./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1785664876 <...> Warning: Permanently added '10.128.0.190' (ED25519) to the list of known hosts. execve("./syz-executor1785664876", ["./syz-executor1785664876"], 0x7ffd28fefc30 /* 10 vars */) = 0 brk(NULL) = 0x5555568a5000 brk(0x5555568a5d40) = 0x5555568a5d40 arch_prctl(ARCH_SET_FS, 0x5555568a53c0) = 0 set_tid_address(0x5555568a5690) = 5009 set_robust_list(0x5555568a56a0, 24) = 0 rseq(0x5555568a5ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1785664876", 4096) = 28 getrandom("\xdc\x7b\xc9\xc0\x77\x61\xb9\xae", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555568a5d40 brk(0x5555568c6d40) = 0x5555568c6d40 brk(0x5555568c7000) = 0x5555568c7000 mprotect(0x7ff0d3f2a000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555568a5690) = 5010 ./strace-static-x86_64: Process 5010 attached [pid 5010] set_robust_list(0x5555568a56a0, 24) = 0 [pid 5010] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5010] setpgid(0, 0) = 0 [pid 5010] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5010] write(3, "1000", 4) = 4 [pid 5010] close(3) = 0 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] rt_sigaction(SIGRT_1, {sa_handler=0x7ff0d3ecd3f0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff0d3ebea70}, NULL, 8) = 0 [pid 5010] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff0d3e47000 [pid 5010] mprotect(0x7ff0d3e48000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5010] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff0d3e67990, parent_tid=0x7ff0d3e67990, exit_signal=0, stack=0x7ff0d3e47000, stack_size=0x20300, tls=0x7ff0d3e676c0} => {parent_tid=[5011]}, 88) = 5011 [pid 5010] rt_sigprocmask(SIG_SETMASK, [], ./strace-static-x86_64: Process 5011 attached [pid 5011] rseq(0x7ff0d3e67fe0, 0x20, 0, 0x53053053 [pid 5010] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5011] <... rseq resumed>) = 0 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] set_robust_list(0x7ff0d3e679a0, 24) = 0 [pid 5011] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5011] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR) = 3 [pid 5011] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5011] futex(0x7ff0d3f30368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5011] <... futex resumed>) = 0 [pid 5010] <... futex resumed>) = 1 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5011] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5011] futex(0x7ff0d3f30368, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5011] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 28 [pid 5010] <... futex resumed>) = 0 [pid 5011] recvfrom(4, [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] <... recvfrom resumed>[{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5010}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5011] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5010}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5011] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 5 [pid 5011] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0), 0x20000180) = 0 [pid 5011] futex(0x7ff0d3f3036c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7ff0d3f30368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7ff0d3f3036c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] sendmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x04\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5010] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5010] futex(0x7ff0d3f3037c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff0d3e26000 [pid 5010] mprotect(0x7ff0d3e27000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5010] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff0d3e46990, parent_tid=0x7ff0d3e46990, exit_signal=0, stack=0x7ff0d3e26000, stack_size=0x20300, tls=0x7ff0d3e466c0}./strace-static-x86_64: Process 5016 attached => {parent_tid=[5016]}, 88) = 5016 [pid 5016] rseq(0x7ff0d3e46fe0, 0x20, 0, 0x53053053 [pid 5010] rt_sigprocmask(SIG_SETMASK, [], [pid 5016] <... rseq resumed>) = 0 [pid 5016] set_robust_list(0x7ff0d3e469a0, 24 [pid 5010] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5016] <... set_robust_list resumed>) = 0 [pid 5016] rt_sigprocmask(SIG_SETMASK, [], [pid 5010] futex(0x7ff0d3f30378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5016] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5016] write(3, "\x61\x03\x00\xe0\xff\xff\xb4\x00\x00\x00\x00\x00", 