./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3029405187 <...> Warning: Permanently added '10.128.0.89' (ED25519) to the list of known hosts. execve("./syz-executor3029405187", ["./syz-executor3029405187"], 0x7ffdb599bee0 /* 10 vars */) = 0 brk(NULL) = 0x5555565fa000 brk(0x5555565fad40) = 0x5555565fad40 arch_prctl(ARCH_SET_FS, 0x5555565fa3c0) = 0 set_tid_address(0x5555565fa690) = 5014 set_robust_list(0x5555565fa6a0, 24) = 0 rseq(0x5555565face0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3029405187", 4096) = 28 getrandom("\xaa\xcd\x1a\xbe\x9c\x00\x5d\x65", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555565fad40 brk(0x55555661bd40) = 0x55555661bd40 brk(0x55555661c000) = 0x55555661c000 mprotect(0x7f0e09ae0000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565fa690) = 5015 ./strace-static-x86_64: Process 5015 attached [pid 5015] set_robust_list(0x5555565fa6a0, 24) = 0 [pid 5015] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5015] setpgid(0, 0) = 0 [pid 5015] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5015] write(3, "1000", 4) = 4 [pid 5015] close(3) = 0 [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5015] rt_sigaction(SIGRT_1, {sa_handler=0x7f0e09a833f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0e09a74a70}, NULL, 8) = 0 [pid 5015] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5015] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0e099fd000 [pid 5015] mprotect(0x7f0e099fe000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5015] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5015] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f0e09a1d990, parent_tid=0x7f0e09a1d990, exit_signal=0, stack=0x7f0e099fd000, stack_size=0x20300, tls=0x7f0e09a1d6c0}./strace-static-x86_64: Process 5016 attached => {parent_tid=[5016]}, 88) = 5016 [pid 5015] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5015] futex(0x7f0e09ae6368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5016] rseq(0x7f0e09a1dfe0, 0x20, 0, 0x53053053 [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5016] <... rseq resumed>) = 0 [pid 5016] set_robust_list(0x7f0e09a1d9a0, 24) = 0 [pid 5016] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5016] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR) = 3 [pid 5016] futex(0x7f0e09ae636c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] <... futex resumed>) = 0 [pid 5016] futex(0x7f0e09ae6368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5015] futex(0x7f0e09ae6368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... futex resumed>) = 0 [pid 5015] <... futex resumed>) = 1 [pid 5016] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0) [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5016] <... ioctl resumed>, 0x200000c0) = 0 [pid 5016] futex(0x7f0e09ae636c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] <... futex resumed>) = 0 [pid 5016] futex(0x7f0e09ae6368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5015] futex(0x7f0e09ae6368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5016] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC [pid 5015] <... futex resumed>) = 0 [pid 5016] <... socket resumed>) = 4 [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5016] futex(0x7f0e09ae636c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] <... futex resumed>) = 0 [pid 5016] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5015] futex(0x7f0e09ae6368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... sendto resumed>) = 28 [pid 5016] recvfrom(4, [pid 5015] <... futex resumed>) = 0 [pid 5016] <... recvfrom resumed>[{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5015}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5016] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5015}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5016] futex(0x7f0e09ae636c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] <... futex resumed>) = 0 [pid 5016] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5015] futex(0x7f0e09ae6368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5015] futex(0x7f0e09ae636c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5015] futex(0x7f0e09ae637c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5015] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0e099dc000 [pid 5015] mprotect(0x7f0e099dd000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5015] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5015] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f0e099fc990, parent_tid=0x7f0e099fc990, exit_signal=0, stack=0x7f0e099dc000, stack_size=0x20300, tls=0x7f0e099fc6c0}./strace-static-x86_64: Process 5021 attached => {parent_tid=[5021]}, 88) = 5021 [pid 5015] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5015] futex(0x7f0e09ae6378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5021] rseq(0x7f0e099fcfe0, 0x20, 0, 0x53053053 [pid 5015] <... futex