./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3583840092 <...> Warning: Permanently added '10.128.1.171' (ED25519) to the list of known hosts. execve("./syz-executor3583840092", ["./syz-executor3583840092"], 0x7ffc21c3c570 /* 10 vars */) = 0 brk(NULL) = 0x55557f452000 brk(0x55557f452d40) = 0x55557f452d40 arch_prctl(ARCH_SET_FS, 0x55557f4523c0) = 0 set_tid_address(0x55557f452690) = 5182 set_robust_list(0x55557f4526a0, 24) = 0 rseq(0x55557f452ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3583840092", 4096) = 28 getrandom("\x54\x53\x24\x26\x36\xda\xd7\x65", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557f452d40 brk(0x55557f473d40) = 0x55557f473d40 brk(0x55557f474000) = 0x55557f474000 mprotect(0x7fba021f5000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55557f452690) = 5183 ./strace-static-x86_64: Process 5183 attached [pid 5183] set_robust_list(0x55557f4526a0, 24) = 0 [pid 5183] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5183] setpgid(0, 0) = 0 [pid 5183] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5183] write(3, "1000", 4) = 4 [pid 5183] close(3) = 0 [pid 5183] write(1, "executing program\n", 18executing program ) = 18 [pid 5183] futex(0x7fba021fb36c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] rt_sigaction(SIGRT_1, {sa_handler=0x7fba021983b0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fba02189a30}, NULL, 8) = 0 [pid 5183] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5183] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fba0210c000 [pid 5183] mprotect(0x7fba0210d000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5183] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5183] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fba0212c990, parent_tid=0x7fba0212c990, exit_signal=0, stack=0x7fba0210c000, stack_size=0x20300, tls=0x7fba0212c6c0} => {parent_tid=[5184]}, 88) = 5184 [pid 5183] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5183] futex(0x7fba021fb368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] futex(0x7fba021fb36c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5184 attached [pid 5184] rseq(0x7fba0212cfe0, 0x20, 0, 0x53053053) = 0 [pid 5184] set_robust_list(0x7fba0212c9a0, 24) = 0 [pid 5184] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5184] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR) = 3 [pid 5184] futex(0x7fba021fb36c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5183] <... futex resumed>) = 0 [pid 5184] futex(0x7fba021fb368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5183] futex(0x7fba021fb368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5184] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0) [pid 5183] <... futex resumed>) = 0 [pid 5184] <... ioctl resumed>, 0x200000c0) = 0 [pid 5183] futex(0x7fba021fb36c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5184] futex(0x7fba021fb36c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5183] <... futex resumed>) = 0 [pid 5183] futex(0x7fba021fb368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC [pid 5183] futex(0x7fba021fb36c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5184] <... socket resumed>) = 4 [pid 5184] futex(0x7fba021fb36c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5183] <... futex resumed>) = 0 [pid 5184] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5183] futex(0x7fba021fb368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] <... sendto resumed>) = 28 [pid 5183] <... futex resumed>) = 0 [pid 5183] futex(0x7fba021fb36c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5184] recvfrom(4, [{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5183}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5184] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5183}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5184] futex(0x7fba021fb36c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5183] <... futex resumed>) = 0 [pid 5183] futex(0x7fba021fb368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5183] <... futex resumed>) = 0 [pid 5183] futex(0x7fba021fb36c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5183] futex(0x7fba021fb37c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fba020eb000 [pid 5183] mprotect(0x7fba020ec000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5183] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5183] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fba0210b990, parent_tid=0x7fba0210b990, exit_signal=0, stack=0x7fba020eb000, stack_size=0x20300, tls=0x7fba0210b6c0}./strace-static-x86_64: Process 5189 attached [pid 5189] rseq(0x7fba0210bfe0, 0x20, 0, 0x53053053 [pid 5183] <... clone3 resumed> => {parent_tid=[5189]}, 88) = 5189 [pid 5189] <... rseq resumed>) = 0 [pid 5183] rt_sigprocmask(SIG_SETMASK, [], [pid 5189] set_robust_list(0x7fba0210b9a0, 24) = 0 [pid 5183] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5189] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5183] futex(0x7fba021fb378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5189] write(3, "\x61\x03\x01\xfd\x71\xe6\xe5\xb1\xd1\x0b\xc4\x51\xb4\xe1\x78\xb6\xff\xd6", 18) = 18 [pid 5183] <... futex resumed>) = 0 [pid 5183] futex(0x7fba021fb37c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5189] futex(0x7fba021fb37c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5183] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5189] <... futex resumed>) = 0 [ 158.524139][ T2937] nci: nci_rf_discover_ntf_packet: unsupported rf_tech_and_mode 0xe6 [ 158.532618][ T2937] ===================================================== [ 158.540066][ T2937] BUG: KMSAN: uninit-value in nci_ntf_packet+0x2ac6/0x39c0 [ 158.547482][ T2937] nci_ntf_packet+0x2ac6/0x39c0 [ 158.552669][ T2937] nci_rx_work+0x408/0x6f0 [ 158.557277][ T2937] process_scheduled_works+0xae0/0x1c40 [ 158.563065][ T2937] worker_thread+0xea7/0x14f0 [ 158.567917][ T2937] kthread+0x3e2/0x540 [ 158.572322][ T2937] ret_from_fork+0x6d/0x90 [ 158.576861][ T2937] ret_from_fork_asm+0x1a/0x30 [ 158.581911][ T2937] [ 158.584307][ T2937] Uninit was created at: [ 158.588769][ T2937] kmem_cache_alloc_node_noprof+0x6bf/0xb80 [ 158.594964][ T2937] kmalloc_reserve+0x13d/0x4a0 [ 158.600078][ T2937] __alloc_skb+0x363/0x7b0 [ 158.604644][ T2937] virtual_ncidev_write+0x67/0x380 [ 158.609990][ T2937] vfs_write+0x487/0x1540 [ 158.614483][ T2937] ksys_write+0x24f/0x4c0 [ 158.618952][ T2937] __x64_sys_write+0x93/0xe0 [ 158.623927][ T2937] x64_sys_call+0x306a/0x3ba0 [ 158.628782][ T2937] do_syscall_64+0xcd/0x1e0 [ 158.633688][ T2937] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 158.639873][ T2937] [ 158.642284][ T2937] CPU: 1 UID: 0 PID: 2937 Comm: kworker/u8:9 Not tainted 6.12.0-rc1-syzkaller-00349-g8f602276d390 #0 [ 158.653464][ T2937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 158.663809][ T2937] Workqueue: nfc2_nci_rx_wq nci_rx_work [pid 5189] futex(0x7fba021fb378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5183] exit_group(0 [pid 5189] <... futex resumed>) = ? [pid 5183] <... exit_group resumed>) = ? [pid 5189] +++ exited with 0 +++ [pid 5184] <... sendmsg resumed>) = ? [ 158.669544][ T2937] ===================================================== [ 158.676794][ T2937] Disabling lock debugging due to kernel taint [ 158.683240][ T2937] Kernel panic - not syncing: kmsan.panic set ... [ 158.689770][ T2937] CPU: 1 UID: 0 PID: 2937 Comm: kworker/u8:9 Tainted: G B 6.12.0-rc1-syzkaller-00349-g8f602276d390 #0 [ 158.702217][ T2937] Tainted: [B]=BAD_PAGE [ 158.706462][ T2937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 158.716691][ T2937] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 158.722486][ T2937] Call Trace: [ 158.725886][ T2937] [ 158.728924][ T2937] dump_stack_lvl+0x216/0x2d0 [ 158.733802][ T2937] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 158.739797][ T2937] dump_stack+0x1e/0x30 [ 158.744108][ T2937] panic+0x4e2/0xcf0 [ 158.748104][ T2937] ? kmsan_get_metadata+0x101/0x1c0 [ 158.753404][ T2937] kmsan_report+0x2c7/0x2d0 [ 158.758041][ T2937] ? irq_work_queue+0x18d/0x260 [ 158.763009][ T2937] ? __msan_warning+0x95/0x120 [ 158.767907][ T2937] ? nci_ntf_packet+0x2ac6/0x39c0 [ 158.773126][ T2937] ? nci_rx_work+0x408/0x6f0 [ 158.777827][ T2937] ? process_scheduled_works+0xae0/0x1c40 [ 158.783690][ T2937] ? worker_thread+0xea7/0x14f0 [ 158.788648][ T2937] ? kthread+0x3e2/0x540 [ 158.793014][ T2937] ? ret_from_fork+0x6d/0x90 [ 158.797700][ T2937] ? ret_from_fork_asm+0x1a/0x30 [ 158.802814][ T2937] ? vprintk_emit+0xd5c/0xea0 [ 158.807616][ T2937] ? vprintk_default+0x3e/0x50 [ 158.812475][ T2937] ? vprintk+0xee/0xf0 [ 158.816665][ T2937] ? _printk+0x157/0x190 [ 158.821013][ T2937] ? kmsan_get_metadata+0x13e/0x1c0 [ 158.826327][ T2937] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 158.832237][ T2937] __msan_warning+0x95/0x120 [ 158.836959][ T2937] nci_ntf_packet+0x2ac6/0x39c0 [ 158.841934][ T2937] ? kmsan_get_metadata+0x13e/0x1c0 [ 158.847260][ T2937] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 158.853523][ T2937] ? sk_skb_reason_drop+0x140/0x480 [ 158.858870][ T2937] nci_rx_work+0x408/0x6f0 [ 158.863482][ T2937] ? __pfx_nci_rx_work+0x10/0x10 [ 158.868528][ T2937] process_scheduled_works+0xae0/0x1c40 [ 158.874214][ T2937] worker_thread+0xea7/0x14f0 [ 158.879015][ T2937] kthread+0x3e2/0x540 [ 158.883213][ T2937] ? __pfx_worker_thread+0x10/0x10 [ 158.888439][ T2937] ? __pfx_kthread+0x10/0x10 [ 158.893162][ T2937] ret_from_fork+0x6d/0x90 [ 158.897672][ T2937] ? __pfx_kthread+0x10/0x10 [ 158.902378][ T2937] ret_from_fork_asm+0x1a/0x30 [ 158.907265][ T2937] [ 158.910605][ T2937] Kernel Offset: disabled [ 158.914995][ T2937] Rebooting in 86400 seconds..