./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor879741959 <...> Warning: Permanently added '10.128.0.72' (ED25519) to the list of known hosts. execve("./syz-executor879741959", ["./syz-executor879741959"], 0x7ffc89921dc0 /* 10 vars */) = 0 brk(NULL) = 0x55557d091000 brk(0x55557d091d40) = 0x55557d091d40 arch_prctl(ARCH_SET_FS, 0x55557d0913c0) = 0 set_tid_address(0x55557d091690) = 5043 set_robust_list(0x55557d0916a0, 24) = 0 rseq(0x55557d091ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor879741959", 4096) = 27 getrandom("\x38\x82\xa7\x53\x52\x79\x6c\x13", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55557d091d40 brk(0x55557d0b2d40) = 0x55557d0b2d40 brk(0x55557d0b3000) = 0x55557d0b3000 mprotect(0x7f388368b000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55557d091690) = 5044 ./strace-static-x86_64: Process 5044 attached [pid 5044] set_robust_list(0x55557d0916a0, 24) = 0 [pid 5044] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5044] setpgid(0, 0) = 0 [pid 5044] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5044] write(3, "1000", 4) = 4 [pid 5044] close(3) = 0 [pid 5044] futex(0x7f388369136c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5044] rt_sigaction(SIGRT_1, {sa_handler=0x7f388362e3b0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f388361fa30}, NULL, 8) = 0 [pid 5044] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5044] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f38835a2000 [pid 5044] mprotect(0x7f38835a3000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5044] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5044] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f38835c2990, parent_tid=0x7f38835c2990, exit_signal=0, stack=0x7f38835a2000, stack_size=0x20300, tls=0x7f38835c26c0}./strace-static-x86_64: Process 5045 attached => {parent_tid=[5045]}, 88) = 5045 [pid 5045] rseq(0x7f38835c2fe0, 0x20, 0, 0x53053053) = 0 [pid 5044] rt_sigprocmask(SIG_SETMASK, [], [pid 5045] set_robust_list(0x7f38835c29a0, 24 [pid 5044] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5045] <... set_robust_list resumed>) = 0 [pid 5044] futex(0x7f3883691368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5045] rt_sigprocmask(SIG_SETMASK, [], [pid 5044] <... futex resumed>) = 0 [pid 5045] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5044] futex(0x7f388369136c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5045] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR) = 3 [pid 5045] futex(0x7f388369136c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] <... futex resumed>) = 0 [pid 5044] futex(0x7f3883691368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5045] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0), 0x200000c0) = 0 [pid 5044] futex(0x7f388369136c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5045] futex(0x7f388369136c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] <... futex resumed>) = 0 [pid 5044] futex(0x7f3883691368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5044] futex(0x7f388369136c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5045] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5045] futex(0x7f388369136c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] <... futex resumed>) = 0 [pid 5045] futex(0x7f3883691368, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5044] futex(0x7f3883691368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5045] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5044] <... futex resumed>) = 0 [pid 5045] <... sendto resumed>) = 28 [pid 5044] futex(0x7f388369136c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5045] recvfrom(4, [{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5044}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5045] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5044}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5045] futex(0x7f388369136c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] <... futex resumed>) = 0 [pid 5044] futex(0x7f3883691368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5044] futex(0x7f388369136c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5045] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5044] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5044] futex(0x7f388369137c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5044] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3883581000 [pid 5044] mprotect(0x7f3883582000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5044] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5044] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f38835a1990, parent_tid=0x7f38835a1990, exit_signal=0, stack=0x7f3883581000, stack_size=0x20300, tls=0x7f38835a16c0}./strace-static-x86_64: Process 5050 attached [pid 5050] rseq(0x7f38835a1fe0, 0x20, 0, 0x53053053 [pid 5044] <... clone3 resumed> => {parent_tid=[5050]}, 88) = 5050 [pid 5050] <... rseq resumed>) = 0 [pid 5044] rt_sigprocmask(SIG_SETMASK, [], [pid 5050] set_robust_list(0x7f38835a19a0, 24 [pid 