/0x3ce0 [ 180.716663][ T4197] nci_ntf_packet+0x2388/0x3ce0 [ 180.721663][ T4197] nci_rx_work+0x408/0x6f0 [ 180.726456][ T4197] process_scheduled_works+0xae0/0x1c40 [ 180.732210][ T4197] worker_thread+0xea7/0x14f0 [ 180.737299][ T4197] kthread+0x6b9/0xef0 [ 180.741541][ T4197] ret_from_fork+0x6d/0x90 [ 180.746263][ T4197] ret_from_fork_asm+0x1a/0x30 [ 180.751177][ T4197] [ 180.753741][ T4197] Uninit was created at: [ 180.758157][ T4197] kmem_cache_alloc_node_noprof+0x907/0xe00 [ 180.764365][ T4197] kmalloc_reserve+0x13d/0x4a0 [ 180.769337][ T4197] __alloc_skb+0x363/0x7b0 [ 180.774095][ T4197] virtual_ncidev_write+0x67/0x380 [ 180.779446][ T4197] vfs_write+0x48a/0x1540 [ 180.784130][ T4197] ksys_write+0x240/0x4b0 [ 180.788616][ T4197] __x64_sys_write+0x93/0xe0 [ 180.793323][ T4197] x64_sys_call+0x3161/0x3c30 [ 180.798361][ T4197] do_syscall_64+0xcd/0x1e0 [ 180.803087][ T4197] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 180.809384][ T4197] [ 180.811810][ T4197] CPU: 0 UID: 0 PID: 4197 Comm: kworker/u8:23 Not tainted 6.13.0-syzkaller-07632-gaa22f4da2a46 #0 [ 180.822726][ T4197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 180.833009][ T4197] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 180.838876][ T4197] ===================================================== [ 180.846059][ T4197] Disabling lock debugging due to kernel taint [ 180.852329][ T4197] Kernel panic - not syncing: kmsan.panic set ... [ 180.858880][ T4197] CPU: 0 UID: 0 PID: 4197 Comm: kworker/u8:23 Tainted: G B 6.13.0-syzkaller-07632-gaa22f4da2a46 #0 [ 180.871163][ T4197] Tainted: [B]=BAD_PAGE [ 180.875400][ T4197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 180.885575][ T4197] Workqueue: nfc2_nci_rx_wq nci_rx_work [pid 5782] futex(0x7eff37500378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5776] exit_group(0 [pid 5782] <... futex resumed>) = ? [pid 5776] <... exit_group resumed>) = ? [pid 5782] +++ exited with 0 +++ [pid 5777] <... sendmsg resumed>) = ? [ 180.891326][ T4197] Call Trace: [ 180.894694][ T4197] [ 180.897732][ T4197] dump_stack_lvl+0x216/0x2d0 [ 180.902591][ T4197] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 180.908628][ T4197] dump_stack+0x1e/0x24 [ 180.912955][ T4197] panic+0x4e2/0xcf0 [ 180.917073][ T4197] ? kmsan_get_metadata+0x51/0x1c0 [ 180.922879][ T4197] kmsan_report+0x2c7/0x2d0 [ 180.927505][ T4197] ? vprintk_emit+0xd5c/0xea0 [ 180.932270][ T4197] ? stack_depot_save_flags+0x6db/0x750 [ 180.937939][ T4197] ? __msan_warning+0x95/0x120 [ 180.942803][ T4197] ? nci_ntf_packet+0x2388/0x3ce0 [ 180.947982][ T4197] ? nci_rx_work+0x408/0x6f0 [ 180.952760][ T4197] ? process_scheduled_works+0xae0/0x1c40 [ 180.958600][ T4197] ? worker_thread+0xea7/0x14f0 [ 180.963589][ T4197] ? kthread+0x6b9/0xef0 [ 180.967953][ T4197] ? ret_from_fork+0x6d/0x90 [ 180.972651][ T4197] ? ret_from_fork_asm+0x1a/0x30 [ 180.977688][ T4197] ? vprintk_default+0x3e/0x50 [ 180.982565][ T4197] ? vprintk+0x35/0x40 [ 180.986798][ T4197] ? _printk+0x157/0x190 [ 180.991165][ T4197] ? kmsan_get_metadata+0x13e/0x1c0 [ 180.996480][ T4197] ? nci_add_new_protocol+0x159/0x870 [ 181.001973][ T4197] ? nci_add_new_protocol+0x51/0x870 [ 181.007384][ T4197] ? nci_add_new_protocol+0x5a0/0x870 [ 181.012915][ T4197] __msan_warning+0x95/0x120 [ 181.017697][ T4197] nci_ntf_packet+0x2388/0x3ce0 [ 181.023184][ T4197] ? kmsan_get_metadata+0x13e/0x1c0 [ 181.028504][ T4197] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 181.034703][ T4197] ? nfc_send_to_raw_sock+0x508/0x530 [ 181.040208][ T4197] nci_rx_work+0x408/0x6f0 [ 181.044739][ T4197] ? __pfx_nci_rx_work+0x10/0x10 [ 181.049799][ T4197] process_scheduled_works+0xae0/0x1c40 [ 181.055538][ T4197] worker_thread+0xea7/0x14f0 [ 181.060323][ T4197] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 181.066264][ T4197] kthread+0x6b9/0xef0 [ 181.070434][ T4197] ? __pfx_worker_thread+0x10/0x10 [ 181.075657][ T4197] ? __pfx_kthread+0x10/0x10 [ 181.080351][ T4197] ret_from_fork+0x6d/0x90 [ 181.084905][ T4197] ? __pfx_kthread+0x10/0x10 [ 181.089669][ T4197] ret_from_fork_asm+0x1a/0x30 [ 181.094535][ T4197] [ 181.097906][ T4197] Kernel Offset: disabled [ 181.102295][ T4197] Rebooting in 86400 seconds..