./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor935088652 <...> Warning: Permanently added '10.128.1.144' (ED25519) to the list of known hosts. execve("./syz-executor935088652", ["./syz-executor935088652"], 0x7ffee31135a0 /* 10 vars */) = 0 brk(NULL) = 0x555555e39000 brk(0x555555e39d40) = 0x555555e39d40 arch_prctl(ARCH_SET_FS, 0x555555e393c0) = 0 set_tid_address(0x555555e39690) = 5010 set_robust_list(0x555555e396a0, 24) = 0 rseq(0x555555e39ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor935088652", 4096) = 27 getrandom("\xe7\xb5\xdf\x6a\x56\x28\xf6\x01", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555555e39d40 brk(0x555555e5ad40) = 0x555555e5ad40 brk(0x555555e5b000) = 0x555555e5b000 mprotect(0x7f9423343000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e39690) = 5011 ./strace-static-x86_64: Process 5011 attached [pid 5011] set_robust_list(0x555555e396a0, 24) = 0 [pid 5011] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5011] setpgid(0, 0) = 0 [pid 5011] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5011] write(3, "1000", 4) = 4 [pid 5011] close(3) = 0 [pid 5011] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] rt_sigaction(SIGRT_1, {sa_handler=0x7f94232e63f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f94232d7a70}, NULL, 8) = 0 [pid 5011] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5011] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9423260000 [pid 5011] mprotect(0x7f9423261000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5011] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5011] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f9423280990, parent_tid=0x7f9423280990, exit_signal=0, stack=0x7f9423260000, stack_size=0x20300, tls=0x7f94232806c0}./strace-static-x86_64: Process 5012 attached => {parent_tid=[5012]}, 88) = 5012 [pid 5011] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5012] rseq(0x7f9423280fe0, 0x20, 0, 0x53053053) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] set_robust_list(0x7f94232809a0, 24) = 0 [pid 5012] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5012] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR) = 3 [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5012] futex(0x7f9423349368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5011] <... futex resumed>) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] <... futex resumed>) = 0 [pid 5012] write(-1, "\x60\x00\x00\x00", 4) = -1 EBADF (Bad file descriptor) [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5012] futex(0x7f9423349368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5011] <... futex resumed>) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5012] <... futex resumed>) = 0 [pid 5011] <... futex resumed>) = 1 [pid 5012] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] <... socket resumed>) = 4 [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] <... futex resumed>) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5012] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5011] <... futex resumed>) = 0 [pid 5012] <... sendto resumed>) = 28 [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] recvfrom(4, [{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5011}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5012] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5011}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] <... futex resumed>) = 0 [pid 5012] futex(0x7f9423349368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5012] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5011] <... futex resumed>) = 0 [pid 5012] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] <... socket resumed>) = 5 [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] <... futex resumed>) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5012] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0) [pid 