resumed>) = 0 [pid 5015] futex(0x7f0e09ae637c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5021] <... rseq resumed>) = 0 [pid 5021] set_robust_list(0x7f0e099fc9a0, 24) = 0 [pid 5021] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5021] write(3, "\x40\x00\x00\x00\xe7\x00", 6) = 6 [pid 5021] futex(0x7f0e09ae637c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] <... futex resumed>) = 0 [pid 5015] futex(0x7f0e09ae6378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5021] write(3, NULL, 0 [pid 5015] <... futex resumed>) = 0 [pid 5021] <... write resumed>) = 0 [pid 5015] futex(0x7f0e09ae637c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5021] futex(0x7f0e09ae637c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5015] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5021] <... futex resumed>) = 0 [ 166.005066][ T3300] ===================================================== [ 166.012325][ T3300] BUG: KMSAN: uninit-value in nci_rx_work+0x2e6/0x500 [ 166.019566][ T3300] nci_rx_work+0x2e6/0x500 [ 166.024322][ T3300] process_scheduled_works+0x1132/0x1f40 [ 166.030173][ T3300] worker_thread+0xea4/0x1560 [ 166.035219][ T3300] kthread+0x3ed/0x550 [ 166.039532][ T3300] ret_from_fork+0x66/0x80 [ 166.044346][ T3300] ret_from_fork_asm+0x11/0x20 [ 166.049347][ T3300] [ 166.051781][ T3300] Uninit was created at: [ 166.056373][ T3300] kmem_cache_alloc_node+0x5cb/0xbc0 [ 166.061901][ T3300] kmalloc_reserve+0x13d/0x4a0 [ 166.066943][ T3300] __alloc_skb+0x352/0x790 [ 166.071556][ T3300] virtual_ncidev_write+0x6d/0x280 [ 166.077008][ T3300] vfs_write+0x494/0x1520 [ 166.081560][ T3300] ksys_write+0x20f/0x4c0 [ 166.086273][ T3300] __x64_sys_write+0x93/0xd0 [ 166.091080][ T3300] do_syscall_64+0xcf/0x1e0 [ 166.095937][ T3300] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 166.102083][ T3300] [ 166.104640][ T3300] CPU: 1 PID: 3300 Comm: kworker/u4:12 Not tainted 6.8.0-rc6-syzkaller-00278-g58c806d867bf #0 [ 166.115186][ T3300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 [ 166.125550][ T3300] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 166.131336][ T3300] ===================================================== [ 166.138552][ T3300] Disabling lock debugging due to kernel taint [ 166.145129][ T3300] Kernel panic - not syncing: kmsan.panic set ... [ 166.151686][ T3300] CPU: 1 PID: 3300 Comm: kworker/u4:12 Tainted: G B 6.8.0-rc6-syzkaller-00278-g58c806d867bf #0 [ 166.163593][ T3300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 [ 166.173784][ T3300] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 166.179575][ T3300] Call Trace: [ 166.182988][ T3300] [ 166.186058][ T3300] dump_stack_lvl+0x1bf/0x240 [ 166.190959][ T3300] dump_stack+0x1e/0x20 [ 166.195297][ T3300] panic+0x4de/0xc90 [ 166.199406][ T3300] kmsan_report+0x2d0/0x2d0 [pid 5021] futex(0x7f0e09ae6378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5015] exit_group(0) = ? [pid 5021] <... futex resumed>) = ? [ 166.204108][ T3300] ? kmsan_get_metadata+0x146/0x1c0 [ 166.209448][ T3300] ? __msan_warning+0x96/0x120 [ 166.214395][ T3300] ? nci_rx_work+0x2e6/0x500 [ 166.219189][ T3300] ? process_scheduled_works+0x1132/0x1f40 [ 166.225216][ T3300] ? worker_thread+0xea4/0x1560 [ 166.230243][ T3300] ? kthread+0x3ed/0x550 [ 166.234653][ T3300] ? ret_from_fork+0x66/0x80 [ 166.239462][ T3300] ? ret_from_fork_asm+0x11/0x20 [ 166.244593][ T3300] ? filter_irq_stacks+0x60/0x1a0 [ 166.249835][ T3300] ? stack_depot_save_flags+0x2c/0x6e0 [pid 5021] +++ exited with 0 +++ [pid 5016] <... sendmsg resumed>) = ? [ 166.255536][ T3300] ? kmsan_get_metadata+0x146/0x1c0 [ 166.260104][ T5016] nci: __nci_request: wait_for_completion_interruptible_timeout failed -512 [ 166.269711][ T3300] ? kmsan_get_metadata+0x146/0x1c0 [ 166.275119][ T3300] ? kmsan_get_metadata+0x146/0x1c0 [ 166.280521][ T3300] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 166.287065][ T3300] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 166.293402][ T3300] ? kfree_skb_reason+0x193/0x4f0 [ 166.298656][ T3300] ? nfc_send_to_raw_sock+0x504/0x520 [ 166.304295][ T3300] ? kmsan_get_metadata+0x146/0x1c0 [ 166.309672][ T3300] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 166.315706][ T3300] __msan_warning+0x96/0x120 [ 166.320567][ T3300] nci_rx_work+0x2e6/0x500 [ 166.325222][ T3300] ? nci_cmd_work+0x480/0x480 [ 166.330116][ T3300] process_scheduled_works+0x1132/0x1f40 [ 166.335950][ T3300] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 166.341938][ T3300] worker_thread+0xea4/0x1560 [ 166.346839][ T3300] kthread+0x3ed/0x550 [ 166.351145][ T3300] ? pr_cont_work+0xce0/0xce0 [ 166.356002][ T3300] ? kthread_blkcg+0x120/0x120 [ 166.360951][ T3300] ret_from_fork+0x66/0x80 [ 166.365613][ T3300] ? kthread_blkcg+0x120/0x120 [ 166.370619][ T3300] ret_from_fork_asm+0x11/0x20 [ 166.375642][ T3300] [ 166.379032][ T3300] Kernel Offset: disabled [ 166.383430][ T3300] Rebooting in 86400 seconds..