./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1939908395 <...> Warning: Permanently added '10.128.1.86' (ED25519) to the list of known hosts. execve("./syz-executor1939908395", ["./syz-executor1939908395"], 0x7ffd7a0f5fd0 /* 10 vars */) = 0 brk(NULL) = 0x55555614e000 brk(0x55555614ed40) = 0x55555614ed40 arch_prctl(ARCH_SET_FS, 0x55555614e3c0) = 0 set_tid_address(0x55555614e690) = 5057 set_robust_list(0x55555614e6a0, 24) = 0 rseq(0x55555614ece0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1939908395", 4096) = 28 getrandom("\x62\x94\xdb\x00\x94\x94\x9f\x35", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555614ed40 brk(0x55555616fd40) = 0x55555616fd40 brk(0x555556170000) = 0x555556170000 mprotect(0x7fa0a3cfd000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555614e690) = 5058 ./strace-static-x86_64: Process 5058 attached [pid 5058] set_robust_list(0x55555614e6a0, 24) = 0 [pid 5058] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5058] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5058] setsid() = 1 [pid 5058] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 5058] dup2(3, 201) = 201 [pid 5058] close(3) = 0 [pid 5058] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5058] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5058] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5058] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5058] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5058] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5058] unshare(CLONE_NEWNS) = 0 [pid 5058] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5058] unshare(CLONE_NEWIPC) = 0 [pid 5058] unshare(CLONE_NEWCGROUP) = 0 [pid 5058] unshare(CLONE_NEWUTS) = 0 [pid 5058] unshare(CLONE_SYSVSEM) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "16777216", 8) = 8 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "536870912", 9) = 9 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1024", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "8192", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1024", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1024", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5058] close(3) = 0 [pid 5058] getpid() = 1 [pid 5058] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5062] rseq(0x7fa0a3c38fe0, 0x20, 0, 0x53053053 [pid 5061] <... clone3 resumed> => {parent_tid=[3]}, 88) = 3 [pid 5062] <... rseq resumed>) = 0 [pid 5062] set_robust_list(0x7fa0a3c389a0, 24) = 0 [pid 5061] rt_sigprocmask(SIG_SETMASK, [], [pid 5062] rt_sigprocmask(SIG_SETMASK, [], [pid 5061] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5062] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5061] futex(0x7fa0a3d03328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY [pid 5061] <... futex resumed>) = 0 [pid 5062] <... openat resumed>) = 3 [pid 5061] futex(0x7fa0a3d0332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] setns(201, 0) = 0 [pid 5062] socket(AF_NFC, SOCK_DGRAM, NFC_SOCKPROTO_LLCP) = 4 [pid 5062] setns(3, 0) = 0 [pid 5062] close(3) = 0 [pid 5062] futex(0x7fa0a3d0332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] futex(0x7fa0a3d03328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5061] <... futex resumed>) = 0 [pid 5061] futex(0x7fa0a3d03328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = 0 [pid 5061] <... futex resumed>) = 1 [pid 5062] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR [pid 5061] futex(0x7fa0a3d0332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] <... openat resumed>) = 3 [pid 5062] futex(0x7fa0a3d0332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5061] <... futex