5011] <... futex resumed>) = 0 [pid 5012] <... ioctl resumed>, 0x20000180) = 0 [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] futex(0x7f942334936c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] <... futex resumed>) = 0 [pid 5011] futex(0x7f9423349368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] futex(0x7f942334936c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5012] sendmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5011] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5011] futex(0x7f942334937c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f942323f000 [pid 5011] mprotect(0x7f9423240000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5011] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5011] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f942325f990, parent_tid=0x7f942325f990, exit_signal=0, stack=0x7f942323f000, stack_size=0x20300, tls=0x7f942325f6c0}./strace-static-x86_64: Process 5017 attached => {parent_tid=[5017]}, 88) = 5017 [pid 5011] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5011] futex(0x7f9423349378, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] futex(0x7f942334937c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5017] rseq(0x7f942325ffe0, 0x20, 0, 0x53053053) = 0 [pid 5017] set_robust_list(0x7f942325f9a0, 24) = 0 [pid 5017] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5017] write(3, "\x60\x00\x00", 3) = 3 [pid 5017] futex(0x7f942334937c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5017] futex(0x7f9423349378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5011] <... futex resumed>) = 0 [ 160.984334][ T5012] ===================================================== [ 160.991746][ T5012] BUG: KMSAN: uninit-value in nci_dev_up+0xfec/0x1b10 [ 160.998789][ T5012] nci_dev_up+0xfec/0x1b10 [ 161.003719][ T5012] nfc_dev_up+0x26e/0x440 [ 161.008249][ T5012] nfc_genl_dev_up+0xfe/0x1d0 [ 161.013293][ T5012] genl_rcv_msg+0x11ec/0x1290 [ 161.018290][ T5012] netlink_rcv_skb+0x371/0x650 [ 161.023448][ T5012] genl_rcv+0x40/0x60 [ 161.027677][ T5012] netlink_unicast+0xf47/0x1250 [ 161.033004][ T5012] netlink_sendmsg+0x1238/0x13d0 [ 161.038178][ T5012] ____sys_sendmsg+0x9c2/0xd60 [ 161.043325][ T5012] ___sys_sendmsg+0x28d/0x3c0 [ 161.048250][ T5012] __x64_sys_sendmsg+0x307/0x490 [ 161.053536][ T5012] do_syscall_64+0x6d/0x140 [ 161.058254][ T5012] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 161.064552][ T5012] [ 161.066983][ T5012] Uninit was stored to memory at: [ 161.072395][ T5012] nci_ntf_packet+0x19dc/0x39c0 [ 161.077442][ T5012] nci_rx_work+0x213/0x500 [ 161.082302][ T5012] process_scheduled_works+0x104e/0x1e70 [ 161.088214][ T5012] worker_thread+0xf45/0x1490 [ 161.093222][ T5012] kthread+0x3ed/0x540 [ 161.097517][ T5012] ret_from_fork+0x66/0x80 [ 161.102254][ T5012] ret_from_fork_asm+0x11/0x20 [ 161.107232][ T5012] [ 161.109920][ T5012] Uninit was created at: [ 161.114426][ T5012] slab_post_alloc_hook+0x129/0xa70 [ 161.119988][ T5012] kmem_cache_alloc_node+0x5e9/0xb10 [ 161.125484][ T5012] kmalloc_reserve+0x13d/0x4a0 [ 161.130563][ T5012] __alloc_skb+0x318/0x740 [ 161.135196][ T5012] virtual_ncidev_write+0x6d/0x280 [ 161.140698][ T5012] vfs_write+0x48b/0x1200 [ 161.145384][ T5012] ksys_write+0x20f/0x4c0 [ 161.150070][ T5012] __x64_sys_write+0x93/0xd0 [ 161.154851][ T5012] do_syscall_64+0x6d/0x140 [ 161.159765][ T5012] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 161.165911][ T5012] [ 161.168528][ T5012] CPU: 1 PID: 5012 Comm: syz-executor935 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 [pid 5011] exit_group(0) = ? [pid 5017] <... futex resumed>) = ? [pid 5017] +++ exited with 0 +++ [ 161.179084][ T5012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 161.189914][ T5012] ===================================================== [ 