12 [pid 5010] <... futex resumed>) = 0 [pid 5016] <... write resumed>) = 12 [pid 5016] futex(0x7ff0d3f3037c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5010] futex(0x7ff0d3f3037c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5016] <... futex resumed>) = 0 [pid 5010] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 159.800799][ T4386] nci: nci_rf_discover_ntf_packet: unsupported rf_tech_and_mode 0xff [ 159.809297][ T4386] ===================================================== [ 159.816712][ T4386] BUG: KMSAN: uninit-value in nci_ntf_packet+0x2ac8/0x39c0 [ 159.824316][ T4386] nci_ntf_packet+0x2ac8/0x39c0 [ 159.829419][ T4386] nci_rx_work+0x213/0x500 [ 159.834245][ T4386] process_scheduled_works+0x104e/0x1e70 [ 159.840097][ T4386] worker_thread+0xf45/0x1490 [ 159.845347][ T4386] kthread+0x3ed/0x540 [ 159.849639][ T4386] ret_from_fork+0x66/0x80 [ 159.854462][ T4386] ret_from_fork_asm+0x11/0x20 [ 159.859449][ T4386] [ 159.861878][ T4386] Uninit was created at: [ 159.866479][ T4386] slab_post_alloc_hook+0x129/0xa70 [ 159.871866][ T4386] kmem_cache_alloc_node+0x5e9/0xb10 [ 159.877611][ T4386] kmalloc_reserve+0x13d/0x4a0 [ 159.882605][ T4386] __alloc_skb+0x318/0x740 [ 159.887525][ T4386] virtual_ncidev_write+0x6d/0x280 [ 159.892815][ T4386] vfs_write+0x561/0x1490 [ 159.897477][ T4386] ksys_write+0x20f/0x4c0 [ 159.901985][ T4386] __x64_sys_write+0x93/0xd0 [ 159.906949][ T4386] do_syscall_64+0x44/0x110 [ 159.911674][ T4386] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 159.918205][ T4386] [ 159.921102][ T4386] CPU: 1 PID: 4386 Comm: kworker/u4:31 Not tainted 6.7.0-rc8-syzkaller #0 [ 159.930081][ T4386] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 159.940445][ T4386] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 159.946481][ T4386] ===================================================== [ 159.953614][ T4386] Disabling lock debugging due to kernel taint [ 159.959895][ T4386] Kernel panic - not syncing: kmsan.panic set ... [ 159.966450][ T4386] CPU: 1 PID: 4386 Comm: kworker/u4:31 Tainted: G B 6.7.0-rc8-syzkaller #0 [ 159.976616][ T4386] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 [ 159.986814][ T4386] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 159.992619][ T4386] Call Trace: [ 159.996021][ T4386] [pid 5016] futex(0x7ff0d3f30378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5010] exit_group(0 [pid 5016] <... futex resumed>) = ? [pid 5016] +++ exited with 0 +++ [pid 5010] <... exit_group resumed>) = ? [pid 5011] <... sendmsg resumed>) = ? [ 159.999062][ T4386] dump_stack_lvl+0x1bf/0x240 [ 160.003999][ T4386] dump_stack+0x1e/0x20 [ 160.008390][ T4386] panic+0x4de/0xc90 [ 160.012545][ T4386] ? add_taint+0x108/0x1a0 [ 160.017171][ T4386] kmsan_report+0x2d0/0x2d0 [ 160.021914][ T4386] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 160.028424][ T4386] ? __msan_warning+0x96/0x110 [ 160.033405][ T4386] ? nci_ntf_packet+0x2ac8/0x39c0 [ 160.038672][ T4386] ? nci_rx_work+0x213/0x500 [ 160.044630][ T4386] ? process_scheduled_works+0x104e/0x1e70 [ 160.049252][ T5011] nci: __nci_request: wait_for_completion_interruptible_timeout failed -512 [ 160.059376][ T4386] ? worker_thread+0xf45/0x1490 [ 160.064430][ T4386] ? kthread+0x3ed/0x540 [ 160.069771][ T4386] ? ret_from_fork+0x66/0x80 [ 160.074594][ T4386] ? ret_from_fork_asm+0x11/0x20 [ 160.079770][ T4386] ? vprintk_emit+0xa59/0xbd0 [ 160.084674][ T4386] ? vprintk_default+0x3e/0x50 [ 160.089651][ T4386] ? vprintk+0xea/0xf0 [ 160.093947][ T4386] ? _printk+0x157/0x190 [ 160.098477][ T4386] ? kmsan_get_shadow_origin_ptr+0x4d/0xa0 [ 160.104540][ T4386] __msan_warning+0x96/0x110 [ 160.109270][ T4386] nci_ntf_packet+0x2ac8/0x39c0 [ 160.114278][ T4386] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 160.120786][ T4386] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 160.127119][ T4386] nci_rx_work+0x213/0x500 [ 160.131773][ T4386] ? nci_cmd_work+0x480/0x480 [ 160.136677][ T4386] process_scheduled_works+0x104e/0x1e70 [ 160.142527][ T4386] worker_thread+0xf45/0x1490 [ 160.147365][ T4386] kthread+0x3ed/0x540 [ 160.151595][ T4386] ? pr_cont_work+0xce0/0xce0 [ 160.156406][ T4386] ? kthread_blkcg+0x120/0x120 [ 160.161314][ T4386] ret_from_fork+0x66/0x80 [ 160.165983][ T4386] ? kthread_blkcg+0x120/0x120 [ 160.171317][ T4386] ret_from_fork_asm+0x11/0x20 [ 160.176224][ T4386] [ 160.179591][ T4386] Kernel Offset: disabled [ 160.183984][ T4386] Rebooting in 86400 seconds..