resumed>) = 0 [pid 5062] futex(0x7fa0a3d03328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5061] futex(0x7fa0a3d03328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = 0 [pid 5061] <... futex resumed>) = 1 [pid 5062] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0) [pid 5061] futex(0x7fa0a3d0332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] <... ioctl resumed>, 0x20000180) = 0 [pid 5062] futex(0x7fa0a3d0332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] futex(0x7fa0a3d03328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5061] <... futex resumed>) = 0 [pid 5061] futex(0x7fa0a3d03328, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] <... futex resumed>) = 0 [pid 5061] futex(0x7fa0a3d0332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] bind(4, {sa_family=AF_NFC, dev_idx=if_nametoindex("bond0"), target_idx=0, nfc_protocol=0 /* NFC_PROTO_??? */, dsap=0, ssap=0, service_name="\x94\xf7\x0c\x47\xab\xa8\x62\x63\xa1\x46\x84\x73\x93\xee\xe5\x9e\xde\x0c\x74\x0a\x48\x4c\x39\xa2\xc3\x0c\xef\x77\x5b\x56\x38\xdd\x7d\x3a\x8c\xe7\x2e\x8f\xe8\xc2\x35\x2d\x16\x5f\xe4\xb0\xc5\x97\x05", service_name_len=49}, 96) = 0 [pid 5062] futex(0x7fa0a3d0332c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5061] <... futex resumed>) = 0 [pid 5062] futex(0x7fa0a3d03328, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5061] futex(0x7fa0a3d03328, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5062] sendmmsg(4, [pid 5061] <... futex resumed>) = 0 [pid 5061] futex(0x7fa0a3d0332c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5062] <... sendmmsg resumed>[{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=4096}], 1, 0) = 1 [pid 5062] sendmmsg(4, [pid 5061] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5061] close(3) = 0 [pid 5062] <... sendmmsg resumed>[{msg_hdr={msg_name={sa_family=AF_NFC, dev_idx=0, target_idx=0x1, nfc_protocol=NFC_PROTO_JEWEL, dsap=0x1f, ssap=0x2 /* LLCP_SAP_IP */, service_name="\x57\x74\x85\x79\x78\x5e\xcf\xb9\xb2\xcb\xeb\xd9\xa0\x4e\x45\xc6\xbf\xcf\x8e\x67\x02\x01\xbf\x4a\x7c\x6e\xd4\xd3\xe1\x30\xa1\x3f\x84\x53\xbc\x44\x27\x70\x44\x6a\x20\x6a", service_name_len=42}, msg_namelen=96, msg_iov=[{iov_base=NULL, iov_len=0}, {iov_base="\x83\x44\xc1\x47\x4f\xf6\x62\x1f\xe9\xf4\x06\x95\x53\x46\x0c\xc5\x4f\x2a\xad\x35\x4c\xed\xf2\x6f\xcf\x0d\x7c\xfd\x22\x3f\xef\x04\x16\xe5\x69\x3c\xe1\x20\x31\x51\x0a\xe5\x6b\x6e\xfc\x18\x38\xc0\x36\xd0\x0f\x96\x46\xc3\xcb\x6e\xaf\xa2\x8c\x30\xec\x9a\x99\xba\x7f\x65\x37\xbd\xbb\xb8\xae\x0c\xb2\x44\x6d\xb7\x32\x14\x96\x5a\xeb\x4c\x94\xf4\xc2\xa9\x8b\xda\xdf\x5c\x06\x52\x90\xcf\x1b\xa0\x97\x32\x3a\x3e"..., iov_len=4096}, {iov_base=NULL, iov_len=0}], msg_iovlen=3, msg_controllen=0, msg_flags=MSG_DONTROUTE|MSG_PROBE}, msg_len=1792}], 1, 0) = 1 [pid 5062] sendmmsg(4, [pid 5061] close(4) = 0 [pid 5061] close(5) = -1 EBADF (Bad file descriptor) [pid 5061] close(6) = -1 EBADF (Bad file descriptor) [pid 5061] close(7) = -1 EBADF (Bad file descriptor) [pid 5061] close(8) = -1 EBADF (Bad file descriptor) [ 56.503886][ T5062] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 56.522700][ T5062] ================================================================== [ 56.530799][ T5062] BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x149/0x1c0 [ 56.538810][ T5062] Read of size 4 at addr ffff888075231548 by task syz-executor193/5062 [ 56.547036][ T5062] [pid 5061] close(9) = -1 EBADF (Bad file descriptor) [pid 5061] close(10) = -1 EBADF (Bad file descriptor) [pid 5061] close(11) = -1 EBADF (Bad file descriptor) [pid 5061] close(12) = -1 EBADF (Bad file descriptor) [pid 5061] close(13) = -1 