5044] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5050] <... set_robust_list resumed>) = 0 [pid 5050] rt_sigprocmask(SIG_SETMASK, [], [pid 5044] futex(0x7f3883691378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5050] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5044] <... futex resumed>) = 0 [pid 5050] write(3, NULL, 0 [pid 5044] futex(0x7f388369137c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5050] <... write resumed>) = 0 [pid 5050] futex(0x7f388369137c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] futex(0x7f3883691378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5044] <... futex resumed>) = 0 [pid 5044] futex(0x7f3883691378, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] <... futex resumed>) = 0 [pid 5044] futex(0x7f388369137c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5050] write(3, NULL, 0) = 0 [pid 5050] futex(0x7f388369137c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5044] <... futex resumed>) = 0 [ 152.865151][ T3395] ===================================================== [ 152.872424][ T3395] BUG: KMSAN: uninit-value in nci_rx_work+0x35a/0x5d0 [ 152.879602][ T3395] nci_rx_work+0x35a/0x5d0 [ 152.884513][ T3395] process_scheduled_works+0xa81/0x1bd0 [ 152.890262][ T3395] worker_thread+0xea5/0x1560 [ 152.895379][ T3395] kthread+0x3e2/0x540 [ 152.899649][ T3395] ret_from_fork+0x6d/0x90 [ 152.904354][ T3395] ret_from_fork_asm+0x1a/0x30 [ 152.909325][ T3395] [ 152.911740][ T3395] Uninit was created at: [ 152.916332][ T3395] kmem_cache_alloc_node+0x622/0xc90 [ 152.921825][ T3395] kmalloc_reserve+0x13d/0x4a0 [ 152.926885][ T3395] __alloc_skb+0x35b/0x7a0 [ 152.931481][ T3395] virtual_ncidev_write+0x6d/0x290 [ 152.937016][ T3395] vfs_write+0x49b/0x1520 [ 152.941547][ T3395] ksys_write+0x20f/0x4c0 [ 152.946187][ T3395] __x64_sys_write+0x93/0xe0 [ 152.950962][ T3395] x64_sys_call+0x3062/0x3b50 [ 152.955918][ T3395] do_syscall_64+0xcf/0x1e0 [ 152.960608][ T3395] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 152.966865][ T3395] [ 152.969285][ T3395] CPU: 1 PID: 3395 Comm: kworker/u8:19 Not tainted 6.9.0-syzkaller #0 [ 152.977751][ T3395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 152.990860][ T3395] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 152.996834][ T3395] ===================================================== [ 153.003951][ T3395] Disabling lock debugging due to kernel taint [ 153.010222][ T3395] Kernel panic - not syncing: kmsan.panic set ... [ 153.016736][ T3395] CPU: 1 PID: 3395 Comm: kworker/u8:19 Tainted: G B 6.9.0-syzkaller #0 [ 153.026543][ T3395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 153.036718][ T3395] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 153.042511][ T3395] Call Trace: [ 153.046436][ T3395] [ 153.049481][ T3395] dump_stack_lvl+0x216/0x2d0 [ 153.054366][ T3395] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 153.060375][ T3395] dump_stack+0x1e/0x30 [pid 5050] futex(0x7f3883691378, FUTEX_WAIT_PRIVATE, 0, NULL [ 153.064733][ T3395] panic+0x4e2/0xcd0 [ 153.068816][ T3395] ? kmsan_get_metadata+0x81/0x1d0 [ 153.074094][ T3395] kmsan_report+0x2d5/0x2e0 [ 153.078734][ T3395] ? kmsan_get_metadata+0x146/0x1d0 [ 153.084111][ T3395] ? __msan_warning+0x95/0x120 [ 153.089095][ T3395] ? nci_rx_work+0x35a/0x5d0 [ 153.093900][ T3395] ? process_scheduled_works+0xa81/0x1bd0 [ 153.099974][ T3395] ? worker_thread+0xea5/0x1560 [ 153.104958][ T3395] ? kthread+0x3e2/0x540 [ 153.110046][ T3395] ? ret_from_fork+0x6d/0x90 [pid 5044] exit_group(0 [pid 5050] <... futex resumed>) = ? [pid 5044] <... exit_group resumed>) = ? [pid 5050] +++ exited with 0 +++ [pid 5045] <... sendmsg resumed>) = ? [ 153.114928][ T3395] ? ret_from_fork_asm+0x1a/0x30 [ 153.120085][ T3395] ? filter_irq_stacks+0x60/0x1a0 [ 153.125625][ T3395] ? stack_depot_save_flags+0x2c/0x6e0 [ 153.131299][ T3395] ? kmsan_get_metadata+0x146/0x1d0 [ 153.136670][ T3395] ? kmsan_get_metadata+0x146/0x1d0 [ 153.142034][ T3395] ? kmsan_get_metadata+0x146/0x1d0 [ 153.147393][ T3395] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 153.157054][ T3395] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 153.164911][ T3395] ? kfree_skb_reason+0x197/0x4f0 [ 153.170124][ T3395] ? nfc_send_to_raw_sock+0x504/0x530 [ 153.175667][ T3395] ? kmsan_get_metadata+0x146/0x1d0 [ 153.181059][ T3395] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 153.187041][ T3395] __msan_warning+0x95/0x120 [ 153.191861][ T3395] nci_rx_work+0x35a/0x5d0 [ 153.196480][ T3395] ? __pfx_nci_rx_work+0x10/0x10 [ 153.201611][ T3395] process_scheduled_works+0xa81/0x1bd0 [ 153.207375][ T3395] worker_thread+0xea5/0x1560 [ 153.212270][ T3395] kthread+0x3e2/0x540 [ 153.216604][ T3395] ? __pfx_worker_thread+0x10/0x10 [ 153.221984][ T3395] ? __pfx_kthread+0x10/0x10 [ 153.226989][ T3395] ret_from_fork+0x6d/0x90 [ 153.232203][ T3395] ? __pfx_kthread+0x10/0x10 [ 153.237972][ T3395] ret_from_fork_asm+0x1a/0x30 [ 153.242960][ T3395] [ 153.246204][ T3395] Kernel Offset: disabled [ 153.250617][ T3395] Rebooting in 86400 seconds..