161.197072][ T5012] Disabling lock debugging due to kernel taint [ 161.203594][ T5012] Kernel panic - not syncing: kmsan.panic set ... [ 161.210169][ T5012] CPU: 1 PID: 5012 Comm: syz-executor935 Tainted: G B 6.7.0-syzkaller-00562-g9f8413c4a66f #0 [ 161.221927][ T5012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 161.232153][ T5012] Call Trace: [ 161.235574][ T5012] [ 161.238656][ T5012] dump_stack_lvl+0x1bf/0x240 [ 161.243613][ T5012] dump_stack+0x1e/0x20 [ 161.247938][ T5012] panic+0x4de/0xc90 [ 161.252216][ T5012] ? add_taint+0x108/0x1a0 [ 161.256842][ T5012] kmsan_report+0x2d0/0x2d0 [ 161.261690][ T5012] ? __msan_warning+0x96/0x110 [ 161.266778][ T5012] ? nci_dev_up+0xfec/0x1b10 [ 161.271612][ T5012] ? nfc_dev_up+0x26e/0x440 [ 161.276305][ T5012] ? nfc_genl_dev_up+0xfe/0x1d0 [ 161.281367][ T5012] ? genl_rcv_msg+0x11ec/0x1290 [ 161.286463][ T5012] ? netlink_rcv_skb+0x371/0x650 [ 161.291541][ T5012] ? genl_rcv+0x40/0x60 [ 161.295838][ T5012] ? netlink_unicast+0xf47/0x1250 [ 161.301002][ T5012] ? netlink_sendmsg+0x1238/0x13d0 [ 161.306304][ T5012] ? ____sys_sendmsg+0x9c2/0xd60 [ 161.311486][ T5012] ? ___sys_sendmsg+0x28d/0x3c0 [ 161.316628][ T5012] ? __x64_sys_sendmsg+0x307/0x490 [ 161.321985][ T5012] ? do_syscall_64+0x6d/0x140 [ 161.326826][ T5012] ? entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 161.333068][ T5012] ? __timer_delete_sync+0x4c7/0x510 [ 161.338639][ T5012] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 161.345076][ T5012] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0 [ 161.351173][ T5012] ? _raw_spin_unlock_irqrestore+0x3f/0x60 [ 161.357193][ T5012] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 161.363707][ T5012] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0 [ 161.369783][ T5012] __msan_warning+0x96/0x110 [ 161.374531][ T5012] nci_dev_up+0xfec/0x1b10 [ 161.379184][ T5012] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0 [ 161.385275][ T5012] ? nci_core_ntf_packet+0x340/0x340 [ 161.390838][ T5012] nfc_dev_up+0x26e/0x440 [ 161.395294][ T5012] ? nfc_get_device+0x70/0xe0 [ 161.400099][ T5012] nfc_genl_dev_up+0xfe/0x1d0 [ 161.404934][ T5012] ? nfc_genl_dump_devices_done+0xe0/0xe0 [ 161.410806][ T5012] genl_rcv_msg+0x11ec/0x1290 [ 161.415746][ T5012] ? nfc_genl_dump_devices_done+0xe0/0xe0 [ 161.421696][ T5012] netlink_rcv_skb+0x371/0x650 [ 161.426689][ T5012] ? genl_bind+0x560/0x560 [ 161.431357][ T5012] ? genl_pernet_exit+0x60/0x60 [ 161.436456][ T5012] genl_rcv+0x40/0x60 [ 161.440754][ T5012] netlink_unicast+0xf47/0x1250 [ 161.445794][ T5012] netlink_sendmsg+0x1238/0x13d0 [ 161.450913][ T5012] ? netlink_getsockopt+0x980/0x980 [ 161.456311][ T5012] ____sys_sendmsg+0x9c2/0xd60 [ 161.461416][ T5012] ___sys_sendmsg+0x28d/0x3c0 [ 161.466389][ T5012] ? __rcu_read_unlock+0x7a/0xd0 [ 161.471592][ T5012] ? __fget_files+0x513/0x5e0 [ 161.476544][ T5012] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0 [ 161.482605][ T5012] __x64_sys_sendmsg+0x307/0x490 [ 161.487743][ T5012] do_syscall_64+0x6d/0x140 [ 161.492472][ T5012] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 161.498619][ T5012] RIP: 0033:0x7f94232c0309 [ 161.503281][ T5012] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 161.523031][ T5012] RSP: 002b:00007f9423280238 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 161.531606][ T5012] RAX: ffffffffffffffda RBX: 00007f9423349368 RCX: 00007f94232c0309 [ 161.539744][ T5012] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000005 [ 161.547845][ T5012] RBP: 00007f9423349360 R08: 00007f94232806c0 R09: 00007f94232806c0 [ 161.555999][ T5012] R10: 00007f94232806c0 R11: 0000000000000246 R12: 00007f9423316064 [ 161.564456][ T5012] R13: 0000000000000000 R14: 00007ffcec060510 R15: 00007ffcec0605f8 [ 161.572676][ T5012] [ 161.576075][ T5012] Kernel Offset: disabled [ 161.580483][ T5012] Rebooting in 86400 seconds..