EBADF (Bad file descriptor) [pid 5061] close(14) = -1 EBADF (Bad file descriptor) [pid 5061] close(15) = -1 EBADF (Bad file descriptor) [ 56.549357][ T5062] CPU: 1 PID: 5062 Comm: syz-executor193 Not tainted 6.6.0-syzkaller-14263-gaea6bf908d73 #0 [ 56.559400][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 56.569444][ T5062] Call Trace: [ 56.572709][ T5062] [ 56.575626][ T5062] dump_stack_lvl+0x1e7/0x2d0 [ 56.580297][ T5062] ? nf_tcp_handle_invalid+0x650/0x650 [ 56.585747][ T5062] ? panic+0x850/0x850 [ 56.589817][ T5062] ? _printk+0xd5/0x120 [ 56.593983][ T5062] print_report+0x163/0x540 [ 56.598467][ T5062] ? __virt_addr_valid+0x22f/0x2e0 [ 56.603561][ T5062] ? __phys_addr+0xba/0x170 [ 56.608047][ T5062] ? nfc_alloc_send_skb+0x149/0x1c0 [ 56.613230][ T5062] kasan_report+0x142/0x170 [ 56.617723][ T5062] ? nfc_alloc_send_skb+0x149/0x1c0 [ 56.622918][ T5062] nfc_alloc_send_skb+0x149/0x1c0 [ 56.627954][ T5062] nfc_llcp_send_ui_frame+0x2ac/0x670 [ 56.633322][ T5062] ? nfc_llcp_send_i_frame+0x4f0/0x4f0 [ 56.638775][ T5062] ? llcp_sock_sendmsg+0x1fc/0x390 [ 56.644049][ T5062] ? nfc_llcp_getsockopt+0x560/0x560 [ 56.649325][ T5062] ____sys_sendmsg+0x592/0x890 [ 56.654083][ T5062] ? __sys_sendmsg_sock+0x30/0x30 [ 56.659095][ T5062] ? __fget_files+0x3fe/0x480 [ 56.663765][ T5062] __sys_sendmmsg+0x3b2/0x730 [ 56.668435][ T5062] ? __ia32_sys_sendmsg+0x90/0x90 [ 56.673463][ T5062] ? do_raw_spin_lock+0x14d/0x3a0 [ 56.678484][ T5062] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 56.684478][ T5062] ? _raw_spin_unlock_irq+0x23/0x50 [ 56.689682][ T5062] ? lockdep_hardirqs_on+0x98/0x140 [ 56.694886][ T5062] ? print_irqtrace_events+0x220/0x220 [ 56.700346][ T5062] ? syscall_enter_from_user_mode+0x32/0x230 [ 56.706323][ T5062] __x64_sys_sendmmsg+0xa0/0xb0 [ 56.711183][ T5062] do_syscall_64+0x44/0x110 [ 56.715678][ T5062] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.721576][ T5062] RIP: 0033:0x7fa0a3c77969 [ 56.725987][ T5062] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 56.745946][ T5062] RSP: 002b:00007fa0a3c38208 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 56.754386][ T5062] RAX: ffffffffffffffda RBX: 00007fa0a3d03328 RCX: 00007fa0a3c77969 [ 56.762353][ T5062] RDX: 0000000000000001 RSI: 00000000200013c0 RDI: 0000000000000004 [ 56.770317][ T5062] RBP: 00007fa0a3d03320 R08: 0000000000000000 R09: 0000000000000000 [ 56.778296][ T5062] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa0a3cd01a4 [ 56.786262][ T5062] R13: 0000000000000039 R14: 00007fa0a3d010f0 R15: 00007fa0a3c38670 [ 56.794235][ T5062] [ 56.797242][ T5062] [ 56.799554][ T5062] Allocated by task 5062: [ 56.803870][ T5062] kasan_set_track+0x4f/0x70 [ 56.808455][ T5062] __kasan_kmalloc+0x98/0xb0 [ 56.813126][ T5062] nfc_allocate_device+0x12f/0x520 [ 56.818317][ T5062] nci_allocate_device+0x1e2/0x360 [ 56.823415][ T5062] virtual_ncidev_open+0x75/0x1b0 [ 56.828429][ T5062] misc_open+0x30b/0x380 [ 56.832673][ T5062] chrdev_open+0x5ab/0x630 [ 56.837089][ T5062] do_dentry_open+0x8fd/0x1590 [ 56.841840][ T5062] path_openat+0x2845/0x3280 [ 56.846421][ T5062] do_filp_open+0x234/0x490 [ 56.850916][ T5062] do_sys_openat2+0x13e/0x1d0 [ 56.855579][ T5062] __x64_sys_openat+0x247/0x290 [ 56.860417][ T5062] do_syscall_64+0x44/0x110 [ 56.864938][ T5062] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.870858][ T5062] [ 56.873167][ T5062] Freed by task 5061: [ 56.877168][ T5062] kasan_set_track+0x4f/0x70 [ 56.881775][ T5062] kasan_save_free_info+0x28/0x40 [ 56.886890][ T5062] ____kasan_slab_free+0xd6/0x120 [ 56.891943][ T5062] __kmem_cache_free+0x263/0x3a0 [ 56.896878][ T5062] device_release+0x95/0x1c0 [ 56.901462][ T5062] kobject_put+0x1ee/0x430 [ 56.905868][ T5062] nci_free_device+0x38/0x50 [ 56.910445][ T5062] virtual_ncidev_close+0x70/0x90 [ 56.915455][ T5062] __fput+0x3cc/0xa10 [ 56.919425][ T5062] __se_sys_close+0x15f/0x220 [ 56.924090][ T5062] do_syscall_64+0x44/0x110 [ 56.928580][ T5062] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.934477][ T5062] [ 56.936793][ T5062] The buggy address belongs to the object at ffff888075231000 [ 56.936793][ T5062] which belongs to the cache kmalloc-2k of size 2048 [ 56.950847][ T5062] The buggy address is located 1352 bytes inside of [ 56.950847][ T5062] freed 2048-byte region [ffff888075231000, ffff888075231800) [ 56.964826][ T5062] [ 56.967146][ T5062] The buggy address belongs to the physical page: [ 56.973549][ T5062] page:ffffea0001d48c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75230 [ 56.983697][ T5062] head:ffffea0001d48c00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 56.992615][ T5062] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 57.000583][ T5062] page_type: 0xffffffff() [ 57.004921][ T5062] raw: 00fff00000000840 ffff888012c42000 dead000000000122 0000000000000000 [ 57.013506][ T5062] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 57.022075][ T5062] page dumped because: kasan: bad access detected [ 57.028472][ T5062] page_owner tracks the page as allocated [ 57.034360][ T5062] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5062, tgid 5061 (syz-executor193), ts 56272329966, free_ts 55738397890 [ 57.055973][ T5062] post_alloc_hook+0x1e6/0x210 [ 57.060740][ T5062] get_page_from_freelist+0x339a/0x3530 [ 57.066279][ T5062] __alloc_pages+0x255/0x670 [ 57.070859][ T5062] alloc_pages_mpol+0x3de/0x640 [ 57.075705][ T5062] alloc_slab_page+0x6a/0x160 [ 57.080405][ T5062] new_slab+0x84/0x2f0 [ 57.084467][ T5062] ___slab_alloc+0xc85/0x1310 [ 57.089133][ T5062] __kmem_cache_alloc_node+0x21d/0x300 [ 57.094588][ T5062] kmalloc_trace+0x2a/0xe0 [ 57.098996][ T5062] nci_allocate_device+0xe9/0x360 [ 57.104006][ T5062] virtual_ncidev_open+0x75/0x1b0 [ 57.109019][ T5062] misc_open+0x30b/0x380 [ 57.113255][ T5062] chrdev_open+0x5ab/0x630 [ 57.117656][ T5062] do_dentry_open+0x8fd/0x1590 [ 57.122407][ T5062] path_openat+0x2845/0x3280 [ 57.126987][ T5062] do_filp_open+0x234/0x490 [ 57.131481][ T5062] page last free stack trace: [ 57.136135][ T5062] free_unref_page_prepare+0x92a/0xa50 [ 57.141591][ T5062] free_unref_page+0x37/0x3f0 [ 57.146257][ T5062] __slab_free+0x2f6/0x390 [ 57.150661][ T5062] qlist_free_all+0x75/0xe0 [ 57.155154][ T5062] kasan_quarantine_reduce+0x14b/0x160 [ 57.160601][ T5062] __kasan_slab_alloc+0x23/0x70 [ 57.165438][ T5062] slab_post_alloc_hook+0x6c/0x3c0 [ 57.170540][ T5062] __kmem_cache_alloc_node+0x1d0/0x300 [ 57.175985][ T5062] __kmalloc+0xa8/0x230 [ 57.180131][ T5062] tomoyo_supervisor+0xe06/0x11f0 [ 57.185145][ T5062] tomoyo_env_perm+0x178/0x210 [ 57.189897][ T5062] tomoyo_find_next_domain+0x1383/0x1cf0 [ 57.195520][ T5062] tomoyo_bprm_check_security+0x114/0x170 [ 57.201240][ T5062] security_bprm_check+0x63/0xa0 [ 57.206163][ T5062] bprm_execve+0x95f/0x18a0 [ 57.210655][ T5062] do_execveat_common+0x580/0x720 [ 57.215667][ T5062] [ 57.217978][ T5062] Memory state around the buggy address: [ 57.223593][ T5062] ffff888075231400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.231661][ T5062] ffff888075231480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.239714][ T5062] >ffff888075231500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.247754][ T5062] ^ [pid 5061] close(16) = -1 EBADF (Bad file descriptor) [pid 5061] close(17) = -1 EBADF (Bad file descriptor) [pid 5061] close(18) = -1 EBADF (Bad file descriptor) [pid 5061] close(19) = -1 EBADF (Bad file descriptor) [pid 5061] close(20) = -1 EBADF (Bad file descriptor) [pid 5061] close(21) = -1 EBADF (Bad file descriptor) [pid 5061] close(22) = -1 EBADF (Bad file descriptor) [pid 5061] close(23) = -1 EBADF (Bad file descriptor) [pid 5061] close(24) = -1 EBADF (Bad file descriptor) [pid 5061] close(25) = -1 EBADF (Bad file descriptor) [pid 5061] close(26) = -1 EBADF (Bad file descriptor) [ 57.254151][ T5062] ffff888075231580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.262197][ T5062] ffff888075231600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 57.270242][ T5062] ================================================================== [ 57.280021][ T5062] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 57.287233][ T5062] CPU: 1 PID: 5062 Comm: syz-executor193 Not tainted 6.6.0-syzkaller-14263-gaea6bf908d73 #0 [ 57.297395][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 57.307454][ T5062] Call Trace: [ 57.310725][ T5062] [ 57.313658][ T5062] dump_stack_lvl+0x1e7/0x2d0 [ 57.318330][ T5062] ? nf_tcp_handle_invalid+0x650/0x650 [ 57.323867][ T5062] ? panic+0x850/0x850 [ 57.327931][ T5062] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 57.333907][ T5062] ? vscnprintf+0x5d/0x80 [ 57.338230][ T5062] panic+0x349/0x850 [ 57.342117][ T5062] ? check_panic_on_warn+0x21/0xa0 [ 57.347218][ T5062] ? __memcpy_flushcache+0x2b0/0x2b0 [ 57.352509][ T5062] ? _raw_spin_unlock_irqrestore+0x12c/0x140 [ 57.358484][ T5062] ? _raw_spin_unlock+0x40/0x40 [ 57.363333][ T5062] check_panic_on_warn+0x82/0xa0 [ 57.368260][ T5062] ? nfc_alloc_send_skb+0x149/0x1c0 [ 57.373447][ T5062] end_report+0x6e/0x130 [ 57.377677][ T5062] kasan_report+0x153/0x170 [ 57.382169][ T5062] ? nfc_alloc_send_skb+0x149/0x1c0 [ 57.387357][ T5062] nfc_alloc_send_skb+0x149/0x1c0 [ 57.392374][ T5062] nfc_llcp_send_ui_frame+0x2ac/0x670 [ 57.397916][ T5062] ? nfc_llcp_send_i_frame+0x4f0/0x4f0 [ 57.403395][ T5062] ? llcp_sock_sendmsg+0x1fc/0x390 [ 57.408500][ T5062] ? nfc_llcp_getsockopt+0x560/0x560 [ 57.413779][ T5062] ____sys_sendmsg+0x592/0x890 [ 57.418538][ T5062] ? __sys_sendmsg_sock+0x30/0x30 [ 57.423573][ T5062] ? __fget_files+0x3fe/0x480 [ 57.428244][ T5062] __sys_sendmmsg+0x3b2/0x730 [ 57.432919][ T5062] ? __ia32_sys_sendmsg+0x90/0x90 [ 57.437949][ T5062] ? do_raw_spin_lock+0x14d/0x3a0 [ 57.442972][ T5062] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 57.448946][ T5062] ? _raw_spin_unlock_irq+0x23/0x50 [ 57.454136][ T5062] ? lockdep_hardirqs_on+0x98/0x140 [ 57.459338][ T5062] ? print_irqtrace_events+0x220/0x220 [ 57.464881][ T5062] ? syscall_enter_from_user_mode+0x32/0x230 [ 57.470852][ T5062] __x64_sys_sendmmsg+0xa0/0xb0 [ 57.475696][ T5062] do_syscall_64+0x44/0x110 [ 57.480186][ T5062] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 57.486157][ T5062] RIP: 0033:0x7fa0a3c77969 [ 57.490565][ T5062] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 57.510248][ T5062] RSP: 002b:00007fa0a3c38208 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 57.518652][ T5062] RAX: ffffffffffffffda RBX: 00007fa0a3d03328 RCX: 00007fa0a3c77969 [ 57.526613][ T5062] RDX: 0000000000000001 RSI: 00000000200013c0 RDI: 0000000000000004 [ 57.534603][ T5062] RBP: 00007fa0a3d03320 R08: 0000000000000000 R09: 0000000000000000 [ 57.542561][ T5062] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa0a3cd01a4 [ 57.550519][ T5062] R13: 0000000000000039 R14: 00007fa0a3d010f0 R15: 00007fa0a3c38670 [ 57.558495][ T5062] [ 57.561732][ T5062] Kernel Offset: disabled [ 57.566040][ T5062] Rebooting in 86400 seconds..